Protecting AHK code against piracy

[labrint]

Hi Guys,

Need some tips on how to protect my code from being pirated. Can anyone suggest some methods?

I need to protect against:

1. Viewing the code
2. Copying of the file on to other PCs

[Jovannb]

Hi,

if necessary I

• put (flipped) harddisk-serial in that ahk-program-code to avoid running that script on other machines as intended

• limit running that ahk-code depending on machine-date e.g. til end of 2019

• encrypt ahk-code by https://autohotkey.com/boards/viewtopic.php?t=42494

• compile that ahk-code to an exe

regards

J.B.

[CyL0N]

NO, this has been asked & answered a thousand times.
If your looking to hide data in your source,that's possible but,hiding the source itself in AHK_L is not possible.Period.

I'm not trying to be rude, I'm just trying to express the nature of AHK in it's current form. Any attempt can easily be bypassed by using 'de-compilation' & de-obfuscation tools in these forums...

[FanaticGuru]

There is no easy way to do what you want.

The ironic things is that any anti-piracy code that did a decent job would be far more valuable than 99.9% of the AHK code that people want to protect.

Some of the compiling and obfuscation tools available will give the casual user problems. If your code is not very valuable then you can probably raise the trouble to hack above the value of the code.

If your code is very valuable then you are going to need very good anti-piracy. Programs that cost thousands of dollars like AutoCAD, Adobe Suite, etc. have pretty good anti-piracy and they still get hacked all the time. Because it is worth the effort.

The problem is that it is easy to encrypt something that is very secure but at some point the data or code has to be unencrypted to be used and then the user can do anything they want with the data or code. They can copy it, share it, modify it, etc.

FG

[Wicked]

As for viewing, there's obfuscators on these forums somewhere.

[labrint]

Hi,

if necessary I

• put (flipped) harddisk-serial in that ahk-program-code to avoid running that script on other machines as intended

• limit running that ahk-code depending on machine-date e.g. til end of 2019

• encrypt ahk-code by https://autohotkey.com/boards/viewtopic.php?t=42494

• compile that ahk-code to an exe

regards

J.B.

I have used HDD and MAC to block other machines running the script.
I have encrypted the ahk using AHK source code Encryptor v2.7 By FeiYue https://autohotkey.com/boards/viewtopic.php?t=42494
I don't truly believe in compiling as it is still viewable using notepad.

The time limit is good, but can't they simply defeat the system by reversing the clock on windows? Any reliable way to get the current year via HTML request? Is there a raw html website which hosts the current date which is reliable and used for decades?

Thanks for the other tips, as I said, I've implemented them.

[labrint]

There is no easy way to do what you want.

The ironic things is that any anti-piracy code that did a decent job would be far more valuable than 99.9% of the AHK code that people want to protect.

Some of the compiling and obfuscation tools available will give the casual user problems. If your code is not very valuable then you can probably raise the trouble to hack above the value of the code.

If your code is very valuable then you are going to need very good anti-piracy. Programs that cost thousands of dollars like AutoCAD, Adobe Suite, etc. have pretty good anti-piracy and they still get hacked all the time. Because it is worth the effort.

The problem is that it is easy to encrypt something that is very secure but at some point, the data or code has to be unencrypted to be used and then the user can do anything they want with the data or code. They can copy it, share it, modify it, etc.

FG

Part of your argument is true because this is a very vast world with unlimited permutations.

I operate in a niche environment with few clients.
These clients are not in the IT business, and all I really need is to make it as expensive as possible get people to crack the software, as well as bind anyone in contact with a legal contract. I have mechanisms in place that make it possible to trace the usage of the program, such as IP and other computer unique identifiers.

It's a minefield. Not impenetrable, but deterring.

[FanaticGuru]

There is no easy way to do what you want.

The ironic things is that any anti-piracy code that did a decent job would be far more valuable than 99.9% of the AHK code that people want to protect.

Some of the compiling and obfuscation tools available will give the casual user problems. If your code is not very valuable then you can probably raise the trouble to hack above the value of the code.

If your code is very valuable then you are going to need very good anti-piracy. Programs that cost thousands of dollars like AutoCAD, Adobe Suite, etc. have pretty good anti-piracy and they still get hacked all the time. Because it is worth the effort.

The problem is that it is easy to encrypt something that is very secure but at some point, the data or code has to be unencrypted to be used and then the user can do anything they want with the data or code. They can copy it, share it, modify it, etc.

FG

Part of your argument is true because this is a very vast world with unlimited permutations.

