Mobius Posted April 2, 2011 (edited)
Last updated 9/10/21
* Image may not represent current product

Features
Simple integrated countermeasures against file and memory analysis based decompilers.
Add basic types of resources into the interpreter or other types as raw data.
Define multiple programs to execute pre and post build.
Create and include PE version information.
User defined patches that can be implemented globally on the interpreter and compiler or selectively.
Handles its own basic macros as well as environment variables in most fields for easier path finding.
Drag and drop configs (script bound or separate) to the input edit box or to the icon to load them.
Configuration settings can be copied to the clipboard or saved as config files or Au3 scripts.
Settings can now be saved directly to an AutoIt3 script.
Subsystem independent, can act as a GUI or console tool.
And much more.

See next post for update information.
A3C_97.16b.7z A3C_98_18_b.zip
Edited March 24, 2023 by Mobius: Fixes

Mobius (Author) Posted April 7, 2011 (edited)
98.18b represents the last time we touched this product before doing other things. Although recently compiled and tested on Windows 10 from a repaired archive it's still bloody old, and the same issues still follow with its use. It is what it is, an old and unfinished glance at older builds of AutoIt and the topic this program covers.
Edited October 9, 2021 by Mobius

Emiel Wieldraaijer Posted April 7, 2011
Nice work vlad
Best regards, Emiel Wieldraaijer

Fire Posted April 8, 2011
Hi, Great Job Dude as always. TYVM for such tools. 5 stars from me & Thx again. Respect!

wakillon Posted April 8, 2011
You don't specify any conditions for getting it working, but I had to place your files in the autoit3 directory, otherwise I get a Building Error 65535. Thanks for sharing!

Mobius (Author) Posted April 8, 2011
> You don't specify any conditions for getting it working, but I had to place your files in the autoit3 directory, otherwise I get a Building Error 65535. Thanks for sharing!

wakillon, I understand the embedded help text (also those within the MAN directory) are very bad.
When you download AutKit, for best results you could:
Put it within the Compiler directory of your Au3 installation
or
Put it in a directory of its own, say "AutKit", within the root directory of your Au3 installation directory.
Both locations will be searched for the build files Aut2Exe, AutoItSC.bin and UPX.
I know you probably might not like that idea, but using any of the 2 above directories will mean that relative paths to the include directory and other relative paths used by Aut2Exe (modified name A2ECamo) will not be affected.
If AutoIt3Camo does not find the build files Aut2Exe and AutoItSC.bin it will also search the directory of your script, or alternatively you could enter or drag these two files into their respective edit fields on the MAIN tab.

BillLuvsU Posted April 10, 2011
Posting this from my phone but it looks nice. Of course I've never written any code (at least in AutoIt) that I wouldn't want people to see. Good job anyways.
Also just an idea but (while being far too complicated) perhaps just going with your own post compile wrapper would be more secure? That is a wrapper for the wrapper on the compiled code. Still just 'another layer' but a thicker one than the others I would think.
Hope that made any semblance of sense.

Mobius (Author) Posted April 10, 2011 (edited)
> Posting this from my phone but it looks nice. Of course I've never written any code (at least in AutoIt) that I wouldn't want people to see.

I imagine that a greater percentage of the community feel the same way.

> Also just an idea but (while being far too complicated) perhaps just going with your own post compile wrapper would be more secure? That is a wrapper for the wrapper on the compiled code. Still just 'another layer' but a thicker one than the others I would think.
> Hope that made any semblance of sense.

I am not sure I understand what you mean BillLuvsU, would you mind elaborating please?
I am guessing here but...
Do you mean ditch or merge the smaller utils with the main wrapper (AutoIt3Camo)?
Or perhaps you mean that the fuzzed A3x component should be wrapped in a fake original A3x header and tail data sequence to further confuse?
Edited April 10, 2011 by Mobius

nend Posted April 10, 2011 (edited)
Nice!!! It works great. I had to find out how it all works, but I’m happy with it. Keep up the great work!
Edited April 10, 2011 by nend

Mobius (Author) Posted April 10, 2011 (edited)
I concede it is desperately lacking a help file, if you are really stuck you could have a glance at this and wherever you read AutoHotkey read AutoIt3. Lame I know; so much has changed I doubt it will be of much use. But you could use it in conjunction with the embedded or nfo references in AutKit.
Edited April 10, 2011 by Mobius

willichan Posted April 20, 2011
A couple of my observations:
1 - Symantec will detect anything compiled/built using this as a Bloodhound.Malautoit threat unless you check both "Strip default interpreter resources" and "Crop A3X Tail bytes" on the Options tab.
2 - If I include an ICO file, I get the "A2ECamo.exe has encountered a problem and needs to close." error with the following information in the error report:
AppName: a2ecamo.exe AppVer: 3.3.6.1 ModName: a2ecamo.exe ModVer: 3.3.6.1 Offset: 000037d1
I have tried multiple ICO files with different resolutions, but get the same results. I can compile using the normal method supplied with AutoIt/SciTe.
The ????_appcompat.txt file generated contains the following:
Let me know if I can provide any other information.

