AHK Script Encryption Topic is solved

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
Zoanthario
Posts: 16
Joined: 10 Nov 2019, 13:22

Re: AHK Script Encryption

13 Nov 2019, 14:54

@guest3456 I tried HotKeyCamo but I don't get how to use it's own compiler, it requires to browse for an external compiler, I choosed A2ECamo.exe but I got the error : failed to locate UPX
Is there a specific compiler for HotKeyCamo or it uses other compilers like UPX?
guest3456
Posts: 3454
Joined: 09 Oct 2013, 10:31

Re: AHK Script Encryption

13 Nov 2019, 18:44

Zoanthario wrote:
13 Nov 2019, 14:54
@guest3456 I tried HotKeyCamo but I don't get how to use it's own compiler, it requires to browse for an external compiler, I choosed A2ECamo.exe but I got the error : failed to locate UPX
Is there a specific compiler for HotKeyCamo or it uses other compilers like UPX?
ehhh i just leave both the "Compiler" and "Bin File" fields empty

i'm not sure how exactly i have it configured, but it looks like clicking Help->Requirements gives some info saying that it looks for both the Ahk2exe compiler and SC.bin in this default folder: %ProgramFiles%\AutoHotkey\Compiler\

and UPX isn't a compiler, its a compressor after the exe is already compiled, and i have it in that same default folder too

remember its for AHK Basic 1.0 only

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: AHK Script Encryption

13 Nov 2019, 21:33

Zoanthario wrote:
13 Nov 2019, 14:46
@SOTE
SOTE wrote:
11 Nov 2019, 23:26
I lean towards Encryptor by FeiYue (for AutoHotkey_L) or AutoHotkey_H being the better ways to protect code versus obfuscation. In the case of FeiYue's Encryptor, it will likely be easier for casual or newer users of AutoHotkey to use, though a user might want to eventually replace the machine code used with their own machine code as they become more advanced. The AutoHotkey_H fork would also be an option for more advanced or adventurous users looking for something a little extra.
Actually I know a way of decryption for FeiYue's encryptor, besides that it only works with ahk files without compiling them which doesn't allow to use the program as an exe file.
I think you are mistaken. If you are referring to Garry's "decompiler" (EXE2AHK), it doesn't decrypt the script of a FeiYue encryptor .exe, an it just works on normal AutoHotkey .exe files. It is possible to "decrypt" Encryptor files, but not in an obvious way for casual users. Secondly, FeiYue's encrpytor does "compile" files and produces an .exe. So I'm not sure what you mean by it only works with .ahk files. You might want to reread the instructions on his thread about how to use it.

For AutoHotkey_L, FeiYue's method is arguably a very good way to go. The next level up, above FeiYue's Encryptor, would be AutoHotkey_H. Casual users are not going to easily crack it nor are 98% of users spending large amounts of time trying. If a person is so focused on software protection, they might want to consider buying some type of 3rd party professional protection or wrap the AutoHotkey exe inside another executable of a different and compiled programming language.

You could also use Digidon's Obfuscator (https://www.autohotkey.com/boards/viewtopic.php?t=49887), but the methods of obfuscation are well published, opening it up for medium to advanced users to create deobfuscator scripts or understand the method enough to somewhat be able to read the code. Whether it's Digidon's Obfuscator or FeiYue's Encryptor, they are mainly just deterrents against casuals and non-professionals.

However, a person could improve upon Digidon's method or make their own variation. To understand this methodology a bit more or to see how far it can be taken, a person could look at PELock, which is a professional obfuscator made for AutoIt (and other languages like Basic and Pascal). This does more than just obfuscation, but is also a license management system with time-trials. Google search PELock to find out more, I won't link them here, as I'm not promoting their product. Another product that has been mentioned on the forums is Enigma Protector, so you might want to look them up too.

