Understanding the Difference Between Dynamic and Straight Obfuscation for Autohotkey Scripts

Dynamic Obfuscation uses the Autohotkey feature of dynamic variable name creation and straight obfuscation does not. In Dynamic Obfuscation, object names are full of "%"s and each pair of "%"s represents a variable whose value will be returned to become part of the object name being built. These references are resolved at program run time when the actual statement in question is being executed.

You can use straight obfuscation that does not use dynamic variable name obfuscation. In this method, the object names are obfuscated but no real variables are used in the calling of objects. This method is the easiest to implement because it requires less program preparation, however it is much less secure than dynamic obfuscation.

Straight Obfuscation is Simpler

Straight obfuscation is simpler because Dynamic Obfuscation takes more source code preparation. All functions in which you would like to have dynamic obfuscation will have to be made assume GLOBAL instead of assume LOCAL. Also Dynamic Obfuscation will require you to start using the Obfuscator DUMP command comments. Because this will take more conversion work by you, you probably will want to start out obfuscating your program by doing straight obfuscation only at first. Once that is working good, you can make the changes to start using Dynamic Obfuscation. See straight obfuscation steps and Dynamic Obfuscation steps.

Dynamic Obfuscation is More Secure

Dynamic Obfuscation has more security features to protect your source code than straight obfuscation. It makes everything in your program hard to find, it allows you to break whole sections of your code all at once, and it allows you to 'rewire' your most sensitive functions to go to 'decoy' functions.

When you use Dynamic Obfuscation you can also obfuscate Autohotkey built in functions, and class methods or object properties. Also built-in functions obfuscation and all other obfuscation will be much stronger.

Object names will be made up of variable name 'fragments' that will be represented by the use of multiple "%"s in object names. At run time these fragments will all be resolved and the actual object name will be built. Some of the fragments will be part of the actual obfuscated object name and other ones will be 'security' fragments. See Dynamic Obfuscation steps.

Dynamic Obfuscation Makes it Nearly Impossible to Find Anything in Your Code

Because Dynamic Obfuscation can create multiple obfuscations per object and add object name 'security fragments', multiple calls to the same object can all look different.

You could have 20 calls to the same function in your source code and all look completely different. In the statement below, the 3 uses of var1 can look completely different when obfuscated:
var1:= var1 + var1
The upshot to this is that it will be almost impossible for the hacker to find all your uses of objects within your code. It will be extremely difficult to find the usages of variables, parameters, functions, and labels.

This methodology extends the general obfuscation idea of making strings in the program hard to find to making everything in the program hard to find!

Dynamic Obfuscation Can 'Break' Whole Classes of Functions and Labels at Once

Dynamic Obfuscation allows you to add functions and label sections to 'secure' classes that you can then 'break' all at once if you want. Start your program with all your most sensitive stuff 'broken'.

Dynamic Obfuscation Allows You to 'Rewire' Functions to Go to Other Functions

You can also 'rewire' your most sensitive function references to go to other functions as an extra security measure. All usages of that function within your code will go to the wrong place! When the user passes your security, you can then 'rewire them straight' so they now will go to the actual function.