FireFox Posted April 20, 2011
@Mobius I have tried all directories you mentioned but it does not work, I always get this in the log:
Compiler unpack - Not packed with upx warning Auto detect version from vdf failed!
Br, FireFox.

Warmonger Posted April 20, 2011
Nice tool, and for people concerned about people decompiling their source, I would switch #AutoIt3Wrapper option #AutoIt3Wrapper_UseUpx= to N and pack your exe with something stronger than UPX, like themida.

Mobius (Author) Posted April 20, 2011 (edited)
@All,
All I can say is that I have released some buggy shit in my time but the first release of AutoIt3Camo (which I never really expected to see the light of day) is right at the top of a stagnant steaming pile of excrement.
Spent the last week and a half tearing it apart with extreme prejudice, and although this download is not the finished release of A3C 0.16.1.0 it is what I have in my repository until I post the finished article over the weekend.
There are still many bugs in this release, but hopefully many fewer than before.

> A couple of my observations:
> 1 - Symantec will detect anything compiled/built using this as a Bloodhound.Malautoit threat unless you check both "Strip default interpreter resources" and "Crop A3X Tail bytes" on the Options tab.
> 2 - If I include an ICO file, I get the "A2ECamo.exe has encountered a problem and needs to close." error with the following information in the error report:
> I have tried multiple ICO files with different resolutions, but get the same results. I can compile using the normal method supplied with AutoIt/SciTe.
> The ????_appcompat.txt file generated contains the following:

1 Sequentially that is an example of why antivirus utils suck so badly, and why such a tool as AutoIt3Camo might not be such a hot idea, anything premade attracts n00b malware authors like shit does flies.
2 Please see the download above, that problem hopefully should be now fixed.

> Let me know if I can provide any other information.

Bug reports are always welcome.

> @Mobius I have tried all directories you mentioned but it does not work, I always get this in the log:
> Compiler unpack - Not packed with upx warning Auto detect version from vdf failed!
> Br, FireFox.

Regarding your directory problem, unfortunately I have not touched that region of A3C because I did not find any bugs regarding the location of the build files.
A3C will try to locate the files Aut2Exe and AutoItSC in the following directory regions:
In its own directory
In a directory called compiler above its own directory (..\compiler)
In the directory of your script / config file.
Or the path and filename you specify in the config / gui
Regarding your quoted log output, please see the download above. Removed all that build detection and separate offset map file business (vdf), it was a retarded workaround when I should have just had A3C do it all, which it should now do.
Upx.exe has been removed as a dependency, which means A3C will not abort the build if it fails to find this file; it will just warn you that it is missing.
Plus a list of other things as long as my arm which I will post about upon release.
Edited April 20, 2011 by Mobius

Mobius (Author) Posted April 20, 2011 (edited)
> Nice tool, and for people concerned about people decompiling their source, I would switch #AutoIt3Wrapper option #AutoIt3Wrapper_UseUpx= to N and pack your exe with something stronger than UPX, like themida.

Besides most people don't use packers (like upx - mpress ...) for security reasons dude because it is futile, they merely want to reduce the overall size of the output binary which is something that bloaters like armadillo or themida certainly cannot do.
Edited April 20, 2011 by Mobius

FireFox Posted April 20, 2011 (edited)
@Mobius Thanks, it works like a charm!
Br, FireFox.
Edited April 20, 2011 by FireFox

Mobius (Author) Posted April 20, 2011 (edited)
> @Mobius Thanks, it works like a charm!
> Br, FireFox.

Thanks FireFox,
There are a number of bugs in it still, just this moment found a nasty one to do with the pack and alternate packer string mechanism which I thought I sorted. OM NOM NOM
Edited April 20, 2011 by Mobius

willichan Posted April 21, 2011
> There are a number of bugs in it still, just this moment found a nasty one to do with the pack and alternate packer string mechanism which I thought I sorted. OM NOM NOM

If there weren't bugs to chase, what would we all do in our spare time? After I get a couple of quick projects knocked out, I will re-test with the latest version.

Mobius (Author) Posted April 22, 2011 (edited)
> If there weren't bugs to chase, what would we all do in our spare time?

Spare Time?? sorry concept does not compute.
Edited April 22, 2011 by Mobius

Mobius (Author) Posted May 3, 2011 (edited)
Yay no more bugs in editing posts
A little later than planned but AutoIt3Camo Updated to 0.16.2.0
Edited March 26, 2012 by Mobius