When people are referring to "script protection", this has different degrees. Are you referring to protection against casuals, or are you looking for professional grade protection against high level hackers/crackers? The issue about that is it's unlikely you will stop very knowledgeable programmers from cracking your program. Think of all the companies with expensive products that have tried and failed. This includes many "smart" malware programmers that have Anti-Virus professionals crack their bad programs too or help put them in jail. Methods for cracking and reverse engineering programs are numerous and long. There are so many tools out there.

To get professional grade protection for a software product could cost hundreds of dollars, and the number of users that need such high level protection are very few. Arguably, what many people making professional products do is get a copyright, so that they have legal protection. Legal protection is just as much a deterrent as software protection, because you can sue people who are violating your copyright and stop them from making any money off of you.

Joe Glines AutoHotkey Webinar On Protecting your IP
https://youtu.be/hS4tiHq3jXk (part 1)
https://youtu.be/P8sN5FNSm_8 (part 2)

If you are using an interpreted language like AutoHotkey, there is only so much you can do, in terms of software protection. And it's not just AutoHotkey that is in this boat, but also languages such as AutoIt, JavaScript, Java, Python, etc... You might be better off programming in truly compiled languages like C/C++, Object Pascal/Delphi, Go, etc... Even then, high level hackers/crackers/professional programmers have reverse engineering tricks up their sleeves that have pissed off and frustrated many software protection methods.
pneumatic
Posts: 338
Joined: 05 Dec 2016, 01:51

Re: AHK Script Encryption

26 Nov 2019, 22:55

Here is how I imagine a solution might work:

1. Encrypt your .ahk file using jNizM's CNG API.

2. In ahk's script.cpp, rewrite OpenIncludedFile() to decrypt your script, eg:

https://github.com/Lexikos/AutoHotkey_L/blob/master/source/script.cpp#L1501 wrote:

Code: Select all

ts.Open(textbuf, TextStream::READ | TextStream::EOL_CRLF | TextStream::EOL_ORPHAN_CR, CP_UTF8);
Replace with:

Code: Select all

ts.Open(Decrypt(textbuf), TextStream::READ | TextStream::EOL_CRLF | TextStream::EOL_ORPHAN_CR, CP_UTF8);

3. Implement Decrypt() in script.cpp by porting jNizm's CNG to C++, using the same iv and key used in (1).

4. Compile ahk per instructions here, using the "self-contained" configuration which should produce a .bin file.

5. Compile your encrypted .ahk file with AHK2EXE tool using the .bin file from (4).

As I have zero experience with C++, step (3) is virtually impossible for me. Can anyone help?

Also I'm not sure how ahk works internally, whether this would even work or if ahk reads the undecrypted textstream elsewhere.
guest3456
Posts: 3454
Joined: 09 Oct 2013, 10:31

Re: AHK Script Encryption

26 Nov 2019, 23:55

pneumatic wrote:
26 Nov 2019, 22:55
Here is how I imagine a solution might work:
AHK_H does something like this. I don't know exactly how it works, you'd have to ask HotKeyIt

but the AHK_H compiler encrypts the script based on the password you set. Then within the AHK_H source you match the same password so that the interpreter can decrypt it internally

see here for more info:
https://www.autohotkey.com/boards/viewtopic.php?f=67&t=6013

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: AHK Script Encryption

27 Nov 2019, 00:47

pneumatic wrote:
26 Nov 2019, 22:55
Here is how I imagine a solution might work:

1. Encrypt your .ahk file using jNizM's CNG API.

2. In ahk's script.cpp, rewrite OpenIncludedFile() to decrypt your script, eg:

3. Implement Decrypt() in script.cpp by porting jNizm's CNG to C++, using the same iv and key used in (1).

4. Compile ahk per instructions here, using the "self-contained" configuration which should produce a .bin file.

5. Compile your encrypted .ahk file with AHK2EXE tool using the .bin file from (4).

As I have zero experience with C++, step (3) is virtually impossible for me. Can anyone help?

