topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Saturday October 5, 2024, 6:58 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: encrypted AHK script  (Read 10083 times)

ljbirns

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 229
    • View Profile
    • Donate to Member
encrypted AHK script
« on: January 19, 2010, 01:13 PM »
I have and AHK script that sends a text  password to open a program by my pressing a hotkey series . In the password GUI it shows as ******************
 But if anyone were to open the AHK file the password is in plain text. ( although you would have to know it is a password )
Is there a way to hide or encrypt the plain text in tha AHK file and yet have it work as the  password  to open the program ?

Lew

Lew

argv

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 45
    • View Profile
    • Donate to Member
Re: encrypted AHK script
« Reply #1 on: January 19, 2010, 02:24 PM »
Why not compiling the script and eventually compacting it with UPX (http://upx.sourceforge.net/)..

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
    • View Profile
    • Donate to Member
Re: encrypted AHK script
« Reply #2 on: January 19, 2010, 02:58 PM »
You can use any of the number of string encrypting functions on the AutoHotkey forums but if somebody has access to your source code, they can easily debug it right after your string is decrypted and see what your password is anyway.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: encrypted AHK script
« Reply #3 on: January 19, 2010, 03:44 PM »
Doesn't matter what you do, if the script is going to send the password somewhere, it can be catched somehow. Sure, you can compile the script - people will just unpack or dump from memory. You can encrypt the password and decrypt it runtime, but that can be dumped from memory as well. There's nothing you can do about it, really :)

Well, you could store the password in Windows "protected storage", and retrieve it from there - the protected storage is automatically available when you're logged in. That does mean that if you're logged in, it's again easy as eating pie to get at the password.
- carpe noctem

ljbirns

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 229
    • View Profile
    • Donate to Member
Re: encrypted AHK script
« Reply #4 on: January 19, 2010, 09:06 PM »
I compiled the script and put it on a flash drive. ( Strangely it took my three tries to compile.  Kept getting an error message.)
That should Thank you all for your help.
Lew

argv

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 45
    • View Profile
    • Donate to Member
Re: encrypted AHK script
« Reply #5 on: January 20, 2010, 09:41 AM »
Doesn't matter what you do, if the script is going to send the password somewhere, it can be catched somehow. Sure, you can compile the script - people will just unpack or dump from memory. You can encrypt the password and decrypt it runtime, but that can be dumped from memory as well. There's nothing you can do about it, really :)

You are right, but remember, locks are for honest people. Just compiling should do the trick for most of the users

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: encrypted AHK script
« Reply #6 on: January 20, 2010, 10:39 AM »
You are right, but remember, locks are for honest people. Just compiling should do the trick for most of the users
True - I just wanted to point out that there's no way to ultimately secure the thing :)

Depending on what the password is for, and where the script might be lying around, this could prove to be a problem or not. Bank or remote system credentials? Oops! For something that's not critical enough that you can live with the password being snooped by somebody very determined, but still critical enough that you don't want people to snoop it, I'd suggest a two-stage approach:

1) keep an encryption key in the Windows protected storage - this key is only available when you're logged in to the system (which does also mean, though, that if as soon as you're logged in, the key could be stolen by malware or while you're away from the computer).
2) have the password in the script encrypted by the key from part #1.

This way, you could even leave your script uncompiled, as nobody would be able to use it without the key in the Protected Storage. You're still vulnerable to sniffing and all that, but at least you've removed a fairly large attack vector.
- carpe noctem

ljbirns

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 229
    • View Profile
    • Donate to Member
Re: encrypted AHK script
« Reply #7 on: January 20, 2010, 11:11 AM »
You are right, but remember, locks are for honest people. Just compiling should do the trick for most of the users

I am sure nobody is trying  hard to hack my computer for  passwords or private info.  I just don't want to make it easy for anyone who might take a look.

Lew

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: encrypted AHK script
« Reply #8 on: January 20, 2010, 11:13 AM »
You are right, but remember, locks are for honest people. Just compiling should do the trick for most of the users

I am sure nobody is trying  hard to hack my computer for  passwords or private info.  I just don't want to make it easy for anyone who might take a look.
Then simply compiling the script is going to be fine, as long as it's nothing too critical - casual users won't know how to dump process memory, and I dunno if there's any AHK decompilers around :)
- carpe noctem

ljbirns

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 229
    • View Profile
    • Donate to Member
Re: encrypted AHK script
« Reply #9 on: January 20, 2010, 11:32 AM »
Thanks to everyone. 
Lew