I operate in a niche environment with few clients.
These clients are not in the IT business, and all I really need is to make it as expensive as possible get people to crack the software, as well as bind anyone in contact with a legal contract. I have mechanisms in place that make it possible to trace the usage of the program, such as IP and other computer unique identifiers.

It's a minefield. Not impenetrable, but deterring.

If you really wanted to make a run at it, I would have the client run an installer program that gets the UUID of their computer (computer unique indentifier) sends that information to your server. Your server would then generate a unique version of the program with the UUID embedded into the code so that it would check and only run on the computer that installed it. You could also have it call home to your server from time to time to do security checks, track usage, etc. and check for updates.

The unique version of the program the client downloads would need to be obsificated and compiled to make it as hard as possible for the client to not modify and take out the UUID check. If your code is already large and complex so much the better to make it hard to find the UUID check.

You could have a launcher program that ask for an encryption key (password to run) or goes online and gets from your server based on the UUID of the computer, that then decrypts the actual program and runs it dynamically so the program only exist in computer memory. The launcher could be hacked though to display the code instead of running dynamically but it is another layer to peel. You could have just parts of the program encrypted with the UUID as the key that decrypts various functions at run time.

You could have a crucial function that exist only on your server. The program has to send your server the parameters and then server spits back the result. This is not a simple check that can be removed. The returned results are actual information that would be hard to replicate. The down side is that if your server goes down everyones program stops working.

Often the security is just layers upon layers that are difficult to unravel. You have to assume a hacker is going to see the code unencrypted, that code then needs obfuscation to be as hard as possible to unravel.

https://en.wikipedia.org/wiki/Obfuscation_(software)

It is a rabbit hole that you can go down as deep as you want.

FG

[DRocks]

Lol its a funny topic. I like how everything can be hacked according to what I read. Its impressive how people are smart. Much smarter then me.

What do you guys think of going the opposite way with complete trust and just a legal notice to make people choose to steal or choose to be legit?

I mean wouldnt people have more respect for a program that trusts them rather then another one that wants to be sure no1 cracks it?

What do you thibk and what is realistic?
My example i have in mind is the music software Reaper. Found at reaper.fm this company is awesome because it believes in this way and they gained my trust. I ended up buying software and liking it more than my 1000 dollar investment in other software.

[FanaticGuru]

Lol its a funny topic. I like how everything can be hacked according to what I read. Its impressive how people are smart. Much smarter then me.

What do you guys think of going the opposite way with complete trust and just a legal notice to make people choose to steal or choose to be legit?

I mean wouldnt people have more respect for a program that trusts them rather then another one that wants to be sure no1 cracks it?

What do you thibk and what is realistic?
My example i have in mind is the music software Reaper. Found at reaper.fm this company is awesome because it believes in this way and they gained my trust. I ended up buying software and liking it more than my 1000 dollar investment in other software.

Now don't get the impression that everything can be hacked. Many people just assume everything can be hacked. That is not really true. It is easy to encrypt a file so that nobody can see or use it without the password. The problem is that anyone that has the password and can unencrypt the information can then tell it to someone else. There is mathematically perfect encryption that cannot be directly hacked without breaking the laws of the universe as humans understand it. Now you can always pay someone to give you the password or trick them into doing it. Most "hacking" of account information and so forth that you heard about in the news is not really what I would call hacking. It is mostly just tricking people into "sharing" a password. Usually an employee of the company that exposes the system in some way.

It is like a secret. It is easy to keep a secret. Just never tell the secret to anyone. But it is hard to tell someone a secret and make sure they do not then tell the secret to someone else.

Many computers never get hacked. No hacker launches nuclear missiles or transfers a trillion dollars from the federal reserve. Those systems are very secure. The systems also require multiple passwords that are spread amount lots of very trustworthy people and systems. The overall systems were designed with the bar of difficult to hack set at beyond forseeable human technology. Now maybe alien technology, time travelers, or divine intervention could hack it but that was a risk that was deemed acceptable.

FG

[FanaticGuru]

As for the just not even trying and trust people, I read about a small code author that tried to secure his software and sell it for like 10 to 20 dollars.

It was a constant struggle to keep it secure so eventually he gave up on security and removed the security. Sales stayed about the same. It was getting pirated but that was causing it to get wider distributed which made the overall sales stay about the same.

After a while the software was pretty much "complete" without any updates or development for awhile so he decided to just make it free with an ask for donations but no specific amount. The software then brought it more money than ever. Apparently some people were very generous and would give more than the price that he use to sell it for, a lot more if the software really helped them.