Also I'm not sure how ahk works internally, whether this would even work or if ahk reads the undecrypted textstream elsewhere.
Seems like you might want to try AutoHotkey_H first (https://www.autohotkey.com/boards/viewforum.php?f=65). Their sub-forum also includes a step-by-step guide for compiling C++ source code (https://www.autohotkey.com/boards/viewtopic.php?f=65&t=62308)

It will put you on the path of a lot of what you appear to want to do. After gaining that experience, you then can decide if you want to customize a solution even more. Though I would think, for the vast majority, AutoHotkey_H will satisfy their requirement or need.

Also, it's beyond the scope of this sub-forum and topic to teach C++. Maybe you want to go to the AutoHotkey C/C++ sub-forum and post your question there- https://www.autohotkey.com/boards/viewforum.php?f=75

AutoHotkey is an interpreted language (like JavaScript, Python, Lua, Java, etc...). That means that at some point the interpreter (to include various Anti-Virus software) will be able to see and read your script. The script must be decrypted for the interpreter, in order to work.

If you are so overly concerned with "maximum security", then you might want to write the entire program in a compiled language. Like write it directly in C/C++, Object Pascal, Rust, Go, etc... Though even then, there are decompilers (like Ghidra) that give quality pseudo C code and disassemblers that give Assembly code (and some people are good at reading that).

With that typed, you could write just certain functions of your code in C/C++. That is why AutoHotkey also has MCode: (https://www.autohotkey.com/boards/viewtopic.php?t=32)- MCode Tutorial (Compiled Code in AHK)
(https://www.autohotkey.com/boards/viewtopic.php?f=6&t=4642)- MCode4GCC -- C/C++ to MCode Generator

MCode is used with FeiYue's Encryptor- https://www.autohotkey.com/boards/viewtopic.php?t=42494, which is designed for AutoHotkey_L. You can replace his MCode with your own MCode. With FeiYue's Encryptor, you are using the standard AutoHotkey_L and it's AHK2EXE.

I mention all of this, to help you not try to reinvent the wheel. The existing tools might satisfy your requirements.
pneumatic
Posts: 338
Joined: 05 Dec 2016, 01:51

Re: AHK Script Encryption

27 Nov 2019, 16:26

SOTE wrote:
27 Nov 2019, 00:47
Seems like you might want to try AutoHotkey_H first
you might want to write it directly in C/C++, Object Pascal, Rust, Go, etc...

Unfortunately I can't do this as I've already written 40,000+ lines in AHK_L. I'm even locked into using v1.1.24.03 as I can't trust later versions won't break something.

SOTE wrote:
27 Nov 2019, 00:47
The script must be decrypted for the interpreter, in order to work.

Yeah, I'm starting to see the problem. I mean, even if we were to successfully hide the encryption key inside ahk, ahk is still decrypting the whole script and then loading it in memory as plaintext, which could be dumped.

It seems ahk would have to load the whole script into memory in an encrypted format, then decrypt each line in real time as it executes. But then it would probably be obvious where it's reading the key from before each line, and I'm guessing performance would be bad too.


I might go with this solution. Even though mcode lives inside the .ahk file as plaintext, at least it should be difficult to reverse the mcode back into C++ and get the key, if sufficient obfuscation is used.

Thanks.
Last edited by pneumatic on 27 Nov 2019, 21:05, edited 1 time in total.
guest3456
Posts: 3454
Joined: 09 Oct 2013, 10:31

Re: AHK Script Encryption

27 Nov 2019, 19:44

pneumatic wrote:
27 Nov 2019, 16:26
SOTE wrote:
27 Nov 2019, 00:47
Seems like you might want to try AutoHotkey_H first
Unfortunately I can't do this as I've already written 40,000+ lines in AHK_L. I'm even locked into using v1.1.24.03 as I can't trust later versions won't break something.
AutoHotkey_H is a superset of AHK_L. So your script for _L should work fine for _H
You can get _H version 1.1.24.03 here:
https://github.com/HotKeyIt/ahkdll-v1-release/tree/312bf80dcd72a4814c86b9bba22e7ae636cafdb0

