Obfuscator suggestions

Unc3nZureD · January 20, 2014

I'm planning to make an obfuscator which is 3.3.10.2 compatible and will use some unique methods and will even obfuscate basic commands (like msgbox etc) with the brand new ability to be able to use the following method $asd = msgbox

Well, yes I'm not one of the worlds best coder, and yes, it will take quite long time to develope it, but I'd like to try it

I made a small list what I have to take care:

Quoted Funcs:
- #OnAutoitStartRegister "asd"
- OnAutoItExitRegister( "asd" )
- OnAutoItExitUnRegister( "asd" )
- AdlibRegister( "asd" )
- AdlibUnRegister( "asd" )
- Call( "asd" )
- Hotkeyset( x, "asd" )

Quoted Vars:
- Assign( "var" )
- IsDeclared( "var" )

Don't change:
- $CmdLine
- $CmdLineRaw
- Include Variables/Funcs (Might have to include/obfuscate all, so won't cause problem -> but +time)

Warning:
- Execute() [Doesn't seem to be hard to deal with it, but who knows]
- FileInstall() [mustn't encode string]
- Change unique execute with real return value [unique function, makes Executable return the real return instead of 1/0]

__________________________________________________________

Any more ideas what cases do I have to take care, which could cause trouble?

guinness · January 20, 2014

...and your question is what exactly? You will soon understand why Jos (quite rightfully so) decided to consider dropping the Obfuscation portion of Obfuscator, because you're giving a false sense of protection to your users. I hope you understand that?!

Edit: I also think using this feature $asd = msgbox is kind of pointless and insulting to those with some common sense, because it's not hard to work out that just by looking at it that it's a MsgBox(), I mean a simple search and replace would show that.

Edited January 20, 2014 by guinness

Unc3nZureD · January 20, 2014

Yes, the problem is that people can easily replace it however I'll try to make something new. I've got some new ideas which would be harder to replace (nothing is impossible)

Lol, of course it won't be just simply

$asd = msgbox, that was just a fast example. I will encrypt it, since you can execute them the following way:

$asd = Execute("msgbox")

Where you can easily encrypt anythign between "..."

What am I waiting? Ideas which can be script breaking. For example commands which I forgot to mention in my notes (for example if you replace all the variables, but forgot to match it with assign it will cause trouble)

I just want to know if someone knows anything which I forgot to note at the starting post. Maybe any helpful comment or something like that

guinness · January 20, 2014

Well so long as you mention that there will be an increase in execution who am I to tell you what to do. Good luck.

Unc3nZureD · January 21, 2014

Heh, well, true... true... I should find a way which is secure at least a bit, and fast enough. I was just curious if I missed any command like thoose upper I think I will start it and later it will turn out if it works. Or I have to look for other ways to protect which is some more secure... Already got some ideas... Got so much things to do, but so little time

Jos · January 21, 2014

I'm planning to make an obfuscator which is 3.3.10.2 compatible and will use some unique methods and will even obfuscate basic commands (like msgbox etc) with the brand new ability to be able to use the following method $asd = msgbox

I say go for it. I am sure it will be a learning experience as it was for me.

Jos

trancexx · January 21, 2014

Obfuscator would be wellcome as far as I'm concerned. guinness, don't be like that.
Obfuscation can be done in many different ways, so Unc3nZureD you shouldn't be limiting yourself inside the box of existing solutions. What you should take into consideration is that you should make it non-reversble without number of manual intervention. This will kill the desire for deobfuscation very soon, even in "determined" hackers.
For example (basic GuiCreate example from the help file):

#include <GUIConstantsEx.au3>

$_ = ObjCreate("Scripting.Dictionary")
$_.Add(-1, $_)
$_.Add(0, GUICreate)
$_.Add(1, GUICtrlCreateButton)
$_.Add(2, GUISetState)
$_.Add(3, @SW_SHOW)
$_.Add(5, Example)
$_.Add(6, $GUI_EVENT_CLOSE)
$_.Add(7, GUIDelete)
$_.Add(8, $GUI_EVENT_CLOSE)
$_.Add(9, "Example")
$_.Add(10, "OK")
$_.Add(11, GUIGetMsg)
$_.Add(40, $_(-1))
$_.Add(17, -1)
$_.Add(12, $_(-1)(40))