One story from one developer and I can't even remember the software so take it with a grain of salt.

FG

[DRocks]

cool story and thanks for all this explanation on the first reply.

[SOTE]

NO, this has been asked & answered a thousand times.
If your looking to hide data in your source,that's possible but,hiding the source itself in AHK_L is not possible.Period.

I'm not trying to be rude, I'm just trying to express the nature of AHK in it's current form. Any attempt can easily be bypassed by using 'de-compilation' & de-obfuscation tools in these forums...

I believe that's not entirely accurate. The decompiler tools on the forum will work for normally "compiled" AutoHotkey_L executables, but not work if the script is encrypted (such as Feiyue's Encryptor), obfuscated (Digidon's Obfuscator), in Mcode (machine code), or is AutoHotkey_H. In those cases, a person must have greater understanding of those methods in order to extract or read the script.

In the case of machine code, it's similar to having a normally compiled executable like with C, C++, Pascal, or Assembly. Once in machine code, you won't be able to read it normally, and can only get it into Assembly language form or pseudo C code. If you decompiled a script with machine code, you will only see the parts in the AutoHotkey language, will be still stuck with not knowing what the machine code is.

With encryption, the issue will be with the AutoHotkey interpreter. The script must be in a form that allows the AutoHotkey interpreter to read it, so skilled people will then know where to look. AutoHotkey_H makes that a bit more difficult than using Feiyue's Encryptor for AutoHotkey_L, but experts can do it. However, this requires more specialized knowledge and understanding of AutoHotkey, that casuals or people not familiar with the language won't usually have.

With Digidon's Obfuscator, it's more of a time problem or reverse-engineering his Obfuscator to be a de-obfuscator. Both of which is bound to be annoying and time consuming, as to be a strong deterrent to most.

Per the OP's question about piracy, you can't ever be 100% certain with any protection method. What one person can think up, another person can find a way to undo it. It's usually a matter of providing a deterrent to the vast majority, let's say 95% or more people. Refer to this old AutoHotkey post which directly address software protection and provides example scripts. https://autohotkey.com/board/topic/5427 ... rotection/

Lastly, going freeware is very much a viable option too these days, because you can ask for donations. This is because people or businesses that donate to you, don't have any set limit or price, and this can possibly compensate. So depending on the type of software, making it payware might not bring you any more money than having it as freeware and requesting donations. Arguably, having the software as payware, can be a cause of headaches and problems over "piracy", protection, customer demands, and customer complaints. Where if it was freeware, the software might actually be vastly more popular, the creator becomes more popular, no obligation to customers, and it might likely get more donations. So this is a depends question, where a software creator might want to give thought about what they really want or experiment with both directions.

[CyL0N]

NO, this has been asked & answered a thousand times.
If your looking to hide data in your source,that's possible but,hiding the source itself in AHK_L is not possible.Period.

I'm not trying to be rude, I'm just trying to express the nature of AHK in it's current form. Any attempt can easily be bypassed by using 'de-compilation' & de-obfuscation tools in these forums...

I believe that's not entirely accurate. The decompiler tools on the forum will work for normally "compiled" AutoHotkey_L executables, but not work if the script is encrypted (such as Feiyue's Encryptor), obfuscated (Digidon's Obfuscator), in Mcode (machine code), or is AutoHotkey_H. In those cases, a person must have greater understanding of those methods in order to extract or read the script.

Perhaps i was too expansive, what i simply meant was you could use MCode to store things like passwords & such inside scripts,however with the exception of AHK_H which i have never managed to get the source in full for, for either of the other methods discussed such as Feiyue's Encryptor or Digidon's Obfuscator for example a simple memory dump gives you the entire script, and even using a systinternals utility like strings gives you most of the script from a process dump. I once attempted to modify the ahk source to dump the script after the interpreter parsed it,i never put much time into that approach so it never got anywhere but it was a very simple & plausible approach to countering any source encryption,because no matter how you go about it, the interpreter needs a version of the source that it can understand & given the interpreter is open source,then you might as well not bother with encryption.

So If you wish to counter act piracy by locking down the source entirely, i stand by my statement,it' doesn't work for the major software developers,it's certainly not going to work here due to the nature of interpreter. If you wish to protect data in the source,just use MCode,which is a solid but still not bulletproof approach. So obfuscation is actually your best bet,by virtue of few if any having the motivation & desire to go through designer spaghetti code,which obfuscated code basically is.

