There was a thread in general support forum the other day about possibility of compiled executable to verify binary integrity of itself when run. I can't find the topic now to link it, but meh never mind. Logical solution is to calculate checksum of the exe and save it somewhere. Later when the executable is run the checksum is calculated again and compared to the saved value. If they match, all is ok, and if they don't the exe was altered and verification fails.
The obvious problem is how and where to store the hash value. Alternate data stream seems the simplest solution. That way the hash is bound to the exe only and the risks of unwanted manipulations are relatively low. The problem could be if the exe is saved and run from non-NTFS file systems. Another problem is that any read/write action on exe file usually ends up with ADS being deleted. The other solution is registry writing, but that bounds exe and hash to the system. For another system (or even user) the checking wouldn't be valid. Third solution is using some sort of ini file. But that means ini has to go everywhere exe goes, otherwise again the check wouldn't make sense. And it would be too simple for someone to manipulate data, to the level the check wouldn't make sense.
So, this is kind of fourth option. CheckSumVerify2.a3x script below is include file that will calculate the hash of the executable on the first run, save it directly inside that executable using special technique and recheck the hash on every new run. If the new hash wouldn't match the saved one, the script will show message box saying that and further execution will be aborted. CheckSumVerify2.a3x
Just to say that I haven't done any complicated tests to see if it would work in outer space, or even on all supported systems. However my guess is it should work. Don't UPX the compiled executables, because I'm calculating checksum of the image on disk and not the one in memory.
Here's small example of usage:
#include "CheckSumVerify2.a3x"
If @Compiled Then
MsgBox(64 + 262144, "Aha!", "This is an example exe that does nothing except showing this message." & @CRLF & @CRLF & _
"But if you change the binary of me I will show error message and won't allow further execution." & @CRLF & _
$cmdlineraw)
Else
MsgBox(64 + 262144, "Hey", "This is an example script that does nothing except showing this message." & @CRLF & @CRLF & _
"But if you compile me I will check binary integrity of the compiled executable every time its run.")
EndIf
If something wouldn't work, or if you have any questions - simply post here. I'll do my best to answer.
I am writing an obfuscator currently with quite a few features, as I have found no good obfuscators yet that are complex enough to be nearly impossible to deobfuscate (as of course it is impossible to reach a 100% level of obfuscation where no one can deobfuscate it).
Current obfuscation methods include flow obfuscation, string encryption, proxy calls, unique renaming scheme (create gibberish WinAPI like name), junk codes, and removing all functions (merging them with the main script), traps to prevent automated deobfuscation, debugger detection, VM detection, moving strings to other parts of scripts (functions, proxy strings, etc), exit if not compiled, file integrity check. Decompile protection is also added (nothing that violates the reverse engineering clause of the ToS, I am using a PE loader with protections built into it.)
Does anyone have any ideas for more obfuscation methods to add?
Codefuser got a reaction from meoit in Obfuscation Methods