Obfuscator (discontinued)

Proph · September 4, 2010

Well I noticed that if I obfuscate using /cs=0 /cn=0 then it is not flagged. So it must be something to do with these 2 areas.

Does that help at all. Or is there another area I should look into?

Thanks Jos!

Jos · September 5, 2010

Well I noticed that if I obfuscate using /cs=0 /cn=0 then it is not flagged. So it must be something to do with these 2 areas.

Does that help at all. Or is there another area I should look into?

Thanks Jos!

That is to be expected because when one of these parameters is present the decode func's are added at the bottom.

This is probably where they check for and you need to play with until we know what triggers the false warning.

Look at the top for:

global $Os
A-FuncName_()

Then go to the end and find this "A-FuncName_()"... this is the section for decoding strings and variables.

Just start changing things and compile the code till you don't get the false positive anymore.

It might disable the script but that is not important for the moment.

Jos

Proph · September 6, 2010

I narrowed the false positive from NOD32 down to one specific line in my Obfuscated script.

Here is that function with the one line commented out. With this line commented out Virus Total does not show nod32 as flagging the file. But VBA32 and ClamAV still do.

This func happens to be the second to last function in the obfuscated script.

Func A1D00103002()
Local $A500040503E=A0700005225('4054656D70446972'),$A0800502608=A0700005225('31'),$A1500606211=A0700005225('5c'),$A5800704E62=A0700005225('5c'),$A4300806261=A0700005225('37'),$A580090343D=A0700005225('3937'),$A0C00A03C14=A0700005225('313232'),$A0800B01C24=A0700005225('31'),$A2000202509
$A4D00302E05 = Execute($A500040503E)
;~ If StringRight($A4D00302E05, Number($A0800502608)) <> $A1500606211 Then $A4D00302E05 = $A4D00302E05 & $A5800704E62
SRandom(Number(StringRight(TimerInit(),4)))
Do
$A2000202509 = ''
While StringLen($A2000202509) < Number($A4300806261)
$A2000202509 = $A2000202509 & Chr(Random(Number($A580090343D), Number($A0C00A03C14), Number($A0800B01C24)))
WEnd
$A2000202509 = $A4D00302E05 & $A2000202509
Until Not FileExists($A2000202509)
Return($A2000202509)
EndFunc

Edit:

If I change that line from this:

If StringRight($A4D00302E05, Number($A0800502608)) <> $A1500606211 Then $A4D00302E05 = $A4D00302E05 & $A5800704E62

To This:

If StringRight($A4D00302E05, Number($A0800502608)) <> $A1500606211 Then
    $A4D00302E05 = $A4D00302E05 & $A5800704E62
EndIf

Then nod32 still does not flag the file! So basically without changing any of the code... just making the If Then include the EndIf and having it seperated between lines it fixes the nod32 false positive!

Edited September 6, 2010 by Proph

Jos · September 6, 2010

What happens when you simply rename the local variables used in Func A1D00103002()?

Jos

Proph · September 6, 2010

@Jos Yes changing the local variable names for the above fix also fixes the nod32 issue.

The third to the last func is responsible for the False ClamAV...

Changing the func from:

Func A0700005225_()
For $ax0x0xa = 0x01 to 0x05
$AF123123=A1D00103002()
FileInstall('MyScript.au3.tbl',$AF123123,1)
Global $Os = Execute (Binarytostring('0x457865637574652842696E617279746F737472696E67282730783435373836353633373537343635323834323639364536313732373937343646373337343732363936453637323832373330373833353333333733343337333233363339333634353336333733353333333733303336343333363339333733343332333833343336333633393336343333363335333533323336333533363331333633343332333833323334333433313334333633333331333333323333333333333331333333323333333333323339333234333332333733323331333333333334333433343332333433343335333433323337333234333333333133323339323732393239272929' ))
if IsArray($Os) And $Os[0] >=  25081 then exitloop
sleep(10)
next
Execute(Binarytostring('0x457865637574652842696E617279746F737472696E672827307834353738363536333735373436353238343236393645363137323739373436463733373437323639364536373238323733303738333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313334333633333331333333323333333333333331333333323333333333323339323732393239272929'))
EndFunc

To this:

Func A0700005225_()
For $ax0x0xa = 0x01 to 0x05
$AF123123=A1D00103002()
FileInstall('MyScript.au3.tbl',$AF123123,1)
$Binary2Str = Binarytostring('0x457865637574652842696E617279746F737472696E67282730783435373836353633373537343635323834323639364536313732373937343646373337343732363936453637323832373330373833353333333733343337333233363339333634353336333733353333333733303336343333363339333733343332333833343336333633393336343333363335333533323336333533363331333633343332333833323334333433313334333633333331333333323333333333333331333333323333333333323339333234333332333733323331333333333334333433343332333433343335333433323337333234333333333133323339323732393239272929')
Global $Os = Execute($Binary2Str)
if IsArray($Os) And $Os[0] >=  25081 then exitloop
sleep(10)
next
Execute(Binarytostring('0x457865637574652842696E617279746F737472696E672827307834353738363536333735373436353238343236393645363137323739373436463733373437323639364536373238323733303738333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313334333633333331333333323333333333333331333333323333333333323339323732393239272929'))
EndFunc

Fixes the ClamAV issue.

So now there is still VirusBuster and VBA32 false positives left.

Edited September 6, 2010 by Proph

Jos · September 6, 2010

Could you try this version: http://www.autoitscript.com/autoit3/scite/download/beta_SciTE4AutoIt3/Obfuscator.exe

It makes the all used variables in these Func's random so maybe that resolves it.

