Proph Posted September 4, 2010

Well I noticed that if I obfuscate using /cs=0 /cn=0 then it is not flagged. So it must be something to do with these 2 areas. Does that help at all? Or is there another area I should look into? Thanks Jos!
Jos (Developers, Author) Posted September 5, 2010

> Well I noticed that if I obfuscate using /cs=0 /cn=0 then it is not flagged. So it must be something to do with these 2 areas. Does that help at all? Or is there another area I should look into? Thanks Jos!

That is to be expected, because when one of these parameters is present the decode funcs are added at the bottom. This is probably what they check for, and you need to play with it until we know what triggers the false warning.

Look at the top for:

    global $Os
    A-FuncName_()

Then go to the end and find this "A-FuncName_()"... this is the section for decoding strings and variables. Just start changing things and compile the code till you don't get the false positive anymore. It might disable the script, but that is not important for the moment.

Jos

SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past.
Proph Posted September 6, 2010

I narrowed the false positive from NOD32 down to one specific line in my obfuscated script. Here is that function with the one line commented out. With this line commented out, VirusTotal does not show NOD32 as flagging the file, but VBA32 and ClamAV still do. This func happens to be the second to last function in the obfuscated script.

    Func A1D00103002()
        Local $A500040503E=A0700005225('4054656D70446972'),$A0800502608=A0700005225('31'),$A1500606211=A0700005225('5c'),$A5800704E62=A0700005225('5c'),$A4300806261=A0700005225('37'),$A580090343D=A0700005225('3937'),$A0C00A03C14=A0700005225('313232'),$A0800B01C24=A0700005225('31'),$A2000202509
        $A4D00302E05 = Execute($A500040503E)
        ;~ If StringRight($A4D00302E05, Number($A0800502608)) <> $A1500606211 Then $A4D00302E05 = $A4D00302E05 & $A5800704E62
        SRandom(Number(StringRight(TimerInit(),4)))
        Do
            $A2000202509 = ''
            While StringLen($A2000202509) < Number($A4300806261)
                $A2000202509 = $A2000202509 & Chr(Random(Number($A580090343D), Number($A0C00A03C14), Number($A0800B01C24)))
            WEnd
            $A2000202509 = $A4D00302E05 & $A2000202509
        Until Not FileExists($A2000202509)
        Return($A2000202509)
    EndFunc

Edit: If I change that line from this:

    If StringRight($A4D00302E05, Number($A0800502608)) <> $A1500606211 Then $A4D00302E05 = $A4D00302E05 & $A5800704E62

To this:

    If StringRight($A4D00302E05, Number($A0800502608)) <> $A1500606211 Then
        $A4D00302E05 = $A4D00302E05 & $A5800704E62
    EndIf

Then NOD32 still does not flag the file! So basically, without changing any of the code... just making the If Then include the EndIf and having it separated between lines fixes the NOD32 false positive!

Edited September 6, 2010 by Proph
Jos (Developers, Author) Posted September 6, 2010

What happens when you simply rename the local variables used in Func A1D00103002()?

Jos
Proph Posted September 6, 2010

@Jos Yes, changing the local variable names for the above fix also fixes the NOD32 issue.

The third to last func is responsible for the ClamAV false positive. Changing the func from:

    Func A0700005225_()
        For $ax0x0xa = 0x01 to 0x05
            $AF123123=A1D00103002()
            FileInstall('MyScript.au3.tbl',$AF123123,1)
            Global $Os = Execute (Binarytostring('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' ))
            if IsArray($Os) And $Os[0] >= 25081 then exitloop
            sleep(10)
        next
        Execute(Binarytostring('0x457865637574652842696E617279746F737472696E672827307834353738363536333735373436353238343236393645363137323739373436463733373437323639364536373238323733303738333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313334333633333331333333323333333333333331333333323333333333323339323732393239272929'))
    EndFunc

To this:

    Func A0700005225_()
        For $ax0x0xa = 0x01 to 0x05
            $AF123123=A1D00103002()
            FileInstall('MyScript.au3.tbl',$AF123123,1)
            $Binary2Str = Binarytostring('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')
            Global $Os = Execute($Binary2Str)
            if IsArray($Os) And $Os[0] >= 25081 then exitloop
            sleep(10)
        next
        Execute(Binarytostring('0x457865637574652842696E617279746F737472696E672827307834353738363536333735373436353238343236393645363137323739373436463733373437323639364536373238323733303738333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313334333633333331333333323333333333333331333333323333333333323339323732393239272929'))
    EndFunc

fixes the ClamAV issue. So now there are still VirusBuster and VBA32 false positives left.

Edited September 6, 2010 by Proph
Jos (Developers, Author) Posted September 6, 2010

Could you try this version: http://www.autoitscript.com/autoit3/scite/download/beta_SciTE4AutoIt3/Obfuscator.exe

It makes all the variables used in these Funcs random, so maybe that resolves it.

Jos
Proph Posted September 7, 2010

The new Beta does fix the NOD32 false positive. But ClamAV, VirusBuster and VBA32 false positives still exist. I'll do some more tests to narrow down where those are having issues.

Edit: The fix I posted above for ClamAV seems to also work to fix the VirusBuster false positive as well.

Edited September 7, 2010 by Proph
Jos (Developers, Author) Posted September 7, 2010

> The new Beta does fix the NOD32 false positive. But ClamAV, VirusBuster and VBA32 false positives still exist. I'll do some more tests to narrow down where those are having issues.
> Edit: The fix I posted above for ClamAV seems to also work to fix the VirusBuster false positive as well.

Don't think it will help much to split that statement in 2 lines, as it will be just a matter of time till that gets detected as a false positive.
Jos (Developers, Author) Posted September 7, 2010

I uploaded another beta version that adds a random variable to that global statement, which solves it for now until these av morons are able to screw it up again.

Jos
Proph Posted September 7, 2010

> I uploaded another beta version that adds a random variable to that global statement, which solves it for now until these av morons are able to screw it up again.
> Jos

Thanks Jos! Looks good now. All that is left is VBA32. I'll work on finding out where that is getting flagged next. Gotta get some sleep now.
Jos (Developers, Author) Posted September 7, 2010

> Thanks Jos! Looks good now. All that is left is VBA32. I'll work on finding out where that is getting flagged next. Gotta get some sleep now.

I tested with virustotal.com and a compiled test script and didn't get a false positive on VBA32:

    VBA32 3.12.14.0 2010.09.06 -
Proph Posted September 8, 2010

> I tested with virustotal.com and a compiled test script and didn't get a false positive on VBA32:

Hmmm... maybe it has to do with my code and the obfuscator then. I'll narrow it down.

    VBA32 3.12.14.0 2010.09.07 Trojan.Autoit.F
wraithdu Posted September 30, 2010

Win7 Ultimate x64
AutoIt 3.3.6.1
Obfuscator 1.0.28.10
WinHttp 1.6.1.7

Obfuscator is getting hung up somewhere on any script including the WinHttp UDF. It simply never ends. Here's a quick reproducer:

    #AutoIt3Wrapper_Run_Obfuscator=y
    #Obfuscator_Parameters=/so
    #include <WinHttp.au3>
    $a = _WinHttpGetIEProxyConfigForCurrentUser()
    For $e In $a
        ConsoleWrite($e & @CRLF)
    Next

Edited September 30, 2010 by wraithdu
Jos (Developers, Author) Posted September 30, 2010

Uploaded a new Beta v1.0.28.11 that should fix this issue to the Beta directory. Thanks
wraithdu Posted September 30, 2010

Beta fixed the problem, and runs really fast too. Nice job and thanks!!
meokey Posted November 4, 2010

    >Running Obfuscator (1.0.28.7) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:
    !File contains records longer than 2047 .. stopping process.
    !Ending Obfuscator program.
    !>15:04:14 Obfuscator ended with errors, using original scriptfile.rc:999
    >Running Obfuscator (1.0.28.11) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:
    !File contains records longer than 2047 .. stopping process.
    !Ending Obfuscator program.
    !>15:08:30 Obfuscator ended with errors, using original scriptfile.rc:999

What does it mean?
Jos (Developers, Author) Posted November 5, 2010

>     >Running Obfuscator (1.0.28.7) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:
>     !File contains records longer than 2047 .. stopping process.
>     !Ending Obfuscator program.
>     !>15:04:14 Obfuscator ended with errors, using original scriptfile.rc:999
>     >Running Obfuscator (1.0.28.11) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:
>     !File contains records longer than 2047 .. stopping process.
>     !Ending Obfuscator program.
>     !>15:08:30 Obfuscator ended with errors, using original scriptfile.rc:999
>
> What does it mean?

It means that Obfuscator doesn't support lines longer than 2047 characters.
meokey Posted November 5, 2010

> It means that Obfuscator doesn't support lines longer than 2047 characters.

The /sci 9 shows a more detailed log as below. I don't think there are long lines in winhttpconstants.au3......... weird....

    0.30 ==> Start Add_Include: Include_Rec$:#include "WinHTTP.au3" ; include HTTP library
    0.30 ==> Loading Include file into source Array: winhttp.au3
    0.30 ==> Start Add_Include: Include_Rec$:#include "WinHttpConstants.au3"
    0.30 ==> Loading Include file into source Array: winhttpconstants.au3
    !File contains records longer than 2047 .. stopping process.
    !Ending Obfuscator program.
    !>15:33:31 Obfuscator ended with errors, using original scriptfile.rc:999
Jos (Developers, Author) Posted November 5, 2010

> The /sci 9 shows a more detailed log as below. I don't think there are long lines in winhttpconstants.au3......... weird....
>
>     0.30 ==> Start Add_Include: Include_Rec$:#include "WinHTTP.au3" ; include HTTP library
>     0.30 ==> Loading Include file into source Array: winhttp.au3
>     0.30 ==> Start Add_Include: Include_Rec$:#include "WinHttpConstants.au3"
>     0.30 ==> Loading Include file into source Array: winhttpconstants.au3
>     !File contains records longer than 2047 .. stopping process.
>     !Ending Obfuscator program.
>     !>15:33:31 Obfuscator ended with errors, using original scriptfile.rc:999

I need the script to see what is happening.
wraithdu Posted November 5, 2010

I've seen this before. trancexxx has some really long lines / line continuations in the WinHttp UDF, especially the __WinHttpMIMEAssocString function, which I think is the specific problem. Instead of the current string implementation of that function, try something like:

    Func a()
        Local $s = "start the string"
        $s &= "continue the string"
        $s &= "end the string"
        Return $s
    EndFunc
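The "records longer than 2047" error above names only the include file Obfuscator was loading when it stopped, not the offending line, and the failing file was two #include levels below the script. Before splitting strings as suggested, it helps to know exactly which physical lines are over the limit. The checker below is an added example written for this page; it is not code from the thread, from Obfuscator or from the WinHttp UDF. The 2047 limit is taken from the log above. The include resolution order it uses (a quoted #include is looked up next to the including file and then in the supplied include directories, an angle-bracket #include only in the include directories) is an assumption that approximates AutoIt's behaviour, and the script tree it builds (main.au3, WinHTTP.au3, WinHttpConstants.au3 with one 3000-character string) is constructed sample data, not the real UDF files.

```python
"""Report source lines longer than Obfuscator's 2047-character record limit,
following #include directives the way the /sci 9 log shows Obfuscator does."""
import os
import re
import tempfile

# Limit quoted from the Obfuscator log: "File contains records longer than 2047"
MAX_RECORD_LEN = 2047

# Matches   #include "file.au3"   and   #include <file.au3>   (case-insensitive keyword)
INCLUDE_RE = re.compile(r'^\s*#include\s+(?:"([^"]+)"|<([^>]+)>)', re.IGNORECASE)


def find_long_records(script_path, include_dirs=(), limit=MAX_RECORD_LEN):
    """Return [(path, line_no, length)] for every physical line longer than
    `limit` in the script and, recursively, in every file it #includes.
    A file included from several places is scanned only once."""
    results = []
    seen = set()

    def scan(path):
        real = os.path.realpath(path)
        if real in seen or not os.path.isfile(real):
            return
        seen.add(real)
        base_dir = os.path.dirname(real)
        with open(real, encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, start=1):
                text = line.rstrip("\r\n")
                if len(text) > limit:
                    results.append((real, line_no, len(text)))
                m = INCLUDE_RE.match(text)
                if not m:
                    continue
                quoted, angled = m.groups()
                if quoted:
                    # Assumption: "file" resolves next to the including file first,
                    # then in the configured include directories.
                    candidates = [os.path.join(base_dir, quoted)]
                    candidates += [os.path.join(d, quoted) for d in include_dirs]
                else:
                    # Assumption: <file> resolves only in the include directories.
                    candidates = [os.path.join(d, angled) for d in include_dirs]
                for cand in candidates:
                    if os.path.isfile(cand):
                        scan(cand)
                        break

    scan(script_path)
    return results


def build_demo():
    """Constructed sample tree (not the real WinHttp UDF): main.au3 includes
    WinHTTP.au3, which includes WinHttpConstants.au3 from the include dir,
    and the constants file carries one over-limit line. Returns
    (script_path, include_dir)."""
    root = tempfile.mkdtemp(prefix="obf_demo_")
    inc = os.path.join(root, "Include")
    os.makedirs(inc)
    with open(os.path.join(root, "main.au3"), "w", encoding="utf-8") as fh:
        fh.write('#include "WinHTTP.au3" ; include HTTP library\n')
        fh.write('ConsoleWrite("hello" & @CRLF)\n')
    with open(os.path.join(root, "WinHTTP.au3"), "w", encoding="utf-8") as fh:
        fh.write('#include "WinHttpConstants.au3"\n')
        fh.write('Func _WinHttpDemo()\n\tReturn 1\nEndFunc\n')
    with open(os.path.join(inc, "WinHttpConstants.au3"), "w", encoding="utf-8") as fh:
        fh.write('Global Const $WINHTTP_DEMO_OK = 1\n')
        # Constructed over-limit record: a single 3000-character string literal
        fh.write('Global Const $WINHTTP_DEMO_LONG = "' + "x" * 3000 + '"\n')
    return os.path.join(root, "main.au3"), inc


if __name__ == "__main__":
    script, include_dir = build_demo()
    for path, line_no, length in find_long_records(script, include_dirs=[include_dir]):
        print(f"{path}:{line_no}: {length} characters (limit {MAX_RECORD_LEN})")
```

Run the file directly to see the constructed demo; to check a real project, point find_long_records at the script and pass the AutoIt Include directory in include_dirs. Each reported line is a candidate for the concatenation split shown in the post above.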