Jump to content

Strange result when compiling obfuscated script


qwert
 Share

Recommended Posts

I have a small (20 line) script that I ran Obfuscator.exe on. The script's compiled result is normally about 250,000 bytes. The compiled result of the obfuscated version was over 500,000 bytes. I was curious about the difference so I opened the executable for the obfuscated version with notepad and found the following text about three-fourths of the way through the "gibberish":

TLOSS error

SING error

DOMAIN error

R6034

An application has made an attempt to load the C runtime library incorrectly.

Please contact the application's support team for more information.

R6033

- Attempt to use MSIL code from this assembly during native code initialization

This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.

R6032

- not enough space for locale information

R6031

- Attempt to initialize the CRT more than once.

This indicates a bug in your application.

R6030

- CRT not initialized

R6028

- unable to initialize heap

R6027

- not enough space for lowio initialization

R6026

- not enough space for stdio initialization

R6025

- pure virtual function call

R6024

- not enough space for _onexit/atexit table

R6019

- unable to open console device

R6018

- unexpected heap error

R6017

- unexpected multithread lock error

R6016

- not enough space for thread data

This application has requested the Runtime to terminate it in an unusual way.

Please contact the application's support team for more information.

R6009

- not enough space for environment

R6008

- not enough space for arguments

R6002

- floating point support not loaded

Microsoft Visual C++ Runtime Library

... <program name unknown> Runtime Error!

Needless to say, it's unsettling to have that inserted in any code that, potentially, might be viewed by others. Does anyone happen to know what this means? The script seems to run OK so is this a problem or not?

Thanks in advance for any help.

Link to comment
Share on other sites

  • Developers

and your point is what ?

Have you looked at a normal script after compilation ?

Edited by Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

Have you looked at a normal script after compilation ?

Yes I have. The only readable text they contain is the basic identification of the module that starts with:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">

<assemblyIdentity

type="win32"

processorArchitecture="*"

version="3.0.0.0"

The text reporting errors only occurs in the obfuscated version. My point is simply to determine if the errors are real errors -- or are they a normal product of the obfuscation?

Link to comment
Share on other sites

  • Developers

Obfuscator creates another version of your scipt ...only a bit more difficult to read and adds a FileInclude() which will add a file to the executable.... thats all.

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

Thanks for your response.

Upon further investigation, I got the Hello World sample script -- unobfuscated -- to compile and contain the error text in my original post.

I'll continue to investigate and will post my best explanation of how/why this has happened.

Link to comment
Share on other sites

  • Developers

I do not understand what your issue is or what it is you want to understand. When you "compile" a script you really build a shell program that contains a Bin file, containing the runtime module, and your tokenized script.

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

OK, I'm beginning to get a handle on the source of the problem. Looking back on my library of compiled scripts, I've found that the insertion of the "error text" only occurred after I downloaded ResHacker and started using AutioIt3Wrapper as part of the compile process. Obviously there's something missing from what AutoIt3Wrapper requires, although I'm not seeing any indicators or error messages -- only the large .exe's with the inserted text. I have a second PC on which I did not implement the wrapper feature and the same scripts compile properly on it -- obfuscated or normal.

I'll continue investigating, primarily by backtracking and probably by reinstalling AutoIt3 on my main PC. I'm certainly open to any suggestions on what, specifically, to look for.

For the benefit of anyone willing to offer suggestions, it's probably worth mentioning that I have over 20 years experience writing software software -- so I understand basic principles and mechanisms -- but I've only be using AutoIt for 2 months now, so please bear with me.

Thanks.

Link to comment
Share on other sites

  • Developers

I have been trying to explain things to you how it all work but have the impression I am ignored so have fun with your investigation. :D

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

I have been trying to explain things to you how it all work but have the impression I am ignored so have fun with your investigation. :D

Sorry you got that impression. I've been following everything you've explained, but I guess I didn't give any feedback to confirm that. I do appreciate you looking at this and hope you'll take a look at any specific issues that I might be able to identify.

Thanks for you help.

Link to comment
Share on other sites

  • Developers

Try this and see the differnce:

Run AUT2EXE manually 2 times on the same test script:

1. Without UPX enabled.

2. With UPX enabled

and see the difference

Edited by Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

The results are virtually the same, except for in the last 1000 characters of so of the file (when viewed with a hex file comparison utility). However, when I immediately compile the same au3 file using the SciTE4 Tools>>Compile option, the result is the 500K file with the error text inserted.

Does that give any clue? I've thought that the different outcomes could be due to some difference in the way the file paths are defined between the editor, the compiler and the wrapper programs. Up until last week I had only used the SciTE4 Tools>>Compile method. The strange result only showed up after I started using the wrapper method.

Link to comment
Share on other sites

  • Developers

Don't think you correctly set the UPX on and off.

It is the Bottom checky at the Compression page and will produce a pretty different EXE.

With UPX you will not find the Test you checked, without its there .

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

  • Developers

I was referring to aut2exe not autoit3wrapper just so you see what the root cause of your "issue" is.

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

Oh. In that case, there are real differences:

With UPX, the file looks "normal" to me -- just like the ones I had gotten from SciTE4 Tools >> Compile in the past.

Without UPX, the file is 500K and has the embedded error text.

So, is the embedded text normal for an uncompressed .exe? Or does it indicate a problem that needs correcting?

Link to comment
Share on other sites

  • Developers

Oh. In that case, there are real differences:

With UPX, the file looks "normal" to me -- just like the ones I had gotten from SciTE4 Tools >> Compile in the past.

Without UPX, the file is 500K and has the embedded error text.

So, is the embedded text normal for an uncompressed .exe? Or does it indicate a problem that needs correcting?

UPX is a compression tool which is ran by default by the AUT2EXE tool to make your EXE as small as possible.

It is nothing to worry about and its normal that these "Errors"are seen with an C++ compiled EXE without being packed.

More info on UPX can be found here: http://upx.sourceforge.net/

Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

It is nothing to worry about and its normal that these "Errors"are seen with an C++ compiled EXE without being packed.

Well, that's a relief. I do appreciate very much you helping me get to the bottom of this. Being new to AutoIt3, I was truly concerned that I had something set up wrong that would compromise the scripts I am writing. I trust these posts will help others, as well. Thanks.
Link to comment
Share on other sites

  • Developers

Well, that's a relief. I do appreciate very much you helping me get to the bottom of this. Being new to AutoIt3, I was truly concerned that I had something set up wrong that would compromise the scripts I am writing. I trust these posts will help others, as well. Thanks.

Your welcome and have no issues with people raising concerns...

Your initial topic title was kinda misleading and since I have written Obfuscator and AUtoIt3Wrapper I am of course interested in issue but knew from the start you were making wrong conclusions.

Anyways ... good it got cleared up :D

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

Your initial topic title was kinda misleading

I'll be glad to edit my first post if you can suggest a more appropriate title (to help others can make sense of it).

BTW, since you wrote Obfuscator, what is the .tbl file it builds? I'm just curious -- and if it's confidential info, that's OK.

Link to comment
Share on other sites

  • Developers

I'll be glad to edit my first post if you can suggest a more appropriate title (to help others can make sense of it).

BTW, since you wrote Obfuscator, what is the .tbl file it builds? I'm just curious -- and if it's confidential info, that's OK.

The thread explains the whole thing, so not worried about changing it :D

The tbl file Contains the obfuscated Literal string and values information from the script making it harder to put it all back together :P

Edited by Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...