Compiling .hta file to .exe

Question

I have searched far and wide for a way to compile my .hta file (and resources) to a .exe file.

There are plenty of applications that claim to be able to do this - but they have not worked for this application - which is a mixture of javascript and VB.

Simply, (and naively,) I don't want people looking at / screwing with the code. Any suggestions or solutions would be greatly appreciated.

EDIT: Of course, I understand that javascript and VB are not "compilable" since they are interpreted languages. I am just looking for a way to truly hide the source.

If you converth the vbscript portions to jscript, you could then run all the code through a compressor such as Google's closure compiler or the YUI compressor. Those would do a decent job of obfuscating the code. — jimbo, Oct 20 '10 at 15:20
Yes, I have looked at compressing the code. I see this as a last case scenario. While it isn't 'secure', it would certainly help deter reverse engineering. — devinpleuler, Oct 20 '10 at 20:21

score 3 · Answer 1 · edited Dec 05 '12 at 01:17

3

Try using VBSedit, it definitely works for converting both vbs and hta to exe

edited Dec 05 '12 at 01:17

Mxyk

10,678
16
57
76

answered Dec 12 '10 at 09:40

Lyle

31
1

score 3 · Answer 2 · answered Mar 22 '12 at 15:18

3

HTAEdit, which comes bundled with VBSedit, does not truly hide the hta code. At run time, it extracts the original hta file to a subdirectory in %temp% and passes it off to mshta.exe to execute. The converted exe's created by VBSedit don't seem to do this as far as I can tell.

answered Mar 22 '12 at 15:18

Dave

31
1

In my case HTAEdit "compiled" exe extrats the HTA file to %LOCALAPPDATA%/Temp/{*}/*.hta – omegastripes Aug 29 '14 at 14:43

score 2 · Accepted Answer · answered Oct 21 '10 at 02:18

You can "compile to exe" by simply wrapping the HTA into an executable which knows how to setup the HTA context/window.

The most trivial approach (which sounds like ExeScript) is to simply extract the HTA/resources first and then execute them. One could theoretically do this without temporary files by injecting data into a running IE context, but the task becomes more difficult. The internal JS may or may not be obfuscated and the wrapper may or may not add an additional layer of obfuscation/"encryption". (PayMo, and I am sure there are others, uses a wrapped context approach to distribute a single runnable exe).

If protecting "intellectual property" is the goal, hire a good lawyer :-)

Yeah, the good lawyer suggestion is unfortunately relevant. The software itself is less valuable than the idea behind it. It is generally easy to replicate the software. This particular API that we are using just hasn't been used in this specific way before. — devinpleuler, Oct 21 '10 at 12:32

score 1 · Answer 4 · answered Jul 04 '13 at 21:30

1

You don't need a compiler, you need an encryptor/decryptor, like my project (under construction), the CFS project (Cryptographica File Security).

answered Jul 04 '13 at 21:30

Gavriel Feria

415
6
13

score 1 · Answer 5 · answered Oct 20 '10 at 15:56

1

I'm not sure about compiling to an exe - but if you minify & obfuscate your source code, unless you've got something incredibly valuable, it'd be a huge job to reverse-engineer.

http://developer.yahoo.com/yui/compressor/

Good luck.

answered Oct 20 '10 at 15:56

Dave Bish

19,263
7
46
63

1

I was able to "compile" to an .exe using ExeScript (http://www.hide-folder.com/overview/hf_7.html). But I caught it cheating... It says that it doesn't write anything to the HD but I found all of the source files in the user temp file while it was being run. I will try your suggestion. – devinpleuler Oct 20 '10 at 20:24
Also, do you know if this supports not just an .hta file but also related source files? (like .js and .htm(l) etc...) – devinpleuler Oct 20 '10 at 20:30
My advice would be to put as much JavaScript into external .js files as possible & minify them. I'm not sure how you could ever obfuscate/minify HTML in any meaningful way. – Dave Bish Oct 20 '10 at 21:53

score 0 · Answer 6 · edited May 23 '17 at 12:16

My clue is to create VBScript or JScript file for HTA to be dynamically spawned by. So you compile not HTA, but the script. This approach meets your security requirements much better than HTA packed to SFX.

Prepare the resources first - import to HTA all external files: scripts, stylesheets, and images (base64-encoded), to make your HTA standalone app. Then create eg VBScript file, and copy all HTML content from your HTA to the string variable in the script, replacing new line and tab symbols to " & vbCrLf & " and " & vbTab & ". Add code to create HTA window dynamically, .write() that string variable to the window's document, and quit script.

Note that Window_OnLoad() may not work properly due to pushing the content to window, that was already loaded.

Then just encrypt your completed VBScript to exe (using true encrypting utility, eg Primal Script 2012, ExeScript, VbsEdit or ScriptCryptor). And change icon with PE Explorer.

All that will take some time, but it is worth doing.

UPD: Here is an example of prepared script by the link.

Compiling .hta file to .exe

6 Answers6

Linked