
Desafio deofuscador

Mensaje por ms999 »

Hola gente... el título asusta mucho a veces, pero no es para tanto.
La programación para mí es un hobby y decidí ponerme a hacer esto como proyecto y desafío. Lo que voy a hacer no es un decompilador sino un deofuscador: el script ya está en texto claro, solo hay que deshacer las transformaciones que ocultan el código.
Tengo algunas cosas ya hechas y entendidas, y otras en las que me podrían ayudar.

Primero la propuesta

Si me quieren dar scripts ofuscados por ustedes, yo trataría de deofuscarlos; a la larga, viendo todos los métodos que se usaron, terminaría mi desafío haciendo un programa para deofuscar ofuscaciones de todo tipo. (Ojo: muchos scripts ofuscados son malware —el ejemplo de más abajo pide privilegios de depuración vía RtlAdjustPrivilege—, así que conviene analizarlos en una máquina virtual y nunca pasar a Execute() el texto decodificado: solo escribirlo a un archivo.)

Cómo funciona

Por lo que veo, los que realmente se esmeran en ofuscar lo hacen en varias capas con varios tipos de ofuscación; por ahora voy viendo tres que usan estas funciones:
Execute(BinaryToString())
chr()
Stringlen()

Por ahora hice estos dos scripts, ambos incompletos, pero me ayudaron a deofuscar tipos diferentes:


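; Pass 1 of the deobfuscator: rewrites every  Execute(BinaryToString("0x..."))
; found on a line into the text that hex literal decodes to, so the hidden
; AutoIt statement becomes readable in <input>_deofuscado.au3.
;
; Security notes:
;  - The decoded text is only written to the output file. It is never passed to
;    Execute(): the input is untrusted (obfuscated scripts are frequently malware).
;  - #RequireAdmin was dropped on purpose: reading and writing a text file next
;    to the script needs no elevation, and a parser of hostile input should run
;    with the least privilege possible.
;
; Fixes relative to the first version: MsgBox arguments were in the wrong order
; (the message text landed in the timeout parameter), a cancelled dialog no longer
; continues into FileOpen, the output file is closed, every occurrence on a line
; is decoded (the original kept only the first and silently dropped the rest of
; the line), and FileReadLine errors other than EOF no longer spin forever.

$file = FileOpenDialog("Archivo au3 a deofuscar", @ScriptDir & "\", "AutoIT Scripts (*.txt)", 1)
If @error Then
	; MsgBox is (flag, title, text)
	MsgBox(4096, "Error", "intentelo nuevamente.")
	Exit
EndIf
$fileopen = FileOpen($file, 0)
If $fileopen = -1 Then
	MsgBox(0, "Error", "intentelo nuevamente.")
	Exit
EndIf
$filenew = FileOpen($file & "_deofuscado.au3", 2)
If $filenew = -1 Then
	FileClose($fileopen)
	MsgBox(0, "Error", "No se pudo crear el archivo de salida.")
	Exit
EndIf
While 1
	$line = FileReadLine($fileopen)
	If @error Then ExitLoop ; -1 is EOF; any other error would otherwise loop forever
	FileWriteLine($filenew, _DecodeExecuteLine($line))
WEnd
FileClose($fileopen)
FileClose($filenew)

; Replaces each  Execute(BinaryToString("0x<hex>"))  on $sLine with the decoded
; bytes of <hex>. Only plain hex literals are handled; a literal assembled from
; chr(...) pieces is left untouched for a later pass. Returns the rewritten line.
Func _DecodeExecuteLine($sLine)
	Local Const $sMarker = 'Execute(BinaryToString("'
	Local $iHex, $iQuote, $sHex
	Local $iStart = StringInStr($sLine, $sMarker) ; case-insensitive by default
	While $iStart
		$iHex = $iStart + StringLen($sMarker)
		$iQuote = StringInStr($sLine, '"', 0, 1, $iHex)
		; malformed or unsupported shape: leave the rest of the line as is
		If $iQuote = 0 Or StringMid($sLine, $iQuote, 3) <> '"))' Then ExitLoop
		$sHex = StringMid($sLine, $iHex, $iQuote - $iHex)
		If Not StringRegExp($sHex, "^0x[0-9A-Fa-f]*$") Then ExitLoop
		; splice: text before the call + decoded payload + text after the closing "))
		$sLine = StringLeft($sLine, $iStart - 1) & BinaryToString($sHex) & StringMid($sLine, $iQuote + 3)
		; rescan from the start so a payload that is itself wrapped gets decoded too;
		; every replacement shortens the line (two hex digits become one byte), so this terminates
		$iStart = StringInStr($sLine, $sMarker)
	WEnd
	Return $sLine
EndFunc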


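; Pass 2 of the deobfuscator: folds every  StringLen("literal")  on a line into
; the literal's length, so numeric constants hidden that way become readable in
; <input>_temp2.au3.  StringLen(BinaryToString(...)) is deliberately not touched,
; as in the first version.
;
; Fixes relative to the first version: the rewritten line was computed into
; $word4 but never written (every line containing StringLen vanished from the
; output), the replacement substituted the literal ($word2) instead of its length
; ($word3), MsgBox arguments were in the wrong order, a cancelled dialog no
; longer continues into FileOpen, and the output file is closed. #RequireAdmin
; was dropped: parsing hostile text needs no elevation.

$file = FileOpenDialog("Archivo au3 a deofuscar", @ScriptDir & "\", "AutoIT Scripts (*.*)", 1)
If @error Then
	; MsgBox is (flag, title, text)
	MsgBox(4096, "Error", "intentelo nuevamente.")
	Exit
EndIf
$fileopen = FileOpen($file, 0)
If $fileopen = -1 Then
	MsgBox(0, "Error", "intentelo nuevamente.")
	Exit
EndIf
$filenew = FileOpen($file & "_temp2.au3", 2)
If $filenew = -1 Then
	FileClose($fileopen)
	MsgBox(0, "Error", "No se pudo crear el archivo de salida.")
	Exit
EndIf
While 1
	$line = FileReadLine($fileopen)
	If @error Then ExitLoop ; -1 is EOF; other errors must not spin forever
	FileWriteLine($filenew, _FoldStringLen($line))
WEnd
FileClose($fileopen)
FileClose($filenew)

; Replaces each  StringLen("<text>")  on $sLine (any letter case, no quotes inside
; <text>) with the decimal length of <text>. Returns the rewritten line.
Func _FoldStringLen($sLine)
	Local $aMatch
	While 1
		; group 1 = the quoted text; @error is set when there is no further match
		$aMatch = StringRegExp($sLine, '(?i)StringLen\("([^"]*)"\)', 1)
		If @error Then ExitLoop
		; replace the first (case-insensitive) occurrence of exactly this call;
		; the line only ever gets shorter, so the loop terminates
		$sLine = StringReplace($sLine, 'StringLen("' & $aMatch[0] & '")', StringLen($aMatch[0]), 1, 0)
	WEnd
	Return $sLine
EndFunc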
Ayuda

Esto es algo que no entiendo y encontré en varios scripts ofuscados...
Vi DLLs compiladas dentro de scripts (sí es posible: el binario se guarda como una cadena hexadecimal y, por lo que se ve en el ejemplo, se escribe a un archivo temporal en tiempo de ejecución) y vi imágenes hechas de esta manera:


Func _WELCOME()
	; Obfuscated sample (not the deobfuscator): a splash screen whose image bytes
	; are carried in $PIC as one long hex string, and whose GUI calls are hidden
	; behind Execute(BinaryToString("0x...")). The decoded literal is noted beside
	; each call so the shape of the obfuscation is visible.
	Global $PIC = ""
	$PIC &= "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"
	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etc etc etc!
	; decodes to:  GUICreate("Welcome Screen (Wait 5 Seconds)", 427, 473, 770, 305,BitOR($WS_MINIMIZEBOX, $WS_DLGFRAME, $WS_GROUP, $WS_CLIPSIBLINGS), BitOR($WS_EX_TOPMOST, $WS_EX_WINDOWEDGE))
	$FORM1 = Execute(BinaryToString("0x20475549437265617465282257656C636F6D652053637265656E2028576169742035205365636F6E647329222C203432372C203437332C203737302C203330352C4269744F52282457535F4D494E494D495A45424F582C202457535F444C474652414D452C202457535F47524F55502C202457535F434C49505349424C494E4753292C204269744F52282457535F45585F544F504D4F53542C202457535F45585F57494E444F57454447452929"))
	; decodes to: GUISetBkColor(0x000000)
	Execute(BinaryToString("0x475549536574426B436F6C6F7228307830303030303029"))
	; decodes to:  GUICtrlCreatePic(_CreateTmpFile('Energy.jpg', $Pic), 0, 0, 421, 469)
	; _CreateTmpFile is not shown in this excerpt; from its name and arguments it
	; presumably writes the $Pic bytes to a file on disk and returns that path -- verify
	$PIC1 = Execute(BinaryToString("0x204755494374726C437265617465506963285F437265617465546D7046696C652827456E657267792E6A7067272C2024506963292C20302C20302C203432312C2034363929"))
	; decodes to:  GUISetState(@SW_SHOW)
	$GUI1 = Execute(BinaryToString("0x204755495365745374617465284053575F53484F5729"))
EndFunc
Esto de arriba es mucho más largo y termina siendo una imagen: $PIC acumula los bytes del JPEG en hexadecimal y, decodificando el Execute(BinaryToString(...)) de $PIC1, se ve que se pasa a _CreateTmpFile('Energy.jpg', $Pic) antes de GUICtrlCreatePic; lo mismo sirve para meter una DLL.

Otra ayuda


Hay funciones que sirven solo para ofuscar dentro del script; abajo pongo un ejemplo. Yo puedo encontrar dónde empieza la función, pero no sé cómo buscar, a partir de ese lugar, el EndFunc de esa función, para así poder copiar de alguna manera (que todavía no sé) la función y reproducirla para obtener el resultado. (Como AutoIt no permite anidar funciones, la función termina en la primera línea que empiece con EndFunc después del Func; y como estas solo usan +, -, BitAnd y BitXOr sobre un entero, se pueden evaluar con un intérprete mínimo de esas cuatro operaciones, sin ejecutar el script ofuscado.)


; Obfuscated sample (not the deobfuscator). Each hex literal is assembled from
; constant pieces plus chr() of helper functions that always return the same
; digit for the argument they are given; resolving them yields the hex noted
; beside each call. Worth knowing before running it: it demands elevation, asks
; ntdll for privileges, and declares process-access constants.
#RequireAdmin
; chr(_S1111325902(20)) = "4" and chr(_G160628353(15)) = "4" (helpers below);
; _W1721421250 and _A1811823631 are not shown, but the hex is only well-formed if
; they yield "x" and "1"  ->  0x446C6C43616C6C28...
; decodes to: DllCall("ntdll.dll", "int", "RtlAdjustPrivilege", "int", 20, "int", 1, "int", 0, "int*", 0)
; privilege 20 is SeDebugPrivilege: the script enables debug rights on itself
Execute(BinaryToString("0"&chr(_W1721421250(15))&""&chr(_S1111325902(20))&""&chr(_G160628353(15))&"6C6C436"&chr(_A1811823631(3))&"6C6C28226E74646C6C2E646C6C222C2022696E74222C202252746C41646A75737450726976696C656765222C2022696E74222C2032302C2022696E74222C20312C2022696E74222C20302C2022696E742A222C203029"))
; SciTE debug line left by the poster; _W1721421250 is defined outside this excerpt
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : chr(_W1721421250(15)) = ' & chr(_W1721421250(15)) & @crlf & '>Error code: ' & @error & @crlf) ;### Debug Console
; chr(_F1341221034(3)) = "x", chr(_A1471123315(11)) = "4", chr(_C86125706(20)) = "4", chr(_Z1651827927(2)) = "4"
; decodes to: DllCall("ntdll.dll", "int", "RtlAdjustPrivilege", "int", 4, "int", 1, "int", 0, "int*", 0)
; privilege 4 is SeLockMemoryPrivilege under the standard LUID numbering -- verify
Execute(BinaryToString("0"&chr(_F1341221034(3))&""&chr(_A1471123315(11))&""&chr(_C86125706(20))&"6C6C"&chr(_Z1651827927(2))&"3616C6C28226E74646C6C2E646C6C222C2022696E74222C202252746C41646A75737450726976696C656765222C2022696E74222C20342C2022696E74222C20312C2022696E74222C20302C2022696E742A222C203029"))
; OpenProcess access rights; their use is below this excerpt, presumably to
; suspend/resume another process -- not visible here
Global Const $PROCESS_SUSPEND_RESUME = 0x0800
Global Const $SYNCHRONIZE = 0x00100000
; chr(_Y671213458(15)) = "0", chr(_Q1031181410(4)) = "2", chr(_M1191215779(17)) = "6";
; _V1770204911 is cut off below but must yield "4" for the hex to be well-formed
; decodes to:  GUICreate("32 Bit Special", 224, 128, 192, 124)
$Form1 =Execute(BinaryToString(""&chr(_Y671213458(15))&"x"&chr(_Q1031181410(4))&"0"&chr(_V1770204911(9))&"755494372"&chr(_M1191215779(17))&"56174652822333220426974205370656369616C222C203232342C203132382C203139322C2031323429"))
; decodes to: WinSetTrans($Form1,"",240)   (helpers not shown; values implied by the hex)
Execute(BinaryToString(""&chr(_O18118129814(18))&""&chr(_C17111154615(16))&""&chr(_A12819104013(20))&"7"&chr(_I129782412(4))&"96E5365745472616E732824466F726D312C22222C32343029"))
; decodes to: GUISetBkColor(0xACA899)
Execute(BinaryToString(""&chr(_X1501676816(18))&""&chr(_X1743100017(20))&"4"&chr(_V1064124918(19))&"55495"&chr(_O1436148419(4))&"6574426B436F6C6F7228307841434138393929"))
; decodes to:  GUICtrlCreateCheckbox("HGWC", 6, 6, 55, 17)
$Checkbox1 =Execute(BinaryToString("0x2"&chr(_L1079201423(14))&""&chr(_O1300155321(3))&"7"&chr(_L11811130020(10))&"5"&chr(_D1544178222(2))&"94374726C437265617465436865636B626F78282248475743222C20362C20362C2035352C20313729"))
; decodes to:  GUICtrlCreateCheckbox("Aegis", 6, 30, 49, 17)
$Checkbox2 =Execute(BinaryToString("0"&chr(_O7612134124(11))&""&chr(_M893158025(20))&"047"&chr(_Z1839181226(12))&"54"&chr(_J9810205727(17))&"4374726C437265617465436865636B626F7828224165676973222C20362C2033302C2034392C20313729"))
$Checkbox3 =Execute(BinaryToString("0"&chr(_H8815197729(7))&""&chr(_B1841624423
Y mucho más abajo, las funciones (cada una devuelve siempre el mismo valor para el argumento con el que se la llama; ese valor, pasado por chr(), es un dígito del literal hexadecimal):


$95D48671=$95D48671+34
return $95D48671
EndFunc
; Obfuscation helper, constant-folded: (x - 5 - 17) masked to 2 bits, then
; -10 + 7 + 53.  The sample calls it with 20, which gives 52, i.e. Chr(52) = "4".
Func _S1111325902($iValue)
	Return BitAnd($iValue - 22, 3) + 50
EndFunc
; Obfuscation helper, constant-folded: (x - 18 + 9) xor 13, minus 5, masked with
; 10, plus 50.  The sample calls it with 15, which gives 52, i.e. Chr(52) = "4".
Func _G160628353($iValue)
	Return BitAnd(BitXOr($iValue - 9, 13) - 5, 10) + 50
EndFunc
; Obfuscation helper, constant-folded: BitAnd(x,1) then BitAnd(..,3) keeps only
; the lowest bit; +3 +116 = +119.  The sample calls it with 3, which gives 120,
; i.e. Chr(120) = "x".
Func _F1341221034($iValue)
	Return BitAnd($iValue, 1) + 119
EndFunc
; Obfuscation helper, constant-folded: (x + 17) masked with 5, then +6 -14 = -8,
; xor 11, +61.  The sample calls it with 11, which gives 52, i.e. Chr(52) = "4".
Func _A1471123315($iValue)
	Return BitXOr(BitAnd($iValue + 17, 5) - 8, 11) + 61
EndFunc
; Obfuscation helper, constant-folded: (x + 19 + 18) masked with 20, xor 6, +30.
; The sample calls it with 20, which gives 52, i.e. Chr(52) = "4".
Func _C86125706($iValue)
	Return BitXOr(BitAnd($iValue + 37, 20), 6) + 30
EndFunc
; Obfuscation helper, constant-folded: BitAnd(x,18) + 8, then xor 20 and xor 9
; (one xor with 29), then +2 -20 +16 -6 +37 = +29.  The sample calls it with 2,
; which gives 52, i.e. Chr(52) = "4".
Func _Z1651827927($iValue)
	Return BitXOr(BitAnd($iValue, 18) + 8, 29) + 29
EndFunc
; Obfuscation helper, constant-folded: BitAnd(x,1) then BitAnd(..,3) keeps only
; the lowest bit; +3 +44 = +47.  The sample calls it with 15, which gives 48,
; i.e. Chr(48) = "0".
Func _Y671213458($iValue)
	Return BitAnd($iValue, 1) + 47
EndFunc
; Obfuscation helper, constant-folded: BitAnd(x,1) then BitAnd(..,3) keeps only
; the lowest bit; +3 +50 = +53.  The sample calls it with 17, which gives 54,
; i.e. Chr(54) = "6".
Func _M1191215779($iValue)
	Return BitAnd($iValue, 1) + 53
EndFunc
; Obfuscation helper, constant-folded: (x + 19 + 18) masked with 20, xor 6, +44.
; Same arithmetic as _C86125706 apart from the final constant.  The sample calls
; it with 4, which gives 50, i.e. Chr(50) = "2".
Func _Q1031181410($iValue)
	Return BitXOr(BitAnd($iValue + 37, 20), 6) + 44
EndFunc
Func _V1770204911($112M192011)
$112M192011=$112M192011-1
$112M192011=BitXOr($112M192011,15)
Bueno, espero que se haya entendido :D; si no, pregúntenme y pondré ejemplos más explícitos. Espero su ayuda, gente.