CheckSumVerify - verify integrity of the compiled exe

[trancexx]

^^ Yes, you do that. It could be AV issue though.

I've updated the first post with newer script. Maybe it'll work better now.

JohnOne, if you're reading try this version please and see if you get any issues. Thanks.

[JohnOne]

Works as it is.

First says successfully added checksums, then subsequent runs just show message box.

EDIT:

Also catches the binary edit

Edited September 21, 2014 by JohnOne

[trancexx]

It's been brought to my attention (thanks!) that one AV company has flagged the script as Trojan for some reason. Go figure. The detection algo is secret, so I had to pull some strings too see how and why this have happened. Very interesting to see how they do it.

Long story short, there is new file in the first post which doesn't have mentioned problems.

[AdmiralAlkex]

Are we allowed to speculate? I noticed the word WriteProcessMemory was... Hidden 

[trancexx]

Yes, that's the keyword.

[czardas]

Yes, that's the keyword.

 

OMG, that was ... how shall I put it? ... quite educational. Thanks again for the script.

Edited September 26, 2014 by czardas

[Bizzaro]

Hi, this script looks great. Do I simply add the #include into my target script and that is it? I don't need to do anything else?

 

Will this help protect against code injection etc? I'm trying to protect against people bypassing my current license protection system by altering my compiled exe.

[trancexx]

Just #include and that's it.

Compiled executable then has capability to detect if it has been altered.

[czardas]

Isn't that something AV is meant to be able to detect? 

[trancexx]

No, it's not.

I've updated the code and changed the way hash is stored inside the exe. It should be impossible to decipher what the script does now. I used special obfuscation technique to make the critical code unreadable. Obfuscator is run four times. Crazy.

I wonder if it works now? I hope so.

[czardas]

No, it's not.

Hmm, I would have thought that file integrity for executables would be high priority for (AV) heuristic detection. Now I wonder why not: it seems like a wasted opportunity.

Anyway, I can't test this ATM, but I look forward to trying it later. Avast didn't like the previous version.

[argumentum]

I don't use antivirus, so, to test it I uploaded the old and new versions of the test example.
au3 version is at https://www.virustotal.com/en/file/677e2fe4955a838673ec8c31a4b77b715eb7e0331a207db4c6e1ba9f43e76500/analysis/1451254984/
a3x version is at https://www.virustotal.com/en/file/bb9f27d57f4b0e650f6e2d9d8357dec2864b20f6626bb8fae035b25a23b8bb23/analysis/1451255057/
The compiled files were run once to apply the patch ( self patch ), then uploaded.

Edit: then, just for the heck of it, uploaded the test without the include, making it just a compiled MsgBox,
the results are at https://www.virustotal.com/en/file/1123bf18ba323f41a388493ed2a7852b4fba13e599697ae8f64b911cce1af33d/analysis/1451257979/ 
therefore, whatever showed as virus, has nothing to do with the include.

Edited December 27, 2015 by argumentum
more testing

[Bizzaro]

I found that this is not compatible with Au3Stripper's /rm option.

Do you think there is a simple way to fix it and make it compatible? No dialog appears explaining that the checksums have been added with /rm turned on.

[trancexx]

To make it compatible with some tool that appears not to be compatible with AutoIt? I have no intention to do something like that. Sorry.

Edited January 12, 2016 by trancexx

[Bizzaro]

Au3stripper is part of the compile options. It is made for Autoit. I'm not sure what you mean. Go to SciTe and compile a script, you'll see Au3Stripper in the options, it comes with the editor.

[trancexx]

Au3stripper is part of the compile options. It is made for Autoit. I'm not sure what you mean. Go to SciTe and compile a script, you'll see Au3Stripper in the options, it comes with the editor.

Don't get me wrong, I fancy strippers. However your premisses are wrong.

If some tool can't process this script correctly then it's not fully compatible with AutoIt. Talk to the author of it, maybe you'll get better response or explanation from there. 

Edited January 13, 2016 by trancexx

[Bizzaro]

Don't get me wrong, I fancy strippers. However your premisses are wrong.

If some tool can't process this script correctly then it's not fully compatible with AutoIt. Talk to the author of it, maybe you'll get better response or explanation from there. 

It is probably just a few undeclared Vars.

[trancexx]

If you say so.

[Anas]

On 22/12/2015 at 10:18 PM, trancexx said:

I've updated the code and changed the way hash is stored inside the exe. It should be impossible to decipher what the script does now. I used special obfuscation technique to make the critical code unreadable. Obfuscator is run four times. Crazy.

Hi,

Is it possible to have it return a value instead of running/terminating based on the check?

I was wondering if I can use the returned value as a key to RTFC's CodeCrypter.

Thanks.

[Deye]

I didn't see anyone mention how this can work together with code signing ..
If you code sign a file before the first run the digital signature breaks right after
Sign the file after the first run and it becomes unverified  ..

was just interested to know how if it was technically possible to combine the both