Jump to content
Tuts 4 You

[Help] How to protect autoit script


Modify

Recommended Posts

Posted

Anyone help me, protect my autoit script


 

Posted
On 21/1/2016 at 4:41 PM, GoravGupta said:

Anyone help me, protect my autoit script


 

There's not really very posible to protect Autoit since you can dump each value or string or source code, is a Script language(And also this Self-Read the Data From EOF so you can't use packers for protect it, uh).


But well, my advices are:
First: Use last Autoit Version(will be a bit more hard to decompile  (see for Exe2Aut), anyway any user with some knowledge can get the source code manually)
Second: Obfuscate as much you can for do more hard get the source code, (Of course never will be imposible).
Third: You can edit delimiters and the position of the EOF data from where it reads for make it more difficult to get the source.

  • Like 1
Posted
On Saturday, January 23, 2016 at 11:02 AM, Reasen said:

There's not really very posible to protect Autoit since you can dump each value or string or source code, is a Script language(And also this Self-Read the Data From EOF so you can't use packers for protect it, uh).


But well, my advices are:
First: Use last Autoit Version(will be a bit more hard to decompile  (see for Exe2Aut), anyway any user with some knowledge can get the source code manually)
Second: Obfuscate as much you can for do more hard get the source code, (Of course never will be imposible).
Third: You can edit delimiters and the position of the EOF data from where it reads for make it more difficult to get the source.

Thnx... very Help full reply
 

  • 9 months later...
Posted
On 23/1/2016 at 8:02 PM, Reasen said:

Third: You can edit delimiters and the position of the EOF data from where it reads for make it more difficult to get the source.

All the point are clear but this not. Please, please explain step-by-step how to do. I think i need and Hex Editor ( and i have ) and i have see the EOF but then? Thanks

Posted
4 hours ago, Tyron said:

All the point are clear but this not. Please, please explain step-by-step how to do. I think i need and Hex Editor ( and i have ) and i have see the EOF but then? Thanks

Reversing deautoit could help you..

  if ( v0 && (fseek(globalvar, v0 + 16, 0), fread(&v2, 8u, 1u, globalvar), !strncmp(&v3, "EA06", 4u)) )

 

 

Posted

That doesn't help. We know there is a signature inside the OEF but if we just change it with an hex editor the script refuse to start. So i'm agree with Tyron what we need to do, something everyone can understand?

Posted (edited)

So...after some research and hex editing i have understand how:

1) Change the signature

2) Replace the delimeter

xm0sbc.jpg

3) Position of the EOF = ??? = is the same as before

All this work has done some result? Yes, zero. One of the two decompiler just decompile it without any hesitation, the other one ( the opensource ) ask me a couple of question:

Is this an autoit script? Yes

A recent one? Yes

Done, here we have my source. God someone please explain what i need to do, here or PM. The output if help:

