Obfuscation Methods


I am writing an obfuscator currently with quite a few features, as I have found no good obfuscators yet that are complex enough to be nearly impossible to deobfuscate (as of course it is impossible to reach a 100% level of obfuscation where no one can deobfuscate it).

Current obfuscation methods include flow obfuscation, string encryption, proxy calls, a unique renaming scheme (creating gibberish WinAPI-like names), junk code, removing all functions (merging them with the main script), traps to prevent automated deobfuscation, debugger detection, VM detection, moving strings to other parts of the script (functions, proxy strings, etc.), exit if not compiled, and a file integrity check. Decompile protection is also added (nothing that violates the reverse engineering clause of the ToS; I am using a PE loader with protections built into it).

Does anyone have any ideas for more obfuscation methods to add?
 

Edited by Codefuser

Your thread title reminds me of 3 years ago; time's going by so fast. Mine was called "Obfuscator Method", I was just wondering about an improvement of the security of executables developed with AutoIt... thread closed. "Everyone knows" but nothing changed; the situation has worsened since now the "official" obfuscator was discontinued and we don't have anything from a "secure source" to protect our scripts. Apart from anything else, if your obfuscator can at least avoid automatic tools we are lucky; I hope you can share it with us when it's done. Good work.

Edited by Terenz

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 


I know autoit is not secure and the dev teams are not interested in working on that, which is why I am working on it.

I have implemented many complications and methods to avoid automated deobfuscation. However I feel that it would still be too easy since RegExp could be used.

If anyone has any ideas, that would greatly help. And yes, this will be available, not sure if for free or not yet since I spent a lot of time debugging and working on this.


I'm not an expert at de-obfuscation, at all lol, but imho you can make an .exe protected with your system and post it in a forum like tuts4you (since here you can't do it by the rules) so they can tell you what to improve and where the security holes or vulnerabilities are. Release it for free; remember the community would be grateful for life if it is a real solution against decompilation or deobfuscation.

P.S. I was thinking, what about performance? AutoIt isn't the fastest tool in this world so I hope it doesn't slow things up too much.

 

Edited by Terenz


Last I checked decompilation is not allowed but discussion of obfuscation is, so I can still post obfuscated scripts/obfuscated crackmes, right?
And I am still looking for ideas to be implemented into my obfuscator.

Regarding performance, it will have a certain degree of impact as strings are encrypted and obfuscated. I am currently using AES but I will consider using shellcode with XOR as XOR is much faster.

 

Edited by Codefuser

Don't encrypt strings. Why would you want to do that?

Think outside the box. For example, does this work for you:

#AutoIt3Wrapper_Run_AU3Check=n

#include <GUIConstantsEx.au3>


$_ = Execute
$_ = ($_) (Chr(Random(64 + SRandom(-2139808481), 122, 1)) & Chr(Random(65, 122, 1)) & Chr(Random(65, 122, 1)) & Chr(Random(65, 122, 1)) & Chr(Random(65 + SRandom(-2139808481), 122, 1)) & Chr(SRandom(-2138722446) - 1 + Random(65, 122, 1)) & Chr(Random(65, 122, 1)) & Chr(Random(65, 122, 1)) & Chr(Random(65, 122, 1))) ("{EE09B103-97E0-11CF-978F-00A02463E06F}")
$_(-1) = $_
$_(40) = $_(-1)
$_(0) = GUICreate
$_(1) = GUICtrlCreateButton
$_(2) = GUISetState
$_(3.1) = @SW_SHOW
$_(Random(1, 1000, 1)) = Example
$_(6) = $GUI_EVENT_CLOSE
$_(7) = GUIDelete
$_(8) = $GUI_EVENT_CLOSE
$_(9) = "Example"
$_(10) = "OK"
$_(Random(1, 1000, 1)) = GUIGetMsg
$_(Random(1, 1000, 1)) = $_(-1)
$_(16 + 1) = -1
$_(13 + $_(20 - 3)) = $_(-1) (598)
($_(310)) ()


Func Example()
    Local $hGUI = ($_($_(-5 + 4) (-1 + 18)) (56 - 67 + 11)) (($_(91 - 82)))
    Local $idOK = ($_(1)) ((($_($_(598) (11 + 6))) (101 - 91)), 310, 370, 85, 25)
    ($_(-11 + 10) (1 + 1)) (($_(598) (3 + .1)), $hGUI)
    While 1
        Switch ($_(598) (269)) ()
            Case ($_(2 * 4)), $idOK
                ExitLoop
        EndSwitch
    WEnd
    ($_($_(10 + 7)) (7)) ($hGUI)
EndFunc

...if yes then what's the code?

This is a super simple obfuscation method that makes it impossible to pass through a universal deobfuscator if implemented correctly.
A variation of the method is used here for only a piece of the script. Can you deobfuscate it?

Edited by trancexx


@trancexx nice use of Scripting.Dictionary. By the way, that is how my deobfuscated scripts look all the time :sweating:

The "Is" AutoIt functions help to deobfuscate, at least manually.

 

Regards


@trancexx I am encrypting and then applying obfuscation through Chr + some math generation stuff.

And yes, I am doing the proxy calls through assigning functions to variables as well.

Scripting.Dictionary does look interesting and I will look at it. Looks like some powerful stuff right there.

Edited by Codefuser

I speculate that, with obfuscation, deliberately confusing information can be as annoying as obviously hidden information. Misnomers, inappropriate constants and the like may make cracking the code more difficult. That was the idea when I posted Orfuscator. I have discontinued this idea for the time being, but I still think the concept has a little merit. For example, the following script looks like it has something to do with File.au3:

#include <File.au3>
Global $i, $FILE = MsgBox, $DeepThought = StringToBinary, $WhiteMice = StringRegExpReplace
$FILE(BitOR($FILE_ATTRIBUTE_SYSTEM, $FSF_CREATEBUTTON), 'HGGTTG', $WhiteMice(StringReverse($DeepThought(-($i^$i)^(($i^$i)/(($i^$i)+($i^$i))))), ".\K.+(?=\dx)|x\d", ""))

At the end of the day, methods of this nature are only (at best) going to hinder human comprehension of the script.

Edited by czardas

On 14/10/2016 at 2:05 PM, trancexx said:

This is a super simple obfuscation method that makes it impossible to pass through a universal deobfuscator if implemented correctly

The legend tells of a girl, a girl with an enchanted compiler that won't be detected by AVs as a false positive and an obfuscator made by herself. But the Dark Lord, jealous of the magical power, shut her in the highest tower of the castle, condemning us all to darkness...

Something like this can be deobfuscated by automated tools, right?

Execute(BinaryToString("0x5F" & StringLen("EGIE") & "C" & StringLen("IKT") & "0" & StringLen("CGAIVWU") & "8" & Execute("_L0x49BC1F2FFF7F67EA4ED529224AE5653D(1*9)-5") & StringLen("e") & Execute("_L0x49BC1F2FFF7F67EA4ED529224AE5653D(1*9)-5") & StringLen("IKT") & "4" & StringLen("IKT") & "4541344" & StringLen("qD") & "3630353938313544464334314" & StringLen("qD") & "434" & StringLen("qD") & "464630464534334433454C" & StringLen("qD") & "829"))
Execute(BinaryToString("0x5F" & StringLen("TQIC") & "C" & StringLen("TQIC") & "C" & StringLen("SLB") & "0" & StringLen("IRQXQGN") & "8" & StringLen("TQIC") & "4" & StringLen("SLB") & "84" & StringLen("SLB") & "3" & StringLen("gD") & "3944344" & StringLen("gD") & "363030433435353" & StringLen("t") & "4" & StringLen("t") & "433843373" & StringLen("t") & "453642424536344236372829"))
Global Const $_L0x0FEE588EED7D9F95815388C8D4AD16D0 = -3
Global Const $_L0x3F88BD354EFF231C06FC11430C17047C = 0x00020000
Global Const $_L0xF00FC9BCB110A7DCBDA5A57D85D11876 = 0x00080000
Global Const $_L0x8079E7527BA1F4F4EFD5A53453337009 = 0x00C00000
Global Const $_L0x21039B523C18684398B38F5643401B0D = 0x80000000
Global Const $_L0x1DEF558C46E120C632612D27F4DFE56F = BitOR($_L0x3F88BD354EFF231C06FC11430C17047C, $_L0x8079E7527BA1F4F4EFD5A53453337009, $_L0x21039B523C18684398B38F5643401B0D, $_L0xF00FC9BCB110A7DCBDA5A57D85D11876)
$_L0x122506BFD02937035E895EB15AC9A82A = Execute(BinaryToString("0x" & StringLen("dY") & "0" & StringLen("EJSJ") & StringLen("PQOVUUI") & "55" & StringLen("EJSJ") & "9" & StringLen("EJSJ") & StringLen("IPU") & StringLen("PQOVUUI") & StringLen("dY") & "656" & StringLen("t") & StringLen("PQOVUUI") & "465" & StringLen("dY") & "820244C5F4C" & StringLen("IPU") & "0" & StringLen("PQOVUUI") & "83437333931424634383430314138463731313745433444433045303845363934202C203330302C203330302C202D312C202D3129"))
Execute(BinaryToString("0x" & StringLen("JOLN") & StringLen("ETOWAVV") & "55" & StringLen("JOLN") & "95" & StringLen("NZI") & "65" & StringLen("ETOWAVV") & Execute("_L0x49BC1F2FFF7F67EA4ED529224AE5653D(7*9)-5") & "5" & StringLen("NZI") & "746" & StringLen("q") & "7465" & StringLen("dT") & "8405" & StringLen("NZI") & "575F53484F57" & StringLen("dT") & "9"))

While 1
    $_L0x7C495B03B3AD6D149BF530999C7E063D = Execute(BinaryToString("0x" & StringLen("kI") & "0" & StringLen("RYCW") & StringLen("MLEVCMZ") & "55" & StringLen("RYCW") & "94" & StringLen("MLEVCMZ") & "65" & StringLen("MLEVCMZ") & "44D" & StringLen("MLEVCMZ") & StringLen("SKT") & "6" & StringLen("MLEVCMZ") & StringLen("kI") & (5 + 9) ^ 2 - 188 & "29"))
    Switch $_L0x7C495B03B3AD6D149BF530999C7E063D
        Case $_L0x0FEE588EED7D9F95815388C8D4AD16D0
            Exit
    EndSwitch
WEnd

Func _L0x49BC1F2FFF7F67EA4ED529224AE5653D($_L0x7AD28395A3BCAB9E982F0E258AAEBA48)
    Local $_L0x6E5383D9D6EDCFB6693BCC4072AE83A7 = StringSplit($_L0x7AD28395A3BCAB9E982F0E258AAEBA48, "")
    $_L0x7AD28395A3BCAB9E982F0E258AAEBA48 = Execute(BinaryToString("0x" & StringLen("IUCG") & "5" & StringLen("PNSYDLL") & "8656" & StringLen("TRY") & StringLen("PNSYDLL") & "5" & StringLen("PNSYDLL") & StringLen("IUCG") & "65" & StringLen("fI") & "8" & StringLen("fI") & "74" & StringLen("fI") & "696E6" & StringLen("j") & "7" & StringLen("fI") & "79546F5" & StringLen("TRY") & "7472696E672822" & StringLen("TRY") & "0782226537472696E676C656E2822564F44222926223022292729"))
    For $_L0xFDC06150117C12FE2F6B2E4D3AA25046 = 1 To UBound($_L0x6E5383D9D6EDCFB6693BCC4072AE83A7) - 1
        $_L0x7AD28395A3BCAB9E982F0E258AAEBA48 = Execute(BinaryToString("0x" & StringLen("nV") & StringLen("NWQI") & "5F" & StringLen("NWQI") & "C" & StringLen("GBO") & "0" & StringLen("LBGMIPX") & "8" & StringLen("GBO") & StringLen("LBGMIPX") & StringLen("NWQI") & StringLen("m") & "44" & StringLen("GBO") & StringLen("nV") & "383339354" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "334" & StringLen("nV") & "434" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "4" & StringLen("nV") & "39453938324630453235384" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "4" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "45424" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "34382B245F4C30" & StringLen("LBGMIPX") & "83645353338334439443645444346423636393342434334303" & StringLen("LBGMIPX") & "324" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "4538334" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "375B245F4C307846444330363" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "35303" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "3" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "37433" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "3246453246364232453444334" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "4" & Execute(BinaryToString('0x696E7428436F732853696E202837303533322E3731343438373733363129295E2D3129')) & "32353034365D"))
    Next
    Return $_L0x7AD28395A3BCAB9E982F0E258AAEBA48
EndFunc   ;==>_L0x49BC1F2FFF7F67EA4ED529224AE5653D


Func _LL0xD8C29D4B600C4551AC8C71E6BBE64B67()
    Global $L_L0x47391BF48401A8F7117EC4DC0E08E694
    Execute(BinaryToString("0x" & StringLen("OLRI") & StringLen("t") & StringLen("LXMJLXY") & StringLen("UIW") & StringLen("LXMJLXY") & "3696" & StringLen("LXMJLXY") & "6E" & StringLen("rE") & "8" & StringLen("rE") & "7" & StringLen("OLRI") & "C5F" & Execute("_L0x49BC1F2FFF7F67EA4ED529224AE5653D(6*9)-5") & "C30783" & Execute("_L0x49BC1F2FFF7F67EA4ED529224AE5653D(6*9)-5") & "3733393" & StringLen("t") & "4246343834303" & StringLen("t") & "4138463731313745433444433045303845363934272C2027466F726D312729"))
EndFunc   ;==>_LL0xD8C29D4B600C4551AC8C71E6BBE64B67

Func _L0xACCEA4B6059815DFC41BCBFF0FE43D3EL()
EndFunc   ;==>_L0xACCEA4B6059815DFC41BCBFF0FE43D3EL

 

Edited by Terenz

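The Execute(BinaryToString(...)) layer in the script quoted above is assembled from string literals and StringLen() calls on literals, so most of it folds to plain hex without running the script; the piece that does not fold is the nested Execute() of a runtime function, which is what forces an analyst (or a detection pipeline) into the interpreter. The following Python is an added illustration, not code from this thread or from any tool named in it: it folds such a chain and stops at the first operand that needs the interpreter. SAMPLE_FULL is the script's second Execute() argument copied as-is; SAMPLE_HOLE is a shortened copy of its first one.

```python
import re

# Constructed samples, copied from the script quoted in the post above: the second
# Execute(...) argument (folds completely) and a shortened first one (calls a runtime function).
SAMPLE_FULL = (
    'BinaryToString("0x5F" & StringLen("TQIC") & "C" & StringLen("TQIC") & "C" & '
    'StringLen("SLB") & "0" & StringLen("IRQXQGN") & "8" & StringLen("TQIC") & "4" & '
    'StringLen("SLB") & "84" & StringLen("SLB") & "3" & StringLen("gD") & "3944344" & '
    'StringLen("gD") & "363030433435353" & StringLen("t") & "4" & StringLen("t") & '
    '"433843373" & StringLen("t") & "453642424536344236372829")')
SAMPLE_HOLE = (
    'BinaryToString("0x5F" & StringLen("EGIE") & "C" & StringLen("IKT") & "0" & '
    'StringLen("CGAIVWU") & "8" & Execute("_L0x49BC1F2FFF7F67EA4ED529224AE5653D(1*9)-5") & '
    'StringLen("e") & "4541344")')

LITERAL = re.compile(r'^(["\'])(.*)\1$', re.S)
STRLEN = re.compile(r'^StringLen\(\s*(["\'])(.*)\1\s*\)$', re.S)


def split_top_level(expr):
    """Split on '&' operators that sit outside quotes and parentheses."""
    pieces, depth, quote, start = [], 0, None, 0
    for i, c in enumerate(expr):
        if quote:
            quote = None if c == quote else quote
        elif c in '"\'':
            quote = c
        elif c in '()':
            depth += 1 if c == '(' else -1
        elif c == '&' and depth == 0:
            pieces.append(expr[start:i])
            start = i + 1
    pieces.append(expr[start:])
    return [p.strip() for p in pieces]


def fold_piece(piece):
    """Constant-fold one operand; None means it needs the interpreter."""
    m = LITERAL.match(piece) or STRLEN.match(piece)
    if m is None:
        return None  # Execute(...) of a runtime value, arithmetic, variables, ...
    return m.group(2) if m.re is LITERAL else str(len(m.group(2)))  # StringLen("IKT") -> "3"


def resolve(expr):
    """Return (decoded_text, unresolved_count) for a BinaryToString(...) chain. Decoding
    stops at the first operand that cannot be folded: a hole of unknown width would
    misalign every byte pair after it, so nothing past it is guessed."""
    expr = expr.strip()
    if expr.startswith('BinaryToString(') and expr.endswith(')'):
        expr = expr[len('BinaryToString('):-1]
    hexdigits, unresolved = [], 0
    for piece in split_top_level(expr):
        val = fold_piece(piece)
        if val is None:
            unresolved += 1
        elif unresolved == 0:
            hexdigits.append(val)
    hexstr = re.sub(r'^0x', '', ''.join(hexdigits), flags=re.I)
    hexstr = hexstr[:len(hexstr) // 2 * 2]  # drop a dangling nibble left before a hole
    return bytes.fromhex(hexstr).decode('latin-1'), unresolved
```

resolve(SAMPLE_FULL) yields the call to the script's own _LL0xD8C2... function with nothing unresolved, while resolve(SAMPLE_HOLE) stops at "_L0x" and reports one operand that only the interpreter can supply.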

It can be interpreted and there lies the Achilles heel. Any code that can be interpreted is also susceptible to analysis. You cannot hide the program from the operating system if you ever intend to run it. You might fool an amateur hacker with the code above, but that's about all. It might be better than no protection, but in reality you need to do more. Maybe distract the code hacker by giving them something much harder to solve (and potentially more lucrative) than a simple reverse engineering task. Hopefully they will eventually give up and wish they'd never set eyes on your code, or they might stay in their bedroom trying to figure it out for years. :tv_happy:

Edited by czardas

We have different expectations. I totally don't care about an "amateur hacker" or anyone with reversing knowledge (if they know how to reverse they probably know how to write...). I just don't want everyone, even if they don't know 1 line of coding, to be able to see the plain code ready to be executed with 1 STUPID CLICK or a DRAG AND DROP, lol, my grandma is able to do it. I have opened a thread with this subject, I have opened a ticket with this subject, nothing, and now the situation is worse than before. If we can't make the executable "secure" since AutoIt is an interpreted language, at least we can make the code unreadable, but the obfuscators I have found, including the "old" one, are all beaten by universal deobfuscators. My enemy is the automated tools you can find in a couple of seconds on Google; it's a damn point of principle.

P.S. If I was able to write an obfuscator by myself I would have already done it

Edited by Terenz


Well I did say obfuscation techniques have some limited application. Universal deobfuscation methods are really a pipe dream, if the object is to produce human readable code. This is because the level of complexity can always be increased: making any reconstructed script still appear totally meaningless without further human analysis. Having said that, it might not matter to the person stealing your script whether they fully understand it or not. I frequently use code without fully comprehending how it interacts with certain elements, either within the script or its environment.

Don't let me put you off trying these things out because you can learn a lot by doing so, and who knows? You might come up with a new idea that nobody even thought of. Entering into a detailed discussion on this subject is not recommended for a number of reasons. Most specifically it is important to hold the trump card and not to let anyone see it.

Edited by czardas
improved wording

Deobfuscators for AutoIt aren't a dream but a reality. I know I can't go into the detail, but if you know where to search, you'll find a website, a forum, a link, a video for EVERY obfuscator released to the public, also ones that break the TOS of AutoIt*. And the result is plain code like what you wrote originally; only the variables don't have the original names, but all the structure of the code, without any human intervention, is there.

If a guy wants to spend 5-10-15 hours manually deobfuscating my code, you are welcome, who cares, lose your time as you wish. But if a guy spends 5 minutes automatically deobfuscating my code and gets the plain source, well, in this case I'm not so glad. This is my 2 cents

*I have never used that since I don't trust the source and all the AVs will trigger it as a virus, but I know the topic since for a long time I've been trying to find a good method to protect released scripts when I don't also leave the source in the .zip


I have used multiple methods to prevent automation of the deobfuscation process. Should work pretty well. I have additionally implemented tons of anti debugging methods, which stops both non-autoit debuggers (OllyDbg, etc) and AutoIt debuggers.


9 hours ago, Terenz said:

you'll find a website

No I won't because I don't particularly need to. I think you have misunderstood what I was trying to say earlier. The key word in my sentence was the word 'universal'. Just imagine there were no physical hardware limits: a script could be obfuscated ad infinitum using (quite possibly) an infinite number of plausible algorithms without breaking code functionality (the Achilles heel once again). --- EDITED OUT --- There I go again! :censored: 

Anything discussed on a public forum like this will simply play into the hands of the attackers. Although I find it an interesting subject, I also find it troublesome discussing it here. I'm not so sure that this type of conversation belongs in the public domain.

Edited by czardas

I misunderstood yours, but please don't misinterpret my message. My only interest is the safety of our compiled software, not the opposite, absolutely NOT in any way. And to reach the goal, an executable that can't be decompiled/deobfuscated by a grandmother in two seconds but requires real human intervention, you need to know what *THEY* can do, what tools are around and so on. Like a doctor studies the virus, it's the same: you can't cure without knowing the disease.

 

Codefuser,

This is yours, right? Since I don't think there are many projects like this:

<snip>

Why have you removed the "an open source"? I can't help you with that but people here (see trancexx) can. Anyway it is your choice; I'll respect it.

Edited by Melba23
Link removed


On 23/10/2016 at 9:43 AM, Terenz said:

I misunderstood yours, but please don't misinterpret my message. My only interest is the safety of our compiled software, not the opposite, absolutely NOT in any way. And to reach the goal, an executable that can't be decompiled/deobfuscated by a grandmother in two seconds but requires real human intervention, you need to know what *THEY* can do, what tools are around and so on. Like a doctor studies the virus, it's the same: you can't cure without knowing the disease.

 

Codefuser,

This is yours, right? Since I don't think there are many projects like this:

<snip>

Why have you removed the "an open source"? I can't help you with that but people here (see trancexx) can. Anyway it is your choice; I'll respect it.

That isn't mine. That is one of my friend's, and I am basing a small part of my obfuscator on it. I worked with him on some part of it but then he got busy so I took over. And it won't be open sourced, as the more open it is the easier it is for attackers to reverse. I told him to delete the repo on Skype as everything in it is gone already.

Edited by Melba23
Link removed