Best way to obfuscate a Batch File?

[PaperTronics]

Hey Everyone!

Today, one of my non-programmer friends asked me if I could make a program which asks for the username and password when the computer starts up. I told him that it was a piece of cake for me... until he added, "I also want it's code to be incomprehensible". So I figured that I should obfuscate the batch file. But what's the best way to do it?

I don't care if the method to obfuscate it takes a lot of time, I just need the batch file to be secure so that other's can't edit the code and figure out the password.


Any help is greatly appreciated!
PaperTronics

[aGerman]

First of all thank you for using "obfuscate" instead of "encode" or "encrypt". Any attempt to securely use a password in a batch code is doomed to failure!
Obfuscated or not - somewhere in your code you will have a line like that:
if [input]==[password] ([success]) else [error]
It doesnt matter if you might have your password obfuscated or if you might have used a hash instead or if you might have read the password from a remote file. All you have to do is to remove the comparison from the batch code.

There are already dozens of possibilities using variables to obfuscate batch code. There are those bat2exe thingies that compress the code in a container (but will unpack it to the original code and execute it).

That's another funny possibility. It doesn't even obfuscate the code. It only confuses your editor if you try to open the batch file

Code: Select all

@echo off
if "%~1"=="" exit /b
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
for /f %%i in ("certutil.exe") do if not exist "%%~$path:i" (
  echo CertUtil.exe not found.
  pause
  exit /b
)
>"temp.~b64" echo(//4mY2xzDQo=
certutil.exe -f -decode "temp.~b64" "%~n1___%~x1"
del "temp.~b64"
copy "%~n1___%~x1" /b + "%~1" /b

Drag/drop your file to it. It creates a new batch file with 3 underscores appended to the name. Try to open it in a text editor. You should see any kind of Chinese characters.
If you open it in a HEX editor you'll see how it works - it prepends an FF FE Byte Order Mark (that leads to parse the code as UTF-16 LE in a text editor) + CLS to remove the error message that cmd.exe will throw.

Steffen

[ShadowThief]

I immediately thought of this: viewtopic.php?f=3&t=4876

[aGerman]

Yeah but I was rather thinking about something like that:

Code: Select all

@echo off &setlocal EnableDelayedExpansion
%=sun%set% in the morning% "%tim%e="& %is not %for %%i%diotic% i%nsura%n%ces% (b%ut% c%oul% d%n't% f%i% g%ure out% h%ow% j%ournalists% %ma%k%e% l%ong% m%anuscripts % n%asty% %up%p%ercase% %e%q%ual% %signs ma%r%k% %seriou%s %=tex%t%ual% v%iolation% %=no%w%here% %are e%x%tra% % o%z%one layers%) %=please% do %not fight% for %%j%ulian's incompetence% i%n batch codi%n%g% (%=this guy f%a%ils% e%very time &% %c o n t %i %n u% o u %s l% y) %=rather%do %=un%set "%elem%e%nts%=!e%nergy%!%%i%n%%%j%ourney trips%"

%bab%%e:~15,2%%=o bab%%e:~66,2% ^
%don't scar%!%e:~195,1%!%me away%
%sh%%e:~132,2%%doesn't let m%%e:~213,1%%se%%e:~170,2%%her smile%

The code defines a variable e in a nested FOR loop and prints its content. Using substrings of e and undefined variables you can obfuscate the code. A human brain will always try to read known words in it.

Steffen

[Hackoo]

First of all thank you for using "obfuscate" instead of "encode" or "encrypt". Any attempt to securely use a password in a batch code is doomed to failure!
Obfuscated or not - somewhere in your code you will have a line like that:
if [input]==[password] ([success]) else [error]
It doesnt matter if you might have your password obfuscated or if you might have used a hash instead or if you might have read the password from a remote file. All you have to do is to remove the comparison from the batch code.

There are already dozens of possibilities using variables to obfuscate batch code. There are those bat2exe thingies that compress the code in a container (but will unpack it to the original code and execute it).