================================================================================
Unpacking: C:\Test1.hack.exe
AlternativeSigScan for 'FILE'-signature in au3-body...
Scanning for FILE-(old)signature: FF 6D B0 CE    ÿm°Î
...not found.
Scanning for FILE-(new)signature: 6B 43 CA 52    kCÊR
Modified Script Type 3.2.5+ found.
00049856 -> SrcFile_FileInst: >>>AUTOIT SCRIPT<<<
Seeking back to script start position...
Modified AU3_Signature: 41 42 43 44 45 46 44 48 49 4C 4D 4E 4F 50 51 52   ABCDEFDHILMNOPQR
 ---> ScriptStartOffset: 00049800
      EndOf_PE-ExeFile : 00049800
Extracting ExeIcon/s to: "C:\Test1.hack.ico"
00049814 -> SubType: 0x59  YYY?
00049814 -> Unexpected Script subtype: 0x3F595959 YYY?
~ Note:  The following offset values are were the data ends (and not were it starts) ~
00049818 -> Type2 = XXXX  Normally you would get 'Error: Unsupported Version of AutoIt script.' here
Script is password protected!
00049828 -> Password/MD5PassphraseHash: 07E646778EFD7B845FAD18A72C9E122C
            æFwŽý{„_­§,ž,
MD5PassphraseHash_ByteSum: 00000000  '+ 2477' => decryption key!
------------ Processing Body -------------
=== > Processing FILE: #1
0004982C -> ResType: FILE
00049856 -> SrcFile_FileInst: >>>AUTOIT SCRIPT<<<
000498B4 -> CompiledPathName: C:\aut240.tmp
000498B5 -> IsCompressed: True  (01)
000498B9 -> ScriptSize Compressed: 0000008C  Decimal:140
000498BD -> ScriptSize UnCompressed(used to seek to next file): 0000008D  Decimal:141
000498C1 -> ADLER32 CRC of unencrypted script data: BA072786
000498D1 -> FileTime (number of 100-nanosecond intervals since January 1, 1601) 
    pCreationTime:  01D235053C957133  2.11.2016 12:32:55 [470]
    pLastWrite   :  01D235053C96F863  2.11.2016 12:32:55 [480]
000498D1 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:XXXX
WARNING: Normally signature is 'EA06' - possible reasons: 'modified' AutToExe, decryption failure, new version...
Forcing/overwrite signature to 'EA06
Compressed scriptdata written to C:\Test1.hack.pak
Expanding script data to "Test1.hack.tok" at C:\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
Processing Finished!
0004995D -> End of script data
  FileLen: 00049965  => Overlay: 00000008
  overlaybytes: 59 59 59 3F 58 58 58 58   YYY?XXXX
===============================================================================
Trying to DeTokenise: C:\ Test1.hack.tok
00000004 -> Code Lines: 4   0x00000004
Keep TmpFile is unchecked => Deleting 'Test1.hack.tok'
Deleting: C:\ Test1.hack.tok
Converting Unicode to UTF8, since Tidy don't support unicode.
Save/overwrite script to: C:\ Test1.hack.au3
Skipping to run 'data\Tidy\Tidy.exe' onTest1.hack.au3' to improve sourcecode readability. (Plz run it manually if you need it.)
Token expansion succeed.
===============================================================================
Testing for Scripts that were obfuscate by 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]' or 'EncodeIt 2.0'
===============================================================================
Trying to DeObfuscate : C:\ Test1.hack.au3
Running 'Tidy.exe Test1.hack.au3' to improve sourcecode readability.
C:\ MA2E\data\Tidy\Tidy.exe "C:\ Test1.hack.au3"
Tidy: Tidy AutoIt3 v2.1.0.0   Copyright (c) Jos van der Zande  December 28, 2009
Tidy: Params$: c:\ ma2e\data\tidy\tidy.exe c:\ test1.hack.au3
Tidy: 0.00 Initializing...
Tidy: !> Script is encoded in UTF8 which is not supported ..  stopping process.
Tidy: Params$:
Tidy: 0.02 Creating Tables
Tidy: 0.02 Start Pre-processing File...
Tidy: 0.02 C:\data\Tidy\..\api\au3.api      File Date:  1 1 1601 1 0
Tidy: 0.02 C:\data\Tidy\au3.api      File Date:  6 12 2008 9 52
Tidy: 0.02 C:\data\Tidy\functions.tbl      File Date:  6 12 2008 9 52
Tidy: 0.02 Processing au3.api...
Tidy: 0.35 Start Processing File...
Tidy: +> Tidy AutoIt3 finished. Original copied to:"C:\Test1.hack_old1.au3"
Tidy: 0.36 Done...
=> Okay (ExitCode: 0).
Deleting Tidy BackupFile...
Deleting: C:\Test1.hack_old1.au3
===============================================================
Seperating Includes of : C:\Test1.hack.au3
  162 bytes loaded.

 

Edited by JohnReese
Posted

@JohnReese: You can't protect autoit script against being analyzed. No, you really can't. All you can do, is to obfuscate the script and slow down reverser's work. 

* The stuff you tried will stop absolute beginners. Like those 12-year-olds who just discovered a hex editor.
* More professional tools (like https://forum.tuts4you.com/topic/38891-autoit-obfuscator/) will slow down analysis for everyone.
* But nothing will stop a really dedicated reverser. That is just impossible. Accept it as a fact.

  • Like 2
Posted (edited)

Hello,

You can't

Regards

Edited by Happening
Posted

@kao do you want to know another fact? I don't care about reverser, zero, nothing. Do you think i want to stop a skilled guy with an hex editor? I'm not so stupid.

My only goal is defeat the two automatic tool for decompile can be used by 8 year olds with zero skill that think an hex editor is something to eat. I ask so much? Do you know how? What mean the third suggestione of Reasen? Any way? No-Yes

That obfuscator is a paid software, i'll pass since my product are all free.

