There is a game I play that I want to automate some tasks in.
Not hacking just consistently print screening and execute fake keyboard outputs.
So I wrote some python code and packaged it into a .exe with pyinstaller so I can also share it with others.
The problem is, I know that the game autobans for using known macro softwares like macro recorder, AutoHotKey etc...
The game runs on windows with admin privileges, so I know it can probably gets a list of my running processes..
My question is, how can I protect myself?
There is no real way to protect yourself against a program that can see all processes, without turning it into something like a rootkit. However, there is a good chance your program won't be flagged, since you made it yourself and I doubt python itself is flagged. It depends on what game in particular you are referring to.
Related
My goal is fairly simple, I have written a python 3 script that runs on an ubuntu server at my workplace. Currently I (and other users) have to SSH into this ubuntu box anytime we want to run the script, which with a growing number of users is getting messy - from a convenience and security standpoint. So my boss would like me to create a nice webpage-based GUI to access this script and some other similar scripts I have written.
This seems like a straight forward thing, but the difficulty is in the details - the script is used for viewing and editing records so it has a lot of back-and-forth communication with the user (using input()) as well as screen clears and code like the following:
sys.stdout.write("\033[F") #back to previous line
sys.stdout.write("\033[K") #clear line
...to keep things clean and within one terminal.
If absolutely needed of course I could modify the script to accept inputs in a different format and output in a more html-friendly method without line and screen clears, but this would be rather tedious to redo for the whole script. SO - my question is what would be the best way to achieve what I'm after with minimal modifications to my written code? Ideally the webpage would just have a container holding a terminal-like graphic that handles all the input and output of the selected script as if it was running through a full fat terminal.
Things I've already looked into include basic python web frameworks such as CGI or mod_wsgi, or a python package like flask, but - correct me if I'm wrong - it seems there isn't a nice way to handle constant inputs within scripts with these let alone the terminal-oriented clearing I do for clearing lines and screens.
I also looked into ways to just host a full terminal on the webpage, and security concerns aside, this seems like the closest solution - using something like ajaxterm (which seems rather outdated now?) or wetty. My main concern with this is it isn't any easier than just using SSH at that point. Unless I could modify the terminal to auto-login and start a specific script automagically with the push of a button on the webpage, this would just be a glorified web-rendition of putty.
Any suggestions on how you would achieve this?
I have something in my clipboard, and I'd like to run a python script that invokes CTRL+V as if it was pressed on the keyboard, and pastes the clipboard's content to the current focused window (say chrome). Any idea how to do that?
You have an X-Y problem.
What you want to accomplish is programmatically take data from one program (where you hit cntrl-V) and place it into another arbitrary program (chrome).
There are two ways to do that:
First
You can either set the programs up to have a data exchange mechanism such as a system pipe, or a network connection. This requires some API for data exchange to be already included in the program or access to the source so you might add one. There are very specific channels for cross program data exchange and you wont do well to try to circumvent them. Program A cant just say
get_program_b().get_text_box().add(clip_board);
That would be a violation of Process Isolaton and an OS like windows is written expressly to make it impossible. Some programs are designed to take input from other programs.
popen.open('mysql -e "ISNERT INTO table (a) VALUES ('4')")
Chrome is not one of those programs, chrome avoids allowing programs from doing this because it would be a target for programs to do things like, get the saved password or credit card data out of chrome. Or use save password to login to someone account and buy things in someone elses name.
Second
You could try to spoof user input and input the data exactly like a user would so chrome wont know the difference. But spoofing a user is hard to do and intentionally so because it prevents malicious scripts from taking control of a computer and doing bad things. The makers of windows are accutely aware that spoofing input is a method to circumvent allowed data exchange channels. So the makers of windows made it hard to do. You need to have access to a lot of system assets that most programs wont be given. At a minimum a program has to run as admin on windows to accomplish this, then there are libs that will let you do it. Even then Im willing to bet there are easier way to get the job done. On a machine where you have access to anything and everything it is possible. If you don't have admin access, it should be downright impossible without knowing some unpatched exploit in the system.