($_(5))()


Func Example()
    Local $hGUI = ($_($_(-1)(17))(0))(($_(9)))
    Local $idOK = ($_(1))((($_($_(40)(17)))(10)), 310, 370, 85, 25)
    ($_(-1)(2))(($_(40)(3)), $hGUI)
    While 1
        Switch ($_(40)(11))()
            Case ($_(8)), $idOK
                ExitLoop
        EndSwitch
    WEnd
    ($_(-1)(7))($hGUI)
EndFunc

That can be obfuscated to the level which would make it impossible to be run through some de-obfuscator tool for source. Hiding code by encrypting strings and whatnot isn't really what obfuscation should be about.

michaelslamet · January 21, 2014

@trancexx: there must be something if you are the one who said that.

If its possible, why not somebody create one?

Unc3nZureD · January 21, 2014

Well, that's a good idea. String encryption should be secondary. I think I should find solutions to make it real hard to reverse.

Anyways your example gives some error for me.

>"D:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /run /prod /ErrorStdOut /in "C:\Users\Unknown User\Desktop\ShellMod.au3" /UserParams    
+>12:01:32 Starting AutoIt3Wrapper v.2.1.4.0 SciTE v.3.3.7.0 ;  Keyboard:0000040E  OS:WIN_81/  CPU:X64 OS:X64    Environment(Language:0409  Keyboard:0000040E  OS:WIN_81/  CPU:X64 OS:X64)
>Running AU3Check (3.3.10.1)  from:D:\Program Files\AutoIt3
"C:\Users\Unknown User\Desktop\ShellMod.au3"(18,18) : error: syntax error
$_.Add(12, $_(-1)(
~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(20,9) : error: syntax error
($_(5))()
~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(24,29) : error: syntax error
    Local $hGUI = ($_($_(-1)(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(25,26) : error: syntax error
    Local $idOK = ($_(1))(
~~~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,12) : error: unbalanced paranthesis expression.
    ($_(-1)(
~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,15) : error: syntax error
    ($_(-1)(2))
~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,24) : error: unbalanced paranthesis expression.
    ($_(-1)(2))(($_(40)(
~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,24) : error: unbalanced paranthesis expression.
    ($_(-1)(2))(($_(40)(
~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(26,27) : error: syntax error
    ($_(-1)(2))(($_(40)(3))
~~~~~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(28,23) : error: unbalanced paranthesis expression.
        Switch ($_(40)(
~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(28,23) : error: syntax error
        Switch ($_(40)(
~~~~~~~~~~~~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(33,12) : error: unbalanced paranthesis expression.
    ($_(-1)(
~~~~~~~~~~~^
"C:\Users\Unknown User\Desktop\ShellMod.au3"(33,15) : error: syntax error
    ($_(-1)(7))
~~~~~~~~~~~~~~^
C:\Users\Unknown User\Desktop\ShellMod.au3 - 13 error(s), 0 warning(s)
!>12:01:32 AU3Check ended. Press F4 to jump to next error.rc:2
>Exit code: 2    Time: 0.452

trancexx · January 21, 2014

There are no errors in that code. It can only be error in Au3Check.

I see you use Jos' wrapper tool. You have directive there to disable AU3Check.

Unc3nZureD · January 21, 2014

Heh, interesting. I compiled it and it works perfectly. I will disable AU3Check and analyze your code Thanks for the suggestion.

trancexx · January 21, 2014

After that analyze this:

$_ = ObjCreate("Scripting.Dictionary")
$_.Add(-1, $_)
$_.Add(0, GUICreate)
$_.Add(1, GUICtrlCreateButton)
$_.Add(2, GUISetState)
$_.Add(3, @SW_SHOW)
$_.Add(3.21, Example)
$_.Add(7, GUIDelete)
$_.Add(21.3, 7)
$_.Add(8, $GUI_EVENT_CLOSE)
$_.Add(1/10, @AutoItPID)
$_.Add(9, "Example")
$_.Add(10.1, "OK")
$_.Add(11, GUIGetMsg)
$_.Add(40, $_(-1))
$_.Add(17, -1)
$_.Add(0.75, $_(-1)(40))
$_.Add($_(.1), $_.item(8))

($_(.321*10))()


Func Example()
    Local $hGUI = ($_($_(-1)(17))(0))(($_(9)))
    Local $idOK = ($_(1))((($_($_(40)(17)))(9 + 1.1)), 310, 370, 85, 25)
    ($_(-1)(2))(($_(40)(3)), $hGUI)
    While 1
        Switch ($_(3/4 + $_(0))(11))()
            Case ($_($_(.1))), $idOK
                ExitLoop
        EndSwitch
    WEnd
    ($_(-1)($_(21.3)))($hGUI)
EndFunc

...It's the same thing only access is randomized more.