Happening, thanks for the info. You job is done.

Posted

Learn a real programming language ffs

  • Like 3
Posted (edited)

A real programming language is safety against decompilation? Yeah you have right, for this reason we have games, app, software of thousand dollars for free on the net couple of hours after they was released, but wait they are all made in autoit right? Or maybe is autohotkey? Go out of here and get a life, if you don't want help ( and you don't want to help but just trolling here ) is none of your business. Mr.Programmer...learn to read.

Edited by JohnReese
Posted

You can use 

which is a good obfuscator to slow down reverser. Other than that there is not really much you can do.

Posted (edited)

I'd suggest modifying the compiler itself for AutoIt if you want to make it more secure. Outside of obfuscation, which is nearly pointless in a script language, your best bet is to alter how the output is generated. Since your goal is to prevent drag and drop tools from working, then target how those tool work in the first place. Alter how AutoIt handles storing your code in the binary as well as how it reads it back into a interpreted format. Add more steps to that process with custom code, alter compression methods used, any encryption (such as the key used to enc/dec) the location of that key, etc. Given that AutoIt is  closed source, you are going to have to do this via custom patches to the compiler itself. Be it through simple byte patching, or something more intensive such  as inline patches, detouring, full blown loader etc. you should definitely be looking into altering how the output is generated and handled.

Things like obfuscators are a waste of time when it comes to a scripting language that is interpreted at runtime. You are literally doing nothing but making the source code slightly harder to read.

As for getting serious replies here, don't expect much. This is not the most friendly of sites to actually ask for help anymore. 

Edited by atom0s
  • Like 4
Posted (edited)
5 hours ago, zunzutech said:

You can use...is a good obfuscator to slow down reverser. Other than that there is not really much you can do.

Kao has already suggested it. Is a paid product, also server side for both software and online interface. Who tell he don't make a copy of the source for his "Source Code Recovery"? Sorry but i don't trust and i don't want to pay. Thanks anyway

4 hours ago, atom0s said:

I'd suggest modifying the compiler itself for AutoIt if you want to make it more secure...This is not the most friendly of sites to actually ask for help anymore. 

That is EXACLTY what i want to do, alter in some way the output executable to make unrecognized to automatic tool, i don't care about the reverser as i have already saw it. But if i was able my myselft do you think i was here to ask help? Is this isn't there right place where? On the autoit forum will be ban me in two seconds, maybe one.

Alterning the signature, removing AU3 or EA06 from the compiled itselft and from stub was my best try and the decompiler still work*, on the web there isn't ONE guide to make something like this. Please, if you can help me... 

*For check that is autoit since singature and AU3 and EA06 was removed see 00049856 -> SrcFile_FileInst, move ( yeah "move" how? ) the address in another location. Or there is 00049828 -> Password/MD5PassphraseHash 00000000 '+ 2477' => decryption key. Maybe i can use a custom key with different leght that will change for every executable i made, or the token many thing i can alter and many things i don't know how to do, all undocumented.

Edited by JohnReese
Posted

Considering how long Bartosz Wojcik has been in the reversing community, your accusations are totally ridiculous. But we're not here to make flame wars, so you can stick to your opinion if you wish. :)

If all you want is a protection against kids running automated tools, CWAutComp (possibly in combination with some free PE packer/protector) could be able to do it for you. It's free and can be easily found using Google - but you get what you paid for: possible 3rd party AV detections, no English manual, no support, no nothing.

  • Like 2
Posted (edited)

My intention wasn't flame anyone, instead some guy here want the opposite. I don't trust since i don't know him, i don't like the server-side of that obfuscator and i don't want to pay with "tickets" what in theory at the principe was "free". If for you this is flame...

EDIT: I have try CWAutComp. For a simple MsgBox without obfuscation there are 15 detection, i'll not make a malware and seems these tool is used for that so there is a reason for so many detection. I'll pass, unfortunately. 

Edited by JohnReese
Posted

Another option:
1. Find some random obfuscator that doesn't have a public deobfuscator
2. Manually editing stuff (adding junk code, adding Execute, Eval and Assign)
3. Compile
4. Pack with Enigma Free or any packer you have.

Posted

Name of one this obfuscator without a public deobfuscator? I don't know one. Enigma Free is skipped by Exe2Aut

With Hex editing, after some test, i was able to stop myAutToExe. Alternative search fail, Invalid InputData bla bla bla go to the hell. The other one instead still able to decompile, i don't know how.

