Author Topic: How are these AutoHotkey script protected? (Read 34736 times)

vbmark · « **on:** December 02, 2013, 07:20 PM »

Hello,

I've been researching how to protect my AHK script from decompiling. I understand that any binary can be decompiled but I'm not talking about people looking at an exe file's assembly language. I'm talking about people taking my compiled AHK script dropping it in to a decompiler and seeing the entire script plain as day. So I'd given up on script protection and even considered <gasp> leaving AutoHotkey </gasp>.

But then I came across this page https://www.donationcoder.com/Software/Skrommel/index.html

I know the source script is readily available, but out of curiosity, I took a compiled exe and dropped it in to the decompiler and decompiler replied...

<Could not find pattern: >
<File seems not to be a valid compiled AHK Script or it uses an unknown protection.>

So I dropped some of the exe files into PEiD and it says: Microsoft Visual C++ 7.0 [Overlay]

So what is that? Are these complied AHK scripts or C++ programs? And if they are AHK scripts are they protected by something? If so what?

Thanks!

4wd · « **Reply #1 on:** December 02, 2013, 08:11 PM »

Looks like they've been compressed with UPX, (usually an option when compiling both AutoHK and AutoIT).

Generally, now on DC for any scripts we write in AutoHK/AutoIT we don't compress with UPX after compiling due to the number of false positives given by AV software, (see here).

AV tends to regard almost anything packed with UPX as "possibly nasty" but here, I'll let mouser explain: mouser's pet peeve

[Oooppss! That was his anti-AutoIT pet peeve - oh well, holds true for his other ones

]

vbmark · « **Reply #2 on:** December 02, 2013, 08:23 PM »

I don't think it is UPX and here is why:

1. I can decompile AHK scripts compressed with UPX but I can't decompile these.

2. PEiD says "Nothing found *" on UPX packed scripts. Whereas on the Skrommel exe files PEiD says, Microsoft Visual C++ 7.0 [Overlay].

However, it is possible that UPX was used with some command line arguments that I am unaware of but I doubt.

4wd · « **Reply #3 on:** December 02, 2013, 08:50 PM »

Sorry, my bad - it just happened the first couple I got were UPX'd.

justice · « **Reply #4 on:** December 03, 2013, 05:35 AM »

Interesting question!
AutoHotkey scripts are interpret on runtime, the AHK runtime is bundled inside the .exe file and then interprets the script after 'unpacking' it from the .exe. Because of this any binary protection solution I've tried doesn't process AHK .exe files because it 'breaks out' the files and then evaluates. (my layman's understanding).

So I was under the impression that it wasn't possible, unless there is a AHK compiler that actually compiles AHK to exe files that do not require interpretation..

EDIT: perhaps it's using http://www.ironahk.net/docs/autohotkey/ IronAHK:

Security

When scripts are compiled the source code is not attached to the binary file so it cannot be decompiled. This is unlike AutoHotkey which stores a full copy of the script with the compiled .exe which can be extracted and decrypted or read from process memory when it is executed.

mouser · « **Reply #5 on:** December 03, 2013, 06:48 AM »

I don't think they are actively protected/obfuscated. Would be kind of silly given that the source code versions are also made available by skrommel.

I think it might be that they have been run through something that gives them a custom icon?

vbmark · « **Reply #6 on:** December 03, 2013, 06:49 AM »

...perhaps it's using http://www.ironahk.net/docs/autohotkey/ IronAHK
-justice (December 03, 2013, 05:35 AM)

Unfortunately you may be right. I compiled the hello world example, tried to decompile it, and got the message:

<Could not find pattern: >
<File seems not to be a valid compiled AHK Script or it uses an unknown protection.>

I say unfortunately because that seems to be an abandoned project not updated since 2010-10-24 and it will not compile more complex recent scripts.

vbmark · « **Reply #7 on:** December 03, 2013, 06:53 AM »

I don't think they are actively protected/obfuscated. Would be kind of silly given that the source code versions are also made available by skrommel.
-mouser (December 03, 2013, 06:48 AM)

Maybe, if IronAHK was just his normal compiler then he didn't do it with the intention of obfuscation but just out of routine/habit.

I think it might be that they have been run through something that gives them a custom icon?
-mouser (December 03, 2013, 06:48 AM)

Can you tell me more about this? I'll give it a try.

