Obfuscating Sensitive Strings in Your Autohotkey Scripts

This program allows you to obfuscate any sensitive strings in your Autohotkey scripts by surrounding them with the hidestr() function.

Place Dummy hidestr Functions in Your Source Autohotkey Script

To set up your program to obfuscate literal strings, place a dummy function like this somewhere in your source code:

hidestr(thisstr)

{

return thisstr

}

This dummy function will just return the parameter it was sent. This allows you to fully test your program before you obfuscate it.

Place the decode Function(s) to Decode the Obfuscated Strings in Your Autohotkey Script

The function to decode obfuscated literal strings must be copied to the Autohotkey script files you're looking to obfuscate. Copy the decode_hidestr() function from the OBFhidestr.ahk file in the dynamicobfusctor.ahk project into your Ahk project.

This function is included in the Obfuscator source code so you can easily copy it to your projects, but it is never actually called by the Obfuscator.

You should never call the decode_hidestr() function directly in your source code, only use the hidestr() function directly.

Surround your sensitive strings with hidestr function(s)

You can surround sensitive literal strings with hidestr() any place you use them like in variable assignments, in function calls, in statement parameters, and in expressions. You can do stuff like this:

var1:= hidestr("some sensitive string") 

somefunc(hidestr("some sensitive string"), parameter2)

At Obfuscation time some changes will happen

At obfuscation time, any literal string found passed as a parameter to hidestr() will be replaced by an obfuscated literal string. The call to the hidestr() function will then be replaced with a call to the decode_hidestr() function which will then itself be obfuscated.

Create Your Own Version(s) of These Functions for Greater Security

It is highly recommended that you make these functions your own by creating your own version(s) of the encode_hidestr() and decode_hidestr() functions.

To test your encode decode functions

There is a folder in this project named 'custom-hidestr-encoders'. It also contains a few scripts that you can use as a template to design and test your own encode_hidestr() and decode_hidestr() literal string obfuscators.
The file READ HELP OBFhidestr.ahk contains good explanation comments on how the functions work and can be modified !

To modify the current encode/decode functions

The function used by the Obfuscator to convert a literal string into a obfuscated literal string is named encode_hidestr() and is located in the OBFhidestr.ahk include file.
The decode_hidestr() function is in the OBFhidestr.ahk and should be copied to your script.
This is a quite easy personalization and in fact the versions of those supplied with the Obfuscator are not the versions that I used to obfuscate my own programs.

You can have multiple encode decode functions

You can have multiple encode decode functions for multiple levels of security and speed.
The encode function must be preceded by "encode_" and the decode function must have the same name as the encode one preceded by "decode_".
Then you should modify only 1 line in the Dynamic Obfuscator Source Code, file OBFinit.ahk:
At the beginning of initOBFdefaults() function :
if your new hide function is called hidestrB(), you must have this:

HideStrFunc_list := "hidestr,hidestrB"

Then the encode function must be added to the OBFhidestr.ahk and your decode function must be added to your script's code.

Increase the Security of Your decode_ Function by Fragmenting the Function

The security of the decode_ functions which will be found in your obfuscated code can be increased in several easy ways. The first is to break a long decode_ functions into multiple small functions:

decode_hidestr(startstr)
{

global

;one part of the obfuscations process

return decode_hidestr_2(currentstr)

} 

decode_hidestr_2(startstr)

{

global

;another part of the obfuscations process

return decode_hidestr_3(currentstr)

}

decode_hidestr_3(startstr)

{

global

;another part of the obfuscations process

return decode_hidestr_4(currentstr)

}

decode_hidestr_4(startstr)

{

global

;another part of the obfuscations process

return currentstr

}

When you obfuscate your program and choose to randomize the order of functions and label sections, these separate parts of the decode_ functions will be scattered throughout your script. Also, if Dynamic Obfuscation is being used it will not be possible for the hacker to directly search for the decode_hidestr_4(startstr) function definition by just selecting that term in the statement return decode_hidestr_4(currentstr). That's because with Dynamic Obfuscation the 2 usages of that same function will look completely different!

Increase Security Even More By Using the Use the 'Rewire Function' Feature of the Obfuscator

You can increase the security of your decode_ function even more by using the rewire function path capability of the Obfuscator. Create a new function in your program named DECOY_decode_hidestr, and then use this command comment near the beginning of your program:

;$OBFUSCATOR: $DUMP_REWIREFUNCPATH: decode_hidestr, DECOY_decode_hidestr

Once the program has passed your security tests, use these commands to wire the decode_ function up 'straight':

;$OBFUSCATOR: $DUMP_REWIRE_STRAIGHT: decode_hidestr

To create even more confusion, you might use it instead on one of the fragments of your decode_ function:

;$OBFUSCATOR: $DUMP_REWIREFUNCPATH: decode_hidestr_2, DECOY_decode_hidestr_2
;[...]
;$OBFUSCATOR: $DUMP_REWIRE_STRAIGHT: decode_hidestr_2