pneumatic
Posts: 338
Joined: 05 Dec 2016, 01:51

Re: AHK Script Encryption

27 Nov 2019, 20:29

guest3456 wrote:
27 Nov 2019, 19:44
pneumatic wrote:
27 Nov 2019, 16:26
SOTE wrote:
27 Nov 2019, 00:47
Seems like you might want to try AutoHotkey_H first
Unfortunately I can't do this as I've already written 40,000+ lines in AHK_L. I'm even locked into using v1.1.24.03 as I can't trust later versions won't break something.
AutoHotkey_H is a superset of AHK_L. So your script for _L should work fine for _H
You can get _H version 1.1.24.03 here:
https://github.com/HotKeyIt/ahkdll-v1-release/tree/312bf80dcd72a4814c86b9bba22e7ae636cafdb0
Thanks!

According to release notes, it seems I still need to modify the source code though - is my understanding correct, or did this get changed in later versions?
guest3456
Posts: 3454
Joined: 09 Oct 2013, 10:31

Re: AHK Script Encryption

27 Nov 2019, 20:36

pneumatic wrote:
27 Nov 2019, 20:29
Thanks!

According to release notes, it seems I still need to modify the source code though - is my understanding correct, or did this get changed in later versions?
you can compile your ahk script and use the default password of "AutoHotkey" for the encryption. that requires no modifications. just download the release files linked.

if you want to change that PW (or add better encryption), you need to change it internally within the AHK source, which is simply a matter of changing some strings and offsets within the AHK_H source. i've done it without any c++ knowledge before. this thread helps:
https://www.autohotkey.com/boards/viewtopic.php?f=65&t=62308

i will be doing it again soon to try to get better source code protection as i finally leave AHK Basic behind for my app. like you, i too am wary and conservative with production code, but i've stayed mainly because AHK Basic has offered the best protection

pneumatic
Posts: 338
Joined: 05 Dec 2016, 01:51

Re: AHK Script Encryption

27 Nov 2019, 21:03

guest3456 wrote:
27 Nov 2019, 20:36
you can compile your ahk script and use the default password of "AutoHotkey" for the encryption. that requires no modifications. just download the release files linked.

if you want to change that PW (or add better encryption), you need to change it internally within the AHK source, which is simply a matter of changing some strings and offsets within the AHK_H source. i've done it without any c++ knowledge before. this thread helps:
https://www.autohotkey.com/boards/viewtopic.php?f=65&t=62308

i will be doing it again soon to try to get better source code protection as i finally leave AHK Basic behind for my app. like you, i too am wary and conservative with production code, but i've stayed mainly because AHK Basic has offered the best protection
Cool. So if I use a password with the same size as "AutoHotkey" (eg. "abcde12345"), I don't need to modify anything except line 3300 here? :

https://github.com/HotKeyIt/ahkdll/blob/master/source/util.cpp#L3300

On another note, I just installed Visual Studio Community 2015 (what an ordeal) and managed to successfully compile AHK_L!
guest3456
Posts: 3454
Joined: 09 Oct 2013, 10:31

Re: AHK Script Encryption

27 Nov 2019, 21:34

pneumatic wrote:
27 Nov 2019, 21:03
Cool. So if I use a password with the same size as "AutoHotkey" (eg. "abcde12345"), I don't need to modify anything except line 3300 here? :

https://github.com/HotKeyIt/ahkdll/blob/master/source/util.cpp#L3300

On another note, I just installed Visual Studio Community 2015 (what an ordeal) and managed to successfully compile AHK_L!
correct i believe so

pneumatic
Posts: 338
Joined: 05 Dec 2016, 01:51

Re: AHK Script Encryption

29 Nov 2019, 23:30

So I managed to recompile AHK_H in VS2017 with a custom encryption password.

It works! But ultimately I might not use it. Here's why...