MilesAhead · « **Reply #8 on:** December 03, 2013, 07:46 AM »

Also you might ask Lexicos. He's the author of Autohotkey_L. He may have some insights.

justice · « **Reply #9 on:** December 03, 2013, 07:58 AM »

Can you tell me more about this? I'll give it a try.
-vbmark (December 03, 2013, 06:53 AM)

Compile_AHK II
http://www.autohotke...-who-compile/page-30
Latest version at the end of the thread, explanation at the start.

vbmark · « **Reply #10 on:** December 03, 2013, 12:13 PM »

Compile_AHK II
http://www.autohotke...-who-compile/page-30
Latest version at the end of the thread, explanation at the start.
-justice (December 03, 2013, 07:58 AM)

OK, this is really interesting. I'm not sure what's going on but I cannot decompile a script compiled with this tool.

I have disabled all compressors, mpress and UPX, but I still cannot decompile. However, the bad news is that VirusTotal is still showing one false virus.

But this is farther than I've gotten before. I'm going to start studying the threads and see if I can get this last issue settled and this will be golden.

Thanks!!!

MilesAhead · « **Reply #11 on:** December 03, 2013, 08:46 PM »

I saw some mention that AHK_L can be decompiled with this:
https://gist.github.com/Uberi/3334552

I haven't tried it yet though.

app103 · « **Reply #12 on:** December 04, 2013, 04:59 AM »

Copied from the Help file of the version of AHK that I have installed:

A script compiler (courtesy of Jonathan Bennett's AutoIt v3 source code) is included with the program. AutoIt v2 scripts are not supported, so if necessary, first auto-convert your .aut file to .ahk.

Once a script is compiled, it becomes a standalone executable; that is, it can be used even on machines where AutoHotkey is not installed (and such EXEs can be distributed or sold with no restrictions). The compilation process compresses and encrypts all of the following: the script, any files it includes, and any files it has incorporated via the FileInstall command.

Compiling does not improve the performance of a script. In fact, a compiled script is slightly slower to launch because it must first be decrypted and decompressed into memory, after which it is optimized just like a normal script.

Ahk2Exe can be used in the following ways:

1. GUI Interface: Run the "Convert .ahk to .exe" item in the Start Menu. In v1.0.46.10+, the password N/A may be specified within the GUI interface to prevent exe2ahk from being able to decompile the script. This works only in the GUI interface; for the command line, use the /NoDecompile switch instead.

2. Right-click: Within an open Explorer window, you can right-click any .ahk file and select "Compile Script" (only available if the script compiler option was chosen when AutoHotkey was installed). This creates an EXE file of the same base filename as the script, which appears after a short time in the same directory. Note: The EXE file is produced using the same custom icon and compression level that was last used by Method #1 above and it will not have a password.

3. Command Line: The compiler can be run from the command line with the following parameters:
Ahk2exe.exe /in MyScript.ahk [/out MyScript.exe][/icon MyIcon.ico][/pass password][/NoDecompile]

For example:
Ahk2exe.exe /in "MyScript.ahk" /icon "MyIcon.ico" /pass "CustomPassword" /NoDecompile

Usage:

Parameters containing spaces should be enclosed in double quotes.
If the "out" file is omitted, the EXE will have the same base filename as the script itself.
In v1.0.46.10+, the /NoDecompile switch (if present) prevents exe2ahk from being able to decompile the script even when the correct password is given. This provides an additional layer of protection that goes beyond having a long, elaborate password.

Notes:

If you plan to distribute your EXE and don't want anyone to be able to view the source code of your script, you get the maximum protection by compiling at the command line with the /NoDecompile switch, and also specifying a long, elaborate password. A password's maximum length is 64 characters.
The commands #NoTrayIcon and "Menu, Tray, ShowMainWindow" affect the behavior of compiled scripts.
An EXE can be decompiled to retrieve the original script by downloading Exe2Ahk (this utility should be run from the command prompt). However, any comments originally present (semicolon or /**/) will be lost.
Compiled scripts can be reduced in size by about 20 KB by placing this smaller version of the AutoHotkeySC.bin file in your AutoHotkey\Compiler folder (overwriting the existing file of the same name). Any compiled script produced in this fashion will be dependent on MSVCRT.dll. Although this DLL is always present on Windows 2000/XP or later, older operating systems do not necessarily have it.
Custom version info (as seen in Explorer's file-properties dialog) can be added to your compiled scripts by using a utility such as Resource Hacker (freeware) to edit the file "AutoHotkeySC.bin". This file is contained in the "compiler" subfolder where AutoHotkey was installed. Note: Resource Hacker will corrupt compiled scripts, which is why only the AutoHotkeySC.bin file should be edited.
The method above can also be used to change existing icons or add new ones to all compiled scripts.
The built-in variable A_IsCompiled contains 1 if the script is running in compiled form. Otherwise, it is blank.
If you do not wish your compiled scripts to be compressed, delete or rename the file "upx.exe" in AutoHotkey's "Compiler" folder.
When parameters are passed to Ahk2Exe, a message indicating the success or failure of the compiling process is written to stdout. Although the message will not appear at the command prompt, it can be "caught" by means such as redirecting output to a file. [v1.0.43+]