Therefore
What you are trying to do goes against what the computer was designed to let you do. If we had more information on what you want to accomplish maybe some of the wonderful people here could help. Getting to the end result you want shouldnt be that hard. But you way of doing it is like trying to run across the ocean, when you just need a boat. As it is my answer is -- dont do it, that's not how windows was designed to work.
I am currently working on a little Python project that will function as a custom and highly-configurable launcher for the popular game Minecraft to practice new skills I have been learning recently! However, I am having one problem really throwing me for a loop, and it's just how Minecraft goes about launching the actual game. From my extensive searching, I have learned that the new Minecraft login system sends the user's username and password to authserver.mojang.com/authenticate (the endpoint changing depending on just what is being done) and is returned with an access token, which can be used to log into the game.
(Edit:) What I am asking of you guys is how I would transform the data about where the game is installed and the data received from the POST request into a command that launches the game, alike how it is done in the default launcher. Overnight, I considered looked into the source of the FTB launcher and found this. This is the class for creating this launch command. How could I recreate this in Python?
Note, this question is not a duplicate, the potential duplicates in question are here and here. Both of these questions are relevant to the old launcher, but the new launcher uses a much different process.
Additionally, I have tried the strategy found here. This does not appear to work correctly on later versions, however. Edit: There was a small detail regarding the natives folder I missed. Basically, if I rename the folder to make a static copy, I can then change the natives directory in the command. However, the command still cannot be generated this way for various users.
If anyone has any ideas about this, feedback is much appreciated! Thanks!
What I want to do is protect a Python program from being stolen by people with no computer knowledge. I accept the inevitability of the program being pirated, all I want to do is protect it from average users.
I have come up with two ideas.
1.)Set a time restriction by checking online for the date and time. I.E. 10 days from downloaded time.
2.)Checking the IP or Name of the computer that downloaded it and make the program only runs on that computer. (to prevent friends from simply sharing the file).
The problem with both of these is that I'll need to create a .py file "on the fly" and then use something like pytoexe to make it into an .exe so that the user doesn't need to have Python installed.
The problem with the second is that to my understanding ip's change and getting the computer name is a security risk and might scare away users.
So to sum it up, here are my two questions:
1.) Is there a good way in python to only allow the program to run on that single computer?
2.) What is the best way to implement a "on the fly" creation of the exe? (I was going to host the website on my computer and learn php(?)/servers.
I have moderate c/c++ and basic html/css, java, and python experience.
Thank you for your time!
Messy business. You probably already understand that compiled does not mean encrypted.
However, if you're boss considers c-compiled as satisfactory, you can use cython to compile your python code to c-code and then gcc to compile the c-code.
Check here on how to build your setup.py script.
http://docs.cython.org/src/reference/compilation.html#compiling-with-distutils
And you can embed python using into the resulting c code using the --embed option:
# will generate the target.c
$ cython target.py --embed
Give each user a customized installer that has a unique key in it. When it runs, it contacts a server (with the key) and requests the actual program. Server-side, you check if the key is valid and if so, serve the program customized with the key, and mark the key as used. The installer saves the program somewhere the user can access it, and creates a hidden file that contains the key somewhere deep in the bowels of the computer, where the "average user" won't think of looking. When the program is run, the first thing it does is check if the hidden file exists and if it contains the correct key, and refuses to run if not.
(I am assuming that unzipping an executable and reading source code is beyond the ability of the "average user" (read: "grandma"), so using py2exe is ok.)
To avoid having to contact anything on the Internet, you could use the following way to 'dongle' your program:
Take a vital part of your program (something without which the rest won't be useful),
put it into a string,
encrypt that string symmetrically with the MAC address of the computer it shall run on,
then in your program do this:
decrypt that string with the MAC address of the current machine it runs on an and
call that decrypted string using exec.