Bartosz Wójcik
Posted (edited)
12 hours ago, JohnReese said:

My intention wasn't flame anyone, instead some guy here want the opposite. I don't trust since i don't know him, i don't like the server-side of that obfuscator and i don't want to pay with "tickets" what in theory at the principe was "free". If for you this is flame...

Where are all of your free obfuscators huh? They are either blacklisted with every AV engine for using shitty methods of obfuscation (BinaryToString and so on) or dead projects, unsupported, with no future and no support for anything more complex AutoIt language comes with (no wonder if they utilize regular expressions to parse the source code). My stuff comes with an online interface, Windows app, console app for both Windows and Linux and Web API interface for PHP.

If you read my page you would find a section how to get a free code, it's not that hard.

You don't like server side of my software? Why do you even use Internet? I bet you share more private information with Facebook and Google. Server side let me keep up my customers with all the updates and protects me from pretentious people who thinks everything should be free for them - just because you're some kind of special snowflake. You're not. And you're free to use whatever you like.

Edited by Bartosz Wójcik
Posted (edited)

People here know re but not english. For the third and last time, i don't want to use your paid product thanks for the ads of the feature, i don't want a free ticket, i don't have facebook or twitter if you care so much. In my very little i release only free things, my only intention was protect hour of dedicated life by 8 year olds lamer. I was registrered here for help, instead except some guys (i'm thanks they) i have see post like "buy this, you can't, change language n00b". Explanation or guide was my expectation, my mistake to think this was a right place for threat the subject, there isn't a place for me, or for us. Now is all clear, i must surrender, i don't have the age anymore for asking, waiting for someone, hoping, just delusion. I'll give up, i'm really tired of everything, people and programming included. Acta est fabula.

Edited by JohnReese
Bartosz Wójcik
Posted
21 minutes ago, JohnReese said:

People here know re but not english.

"i don't want to pay with "tickets" what in theory at the principe was "free""

"(i'm thanks they)"

"Now is all clear"

" my mistake to think this was a right place for threat the subject "

"  i don't have the age anymore for asking "

Sounds like "perfect" english to me... Maybe that's why people didn't understand you? Talking shit like you're in your Kentucky's home backyard and blaming others for not understanding your local slang...

  • Like 1
Posted

@mrexodia: Exe2Aut works just fine.

Spoiler

....

Opt("GUIOnEventMode", 1)
Global $g_idexit
_main()

Func _main()
	Local $idyes, $idno
	GUICreate("Custom MsgBox", 210, 80)
	GUICtrlCreateLabel("Please click a button!", 10, 10)
	$idyes = GUICtrlCreateButton("Yes", 10, 50, 50, 20)
	GUICtrlSetOnEvent($idyes, "OnYes")
	$idno = GUICtrlCreateButton("No", 80, 50, 50, 20)
	GUICtrlSetOnEvent($idno, "OnNo")
	$g_idexit = GUICtrlCreateButton("Exit", 150, 50, 50, 20)
	GUICtrlSetOnEvent($g_idexit, "OnExit")
	GUISetOnEvent($gui_event_close, "OnExit")
	GUISetState()
	While 1
		Sleep(1000)
	WEnd
EndFunc

Func onyes()
	MsgBox($mb_systemmodal, "You clicked on", "Yes")
EndFunc

Func onno()
	MsgBox($mb_systemmodal, "You clicked on", "No")
EndFunc

Func onexit()
	If @GUI_CtrlId = $g_idexit Then
		MsgBox($mb_systemmodal, "You clicked on", "Exit")
	Else
		MsgBox($mb_systemmodal, "You clicked on", "Close")
	EndIf
	Exit
EndFunc

 

 

@JohnReese: I explained that your expectations are unreasonable. I also gave 2 suggestions that get as close to your goal as possible but you don't like either of them. There's not much else I can help you with.

Posted

I have give up. Let this threat die.

Bartowski or whatever is your name. People here has understood my goal, you not maybe for my slag or you are just flaming who know. You are in this thread just for advertise your product not here for help or suggest, i'll write it in polish so you understand:

Jesteś tu tylko po to. Aby uzyskać rozgłos, nie będę korzystać z produktu

Stop with that, or continue i don't mind anymore. With my stupid hex editing i have stop at least myaut2exe but who cares at this point, i'm out.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...