About AHK Security

Get help with using AutoHotkey and its commands and hotkeys
User avatar
manehscripts
Posts: 101
Joined: 03 May 2019, 16:10

About AHK Security

29 May 2019, 17:30

Hello everybody,

I'm developing a test-to-learn project, I'm doing my best to finish it, but I've been thinking about the security issue of all the code I've already developed. I have found an AHK-Obfuscator (https://www.everfastaccess.com/AHK-Obfuscator/), where I have adapted all of my code, but I still have some doubts about whether my .exe file will be safe.
I was wondering if the compilation I make with Ahk2Exe.ahk is the most correct way in regards to security, or will it be that I need to migrate to a Visual Studio maybe, or other.
In my test, I make a database connection, and if that security does not exist, someone can have access and all my work goes into the trash. I've also looked for decompilers, and have not found anything yet that will show me that I can reverse what I've produced, a reverse engineering maybe, does anyone know if it exists?

I would really like the help of someone who has already done it or know how to protect themselves in the best way possible.

I'm currently working with AutoHotkey_H v1 Unicode 64-bit version 1.1.30.3, and taking advantage of ...
Does anyone know how to customize the executable, so that the data that is presented with below can be changed?
Screenshot_1.png
Screenshot_1.png (3.75 KiB) Viewed 257 times
User avatar
Gio
Posts: 639
Joined: 30 Sep 2013, 10:54
Location: Brazil

Re: About AHK Security

29 May 2019, 18:01

There are many things you can do to try and hide source code information from a hacker (but be advised: security is just like the height of a wall: there are always some practical limits and perhaps even problems to applying too many methods). Here a few examples:

1. Obfuscator (you are using already).
2. An executable packer (some packers are pretty hard to unpack, but do check if the source code is not visible afterwards). Hint: don't use mpress.
3. Separation of the sensitive information (in example: create a DLL file using visual studio and have the script call a function in it to retrieve the info).
4. Use an encrypted connection to the database engine (this avoids a bogus DLL attack).

Does anyone know how to customize the executable, so that the data that is presented with below can be changed?
HexEdit should be enougth if you know the structure of a PE file (hint: always keep the same string lengths of the info you change). PE Explorer might do it aswell, with the added benefit of some UI controls.
guest3456
Posts: 2556
Joined: 09 Oct 2013, 10:31

Re: About AHK Security

29 May 2019, 18:22

if you ask in the AHK_H subforum, then HotKeyIt can help you better to make the script more secure and harder to decompile

but no solution is 100%. usually you are better off focusing your marketing and advertising on the customers who value your product and want to pay for it.

(i sell a compiled ahk script but i use AHK_Basic and the old HotKeyCamo compiler)

User avatar
manehscripts
Posts: 101
Joined: 03 May 2019, 16:10

Re: About AHK Security

29 May 2019, 18:48

Gio wrote:
29 May 2019, 18:01
There are many things you can do to try and hide source code information from a hacker (but be advised: security is just like the height of a wall: there are always some practical limits and perhaps even problems to applying too many methods). Here a few examples:

1. Obfuscator (you are using already).
2. An executable packer (some packers are pretty hard to unpack, but do check if the source code is not visible afterwards). Hint: don't use mpress.
3. Separation of the sensitive information (in example: create a DLL file using visual studio and have the script call a function in it to retrieve the info).
4. Use an encrypted connection to the database engine (this avoids a bogus DLL attack).

Does anyone know how to customize the executable, so that the data that is presented with below can be changed?
HexEdit should be enougth if you know the structure of a PE file (hint: always keep the same string lengths of the info you change). PE Explorer might do it aswell, with the added benefit of some UI controls.
Hello! :wave:
Your tip is very interesting. Unfortunately my programming level is not so good, although I'm in the maximum endeavor to learn.

An executable packer: I'm using Ahk2Exe.ahk loaded in 64bit AutoHotkey.exe on (ahkdll-v1-release-master), it opens a window to which I create .exe (this is reliable?) My question is really whether I keep compiling like this, or I need migrate to another program (I'll have to learn from scratch, but I can do it).

Separation of the sensitive information: In this case is another case to study, Idk how to create the .dll

Use an encrypted connection to the database engine: Obfuscator encrypts the information I need, and between them is the data access to my database. Does this become safe?

And I don't quite understand the HexEdit, what file do I need to access to change this information that is displayed in the compiled .exe? Ahk2Exe.ahk? (I know I could go and look at the file, but at the moment I can't do that, and I did not resist wanting to know :lol: )!
guest3456 wrote:
29 May 2019, 18:22
if you ask in the AHK_H subforum, then HotKeyIt can help you better to make the script more secure and harder to decompile

but no solution is 100%. usually you are better off focusing your marketing and advertising on the customers who value your product and want to pay for it.

(i sell a compiled ahk script but i use AHK_Basic and the old HotKeyCamo compiler)
After your tip, I thought about creating a new publication in the AHK_H subforum, but although I'm using the AHK_H version, this doubt might be interesting for any version (I believe). Anyway, if the protection of the AHK_H is different I'll created a new one where you recommended, thank you! ;)

Yes, I'll be focusing on marketing for my target audience, but the problem I run is not far from me if I can do just that, on the contrary, my target audience will be more interested in wanting to access my information and recreate based on my work, or else access my database to cause a big mess! :(
-----------------------------------------------------------
Stop to think, shut up to resist, and act to win!
guest3456
Posts: 2556
Joined: 09 Oct 2013, 10:31

Re: About AHK Security

30 May 2019, 01:44

the protection in AHK_H is different. you can create a customized password to prevent Ahk2exe decompilation. You can also create a whole custom function even to hide the password. Also you could use the dll and download the script from a website instead of including it into the executable. for example, first do your license check, and then if the license is accepted, then download the encrypted script code and pipe it into the ahkdll and have it run dynamically. this could still be intercepted by memory readers of course.


Return to “Ask For Help”

Who is online

Users browsing this forum: Albireo, Bing [Bot], MannyKSoSo, sinkfaze, steffen, swagfag and 148 guests