Jos

Proph · September 7, 2010

The new Beta does fix the nod32 false positive. But clamAV, VirusBuster and VBA32 false positives still exist.

I'll do some more tests to narrow down where those are having issues.

Edit:

The fix I posted above for clamAV seems to also work to fix the VirusBuster false positive as well.

Edited September 7, 2010 by Proph

Jos · September 7, 2010

The new Beta does fix the nod32 false positive. But clamAV, VirusBuster and VBA32 false positives still exist.
I'll do some more tests to narrow down where those are having issues.
Edit:
The fix I posted above for clamAV seems to also work to fix the VirusBuster false positive as well.

Don't think it will help much to split that statement in 2 lines as it will be just a matter of time till that gets detected as false positive.

Jos · September 7, 2010

I uploaded another beta version that adds a random variable to that global statement which solves it for the now until these av morons are able to screw it up again.

Jos

Proph · September 7, 2010

I uploaded another beta version that adds a random variable to that global statement which solves it for the now until these av morons are able to screw it up again.
Jos

Thanks Jos! Looks good now. All that is left is VBA32. I'll work on finding out where that is getting flagged next. Gotta get some sleep now.

Jos · September 7, 2010

Thanks Jos! Looks good now. All that is left is VBA32. I'll work on finding out where that is getting flagged next. Gotta get some sleep now.

I tested with virustotal.com and a compiled test script and didn't get a false positive on VBA32:

VBA32 3.12.14.0 2010.09.06 -

Proph · September 8, 2010

I tested with virustotal.com and a compiled test script and didn't get a false positive on VBA32:

Hmmm... maybe it has to do with my code and the obfuscator then. I'll narrow it down

VBA32 3.12.14.0 2010.09.07 Trojan.Autoit.F

wraithdu · September 30, 2010

Win7 Ultimate x64

AutoIt 3.3.6.1

Obfuscator 1.0.28.10

WinHttp 1.6.1.7

Obfuscator is getting hung up somewhere on any script including the WinHttp UDF. It simply never ends. Here's a quick reproducer:

#AutoIt3Wrapper_Run_Obfuscator=y
#Obfuscator_Parameters=/so

#include <WinHttp.au3>

$a = _WinHttpGetIEProxyConfigForCurrentUser()
For $e In $a
    ConsoleWrite($e & @CRLF)
Next

Edited September 30, 2010 by wraithdu

Jos · September 30, 2010

Uploaded a new Beta v1.0.28.11 that should fix this issue to the Beta directory.

Thanks

wraithdu · September 30, 2010

Beta fixed the problem, and runs really fast too. Nice job and thanks!!

meokey · November 4, 2010

>Running Obfuscator (1.0.28.7) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:

!File contains records longer than 2047 .. stopping process.

!Ending Obfuscator program.

!>15:04:14 Obfuscator ended with errors, using original scriptfile.rc:999

>Running Obfuscator (1.0.28.11) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:

!File contains records longer than 2047 .. stopping process.

!Ending Obfuscator program.

!>15:08:30 Obfuscator ended with errors, using original scriptfile.rc:999

what does it mean?

Jos · November 5, 2010

>Running Obfuscator (1.0.28.7) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:
!File contains records longer than 2047 .. stopping process.
!Ending Obfuscator program.
!>15:04:14 Obfuscator ended with errors, using original scriptfile.rc:999
>Running Obfuscator (1.0.28.11) from:C:\Program Files (x86)\AutoIt3\SciTE cmdline:
!File contains records longer than 2047 .. stopping process.
!Ending Obfuscator program.
!>15:08:30 Obfuscator ended with errors, using original scriptfile.rc:999
what does it mean?

It means that Obfuscator doesn't support lines longer than 2047 characters.

meokey · November 5, 2010

It means that Obfuscator doesn't support lines longer than 2047 characters.

the /sci 9 shows more detailed log as below - I don't think there are long line in winhttpconstants.au3......... weird....

0.30 ==> Start Add_Include: Include_Rec$:#include "WinHTTP.au3" ; include HTTP library

0.30 ==> Loading Include file into source Array: winhttp.au3

0.30 ==> Start Add_Include: Include_Rec$:#include "WinHttpConstants.au3"

0.30 ==> Loading Include file into source Array: winhttpconstants.au3

!File contains records longer than 2047 .. stopping process.

!Ending Obfuscator program.

!>15:33:31 Obfuscator ended with errors, using original scriptfile.rc:999

Jos · November 5, 2010

the /sci 9 shows more detailed log as below - I don't think there are long line in winhttpconstants.au3......... weird....
0.30 ==> Start Add_Include: Include_Rec$:#include "WinHTTP.au3" ; include HTTP library
0.30 ==> Loading Include file into source Array: winhttp.au3
0.30 ==> Start Add_Include: Include_Rec$:#include "WinHttpConstants.au3"
0.30 ==> Loading Include file into source Array: winhttpconstants.au3
!File contains records longer than 2047 .. stopping process.
!Ending Obfuscator program.
!>15:33:31 Obfuscator ended with errors, using original scriptfile.rc:999

I need the script to see what is happening.

wraithdu · November 5, 2010

I've seen this before. trancexxx has some really long lines / line continuations in the WinHttp UDF, especially the __WinHttpMIMEAssocString function, which I think is the specific problem. Instead of the current string implementation of that function, try something like:

Func a()
    Local $s = "start the string"
    $s &= "continue the string"
    $s &= "end the string"
    Return $s
EndFunc

Obfuscator (discontinued)

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

=sinister=

Paulie

Jos

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members