Programming Forums
Apr 11th, 2008, 7:47 PM   #11
Legion
Re: Need Some Help

omfg :p it's kinda shocking to see the obfuscated version in front of me :p but yes you are correct, it's written in autoit.

the allow decompile doesn't really work and it's not a real surprise to me.

so the only true question that remains is whether or not some information can be de-obfuscated, and can you tell me how i'm generating the passwords?
or an alternative is to remove the checks i'm making and run the program.
hint: i haven't figured what algorithm to encrypt it with, so the current algorithm is extremely simple.

p.s. i created this as an option to show my boss but i'm having second thoughts

Apr 12th, 2008, 12:08 AM   #12
Ooble
Re: Need Some Help

OK, here's the thing about password generation: if the algorithm generates 10-digit alpha-numeric passwords, that's 36^10 = 3.65615844 × 10^15 passwords. All you need to make it random is a pseudo-random seed. If it's the seed you're having problems with, check out hardware-based random number generators such as those in Trusted Platform Modules. If it's not, even if people do figure out your algorithm, how would they guess what the password is?

Apr 13th, 2008, 3:35 AM   #13
Legion
Re: Need Some Help

Quote:
Originally Posted by Ooble
OK, here's the thing about password generation: if the algorithm generates 10-digit alpha-numeric passwords, that's 36^10 = 3.65615844 × 10^15 passwords. All you need to make it random is a pseudo-random seed. If it's the seed you're having problems with, check out hardware-based random number generators such as those in Trusted Platform Modules. If it's not, even if people do figure out your algorithm, how would they guess what the password is?

the password needs to change every 10-20 seconds like standard OTS generators.

and the server needs to know how to validate it.

therefore it cannot be random, it has to be a mathematical algorithm. currently it just makes a sequence of "+" and "-" operations, but i intend to make it more complex.

has anyone figured out how to get info from the obfuscated source yet?

p.s. just figured out the simplest way to hack it, the script uses the keyword "exit" to terminate the process and therefore u can simply replace the word "exit" with something like "$i=0" and it will happily run the program regardless of the security checks, i intend to replace it with an infinite loop that does some random calculations, so in fact it will never exit but just get stuck if the security isn't passed.

Apr 13th, 2008, 4:07 AM   #14
Jimbo
Re: Need Some Help

Quote:
Originally Posted by Legion
currently it just makes a sequence of "+" and "-" operations, but i intend to make it more complex.

Writing your own crypto functions is a bad idea, unless you work for the NSA or similar. It takes a long time to make one work half-decent and a very long time to make it work well (plus a lot of complicated math involved). Google around and find what functions the government is [publicly] using. If you're just looking for a hashing algorithm, SHA-<number> is probably a good bet.
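
A keyed, time-step code of the kind this thread asks for, added here as an example and not taken from any poster's program: it uses the standard HOTP/TOTP construction (HMAC-SHA1 with RFC 4226 truncation), so the algorithm can be public and only the shared secret needs protecting. The function names, the demo secret and the 15-second default step are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

def otp(secret: bytes, unix_time: float, step: int = 15, digits: int = 6) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1 + RFC 4226 truncation)."""
    counter = int(unix_time) // step              # same value on client and server
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, candidate: str, unix_time: float = None,
           step: int = 15, digits: int = 6, drift: int = 1) -> bool:
    """Server side: accept the code for the current step or `drift` steps either way."""
    now = time.time() if unix_time is None else unix_time
    ok = False
    for k in range(-drift, drift + 1):
        t = now + k * step
        if t < 0:
            continue                              # no time step before the epoch
        expected = otp(secret, t, step, digits)
        # constant-time comparison; no early exit on the first match
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed; use a random per-user key
    code = otp(secret, time.time())
    print(code, verify(secret, code))
```

The shared secret still has to live on the client, so it should be unique per user rather than compiled into a script that is handed out.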

Apr 13th, 2008, 9:44 AM   #15
Legion
Re: Need Some Help

it needs to be something i can revert in ASP later on, i'll google for something later, as i said i did this in my spare time just as a thought.

Apr 13th, 2008, 11:14 AM   #16
mbd
Re: Need Some Help

The point here is that security through obscurity simply does not work. This program is a post-it note with your password written on it.

Apr 13th, 2008, 4:23 PM   #17
Legion
Re: Need Some Help

Quote:
Originally Posted by mbd
The point here is that security through obscurity simply does not work. This program is a post-it note with your password written on it.

guess you are correct :p well it was a phun saturday wasted on it ^^
DaniWeb IT Discussion Community
All times are GMT -5.