1. For large scripts (eg. 40,000 lines) decryption on exe launch is slow. Around 3-4 seconds with CPU pegged at 100% on an i7-4790k. On a low spec system (eg. dual core laptop) this could be a long wait. If I could put up a splash screen letting the user know it's loading, maybe that would be acceptable. Since my script runs at Windows startup too, that's a 3-4 second 100% CPU burst at every Windows startup. That snappy instant portable feeling of ahk is lost a bit. Though once the script is running, performance appears to be fine and normal.

2. Possible reliability issues. I believe _L has been more rigorously tested as its userbase is larger. VarSetCapacity works differently on AHK_H and needs to be carefully adjusted. I'm still not sure how it works, whether I should blank vars or use fillbyte=0. A random anecdote about _H not working on some systems https://www.autohotkey.com/boards/viewtopic.php?f=65&t=64377 . Reliability is super important for me and I have confidence in _L. To put a question mark on reliability at the last minute just doesn't sit well with me.

3. I'm able to improve security a little bit in _L by modifying the source to read an obfuscated payload in RCDATA. Combined with validating the .exe's checksum on launch, provides a little bit of added security.

I may still go with _H, but I find that merely having the option of encryption at hand makes me psychologically more comfortable with not encrypting it.
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: AHK Script Encryption

30 Nov 2019, 00:02

"Combined with validating the .exe's checksum on launch"

Can you tell us more about this?
pneumatic
Posts: 338
Joined: 05 Dec 2016, 01:51

Re: AHK Script Encryption

30 Nov 2019, 01:57

AHKStudent wrote:
30 Nov 2019, 00:02
Can you tell us more about this?
There are 2 ways I know of. First is to generate an encrypted hash of the exe using jNizM's encryption library, store it on disk, then on program launch compare the encrypted hash of the exe to the one on disk. Other way is to use Windows signtool to digitally sign the exe with a certificate. However I'm unable to get it to work following these instructions (the creation of the certificate fails with some generic "unable to create" error).

Keep in mind validating the checksum is useless if your source code is exposed as the attacker can just remove that part of your script. Assuming they haven't recovered the source code, it might be useful to stop file aggregator sites from packing malware into your executable.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: AHK Script Encryption

30 Nov 2019, 04:19

pneumatic wrote:
30 Nov 2019, 01:57
AHKStudent wrote:
30 Nov 2019, 00:02
Can you tell us more about this?
There are 2 ways I know of. First is to generate an encrypted hash of the exe using jNizM's encryption library, store it on disk, then on program launch compare the encrypted hash of the exe to the one on disk. Other way is to use Windows signtool to digitally sign the exe with a certificate. However I'm unable to get it to work following these instructions (the creation of the certificate fails with some generic "unable to create" error).

Keep in mind validating the checksum is useless if your source code is exposed as the attacker can just remove that part of your script. Assuming they haven't recovered the source code, it might be useful to stop file aggregator sites from packing malware into your executable.
As a protective measure, many websites and companies give users the MD5 or SHA hash number for their .exe/zip. It can be via the website or by e-mail. Though you should be clear for which the hash pertains to, the .exe or .zip, as they can be different. Before users buy, download, or use your program, you can give a clear warning to check the MD5/SHA hash and various websites they can get authentic hash checking programs from or make one yourself that they can download.

The issue about your program having a self-checking hash, is that if your program gets cracked, that will obviously be removed. Where if authentic users are encouraged to download a hash checker from your website, company server, or 3rd parties, this will make it much harder for a hacker/cracker to defend against this type of verification. Also any update program that is downloaded from your website or server, if it does the check, will also make it a bit harder for hackers/crackers to defeat. This includes if they attempt to put up cracked versions on BitTorrent, as those will fail authentication by your update software from your website, server, or sent by e-mail.

You can buy legit Code Signing Certificates from 3rd party companies (e-mail the company and check their website to verify) and they can have easy to use Signing Utility software. Google search it. So the process can be pretty quick and painless, if you want to go that route instead.