Example with the vital part being print "hello world":
def getMyMac():
return 123456789L # for testing now
return uuid.getnode() # this would be the real thing
def strxor(s, key):
key *= len(s) / len(key) + 1
return ''.join(chr(ord(key[i]) ^ ord(s[i])) for i in range(len(s)))
def performVitalCode():
code = 'A#ZZA\x16\x15P\\]^\\\x14BYET]\x13'
# I found that code by entering:
# strxor('print "hello world"', str(getMyMac()))
realCode = strxor(code, str(getMyMac()))
exec realCode
I here used a simple xor on strings for crypting (which is not a hard cypher to crack).
Of course the user of the "allowed" computer can hand over his MAC address to the next user which then
either can patch the getMyMac() or
spoof his own MAC address; most network cards allow this.
So this is not a "safe" solution to your problem.
But if a person with just little computer knowledge gave your code to some other guy without any further information (maybe by putting it online in a forum or similar), the receiver won't be able to execute it out of the box.
Finally I need to point out that every chaining of code to a specific computer may well become a hassle for the rightful user of the code. If I'm using a program which stops working just because I switch to a different hardware (maybe just because I get a new laptop), I'm usually pissed and curse the writer of that code. You might not want to annoy your customers.
Seems like a combination of things here. Encapsulating python as others have suggested is a good way to go, for bundling. You may also consider obfuscation, as talked about here in another StackOverflow thread:
Python Code Obfuscation
Which references:
http://freecode.com/projects/pyobfuscate
As for making it so that someone can't just download your program and run it elsewhere or distribute it, how willing are you to inconvenience your end users? :)
As others have noted above, you can generate a compiled and bundled bit of code with the ID specific to the user. That way, if/when the application phones home, you can track usage.
If your end users/customers have the following requirements fulfilled:
An account with you, which they can login and check their subscription/account status
Internet connectivity from the machine running the program
You can make the installation process do the following:
Installer is NOT the full program. Generates a profile of the machine.
This profile bundled up and a hash is generated. Both are uploaded to your servers.
The hash is displayed to the end user to enter, once they have signed into their online web account.
The user installing the application submits the hash, and gets a download link and an unlock key. The key is only good for that dynamically generated download and only on that machine. The downloaded program, however, will accept a range of keys unique to itself(iteratively generated, etc).
The user can then complete the install and run their program. The program will periodically check the profile of the machine it is on, to make sure that the hash does not deviate. If it does, the program can prompt them to login to their web account to generate a new key. The new key is then used to refresh their application. This can be automated by the application, but with the internet laws and such, having the user sign into their account and perhaps agree to any updates to the EULA, would be better.
If they decide to share the program in a VM bundle, they would still need an active account to get keys.
Note, this does not prevent someone from bypassing the hash check. But for the average user, this will serve as a good way for you to deter people giving away or reselling your program.
Just bear in mind, no system is foolproof.
I have 2 questions, so I figured I would cram them into 1 single post instead of filling the board up with useless information
Simple description of situation: I am attempting to create a python script that opens an executable for a simple C++ program with an unknown number of inputs in a windows environment, sends some data into that program, and then check to see if it has crashed / rinse and repeat.
Question 1: This is a pipes question. Bear with me, I am still learning about pipes, so I may have a misunderstanding of exactly how they work. Forgive me if I do. Is it possible to detect how many inputs a program has? Basically what I'm attempting to do is open an executable using my python script, that I personally know nothing about, and send in garbage data into each available input. If it is NOT possible to detect how many inputs there are: would there be an adverse reaction (like crashing the program Im sending the data into) if I send more arguments into it than there are inputs? As in the C++ program takes 3 inputs and I send in 6 arguments?
Question 2: Does anyone know if it possible using a python script to detect whether a program has hung or not? So far the best information on this I've been able to find is simply detecting whether the program is running or not via FindWindow, and then I suppose I could monitor the CPU usage to see if it continues to rise... but that is hardly an ideal method (and may not even work properly!) If there are any better known methods out there I would be thrilled!
Thanks for your time :)
An Answer to Question 2
You should look into investigating psutil, hosted # https://github.com/giampaolo/psutil . I don't know whether you'll find what you're looking for, but pusutil is a decent API, offering access to info such as number of CPUs in addition to process information, which is what you want.