vbmark · « **Reply #13 on:** December 04, 2013, 07:29 AM »

I saw some mention that AHK_L can be decompiled with this:
https://gist.github.com/Uberi/3334552

I haven't tried it yet though.
-MilesAhead (December 03, 2013, 08:46 PM)

That is what I use to decompile everything. But it does not work on anything I compile with this:

https://www.donationcoder.com/Software/Skrommel/index.html

You can read the details about my trying is here: https://www.donationcoder.com/forum/index.php?topic=36672.msg343309#msg343309

vbmark · « **Reply #14 on:** December 04, 2013, 07:31 AM »

Copied from the Help file of the version of AHK that I have installed:
-app103 (December 04, 2013, 04:59 AM)

The Password and NoDecompile options do nothing to prevent decompilation.

skwire · « **Reply #15 on:** December 04, 2013, 08:31 AM »

The Password and NoDecompile options do nothing to prevent decompilation.
-vbmark (December 04, 2013, 07:31 AM)

To be fair, they used to. Lexikos (current AHK dev) took out that functionality in v1.1.01+.

app103 · « **Reply #16 on:** December 04, 2013, 08:06 PM »

The Password and NoDecompile options do nothing to prevent decompilation.
-vbmark (December 04, 2013, 07:31 AM)

To be fair, they used to. Lexikos (current AHK dev) took out that functionality in v1.1.01+.
-skwire (December 04, 2013, 08:31 AM)

Skrommel hasn't been around in awhile, so his stuff is very likely compiled with an older version where those options still existed.

skwire · « **Reply #17 on:** December 04, 2013, 08:20 PM »

Skrommel hasn't been around in awhile, so his stuff is very likely compiled with an older version where those options still existed.
-app103 (December 04, 2013, 08:06 PM)

Exactly...

vbmark · « **Reply #18 on:** December 05, 2013, 05:53 AM »

I've not been able to decompile any scripts that I've compiled with this tool:

http://www.autohotke.../page-30#entry622493

MilesAhead · « **Reply #19 on:** December 05, 2013, 07:54 AM »

After reading Lexicos's comments that any resource tool could look at an ahk script(not using countermeasures) I loaded a compiled AHK_L script into Reshacker. Clicking around I got to the script text. From there it was copy and paste.

vbmark · « **Reply #20 on:** December 05, 2013, 08:05 AM »

not using countermeasures
-MilesAhead (December 05, 2013, 07:54 AM)

Yes. But that's pretty common knowledge and I don't think anyone is arguing against that fact.

MilesAhead · « **Reply #21 on:** December 05, 2013, 10:39 AM »

not using countermeasures
-MilesAhead (December 05, 2013, 07:54 AM)
Yes. But that's pretty common knowledge and I don't think anyone is arguing against that fact.
-vbmark (December 05, 2013, 08:05 AM)

I dunno'. I use a certain scripting language that bans people from their forums if they get wind of them using the 'D' word.

wraith808 · « **Reply #22 on:** December 05, 2013, 12:14 PM »

What language is that, if you don't mind me asking?

MilesAhead · « **Reply #23 on:** December 05, 2013, 02:20 PM »

What language is that, if you don't mind me asking?
-wraith808 (December 05, 2013, 12:14 PM)

http://www.autoitscr...wiki/Decompiling_FAQ

vbmark · « **Reply #24 on:** December 05, 2013, 02:43 PM »

It looks as though some have discovered a way to prevent AutoIt from being decompiled. (Although you are not allowed to talk about that on the AutoIt forum.)