Shadows Obfuscator (with source code)

02/11/2014 16:35 Shadow992#241
Quote:
Originally Posted by Nobita2014
Hi Shadow992, I use your C++ obfuscator 1.1.4, and after obfuscation the script does not work and shows some errors. Maybe you can help with an English version and the error message at the line number; it says ?? 20 ??. Thank you, Mr Shadow992.
Obfuscators may never work perfectly, so it is nearly impossible to say what exactly went wrong or even how to fix it. Just try again by adding/removing/... code.
02/12/2014 03:33 Nobita2014#242
Hi Shadow992, maybe you can help with obfuscator C 1.1.4:
_ With Func, "name obfuscator" works, but with Func($i, $x=2), $i and $x are not "name obfuscator"-ed. Some funcs can be "name obfuscator"-ed.
_ How can obfuscator C 1.1.4 apply "name obfuscator" to a "String"? Thank you.
02/12/2014 12:10 Shadow992#243
Quote:
Originally Posted by Nobita2014
Hi Shadow992, maybe you can help with obfuscator C 1.1.4:
_ With Func, "name obfuscator" works, but with Func($i, $x=2), $i and $x are not "name obfuscator"-ed. Some funcs can be "name obfuscator"-ed.
_ How can obfuscator C 1.1.4 apply "name obfuscator" to a "String"? Thank you.
I cannot really help you as already described...
02/13/2014 01:41 Nobita2014#244
Thanks Shadow992 for the tool. With the AutoIt obfuscator, compiling all works well. With obfuscator C 1.1.4 -> successful -> run AutoIt successful -> but something in Func is not working (tested and tested).
I want a tool to help with anti-code / anti-decompile, scarcity ...
02/13/2014 12:28 Shadow992#245
Quote:
Originally Posted by Nobita2014
Thanks Shadow992 for the tool. With the AutoIt obfuscator, compiling all works well. With obfuscator C 1.1.4 -> successful -> run AutoIt successful -> but something in Func is not working (tested and tested).
I want a tool to help with anti-code / anti-decompile, scarcity ...
Anti decompilation is not possible at the moment.
03/06/2014 21:23 AxelMtE#246
Hello Mister Shadow992,
Nice work with the crackme, I like the way your packer works :)
I'll post here the analysis of your packer but not the solution to your crackme, since it is pointless to patch it when you can decompile it totally. However, I can make a patched solution and send it to you in private.
From my point of view it has been nice to reverse your crackme, and again good job mate!

List of anti-debugging tricks used:
- FindWindow function
- IsDebuggerPresent function
- OutputDebugString function
- ZwQuerySystemInformation function
- ContextFlags

Read and write at runtime:
- ReadProcessMemory function
- WriteProcessMemory function

In addition to this it will use self-modifying code; the description is below:

About the AU3 script: compressed, meaning (interpreter + plain AU3 script encrypted):
the executable will be handled and rewritten using 4 "C" functions:

// c functions
int fseek(FILE *stream, long offset, int whence);
size_t fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream);
long ftell(FILE *stream);
void rewind(FILE *stream);
// end c functions

After that the packer will check if it is a DOS MZ format, checking if it has the magic number MZ, and after that it checks if it's a portable executable using a cmp with the hexadecimal representation of "EP".
At the end it will create the process using the Windows API CreateProcess.
Now it will pause the thread and prepare us for a nice surprise:
it will play the last trick on us to check if a debugger is present using "ContextFlags"....
and after that it will resume the thread and run the program normally.


So if you want to use OllyDbg you need this plugin: MagicHideOllyDbg,
and you need to turn on these options:
Auto Run HideOD
HideNTDebugBit
OutDebugStringA
ZwSetInformationThread
ZwQuerySystemInformation
ZwSetInformationProcess

I forgot that you also need to hide the window title of OllyDbg, since Shadow's packer is checking for it,
so I posted a little piece of asm to change the title of "Ollydbg" to "AxelMtE" so it won't be detected; however, you can use any OllyDbg plugin to do this.
The code was written using masm32, so you need masm32 to compile this little piece of code.
Code:
.486
.model flat, stdcall
option casemap :none

include \masm32\include\user32.inc
include \masm32\include\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
    Error       db  "Error",0
    ODBG        db  "OLLYDBG",0             ; window class of the OllyDbg main window
    NFodbg      db  "OllyDbg not found.",0
    Success     db  "Successfully Changed!",0
    NewT        db  "AxelMtE",0             ; replacement window title
.code
start:
    ; FindWindow(lpClassName = "OLLYDBG", lpWindowName = NULL)
    ; stdcall: arguments are pushed right to left
    mov edx,offset ODBG
    push 0
    push edx
    call FindWindow
    cmp eax,0
    jz noDBG                    ; no window with that class -> "OllyDbg not found."
    ; SetWindowText(hWnd = eax, lpString = "AxelMtE")
    mov edx,offset NewT
    push edx
    push eax
    call SetWindowText
    cmp eax,0                   ; SetWindowText returns nonzero on success
    je err
    ; MessageBox(NULL, Success, NULL, MB_ICONINFORMATION)
    mov edx,offset Success
    push 40h
    push 0
    push edx
    push 0
    call MessageBox
    push 0
    call ExitProcess

err:
    ; MessageBox(NULL, Error, NULL, MB_ICONERROR)
    mov edx,offset Error
    push 10h
    push 0
    push edx
    push 0
    call MessageBox
    jmp exit

noDBG:
    ; MessageBox(NULL, NFodbg, NULL, MB_ICONERROR)
    mov edx,offset NFodbg
    push 10h
    push 0
    push edx
    push 0
    call MessageBox

exit:
    push 1
    call ExitProcess

end start
; end of code
have fun
Best regards
AxelMtE:)
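The MZ / "PE" header check described in the analysis above, as an added example in C (not AxelMtE's or the packer's code) built on the four stdio calls listed in the post; the image bytes are constructed inline, and the function names and the tmpfile round trip are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the two-step header check the post describes. */
enum pe_check { PE_NOT_MZ = 0, PE_NO_PE_SIG = 1, PE_OK = 2 };

/* Validate a DOS "MZ" header, then the "PE\0\0" signature at e_lfanew
 * (the DWORD at offset 0x3C), using fseek/ftell/rewind like the packer. */
enum pe_check check_pe_header(FILE *f)
{
    unsigned char dos[0x40], sig[4];
    uint32_t e_lfanew;
    long size;
    if (fseek(f, 0, SEEK_END) != 0) return PE_NOT_MZ;
    size = ftell(f);                      /* file length */
    rewind(f);                            /* back to the DOS header */
    if (size < (long)sizeof dos || fread(dos, 1, sizeof dos, f) != sizeof dos)
        return PE_NOT_MZ;
    if (dos[0] != 'M' || dos[1] != 'Z') return PE_NOT_MZ;   /* magic 0x5A4D */
    /* e_lfanew is little-endian; assemble it byte by byte to stay portable */
    e_lfanew = dos[0x3C] | dos[0x3D] << 8 | dos[0x3E] << 16 | (uint32_t)dos[0x3F] << 24;
    if (e_lfanew > (uint32_t)size - 4 || fseek(f, (long)e_lfanew, SEEK_SET) != 0)
        return PE_NO_PE_SIG;
    if (fread(sig, 1, 4, f) != 4) return PE_NO_PE_SIG;
    /* bytes 50 45 00 00 read as the DWORD 0x00004550 on x86, which is why a
     * cmp immediate for "PE" shows up as "EP" in a disassembler */
    return memcmp(sig, "PE\0\0", 4) == 0 ? PE_OK : PE_NO_PE_SIG;
}

/* Write a constructed (not real) minimal image to a temp file and check it:
 * a 0x40-byte DOS header with e_lfanew = 0x80 and a 4-byte signature there. */
enum pe_check check_constructed_image(int valid_mz, int valid_sig)
{
    unsigned char img[0x84];
    FILE *f = tmpfile();
    enum pe_check r;
    if (!f) return PE_NOT_MZ;
    memset(img, 0, sizeof img);
    img[0] = valid_mz ? 'M' : 'X';
    img[1] = 'Z';
    img[0x3C] = 0x80;                     /* e_lfanew, little-endian */
    memcpy(img + 0x80, valid_sig ? "PE\0\0" : "XX\0\0", 4);
    fwrite(img, 1, sizeof img, f);
    r = check_pe_header(f);
    fclose(f);
    return r;
}
```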
03/20/2014 18:51 ws-man#247
My sir,

Thank you very much.
Really you are the best member in this forum.
03/22/2014 21:34 swayzHard#248
Hello and thanks for letting me join your community. I downloaded this obfuscator and it works fine for my needs, except that it doesn't take into account FileInstall("literal path", $canbevariable)

:( Kind of a waste of time, but I don't want to end this yet. Any idea?
03/22/2014 22:04 alpines#249
FileInstall doesn't accept any variable because you can flood the final exe with many resources. You need to remove the variable and have to use a constant.
06/05/2014 07:38 DuguWudi#250
Shadow, would I be able to see a Shadows Obfuscator for autohotkey too anytime soon?
06/08/2014 00:41 unlist3d#251
When using any type of obfuscator including yours I always get variable declared error when running compiled program.
06/22/2014 08:35 johnny71#252
Shadow,

Any idea why I get the error:

"Invalid FileInstall() Function:"

When I try to compile after using your obfuscator? I tried changing the dir of the random generated variable to this:

FileInstall("obfuscator_file.s92", "C:\Windows\Autoit\" & $REPPTGDEVLQKO,1)
$00O0OOO00OsIqdLKgMLDTpcg=StringSplit(__uBmsPcKtMTCcvPBnoD(FileRead("C:\Windows\Autoit\" & $REPPTGDEVLQKO)),chr("74"),2)
FileDelete("C:\Windows\Autoit\" & $REPPTGDEVLQKO)

Still get the same error.
07/18/2014 15:21 DuguWudi#253
Hi Shadow,
I have a problem with your AutoIt obfuscator written in C++ with the latest AutoIt version.

It seems it no longer works if the obfuscated compiled exe runs on an OS in another language (regional setting) besides English. Previously there was no such problem.
01/19/2016 14:47 legend90#254
Hi Shadow, I'm not sure whether you got my PM?

If not, is it possible that you can make the obfuscator support command lines, like:
obfuscator.exe script.au3 from cmd.

And also it does not work if the script contains spaces, e.g.:
new script.au3 does not work
newscript.au3 does work.

Is it possible to fix that :)?
01/19/2016 16:37 alpines#255
You have to add " to the file name if there is any whitespace in between.
"new script.au3"