Unc3nZureD

Obfuscator suggestions

18 posts in this topic

I'm planning to make an obfuscator which is 3.3.10.2 compatible and will use some unique methods and will even obfuscate basic commands (like msgbox etc) with the brand new ability to be able to use the following method $asd = msgbox
 
Well, yes I'm not one of the world's best coders, and yes, it will take quite a long time to develop it, but I'd like to try it :)
 
I made a small list of what I have to take care of:
 
Quoted Funcs:
- #OnAutoitStartRegister "asd"
- OnAutoItExitRegister( "asd" )
- OnAutoItExitUnRegister( "asd" )
- AdlibRegister( "asd" )
- AdlibUnRegister( "asd" )
- Call( "asd" )
- Hotkeyset( x, "asd" )

Quoted Vars:
- Assign( "var" )
- IsDeclared( "var" )

Don't change:
- $CmdLine
- $CmdLineRaw
- Include Variables/Funcs (Might have to include/obfuscate all, so won't cause problem -> but +time)

Warning:
- Execute() [Doesn't seem to be hard to deal with it, but who knows]
- FileInstall() [mustn't encode string]
- Change unique execute with real return value [unique function, makes Executable return the real return instead of 1/0]

__________________________________________________________

Any more ideas about which cases I have to take care of, which could cause trouble?

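The rename hazards listed in the post above, as an added example that is not part of the original post or of any AutoIt tool: a Python scan that collects function and variable names referenced through string arguments, so a renaming pass can keep them consistent, and flags names it cannot resolve statically. The helpers `scan` and `call_args` and the sample script are constructed for illustration.

```python
import re

# Calls from the post whose string argument names a function (0-based index).
FUNC_REFS = {"onautoitexitregister": 0, "onautoitexitunregister": 0,
             "adlibregister": 0, "adlibunregister": 0, "call": 0, "hotkeyset": 1}
VAR_REFS = {"assign": 0, "isdeclared": 0}    # variable name, written without "$"
REVIEW = {"execute", "fileinstall"}          # the post's "Warning" list
NAME_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
LITERAL_RE = re.compile(r"""^(["'])(\w+)\1$""")
DIRECTIVE_RE = re.compile(r"""^\s*#OnAutoItStartRegister\s+["'](\w+)["']""", re.I | re.M)

def call_args(src, open_idx):
    """Top-level arguments of the call whose "(" is at open_idx."""
    args, cur, depth, quote = [], [], 0, None
    for ch in src[open_idx + 1:]:
        if ch == ")" and depth == 0 and not quote:
            break
        if ch == "," and depth == 0 and not quote:
            args, cur = args + ["".join(cur).strip()], []
            continue
        cur.append(ch)
        if quote:                       # inside a string literal
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
    return args + ["".join(cur).strip()]

def scan(src):
    """Collect names a renamer must also change inside strings (AutoIt is case-insensitive)."""
    report = {"funcs": {n.lower() for n in DIRECTIVE_RE.findall(src)}, "vars": set(), "review": []}
    for m in NAME_RE.finditer(src):     # comments are not skipped, so this can only over-report
        name, line = m.group(1).lower(), src.count("\n", 0, m.start()) + 1
        kind = "funcs" if name in FUNC_REFS else "vars" if name in VAR_REFS else None
        if name in REVIEW:
            report["review"].append((line, name, "on the post's Warning list"))
        elif kind:
            args = call_args(src, m.end() - 1)
            idx = FUNC_REFS.get(name, 0)
            lit = LITERAL_RE.match(args[idx]) if idx < len(args) else None
            if lit:
                report[kind].add(lit.group(2).lower())
            else:  # e.g. Call("Ti" & "ck") or Call($name): the target is built at run time
                report["review"].append((line, name, "name is not a plain string literal"))
    return report

# Constructed sample script, not taken from the thread.
SAMPLE = '''#OnAutoItStartRegister "Init"
HotKeySet("{ESC}", "Quit")
AdlibRegister("Tick", 250)
Assign("counter", 0)
If IsDeclared("counter") Then Call("Ti" & "ck")
Local $r = Execute("1 + 1")'''
```

`scan(SAMPLE)` reports the functions and variables that must be renamed in both the code and the string, and lists the concatenated `Call` target and the `Execute` call for manual review.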



#2 ·  Posted (edited)

...and your question is what exactly? You will soon understand why Jos (quite rightfully so) decided to consider dropping the Obfuscation portion of Obfuscator, because you're giving a false sense of protection to your users. I hope you understand that?!

Edit: I also think using this feature $asd = msgbox is kind of pointless and insulting to those with some common sense, because it's not hard to work out just by looking at it that it's a MsgBox(), I mean a simple search and replace would show that.

Edited by guinness


Yes, the problem is that people can easily replace it however I'll try to make something new. I've got some new ideas which would be harder to replace (nothing is impossible)

Lol, of course it won't be just simply $asd = msgbox, that was just a fast example. I will encrypt it, since you can execute them the following way:

$asd = Execute("msgbox")

Where you can easily encrypt anything between "..."

What am I waiting for? Ideas which can be script breaking. For example commands which I forgot to mention in my notes (for example if you replace all the variables, but forget to match it with Assign it will cause trouble)

I just want to know if someone knows anything which I forgot to note at the starting post. Maybe any helpful comment or something like that :)


Well so long as you mention that there will be an increase in execution who am I to tell you what to do. Good luck.



Heh, well, true... true... :) I should find a way which is secure at least a bit, and fast enough. I was just curious if I missed any command like those above :P I think I will start it and later it will turn out if it works. Or I have to look for other ways to protect which are somewhat more secure... Already got some ideas... :) Got so many things to do, but so little time :P


I'm planning to make an obfuscator which is 3.3.10.2 compatible and will use some unique methods and will even obfuscate basic commands (like msgbox etc) with the brand new ability to be able to use the following method $asd = msgbox

I say go for it. I am sure it will be a learning experience as it was for me. :)

Jos



Obfuscator would be welcome as far as I'm concerned. guinness, don't be like that.
Obfuscation can be done in many different ways, so Unc3nZureD you shouldn't be limiting yourself inside the box of existing solutions. What you should take into consideration is that you should make it non-reversible without a number of manual interventions. This will kill the desire for deobfuscation very soon, even in "determined" hackers.
For example (basic GuiCreate example from the help file):

#include <GUIConstantsEx.au3>

$_ = ObjCreate("Scripting.Dictionary")
$_.Add(-1, $_)
$_.Add(0, GUICreate)
$_.Add(1, GUICtrlCreateButton)
$_.Add(2, GUISetState)
$_.Add(3, @SW_SHOW)
$_.Add(5, Example)
$_.Add(6, $GUI_EVENT_CLOSE)
$_.Add(7, GUIDelete)
$_.Add(8, $GUI_EVENT_CLOSE)
$_.Add(9, "Example")
$_.Add(10, "OK")
$_.Add(11, GUIGetMsg)
$_.Add(40, $_(-1))
$_.Add(17, -1)
$_.Add(12, $_(-1)(40))

($_(5))()


Func Example()
    Local $hGUI = ($_($_(-1)(17))(0))(($_(9)))
    Local $idOK = ($_(1))((($_($_(40)(17)))(10)), 310, 370, 85, 25)
    ($_(-1)(2))(($_(40)(3)), $hGUI)
    While 1
        Switch ($_(40)(11))()
            Case ($_(8)), $idOK
                ExitLoop
        EndSwitch
    WEnd
    ($_(-1)(7))($hGUI)
EndFunc

That can be obfuscated to the level which would make it impossible to be run through some de-obfuscator tool for source. Hiding code by encrypting strings and whatnot isn't really what obfuscation should be about.



@trancexx: there must be something if you are the one who said that.

If it's possible, why doesn't somebody create one?


Well, that's a good idea. String encryption should be secondary. I think I should find solutions to make it real hard to reverse.

Anyways your example gives some error for me.

>"D:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /run /prod /ErrorStdOut /in "C:\Users\Unknown User\Desktop\ShellMod.au3" /UserParams    
+>12:01:32 Starting AutoIt3Wrapper v.2.1.4.0 SciTE v.3.3.7.0 ;  Keyboard:0000040E  OS:WIN_81/  CPU:X64 OS:X64    Environment(Language:0409  Keyboard:0000040E  OS:WIN_81/  CPU:X64 OS:X64)
>Running AU3Check (3.3.10.1)  from:D:\Program Files\AutoIt3
"C:\Users\Unknown User\Desktop\ShellMod.au3"(18,18) : error: syntax error
$_.Add(12, $_(-1)(
~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(20,9) : error: syntax error
($_(5))()
~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(24,29) : error: syntax error
    Local $hGUI = ($_($_(-1)(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(25,26) : error: syntax error
    Local $idOK = ($_(1))(
~~~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,12) : error: unbalanced paranthesis expression.
    ($_(-1)(
~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,15) : error: syntax error
    ($_(-1)(2))
~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,24) : error: unbalanced paranthesis expression.
    ($_(-1)(2))(($_(40)(
~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,24) : error: unbalanced paranthesis expression.
    ($_(-1)(2))(($_(40)(
~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,27) : error: syntax error
    ($_(-1)(2))(($_(40)(3))
~~~~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(28,23) : error: unbalanced paranthesis expression.
        Switch ($_(40)(
~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(28,23) : error: syntax error
        Switch ($_(40)(
~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(33,12) : error: unbalanced paranthesis expression.
    ($_(-1)(
~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(33,15) : error: syntax error
    ($_(-1)(7))
~~~~~~~~~~~~~~^
C:\Users\Unknown User\Desktop\ShellMod.au3 - 13 error(s), 0 warning(s)
!>12:01:32 AU3Check ended. Press F4 to jump to next error.rc:2
>Exit code: 2    Time: 0.452


There are no errors in that code. It can only be an error in Au3Check.

I see you use Jos' wrapper tool. You have a directive there to disable AU3Check.



Heh, interesting. I compiled it and it works perfectly. I will disable AU3Check and analyze your code :) Thanks for the suggestion.


After that analyze this:

$_ = ObjCreate("Scripting.Dictionary")
$_.Add(-1, $_)
$_.Add(0, GUICreate)
$_.Add(1, GUICtrlCreateButton)
$_.Add(2, GUISetState)
$_.Add(3, @SW_SHOW)
$_.Add(3.21, Example)
$_.Add(7, GUIDelete)
$_.Add(21.3, 7)
$_.Add(8, $GUI_EVENT_CLOSE)
$_.Add(1/10, @AutoItPID)
$_.Add(9, "Example")
$_.Add(10.1, "OK")
$_.Add(11, GUIGetMsg)
$_.Add(40, $_(-1))
$_.Add(17, -1)
$_.Add(0.75, $_(-1)(40))
$_.Add($_(.1), $_.item(8))

($_(.321*10))()


Func Example()
    Local $hGUI = ($_($_(-1)(17))(0))(($_(9)))
    Local $idOK = ($_(1))((($_($_(40)(17)))(9 + 1.1)), 310, 370, 85, 25)
    ($_(-1)(2))(($_(40)(3)), $hGUI)
    While 1
        Switch ($_(3/4 + $_(0))(11))()
            Case ($_($_(.1))), $idOK
                ExitLoop
        EndSwitch
    WEnd
    ($_(-1)($_(21.3)))($hGUI)
EndFunc

...It's the same thing only access is randomized more.

Both examples are forms of simple obfuscation, so now imagine what would happen if I would add a few more functions that would dynamically set dictionary elements (and then set it to its own elements). There would be no way to figure out what's going down, nor any chance of writing a successful deobfuscator.



trancexx, why don't you write one? It will be very useful for many people!


Why do you think I haven't already?

Maybe I wrote different compiler for AutoIt scripts too. One that wouldn't freak out AV-s. Maybe Jon knows that but doesn't want me to share it with you? Maybe he thinks that would make him look incompetent? Maybe things are different below surface than on top?

Things are sometimes very different below surface than on top. I'm not interested in fighting wars.


I'm aware of the fact that the topics about prevention of decompiling scripts are forbidden for good reasons and I'm not arguing that in any sense. The mods know what they are doing, thanks to them for the good job.

I have also no issues with security workers who need to know if a program is malicious or not, but there are others over there that don't use reverse engineering for the right reasons. I appreciate any effort to make it harder to decompile or understand the decompiled AutoIt programs.


Why do you think I haven't already?

Maybe I wrote different compiler for AutoIt scripts too. One that wouldn't freak out AV-s. Maybe Jon knows that but doesn't want me to share it with you? Maybe he thinks that would make him look incompetent? Maybe things are different below surface than on top?

Things are sometimes very different below surface than on top. I'm not interested in fighting wars.

 

I believe none of us are interested in starting fighting wars :)

You both are very very very competent in your field, I believe nobody will think you both are not.

And yes, I believe a compiler that won't freak out AV-s and a really good obfuscator will be a benefit for many good people.

What is the goodness and happiness if we have something good but keep it for ourselves? :P


Why do you think I haven't already?

Maybe I wrote different compiler for AutoIt scripts too. One that wouldn't freak out AV-s. Maybe Jon knows that but doesn't want me to share it with you? Maybe he thinks that would make him look incompetent? Maybe things are different below surface than on top?

Things are sometimes very different below surface than on top. I'm not interested in fighting wars.

So tell us trancexx don't flirt, what manner of polymorphic wizardry did you come up with in this private compiler build of yours that could consistently weather the abuse all other public tools get from haxor wannabes (your words) and antivirus companies alike?

Far better than the method chosen to obstruct compiler and interpreter modification no doubt. Yes yes I know if you had your way such things would be irrelevant for the betterment of scriptdom.

Anything and everything released publicly will get abused and flagged eventually even something crafted by your fair hand.

The self belief that one might succeed where ALL others have failed is healthy and drives us to excel as individuals, however publicly promoting yourself as succeeding consistently where all others have failed is as big a joke as application security is.


Who are ALL others?

I remember when I was suggesting adding one particular feature to AutoIt, I was turned off because "it can't be done", because "if it would be possible other languages would have had it already", because "at least one would have done it before you". Later when I added it to the language, making it unique therefore, it was "Oh cool, it's possible".

Your "ALL others" is invalid argument. I invented the current compiler which is better and more correct than the old one, and I invented new compiler which is better and more correct than the current. Why is that hard for you or anyone else to believe really isn't something I'll be losing sleep over.

...And saying I'm cracking jokes. Ouch.