Another part of what you are saying is why copyright protection is important, so that you also have legal options. If you find that a hacker/cracker has put a cracked version of your software on their website, you can notify their ISP to take their website down. In this case, Google or Bing is your friend, in searching for rogue websites containing your cracked software. And you can attempt to sue the offenders or hold their ISP accountable.

Your legitimate business customers, school, or company will usually not be the issue. They should know you or know your website. They usually wouldn't be programmers (so have no clue how to crack software) nor would they usually be that type of criminal. The type of lawless people that use cracked software or those spending tremendous amounts of time cracking software, would not be your customers or users. They would always be outside of your circles, where you can do little about them, except to attempt legal actions.
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: AHK Script Encryption

30 Nov 2019, 05:43

Your legitimate business customers, school, or company will usually not be the issue. They should know you or know your website. They usually wouldn't be programmers (so have no clue how to crack software) nor would they usually be that type of criminal. The type of lawless people that use cracked software or those spending tremendous amounts of time cracking software, would not be your customers or users. They would always be outside of your circles, where you can do little about them, except to attempt legal actions.
"Software piracy, or the use of software not legitimately paid for and used according to license terms, is a worldwide epidemic. Statistics from the Business Software Alliance show that 42 percent of software installed globally is not properly licensed, resulting in lost revenue of over $63 billion"

If the average software is 100 dollars, that's about 630 million installs that were stolen.

Is there a way to make the software connect to the web and verify the user and then temporary download encrypted items or to memory? I don't know a lot about this.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: AHK Script Encryption

30 Nov 2019, 09:28

AHKStudent wrote:
30 Nov 2019, 05:43
Your legitimate business customers, school, or company will usually not be the issue. They should know you or know your website. They usually wouldn't be programmers (so have no clue how to crack software) nor would they usually be that type of criminal. The type of lawless people that use cracked software or those spending tremendous amounts of time cracking software, would not be your customers or users. They would always be outside of your circles, where you can do little about them, except to attempt legal actions.
"Software piracy, or the use of software not legitimately paid for and used according to license terms, is a worldwide epidemic. Statistics from the Business Software Alliance show that 42 percent of software installed globally is not properly licensed, resulting in lost revenue of over $63 billion"

If the average software is 100 dollars, that's about 630 million installs that were stolen.

Is there a way to make the software connect to the web and verify the user and then temporary download encrypted items or to memory? I don't know a lot about this.
Lessons about piracy were learned by the music and movie industry long ago. Pirates weren't going to pay or they were too poor to pay. Hoping to stop or catch all of them is pointless. Usually law-abiding people will do the right thing and pay you or use the software properly. Where lawless criminals, won't. And very poor people who can't afford it, might resort to piracy, where those with money will often not care about what are minor expenditures for them. If you have a good product, then you can usually still make money, despite piracy. If you are using the software for your company or school, and hackers are running amok on your internal servers, you have more problems than just that single piece of cracked software. This is why music and movie companies have mostly given up embarrassing themselves trying to make up for imaginary losses of profit by suing poor grandmothers with an IP they thought might be in violation.

There is no method that is hackerproof. Hackers can victimize your website, just like they can desktop software. It's like asking for a guarantee that you will never get robbed or swindled in your life. The best you can do is use reasonable precautions.
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: AHK Script Encryption

30 Nov 2019, 09:47

@SOTE

Good points, I would add people who sell photos and videos also deal with people that use photos or videos they own without buying a licence.
pneumatic
Posts: 338
Joined: 05 Dec 2016, 01:51

Re: AHK Script Encryption

30 Nov 2019, 21:17

Another approach might be to compress your exe with a modified UPX which obfuscates its decompression to fool the payload method used by the ahk decompiler tool.

https://dl.packetstormsecurity.net/papers/general/Using_UPX_as_a_security_packer.pdf

Return to “Ask for Help (v1)”

Who is online

Users browsing this forum: FanaticGuru and 134 guests