[DRocks]

Thanks guys I had good education by reading you

[gwarble]

If you wish to protect data in the source,just use MCode,which is a solid but still not bulletproof approach. So obfuscation is actually your best bet,by virtue of few if any having the motivation & desire to go through designer spaghetti code,which obfuscated code basically is.

Any advice on where to start with the approach of using MCode to "encrypt" or protect a password from easy-but-not-impossible access by users?

Lets say I want to send an email using stored credentials that get sent to a mailserver, with a function like:
Email(To="",Subj="",Body="",From="",_Attach="",User="",Password="",SMTP="",Port="",TLS="")

and want to send bug reports from users, how do I store %Password% in the script with MCode?

thanks

[CyL0N]

If you wish to protect data in the source,just use MCode,which is a solid but still not bulletproof approach. So obfuscation is actually your best bet,by virtue of few if any having the motivation & desire to go through designer spaghetti code,which obfuscated code basically is.

Any advice on where to start with the approach of using MCode to "encrypt" or protect a password from easy-but-not-impossible access by users?

Lets say I want to send an email using stored credentials that get sent to a mailserver, with a function like:
Email(To="",Subj="",Body="",From="",_Attach="",User="",Password="",SMTP="",Port="",TLS="")

and want to send bug reports from users, how do I store %Password% in the script with MCode?

thanks

Apologies for my partially functional answer,i can't seem to get the returned value from my old C functions below in MCode,although they still work...
I figured you were more interested in methodology so I'm just posting this... I'll PM you a functional example once i sort it out...

Code: Select all

#include <stdio.h>
#include <time.h>
const char* myStr = "my very very very long password";  //store password just as a string...
const char* myPwd()
{
    return myStr;
}
//Msgbox % DllCall(MCode("2,x86:oQAAAADDkJCQkJCQkJCQkG15IHZlcnkgdmVyeSB2ZXJ5IGxvAAAAAA=="),"cdecl char")



int main()
{
    printf("%d\n", logicbomb());
    printf("%s", myPwd());

}


#include <time.h>
int logicbomb()
{
  time_t rawtime;
  struct tm * timeinfo;
  time ( &rawtime );
  timeinfo = localtime ( &rawtime );
  int    sec = timeinfo->tm_sec;   //seconds [0,61]
  int    min = timeinfo->tm_min;   //minutes [0,59]
  int    hour = timeinfo->tm_hour;  //hour [0,23]
  int    mday = timeinfo->tm_mday;  //day of month [1,31]
  int    month = timeinfo->tm_mon;   //month of year [0,11]
  int    year = timeinfo->tm_year;  //years since 1900
  int    dweek = timeinfo->tm_wday;  //day of week [0,6] (Sunday = 0)
  int    dyear = timeinfo->tm_yday;  //day of year [0,365]

  if (min % 2 == 0 && sec > 5 && sec < 15){    //if minute is even and second is within specified range... only then return stored value...
    return 111111111;    //decimal encoded password example....
  };
    return 0;
}
//Msgbox % DllCall(MCode("2,x86:U4PsKI1cJByJHCToAAAAAIkcJOgAAAAA9kAEAYsIugEAAAB1EYPpBoP5MRnSgeLGa58Gg8IBg8QoidBbw5CQkA=="),"cdecl UInt64")


unsigned long long int myFunc() {
	return 11111111 ;
}

The whole premise of my statement is to do with giving the password it's own logic beyond that of the ahk interpreter,such as having an MCode function only return contained password at a specific point in time like a logic bomb, whereby you can attempt to send email consistently, and there might be a single (hard coded time)window with in a period of a month,that the function would return the password,where the only attempt that would succedd(output the pwd) in sending email being the one that matches the internal conditions of the MCode function which can't be viewed by users ... see the logicbomb() function in the pwdPrototype.c
>Think, specific second,hour,minute,hour and perhaps an Even or Odd fibonacci number for the day of the year...you get the idea...

The more complicated the internal logic of the MCode function, the more difficult it is for users to get at, which is ESPECIALLY 'almost' bullet proof when all you're trying to do password verification, you simply have to pass provided password to the MCode function & IT compares provided password with it's internal password, and if it's a match it returns a decryption key for example to an embedded encrypted script as in AHK source code Encryptor v2.7 By FeiYue https://autohotkey.com/boards/viewtopic.php?t=42494 ,as otherwise it could just as easy be commented out,so it ought to return some useful data in return for the correct password.

But the best solution to your example problem is to use google forms or similar, where you fill out a form and it's submitted to your inbox with out bothering with passwords, or if you don't want to bother with google just create a free wordpress account,and by default they all have a contact form, which allows you to post to the form & the form goes to your inbox, here's mine for example, https://cyl0nn.wordpress.com/contact/ ,either one should be fantastic for automated bug reports.

