Obfuscator for Autohotkey Scripts


53 replies to this topic
Dave-
  • Members
  • 46 posts
  • Last active: May 17 2013 04:57 PM
  • Joined: 30 Nov 2010

I uploaded the project to github:

https://github.com/d...tkey-obfuscator

-includes some bug fixes

-fixed problem with hotkeys with spaces in them

 

 

i'm open sourcing an autohotkey obfuscator i created:

http://dynamicobfuscator.org

download and unzip

includes all source code, documentation, and examples

it can obfuscate autohotkey and autohotkey_L scripts

 

i obfuscated this 8,000 line autohotkey  program i built with it:

http://speedy-orange-pc-shortcuts.com/

download that program and then load it into resource hacker to see the obfuscated code!

version of program with no installation program:

http://speedy-orange...EE-portable.zip

 

here's some of the obfuscated code lifted from that program:

f@kff@fkf@kfk#() {
global
f@%ffkffkk#ffk#fkfff@kf%@f%f@kfk#ffkfk#k#fkf@kffkfkkf%ffk%k#fkfkk#kffffkfkk#fkf@%fkf%ffkffkffffk#k#kffkk#fkfk%()
f%fkk#f@f@f@fff@k#kffkfkfk%kk#f%f@kfkff@k#ffffkfkfkf%f@kf%fffkf@kff@f@k#fkffk#fk%f%f@fff@kff@k#f@ff%fkfkf()
k#k%f@fff@kff@k#f@ff%#kfk%fkf@fkkfkffkfkfff@%%fff@kffffff@kfk#f@k#kf%ff%k#k#fkf@k#f@fkkffkf@f@ff%ff@ff()
}
k#fkf@k#k#kfffk#ffkfffkfk#f@ffffk#kf:
f@%f@k#k#k#f@fkk#f@%%fkk#kff@kfk#fffkk#%@kfk%f@ffkfffk#fkfkkffkff%%f@fffkkfffk#kf%%f@fkfkk#fffkk#f@k#%("kfffk#f@fkf@fffffkfkkfkfk#fff@fkf@fkk#f@k#ffk#ffkfffk#kff@fkkffffffffffkfff@f@k#fffkk#k#fffffffff@fkfkfkk#kfkfkfk#f@kfkff@f@fkfkfkkff@fffk")
return
f@f@fkk#kfkff@kf(kffkfkkfk#ffkfff, f@ffk#kfkff@k#f@, f@fkk#kffkf@ = 0) {
global
%fkk#fffkfkkff@fk%%fkf@f@kffffffkf@k#%%kff@fkf@kff@fkk#f@k#%%k#fkfkfkf@k#fkk#ffkfk#%%f@k#f@kfk#f@kffkf@k#%%k#kffkfffkk#fkfff@%(f@f%f@fkkffkf@kff@kfffk#kfff%f@%fff@k#ffffkffff@fkfkf@ff%#f%kff@f@k#ffk#f@f@f@ffk#%f%f@fkfkk#fffkk#f@k#%kfk#fk("e40367074516881777e707c457a775f5e7a6f71767c3d2"), fkf%ffk#kfk#fffkfff@%%kfk#k#kff@fkkff@f@k#%@fk%k#fkkfkfffk#ffffkf%k%kfk#fkf@fffkkffk%fkfff@, f@%fkk#kff@k#ffkfkfffkf%%k#kfffkfk#k#k#ff%kk%fffkkfkfkff@k#fk%#kffkf@, %k#fff@k#ffk#k#k#f@%%fkf@f@kffffffkf@k#%kf%fkfkkfffffffk#f@k#kf%@fk%fkfkk#f@fkk#fkffk#%fkfkfff@, kf%fkk#kff@ffffkf%f%kffkkffkkfk#k#k#fkfkk#ff%fk%fkfkk#f@fkk#fkffk#%k%ffkfk#ffkff@fffkff%fk#ffkfff, %k#fkk#kfffffkf%%kff@f@fkk#kfkffkfkffkfff%%k#fkfkkff@kffkfkfk%, f%kffkk#fkfkfffffkfkfkkf%@f%k#fkkfkfffk#ffffkf%k#%kffkkffkkfk#k#k#fkfkk#ff%f%f@k#fkffffkfffff%kff@k#f@, f%f@fkfkfkfkf@k#fffkfkk#fk%kf%fffkkfkfkff@k#fk%@f%kfk#kfkfk#f@f@k#%%fffkkff@k#f@fkk#ff%k%ffk#kff@k#kfkffkfkkfkfkf%fkfff@)
}
fkf@kffkkfk#(kfkfkfk#kff@fkk#) {
global
local kffkk#fkffkffkffk#fkf@, kfk#kfkfffkfffk#ffkf, kfffkff@kffkkff@
kff%kffffffffff@k#kffkf@%fkf%fkfff@kfk#kffkk#%@k%f@fkkfkffkf@ffk#fffk%ffkk%fkk#ffk#f@f@fffffkfkff%f@ = % kfk%k#k#fkfkf@fkk#%kf%k#fkfkfkf@k#fkk#ffkfk#%k#%fkfffkkfk#f@k#f@ffkfkfkf%kff@%f@fkkffkk#k#f@k#ffk#kffk%fkk#
kf%k#kfffkfkffkfkf@fffkff%#kfk%k#k#k#k#fkffffkf%fffk%fffkfkkffkfkfffkf@f@fkff%fffk#ffkf =
loop, %
%fffkf@k#f@k#f@ff%%kfk#fkkff@f@fkkf%%k#f@k#f@fkkffkk#ff%%ffkfk#k#fffkkf%%fkffk#fffff@fkff%%k#fff@ffkfk#ffk#%(%f@f@f@k#fkfkk#f@fkkf%kff%fkk#ffk#f@f@fffffkfkff%%kfkffkffkffff@fkk#f@ff%ff@k%kffkk#fkfkkffffffkkf%ffkkff@)
{
k%fkkff@kfkfkfkff@fff@k#ff%fkk%fkf@f@kffffffkf@k#%#f%f@fkkffkk#k#f@k#ffk#kffk%kffkffkffk#fkf@ = % %k#ffk#fkk#f@fkf@%%fffff@f@kffkf@fff@%%k#kfkfffk#k#%%fkffk#f@k#kfk#k#k#k#f@f@%%kff@fkfff@fkfk%%k#k#fkf@k#fkfkf@fk%(k%kfffkffff@fkfffkk#fkf@%%k#k#fkfkf@fkk#%fkf%f@kfk#k#k#k#kfkffk%f%fffkfff@ffk#fk%@kf%fkf@k#fkfkk#fkkfk#k#ff%fkkff@, a_index, 1)
kf%ffk#kff@k#kfkffkfkkfkfkf%k#k%fkk#kff@k#ffkfkfffkf%kfffk%k#k#fkf@k#fkfkf@fk%fffk#ffkf = % kf%kff@fkf@kff@fkk#f@k#%%k#f@kfkffkfffffff@%fkk%kffffkffffkffffkkfk#f@kf%f%f@kffkfkkff@fkkffffkff%ffkffkffk#fkf@ . k%kfk#kfk#f@fffff@kf%k%ffkfkfffkffff@f@k#ff%%f@kfk#k#f@f@kfk#kf%%kff@fffkk#fkkffkk#%kfkfffkfffk#ffkf
}
kfk#k%fkfffkkfk#f@k#f@ffkfkfkf%%kfk#k#kff@fkkff@f@k#%fkfffk%k#fkkfkfffk#ffffkf%ffk#ffkf = % %fkfkf@k#k#k#kff@ff%%kfk#k#kff@fkkff@f@k#%%kfkfkffkfkkfffk#%(%ffkfkffff@f@fkk#kffk%fk#k%f@fffff@f@k#fff@fkk#f@%%kffkk#fkfkfffffkfkfkkf%fkf%fkfkfffkfkf@fff@%%kfk#k#k#k#fkfkfkfkf@%fkfffk#ffkf)
return, % %kff@fkkfkfkffkf@k#kf%%fkkffffkfff@f@fff@k#%%f@fkfkk#fffkk#f@k#%
}
k#ffk#k#k#kffkk#f@f@f@kffff@:
f%ffffk#k#fkk#f@ff%@f%kfkfk#k#k#f@k#fk%%f@fkfkffk#kffkffff%fk%f@kfk#kffkkfffkff@%%k#fff@ffkfk#ffk#%%f@fffkkfffk#kf%("k#kfk#fffkfffkk#k#k#k#fkf@kfk#fff@fkk#f@k#fff@kfkff@fkffffkff@ffk#k#k#k#fkk#f@fkkfffk#f@f@f@kffkf@fkkff@k#fkffkfkfkfkfk#k#f@kff@ffffkff@k#fkfff@fkffkfffkff@kffkff")
return
fkfkkfk#k#fkk#ff(ffkffkffk#fk) {
global
gui, font, norm underline
gui, add, text, xm+%ffkffkffk#fk%%kff@f@fkk#kfkffkfkffkfff%%fkf@k#fkfkk#fkkfk#k#ff% yp-4 Cblue Gkffkk%k#ffk#fkk#f@fkf@%fk#f@f@%kff@f@fkfff@fkk#fk%fk#%f@fkffk#f@kff@k#kfffkf%ff%fkf@fkk#ffkfffkff@kf%kfff@ffkfkfkfk#kf, % f@ff%fff@k#fkkfk#f@f@kfff%f%fffkk#ffffkfkfk#%%fkfkfffkfffkfkffk#kfffkf%k#ff%fff@fff@kffkf@fkk#f@f@fk%kfk#fk("a77697e70797a7c297d71747d2a6e7b297877757c7c6d82297674816f2a6d747d2a7c71508c9")
}
kffkfkf@kffffkk#(f@fff@fffkf@f@) {
global
MsgBox, 4096, **ERROR**, % f@f%fkkff@kfkfkfkff@fff@k#ff%f@f%fkfkf@k#k#k#kff@ff%f%fkfff@f@k#kffkfffffff@kf%fkf@f@
}
f@fff@f@k#kf() {
global
static fkf@k#f@k#ffkfff
fkf@k%fkkffkfffkk#kfk#f@f@%%fffkfkkffkfkfffkf@f@fkff%f@%kff@f@fkk#kfkffkfkffkfff%k#ffkfff++
if (fkf@%f@fkffk#f@kff@k#kfffkf%#f@k#%k#kffkfffkk#fkfff@%ff%k#f@k#f@fkkffkk#ff%kfff // 8) {
k#%f@kfk#ffkfk#k#fkf@kffkfkkf%kff%kff@kfkff@f@f@kff@kff@%@k%kff@k#kfkffffk%ffkfkfkf()
fkf%f@k#kff@k#kfkfk#fk%@k#%fkf@k#ffkff@fffffffk%@k%fkk#fffkkffff@f@fkf@fkfk%#ff%f@fkfkffk#kffkffff%fff=
}
}


guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011
excellent work, i will definitely study this

i donated on your site as well, as a 'thank you' for sharing this

however, your donation dropdown is broken, the paypal page automatically put $5 instead of $10, so i changed quantity x2

Dave-
  • Members
  • 46 posts
  • Last active: May 17 2013 04:57 PM
  • Joined: 30 Nov 2010

thank you for your donation

 

feel free to post any questions you have about using the program or its architecture



Uberi
  • Moderators
  • 1119 posts
  • Last active: May 02 2015 06:05 PM
  • Joined: 23 Aug 2010

Impressive. A lot of people have been looking for something exactly like this. I'm sure it will be very useful.



Kangaroo
  • Members
  • 8 posts
  • Last active: Nov 04 2014 12:39 PM
  • Joined: 05 Dec 2012

Can you explain what's the purpose of this? Why would you "obfuscate" your AHK code? I don't understand.

thn. Kangaroo

 

 



Dave-
  • Members
  • 46 posts
  • Last active: May 17 2013 04:57 PM
  • Joined: 30 Nov 2010

One reason to obfuscate program code is to protect your intellectual property. You don’t want someone else to decompile your code and use pieces or all of it as he wishes. Though you can’t prevent someone from decompiling your code, if he can’t understand the code, your coding secrets may remain secret. He may decide to not use any of your code in his own programs if he cannot figure out what the various parts of your code do.

 

professional obfuscators already exist for java and .NET

 

http://www.red-gate....CFQSf4AodAgMAFQ

 

http://web.archive.o...V/Article/11351

http://www.excelsior...bfuscators.html



trueski
  • Members
  • 121 posts
  • Last active: Jun 25 2014 09:12 PM
  • Joined: 08 Apr 2008

This looks like it would be pretty effective. You could make it even more confusing by using characters that almost look identical, such as 

 

ὋὌῸΌ

-trueski-

Dave-
  • Members
  • 46 posts
  • Last active: May 17 2013 04:57 PM
  • Joined: 30 Nov 2010

one thing i thought of afterwards is all the obfuscated object names could randomly start with either the letter l or the letter O and then all the rest of the obfuscated object name would be constructed of random ones and zeros:

l1011001100101010:=O011010101010101010

that's actually a variable starting with the letter l being set equal to a variable starting with the letter O! those letters might look nearly identical to ones and zeros on your system especially with a monospace font like the code box above uses.

l00110101110101010101010(O0010101011101010, O110110100101010)

function call simulated above

 

same function call with security fragments inserted below:

l0%l0011101010111101010%1101%O000111101010111101%11101%l01010101011010%1010101010(O%l1110000110101010%00101%O01010101010%01011101010, O1%l1010101010111101%101%l111011101010%10100%O0101011111111000%101010)

obfuscated binary object names!
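The name splicing shown in the posts above (variable fragments wrapped in % and inserted into identifiers) is regular enough for a reviewer to flag mechanically. This is an added example in Python, not part of the obfuscator or of any post; the thresholds and function names are assumptions, and legitimate dynamic variables such as Array%i%_%j% will also match.

```python
import re

IDCH = r"[\w#@$]"                              # characters legal in AHK v1 names
TOKEN = re.compile(rf"(?:{IDCH}|%{IDCH}+%)+")  # identifier text mixed with %var% pieces
FRAGMENT = re.compile(rf"%{IDCH}+%")

def spliced_tokens(line):
    """Return tokens whose name is assembled from several %var% fragments."""
    hits = []
    for tok in TOKEN.findall(line):
        frags = FRAGMENT.findall(tok)
        literal = FRAGMENT.sub("", tok)        # what is left once fragments are removed
        # Assumed rule: 3+ fragments, or 2+ fragments spliced into literal name text.
        if len(frags) >= 3 or (len(frags) >= 2 and literal):
            hits.append(tok)
    return hits

def flagged_lines(script):
    """1-based numbers of non-comment lines that contain a spliced token."""
    out = []
    for n, line in enumerate(script.splitlines(), 1):
        code = line.strip()
        if code and not code.startswith(";") and spliced_tokens(line):
            out.append(n)
    return out

# Two obfuscated lines quoted from the thread.
OBFUSCATED = r"""MsgBox, 4096, **ERROR**, % f@f%fkkff@kfkfkfkff@fff@k#ff%f@f%fkfkf@k#k#k#kff@ff%f%fkfff@f@k#kffkfffffff@kf%fkf@f@
l0%l0011101010111101010%1101%O000111101010111101%11101%l01010101011010%1010101010(O%l1110000110101010%00101%O01010101010%01011101010, O1%l1010101010111101%101%l111011101010%10100%O0101011111111000%101010)"""

# Plain AHK lines quoted from the thread, including ordinary %var% use.
CLEAN = r"""IsItemInList(item, list, del=",")
Loop, Parse, list, %del%
Loop, Parse, paramslist, `,, %A_Space%%A_Tab%
if (A_LoopField = item)
return true"""

if __name__ == "__main__":
    print("obfuscated sample:", flagged_lines(OBFUSCATED))
    print("clean sample:     ", flagged_lines(CLEAN))
```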



Dave-
  • Members
  • 46 posts
  • Last active: May 17 2013 04:57 PM
  • Joined: 30 Nov 2010

I uploaded the obfuscator to github:

https://github.com/d...tkey-obfuscator

 

-fixed some bugs

-fixed problem with hotkeys with spaces in them

-fixed problem with obfuscating literal strings

 



tomoe_uehara
  • Members
  • 2166 posts
  • Last active: Jun 11 2015 05:33 PM
  • Joined: 05 Sep 2009
Interesting script you have here, Dave-
Very useful, but it's like a dual edged blade, it will be harder to detect malicious code inside a script


guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011
thanks for the update

Bugz000
  • Members
  • 155 posts
  • Last active: Oct 14 2015 01:03 PM
  • Joined: 24 Feb 2011

i'm looking to convert this entire script to a single function, no GUI needed - i'll get back to you with the code :)


Hire me to write your code! (join IRC or PM me for details)


Dave-
  • Members
  • 46 posts
  • Last active: May 17 2013 04:57 PM
  • Joined: 30 Nov 2010

if you guys have a problem with using the program feel free to post it here.

 

tomoe, the obfuscation will hide your program's detection of its own integrity. If your program is running as a script then it can do tests to make sure it is running on your development computer only. If it is running as a compiled program then it can do tests like checking its own size and crc. i saw an interesting script on this board where an autohotkey script can retrieve its own code signing certificate and i'm going to start using that one.

 

you can make your code integrity checks into functions which you can then sprinkle throughout the main running parts of your program. these techniques will make it very, very difficult for someone to inject malicious code into your script. if they extract the script from the exe, it will not run, it will just go down a rabbit hole. if they change a single byte then recompile, it will not run.

 

the problem with exe wrap protector programs is that they will give false virus positives for autohotkey scripts. i tried using enigma protector on a script and i was unable to upload it to cnet.com (upload.com) because it said i had a virus! it came up with 12 false virus positives on virustotal.com! using my system you will not get any false virus positives on your script.

 

 

guest3456
  • Members
  • 1704 posts
  • Last active: Nov 19 2015 11:58 AM
  • Joined: 10 Mar 2011
i just tried it with all the defaults, no checkboxes checked. i ran the translation Map and then obfuscate and tried to run. i added those 5 lines for the simple straight obfuscation at the top and then i added the END_AUTOEXEC line as well. adding those to my source fixed my initial problems of "This variable/function has an illegal character". so that's good

suggestions for above:
1. a checkbox for 'simple straight obfuscation' which checks for the 5 comment commands at the top and adds them if they are not there.
2. if END_AUTOEXEC comment command is missing, then prompt user
3. make the gui fonts smaller. i'm on 125% scaling in windows and the gui buttons for the obfuscate window were cut off at the bottom

anyway...

now, i'm getting this error

"Unsupported parameter default"
;FUNCTION ORIGINAL NAME: IsItemInList
kfffk#fkf@fff@kf(f@k#k#fff@kfff, kffkk#fff@fkk#, ffffffffk#fkfk=f@kffkk#ffkff@ff,f@kffkk#ffkff@ff) { 
   Loop, Parse, kffkk#fff@fkk#, %k#kfkfkffkfkk#fkffk#fk%ÿffffffk#fkfk%%f@fkf@ffffk#f@%
   {
      if (A_LoopField = f@k#k#fff@kfff)
         return true
   }
   return false
}
original:
IsItemInList(item, list, del=",")
{
   Loop, Parse, list, %del%
   {
      if (A_LoopField = item)
         return true
   }
   return false
}


Dave-
  • Members
  • 46 posts
  • Last active: May 17 2013 04:57 PM
  • Joined: 30 Nov 2010

i like your ideas guest3456! i have regretted not making it default to straight obfuscation for the public version of this and i like your idea about the END_AUTOEXEC tag as well.

 

the problem with your code is no doubt the fact that your parameter default is a comma. when my obfuscator finds a new function section, it parses off the parameters by grabbing whatever is between the () and executing line 308 in my include file 'OBFcreatetransmap.ahk':

 

Loop, Parse, paramslist, `,, %A_Space%%A_Tab%
 

it just simply parses the parameters by splitting it by commas. so that means my program would have thought you had 4 parameters, not 3. in fact that is what i see in your obfuscated code. and then a variable ended up assigned as the default for the 3rd parameter which is not allowed by autohotkey and is the reason for the error message you got.

 

i'm not sure what i will do to fix the problem in my program but in the meantime this should work to fix your code:

IsItemInList(item, list, del="")
{
if (!del)
    del:=","
Loop, Parse, list, %del%
{
    if (A_LoopField = item)
        return true
}
return false
}
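The parameter-splitting problem described in the post above, reproduced next to a quote-aware split. This is an added example written in Python, not code from the obfuscator or from the thread; the function names are hypothetical, and it assumes AutoHotkey v1 string literals (double-quoted, with "" as the escaped quote).

```python
import re

def naive_split(paramslist):
    # Same effect as: Loop, Parse, paramslist, `,, %A_Space%%A_Tab%
    return [p.strip(" \t") for p in paramslist.split(",")]

def split_params(paramslist):
    """Split on commas that sit outside double-quoted string literals."""
    parts, cur, in_string = [], [], False
    for ch in paramslist:
        if ch == '"':
            # An escaped quote ("") toggles twice, so the state is unchanged.
            in_string = not in_string
        if ch == "," and not in_string:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if in_string:
        raise ValueError("unterminated string literal in parameter list")
    parts.append("".join(cur))
    return [p.strip(" \t") for p in parts if p.strip(" \t")]

def param_names(parts):
    """Return only the identifiers a renamer should touch, not the defaults."""
    names = []
    for p in parts:
        p = re.sub(r"(?i)^byref\s+", "", p)            # drop a ByRef prefix
        names.append(re.split(r":?=", p, maxsplit=1)[0].strip(" \t*"))
    return names

PARAMS = 'item, list, del=","'   # parameter list of IsItemInList from the thread

if __name__ == "__main__":
    print(naive_split(PARAMS))                 # four pieces, the default is cut in half
    print(split_params(PARAMS))                # three parameters
    print(param_names(split_params(PARAMS)))   # names only
```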