Creating your own executable from a PB program?


Post by thefool »

Fluid; it's easy to put it in the executable at another place too :)

Post by ricardo »

thefool wrote: Fluid; it's easy to put it in the executable at another place too :)
Some example? :)

Post by Fluid Byte »

thefool wrote: Fluid; it's easy to put it in the executable at another place too :)
Stop talking in riddles you git! :twisted:

You know I have no clue....

Well, "another place", eh? At the beginning! :?

I also tried another method, which is to define a string named "KEYTAG" in the source. So when you modify or hex view the .EXE you have some sort of an anchor point, but then again it's visible as plain text and rather useless. Even if you named it something else. It's also stored at the end of the .EXE, right before the XP manifest resource.

Seriously, throw me a bone here.

Post by thefool »

I got tons of ideas on how to protect it hehe.
Do some stuff with the key: XOR it, manipulate it.
You can store it in data sections instead of with the strings directly. I'll throw an example.

Post by thefool »

OK, I have made an example; not too well protected, but if you can disguise the reading of the key with some encryption of the key itself it's OK. But here we go:


First, compile this to "decryptia.exe":

Code:

;Main program. this is where you will inject the stuff into :)

Procedure.s myXorCryption(string.s,key)
  For i=1 To Len(string.s)
    myreturnstring.s+Chr(Asc(Mid(string.s,i,1)) ! key)
  Next i
  ProcedureReturn myreturnstring.s
EndProcedure


myencstring.s="RN~ZC_RRYTENGCRSDCE^YP" ;Encrypted using 55!

OpenConsole()
PrintN("Welcome to decryptia!")
PrintN("---")
Print("Encrypted string: ")

;***WOW! i save the key right here!!!
;DB 50 and 60 is so i can find the right place to put it in.
Goto over
peekPalace:
!db 50
!db 60
!db 00
!db 00
!db 00
!db 00
over:


PrintN(myencstring.s)
PrintN("Now im reading the key ;) ")

key=PeekL(?peekpalace+2) ;<-------------LOOK! +2 because i had the 2 leadin' bytes.

PrintN("Decrypting using key!")

mydec.s=myXorCryption(myencstring.s,key) ;Decrypting the stuff

Print("Decrypted string: ")
PrintN(mydec.s)

Input()

Great? Now, if you open this in a hex editor, you search for 50h 60h 00 00 00 00. You find that at 483h in this case, so you compile this part:

Code:

;injectia

OpenConsole()
PrintN("Going to inject :)")

;using a hex editor i know the place to smash the bytes are at 483h
ReadFile(1,"decryptia.exe")
*mem=AllocateMemory(Lof(1))
ReadData(1,*mem,Lof(1))
CloseFile(1)

;Stuff is loaded.
Print("Key to decrypt with(55, perhaps?): ")
mykey.l=Val(Input())
PrintN("")
PrintN("*Writing key to exe*")

PokeL(*mem+$483,mykey) ;<------LOOK!!!! i write at $483

CreateFile(2,"Decryptia_WITHKEY.exe")
WriteData(2,*mem,MemorySize(*mem))
CloseFile(2)

PrintN("Done...")

Now compile the first code to decryptia.exe. When you then run this you will get a Decryptia_WITHKEY.exe that only displays the correct result if you enter the correct key, which is 55 in this case.

I hope this helps a bit :) Tell me if you need ideas on how to hide it even more.

Post by Fluid Byte »

UTOPIA !! :!:

I like your witty comments: ";<------LOOK!!!! i write at $483"

Like you're talking to a complete moron! LMAO!

Anyway, this is good stuff! Lemme play around with that and take a deeper look at it. I'll give you a shout when I need more details on hiding the key and stuff.

Thanks so far f00l!

PS: Xor encryption is pretty weak, isn't it?

PS2: Do you know a good hex editor? I mostly use MS Notepad to look at files :shock:

Post by thefool »

Fluid Byte wrote: Like you're talking to a complete moron! LMAO!
hehe :P
Well, that was not the purpose, but it's just too bad if someone misses the comments :)

Fluid Byte wrote: Anyway, this is good stuff! Lemme play around with that and take a deeper look at it. I'll give you a shout when I need more details on hiding the key and stuff.
Do that :)

Fluid Byte wrote: PS: Xor encryption is pretty weak, isn't it?
Of course! You shouldn't use that, it's just an example about how to store a key. Then you can use whatever encryption you want. But encrypt the key too, XOR it, do funny stuff to it. Make it a string, reverse it and make it a number again (bad idea to end with a zero in this case though).

Why do that? To hide the key a bit. I mean, so they can't just read it.
When you make the program compare if the key is equal to zero (because that means that you haven't injected the key yet).

ENCRYPT the exe when it's not in use; I mean, when it's on the disk, have an encrypted form. When you inject the key, you decrypt it, inject the key and save the working, decrypted form on the disk.

Fluid Byte wrote: PS2: Do you know a good hex editor? I mostly use MS Notepad to look at files :shock:
Damn!
You need a hex editor for this.. REALLY...!
http://www.pspad.com/

My favorite editor. Comes with a normal editor, a hex editor and TONS of other stuff. Completely free!

Post by Fluid Byte »

Somehow you encouraged me to work more frequently on this project again, so some more questions arise:

1.) What does the assembly keyword " !db " stand for? Was it "define byte"?

2.) What exactly does it do, respectively how does it work? I need to understand this in order to correctly modify its values and position.

3.) Is it truly possible to define a custom data section anywhere in the compiled .EXE for storing the key?

4.) What kind of encryption should I use for the key or the script besides the rather useless XOR thing? Base64? MD5? Custom algo?

5.) I installed PSPad and viewed "decryptia.exe" but I seem to be too dumb for hexadecimal numbers. :roll: Well, as the "h" just means "hex" I searched for "50 60 00 00 00 00", "506000000000" and "5060" using the PSPad find dialog. So when you say "50h 60h 00 00 00 00", where exactly do I have to look/search when viewing the .EXE? Top margin? Left margin? The data itself?

Post by thefool »

Hi!

1) DB means Define Byte. ! means that it's direct assembly without interference from PB.

2) I make my own "variable" in the code. Instead of having it dynamically, it's statically written in the code. I simply have my own place of data where I can peek and poke whatever I want to. It's placed between the code.

3) Yes, it's truly possible. It's not a real data section, but again it is. bleh :)
It is possible, it's safe and it's easy.

4) MD5 is a hash algo. Base64 is an encoding, it's not encryption. The XOR thing is not useless at all, I would eventually combine it with other stuff. For the algo, go for something you know makes a certain size (I mean, you need to "allocate" the needed space in the exe file before you can write anything).

When you generate the code, first have the real one. Then you can XOR it, then you can reverse the characters, then you can make it back to ASCII and encrypt using an algo you choose. I can recommend you take a look at AES.

5) You need to search for 80 96 00 00 00 00

Post by Fluid Byte »

I got it! :idea:

I first thought that this

Code:

!db 50
!db 60
!db 00
!db 00
!db 00
!db 00

is meant to be a full hexadecimal value. But instead you directly poke two leading bytes (50 / 60) as an offset for the location of the key. :wink:

So the following 4 null bytes are a placeholder for a 32-bit (LONG) decryption key. Took me a while to figure out. :oops:

thefool wrote: Its not a real data section, but again it is. bleh :)
Geeeee! Please never become a teacher. :P

thefool wrote: When you generate the code, first have the real one. Then you can XOR it , then you can reverse the characters, then you can make it back to aschi and encrypt using an algo you choose.
Do you mean the key, the script or both?

thefool wrote: I can recommend you to take a look on AES.
Heard of it, checking it out.

thefool wrote: You need to search for 80 96 00 00 00 00
Been there, done that. No success.

Post by thefool »

Oh damn, I'm wrong; you need to search for:

32 3C 00 00 00 00


In PSPad click Tools -> Numeric base translator

Fluid Byte wrote: So the following 4 null bytes are a placeholder for 32bit (LONG) descryption key. Took me a while to figure out.
YES! That's the idea of it hehe :)

Fluid Byte wrote: Do you mean the key, the script or the both?
Of course you need to encrypt the script, otherwise there would be no sense in having a key. My point is: encrypt the script using AES with a KEY. Then before you store the key in the exe you XOR it, reverse it and AES it again so you can't just read the key out of the exe file!
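Added example (not part of the original posts, and written in Python rather than PureBasic): the marker-and-slot scheme from the thread, locating the `32 3C 00 00 00 00` slot by search instead of a hard-coded `$483`, refusing to patch when the slot is missing or ambiguous, and showing that the stored key can be read back by anyone who holds the file. `SAMPLE_IMAGE` is a constructed byte string standing in for decryptia.exe, and all function names are hypothetical.

```python
import struct

# "!db 50" / "!db 60" emit decimal 50 and 60, i.e. bytes 32 3C in a hex view,
# followed by four zero bytes reserved for the 32-bit key.
MARKER = bytes([50, 60])
EMPTY_SLOT = MARKER + b"\x00" * 4

# Constructed stand-in for decryptia.exe (not a real PE file).
SAMPLE_IMAGE = b"MZ" + bytes(range(64, 128)) + EMPTY_SLOT + b"\xc3" * 16


def find_key_slot(image: bytes) -> int:
    """Offset of the 4-byte key slot; refuses to guess when ambiguous."""
    first = image.find(EMPTY_SLOT)
    if first < 0:
        raise ValueError("empty key slot not found (already injected?)")
    if image.find(EMPTY_SLOT, first + 1) >= 0:
        raise ValueError("marker is not unique; patching would be a guess")
    return first + len(MARKER)


def inject_key(image: bytes, key: int) -> bytes:
    """Like PokeL(*mem+offset, key): little-endian signed 32-bit write."""
    offset = find_key_slot(image)
    patched = bytearray(image)
    struct.pack_into("<l", patched, offset, key)
    return bytes(patched)


def read_key(image: bytes, offset: int) -> int:
    """Like PeekL(?peekPalace+2), but done by anyone holding the file."""
    return struct.unpack_from("<l", image, offset)[0]


def xor_decrypt(text: str, key: int) -> str:
    """Same per-character XOR as myXorCryption in the post."""
    return "".join(chr(ord(ch) ^ key) for ch in text)


if __name__ == "__main__":
    slot = find_key_slot(SAMPLE_IMAGE)
    patched = inject_key(SAMPLE_IMAGE, 55)
    print(hex(slot), patched[slot - 2:slot + 4].hex(" "))
    print(xor_decrypt("RN~ZC_RRYTENGCRSDCE^YP", read_key(patched, slot)))
```

Because the slot is only recognised while it is still all zeros, running the injector a second time on an already patched file fails instead of overwriting some other location.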

Post by Fluid Byte »

In which form is AES distributed?

Sourcecode? Library? Application? PB UserLib?

And another question...

When I "compile" an .EXE the script will be encrypted and appended to it. But what happens while the project file is on the disk, which you load, modify and save with my IDE?

Post by thefool »

Fluid Byte wrote: When I "compile" an .EXE the script will encrypted and appended to it. But what happens while the project file is on the disk wich you load, modify and save with my IDE?
Well, there is only one person that can answer that. YOU.

Fluid Byte wrote: In wich form AES is it distributed?

Sourcecode? Library? Application? PB UserLib?

And another question...
Go search?

Post by ricardo »

Fluid Byte wrote: When I "compile" an .EXE the script will encrypted and appended to it. But what happens while the project file is on the disk wich you load, modify and save with my IDE?
You can use the command line to run the script, not from the end of itself but from some file (the project).

So, when the engine runs, if it receives some command line (let's say "/RUN c:/path") it should run from the file... Also, it's supposed that in this very case the file will not be encrypted. You can also make sure that the one that is calling the engine is the IDE by checking the MD5 of the program that calls your engine.

Post by thefool »

ricardo wrote: You can use the command line to run the script, not for the end of itself but from some file (the project).

So, when then engine runs if it receives some command line (lets say "/RUN c:/path" it should run from the file... also, its suppoused that in this very case the file will not be encrypted. You can also make sure that the one that are calling engine its the IDE by checking the MD5 of the program that call your engine.
Good idea. Just be sure to hide the MD5 checking and so on; and be sure to have some anticracking stuff at the check! Or PM me for some tips to make it harder, which can even be used in combination with an external thing.