Cheers.

[SOTE]

NO, this has been asked & answered a thousand times.
If your looking to hide data in your source,that's possible but,hiding the source itself in AHK_L is not possible.Period.

I'm not trying to be rude, I'm just trying to express the nature of AHK in it's current form. Any attempt can easily be bypassed by using 'de-compilation' & de-obfuscation tools in these forums...

I believe that's not entirely accurate. The decompiler tools on the forum will work for normally "compiled" AutoHotkey_L executables, but not work if the script is encrypted (such as Feiyue's Encryptor), obfuscated (Digidon's Obfuscator), in Mcode (machine code), or is AutoHotkey_H. In those cases, a person must have greater understanding of those methods in order to extract or read the script.

Perhaps i was too expansive, what i simply meant was you could use MCode to store things like passwords & such inside scripts,however with the exception of AHK_H which i have never managed to get the source in full for, for either of the other methods discussed such as Feiyue's Encryptor or Digidon's Obfuscator for example a simple memory dump gives you the entire script, and even using a systinternals utility like strings gives you most of the script from a process dump. I once attempted to modify the ahk source to dump the script after the interpreter parsed it,i never put much time into that approach so it never got anywhere but it was a very simple & plausible approach to countering any source encryption,because no matter how you go about it, the interpreter needs a version of the source that it can understand & given the interpreter is open source,then you might as well not bother with encryption.

Actually, such a dump would not give them the entire script. Rather it would be fragments of it, in which someone that is not strong in programming, wouldn't be able to do anything with or wouldn't want to spend a lot of time on it. And if the script was obfuscated, it would be more of a problem. It's not so different from a compiled language, because machine code can give you Assembly code or pseudo C code. Crackers can do dumps and use their knowledge of Assembly to do equally nefarious things, but to be more effective at it, they still have to be knowledgeable programmers. So the protection level would still be around the same ball park. Average Joe wouldn't know of or be into such things. A casual programmer would have to still climb the programming knowledge ladder, to do anything with the various pieces.

MCode would only be able to offer a certain agree of protection. The more the attacker knows and is highly determined, the less protection there will be. They can still understand what's going on by analyzing the program visually, using Assembly, dumps, research, etc...

So If you wish to counter act piracy by locking down the source entirely, i stand by my statement,it' doesn't work for the major software developers,it's certainly not going to work here due to the nature of interpreter. If you wish to protect data in the source,just use MCode,which is a solid but still not bulletproof approach. So obfuscation is actually your best bet,by virtue of few if any having the motivation & desire to go through designer spaghetti code,which obfuscated code basically is.

Kind of true, obfuscation is a deterrent. However, a determined attacker can have lots of time to keep chipping away and analyzing a program, until they have cracked it. Give people weeks, months, or years... They can solve a lot, if they are that determined. It's really copyright and the law that is the strongest deterrent. Because even if they cracked the program, illegally distributing and selling it can land them in jail. The other stuff like compiling, encryption, or obfuscation is just more due diligence. Like not leaving your keys in the ignition, your wallet on the table, or the door to your house wide open. It filters out the vast majority, who don't want to be wasting a lot of time or are law abiding types.

Another point that I would like to make about this, in regards to thinking compiled languages offer so much more protection, is the nature of GUI based programs. For even compiled code in say C or C++, Resource Hacker and ResEdit (and there are more such programs for other programming languages) can give you the menus and GUI used (Dialog). This include giving you the equivalent C or C++ code used to make the GUI. This can be debatably worse than AutoHotkey (or similar such "bound" scripting languages), where you can't get such information about the GUI from Resource Hacker or such programs. So if somebody really wanted to reverse engineer a GUI based program, they can start from that point, with copies of all the GUIs used and then seeing how the program works by playing with it. The author can't protect what the users can see on their desktop nor them having copies of GUIs, menus, and other various resources.

So this thinking, in regards to MCode or compiled languages, being so much more protected works more for console (command line) programs. Even then, if the console program is using menus, then it's an easier staring point to reverse engineer for someone with coding skills. If a person doesn't have coding skills, which is the case of most average Joes, even handing them a fresh copy of the source code will probably not do them any good. If they try to distribute or sell a copy, that's violating the copyright and the law, putting them in major legal jeopardy. Most people don't want to get involved in that, and for the segment that does, there is just no way to stop the highly skilled ones short of the law knocking on their door.