45 replies to this topic

[w0uter]

I AM NOT AN AUTOIT DEVELOPER
I DONT KNOW HOW AUTOIT WORKS
IT CAN BE UNSTABLE
IT CAN CRASH
I AM NOT RESPONSIBLE FOR ANYTHING THAT HAPENS TO YOUR SCRIPT OR OTHER DATA
THIS IS FOR LEARNING PURPOSE ONLY
USE IT AT YOUR OWN RISK

There ... now for the people that still want to listen after i shouted at them

Well i had some fun and made binaries undecompilable by exe2aut.

HOW:

<Removed>

NOTES:

<Removed>

also you might need to change RegRead('HKEY_LOCAL_MACHINE\SOFTWARE\AutoIt v3\AutoIt', 'InstallDir')
i dont use a seperate beta and dont know where the beta autoit goes. (i remember something about \beta\)

PS.

If someone still has trouble with this code after that huge disclaimer
and "Dont click here" feel free to send me a pm and ill remove it.

<Removed>

[edit] removed an U in Browse [/edit]

Edited by Valik, 08 April 2009 - 09:25 PM.

[SmOke_N]

Edit:
After some trial and error, no more decompile... very nice job w0uter! Hope this sticks around for a while... with this and EnCodeIt mixed ... would pi** most reverse engineers completely off

Edited by SmOke_N, 28 June 2006 - 05:09 PM.

[Skrip]

I changed them all to 0 in that first collum, then in the next one I used 30 then I repeated, and it worked! Thanks wouter!

Edited by Firestorm, 28 June 2006 - 08:17 PM.

[Jos]

Believe the line of thinking here was:

When you can identify the true "Script" section and the "Runtime" section its easier for the AV companies to detect Virusses written in AU3 without qualifying ALL AU3 scripts as a virus.

Edited by JdeB, 28 June 2006 - 08:45 PM.

[jftuga]

If you actually try to click on 'Don't click here', nothing happens.
Seriously, nice work!

-John

[RazerM]

This works well w0uter. I just had to be careful with what bytes i changed.

Edited by RazerM, 26 June 2007 - 03:23 PM.

[PartyPooper]

GUICtrlCreateButton('Browse', 263, 175, 59, 18)

[JSThePatriot]

As always w0uter love your work!

JS

[Busti]

its really nice work, but what does this do, i dont get the point

[JSThePatriot]

its really nice work, but what does this do, i dont get the point

It is for those that dont want someone to be able to decompile their script without some troubles. Just like using EnCodeIt.

Just an extra precaution. It wont "prevent" any of the malitious attempts, but it would slow the determined down and stop the kiddies.

JS

[Busti]

oh wow thats really nice !!! thx wouter

[YoseMite]

Respect!

[Spanky]

<Removed>

Edited by Valik, 08 April 2009 - 09:27 PM.

[w0uter]

Always fun to have another reverser here

This was only ment to stop decompiling for the masses.
Also this was the only method in my head for wich i could create a patcher.
I have other POC code laying around here. Ill post a sample for you later.

Edited by w0uter, 01 July 2006 - 11:08 AM.

[Spanky]

Always fun to have another reverser here

This was only ment to stop decompiling for the masses.

Why I can't ride of the feeling most ppl considering RE as some kinda 'Black Art' or 'computer heretic stuff' when I reading this.

Also this was the only method in my head for wich i could create a patcher.
I have other POC code laying around here. Ill post a sample for you later.

Yeh I felt that there's more potential.
Indeep this methode is really usefull to keep the noobs off or amaze them.
But in my eyes some other really nasty stuff is obfucation(as for ex. EncodeIt does). To me this can be more bitching than a 'nonstandard' AutoIT file.
Anyway there is nothing against putting those two together.

[jftuga]

Would it be possible to use EncodeIt, and then the script Wouter mentions in the first post, and then manually compress with UPX? But then use something similar to Wouter did, but do it to the UPX header so that it could not be decompressed by UPX?

I hope this makes sense. :-)

-John

[JSThePatriot]

@jftuga
Using EnCodeIt is already possible with w0uter's script to modify the header.

What you are asking is possible if I am not mistaken. The question would be how rough it would be to get that accomplished.

IMHO,
JS

[w0uter]

upx doesnt compress the script.
so thats kinda pointless

[WTS]

MZ
MZ^ Error
Error: Unable to parse line

Edited by WTS, 30 June 2006 - 08:45 PM.

[w0uter]

you (alted / used) a wrong byte

we dont have the source so its guesswork