Source Encryption

Like many other languages, AutoHotkey cannot be completely secured against source code theft even after a script has been converted to an EXE. However, there are methods that can be used to make it harder for your source code to leak.

(for AHK v1.1 and v2.0)

The standard method of protecting a script's source code is by using ScriptGuard. ScriptGuard comes in two components, ScriptGuard1 and ScriptGuard2, that work together to help secure your code.

ScriptGuard1 erases a script's source code from memory after it has been loaded by AutoHotkey. Normally, AutoHotkey will keep the original source code in memory, making it easy to extract using memory inspection tools. With ScriptGuard1, it becomes much harder. ScriptGuard1 is available as a snippet of code that you should include at the top of your AutoHotkey source file.

ScriptGuard2 is a set of configuration settings for ahk2exe that will cause the finished executable to have its source code resources encrypted. This will prevent your source code from being leaked using normal exe extraction tools like Resource Hacker or 7-Zip.
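A check you can run on the finished executable, added here as an example that is not part of this page or of ScriptGuard/ahk2exe: it searches the EXE bytes for a distinctive marker comment from your script, in the encodings the script resource might have been stored in, so you can confirm the resource encryption actually took effect. The marker line and the two sample byte strings are constructed assumptions, not real ahk2exe output.

```python
"""Check that a compiled AutoHotkey EXE does not carry its script in cleartext.

Added example (not ScriptGuard or ahk2exe code). It scans the file for a
distinctive marker line from the script, such as a comment you put at the top
of the source, in the encodings the script resource may have been stored in.
Only the on-disk file is checked; erasing the source from memory is ScriptGuard1's job.
"""
from pathlib import Path

# UTF-16LE is the usual Windows wide-string form, UTF-8 the usual file form.
ENCODINGS = ("utf-8", "utf-16-le")


def find_cleartext(blob: bytes, marker: str) -> list[str]:
    """Return the encodings in which `marker` occurs verbatim inside `blob`."""
    found = []
    for enc in ENCODINGS:
        if marker.encode(enc) in blob:
            found.append(enc)
    return found


def exe_leaks_source(exe_path: str, marker: str) -> bool:
    """True if the EXE at `exe_path` contains `marker` in any known encoding."""
    return bool(find_cleartext(Path(exe_path).read_bytes(), marker))


# Constructed sample binaries (not real ahk2exe output) to show both outcomes.
MARKER = "; build-id: c0ffee-marker-line"  # hypothetical marker comment in the script
UNPROTECTED = b"MZ\x90\x00" + b"\x00" * 16 + MARKER.encode("utf-16-le") + b"\x00" * 16
PROTECTED = b"MZ\x90\x00" + bytes((i * 37 + 11) & 0xFF for i in range(80))  # opaque bytes

if __name__ == "__main__":
    for name, blob in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        hits = find_cleartext(blob, MARKER)
        print(f"{name}: {'LEAKS via ' + ', '.join(hits) if hits else 'no cleartext marker'}")
```

Run `exe_leaks_source("YourScript.exe", MARKER)` against your own compiled file; a hit means the source resource is still readable by the extraction tools mentioned above.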

(for AHK v1.1 only)

FeiYue's Source Code Encryptor offers an alternate approach to protecting your source code. Instead of creating an encrypted executable file, it creates an encrypted source file and uses it alongside the stock AutoHotkey executable file.

FeiYue's Source Code Encryptor uses embedded machine code to encrypt, then later decrypt, your script contents. Once decrypted, the contents are passed to the AutoHotkey executable. The default encryption mixes your source code with the AutoHotkey executable's hash and a secret key, in order to prevent the simplest forms of tampering.

After your script has been encrypted using FeiYue's source code encryptor, it can only be executed using the specific version of AHK it was encrypted against. For example, if you encrypt it against AHK v1.1.37.02 U32 then the encrypted version will only ever work when run using the AHK v1.1.37.02 U32 executable.

Scripts that have been converted to exe, and especially scripts that have been converted to exe and then encrypted, have a high chance of triggering antivirus software. If you can use FeiYue's Source Code Encryptor instead of ScriptGuard, it is less likely to trigger antivirus software, because it does not require you to convert the script to an exe in order to secure it.

If you must convert your script to an exe, the best way to stop it from triggering antivirus software is to sign it with a Code Signing Certificate. Code Signing Certificates can be purchased from companies like Comodo, Sectigo, and DigiCert for around $200-$600 per year. Signing your code with a certificate helps in two ways: the high cost shows antivirus vendors that you are acting in good faith, and your registration with the certificate provider means that you could be tracked down if your signed code is found to be genuinely malicious. However, it does not guarantee that you will bypass all antivirus scanning.

In the United States, the Federal government's Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent technological measures that control access to copyrighted works. This applies broadly to software that has been encrypted using tools like ScriptGuard and FeiYue's Source Code Encryptor.

All AutoHotkey source encryption tools have known flaws that can be used to extract the original source code, but it is illegal to exploit those flaws except in pursuit of an activity that has been specifically exempted by the DMCA. Even if you are acting in good faith, we will not publicly release guides on how to exploit those flaws.

The DMCA does normally allow an exception for the purposes of security research. If you are concerned that an encrypted script may be malicious, please bring it to the @Staff on the AutoHotkey Discord for security analysis. We will not give you the decrypted code, but we will check the decrypted code to see if it contains any obvious malware.