Both examples are forms of simple obfuscation, so now imagine what would happen if I would add few more functions that would dynamically set dictionary elements (and then set it to its own elements). There would be no way to figure out what's going down, nor any chance of writting successful deobfuscator.

michaelslamet · January 21, 2014

trancexx, why dont you write one? it will be very useful for many people!

trancexx · January 21, 2014

Why do you think I haven't already?

Maybe I wrote different compiler for AutoIt scripts too. One that wouldn't freak out AV-s. Maybe Jon knows that but doesn't want me to share it with you? Maybe he thinks that would make him look incompetent? Maybe things are different below surface than on top?

Things are sometimes very different below surface than on top. I'm not interested in fighting wars.

Factfinder · January 21, 2014

I'm aware of the fact that the topics about prevention of decompiling scripts are forbidden for good reasons and I'm not arguing that in any sense. The mods know what they are doing, thanks to them for the good job.

I have also no issues with security workers who need to know if a program is malicious or not, but there are others over there that don't use reverse engineering for right reasons. I appreciate any effort to make it harder to decompile or understand the decompiled autoit programs.

michaelslamet · January 21, 2014

Why do you think I haven't already?

Maybe I wrote different compiler for AutoIt scripts too. One that wouldn't freak out AV-s. Maybe Jon knows that but doesn't want me to share it with you? Maybe he thinks that would make him look incompetent? Maybe things are different below surface than on top?

Things are sometimes very different below surface than on top. I'm not interested in fighting wars.

I believe non of us interested to starting a fighting wars

You both are very very very competent in your field, I believe nobody will think you both are not.

And yes, I believe compiler that wont freak out AV-s and a really good obfuscator will be benefit for many good people.

What is the goodness and happiness if we have something good but keep it for ourself?

Mobius · January 22, 2014

Why do you think I haven't already?Maybe I wrote different compiler for AutoIt scripts too. One that wouldn't freak out AV-s. Maybe Jon knows that but doesn't want me to share it with you? Maybe he thinks that would make him look incompetent? Maybe things are different below surface than on top? Things are sometimes very different below surface than on top. I'm not interested in fighting wars.

So tell us trancexx don't flirt, what manner of polymorphic wizardry did you come up with in this private compiler build of yours that could consistently weather the abuse all other public tools get from haxor wannabes (your words) and antivirus companies alike?

Far better than the method chosen to obstruct compiler and interpreter modification no doubt. Yes yes I know if you had your way such things would be irrelevant for the betterment of scriptdom.

Anything and everything released publicly will get abused and flagged eventually even something crafted by your fair hand.

The self belief that one might succeed where ALL others have failed is healthy and drives us to excel as individuals, however publicly promoting yourself as succeeding consistently where all others have failed is as big a joke as application security is.

trancexx · January 22, 2014

Who are ALL others?

I remember when I was suggesting adding one particular feature to AutoIt, I was turned off because "it can't be done", because "if it would be possible other languages would have had it already", because "at least one would have done it before you". Later when I added it to the language, making it unique therefore, it was "Oh cool, it's possible".

Your "ALL others" is invalid argument. I invented the current compiler which is better and more correct than the old one, and I invented new compiler which is better and more correct than the current. Why is that hard for you or anyone else to believe really isn't something I'll be losing sleep over.

...And saying I'm cracking jokes. Ouch.

Obfuscator suggestions

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members