That's another funny possibility. It doesn't even obfuscate the code. It only confuses your editor if you try to open the batch file

Code: Select all

@echo off
if "%~1"=="" exit /b
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
for /f %%i in ("certutil.exe") do if not exist "%%~$path:i" (
  echo CertUtil.exe not found.
  pause
  exit /b
)
>"temp.~b64" echo(//4mY2xzDQo=
certutil.exe -f -decode "temp.~b64" "%~n1___%~x1"
del "temp.~b64"
copy "%~n1___%~x1" /b + "%~1" /b

Drag/drop your file to it. It creates a new batch file with 3 underscores appended to the name. Try to open it in a text editor. You should see any kind of Chinese characters.
If you open it in a HEX editor you'll see how it works - it prepends an FF FE Byte Order Mark (that leads to parse the code as UTF-16 LE in a text editor) + CLS to remove the error message that cmd.exe will throw.

Steffen

I like this method
I wonder how we can get back the original batch file by programming ?
Is there any methods like this one to do for *.vbs or *.hta codes
Thank you !

[aGerman]

I like this method
I wonder how we can get back the original batch file by programming ?

The prepended line in a HEX editor is
FF FE 26 63 6C 73 0D 0A
As you can see it's 8 characters. Just let PAUSE eat them.

Code: Select all

@echo off &setlocal
if "%~1"=="" exit /b
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
<"%~1" ((for /l %%N in (1 1 8) do pause)>nul&findstr "^">"%~n1___%~x1")

Again drag/drop the changed batch file onto it.

Is there any methods like this one to do for *.vbs or *.hta codes
Thank you !

At least not that I know.

Steffen

[penpen]

Any attempt to securely use a password in a batch code is doomed to failure!
Obfuscated or not - somewhere in your code you will have a line like that:
if [input]==[password] ([success]) else [error]
It doesnt matter if you might have your password obfuscated or if you might have used a hash instead or if you might have read the password from a remote file. All you have to do is to remove the comparison from the batch code.

I disagree.
You could use use the password as a key to decrypt the batch source, append it to the end of the batch file (after an eof character), and use copy to remove the part after the sub. The appended source must have a label ":access", so it can be called.

So you would get a batch like this (sketched only):

Code: Select all

@echo off
setlocal enableExtensions enableDelayedExpansion
call :main
goto :eof

:access
echo(Login or password incorrect.
goto :eof

:main
set /P "login=Login   :"
set /P "password=Password:"

call :computeHash login
>>"%~f0" call :decrypt hash password
call :access
copy /a "%~f0" /a "dummy"
copy /a "dummy" /a  "%~f0"
del "dummy"
goto :eof

:computeHash
:: "%~1" value
:: "%~2" hash
...

:decrypt
:: "%~1" database entry
:: "%~2" key
echo(EOF-character
echo(deccrypted database antry
goto :eof

:: database

#hash(login1)
:: encrypted batch source using key: password1
:: maybe encoded in base64, or similar

:: ...

#hash(loginN)
:: encrypted batch source using key: passwordN

If someone doesn't know the right password, then the decryption fails, and the :access label above is used, which is useless for an attacker.
But you need to add the enrypted batch file per login and password (so it probably grows very quick).
You also need some de-/crypt software which accepts strings as keys.


penpen

[aGerman]

Don't get me wrong but what would be the benefit to use that kind of batch code? You would need 3rd party tools to do the work for you. Thus, you could just use the command line interface of software like TrueCrypt and you're done

Steffen

[penpen]

Such batch code would contain completely hidden (to third eyes) parts and is securely using a login and password, which is mainly an academic proof, that this is possible.
You may need third party tools, but these also could be written completely in batch, so all could be done without installing anything:
- MD5
- AES.
But you would need to modify "aes.bat" and "aescore.bat", because you don't want to write the key (== password) to hdd.


penpen

[Hackoo]

I like this method
I wonder how we can get back the original batch file by programming ?

The prepended line in a HEX editor is
FF FE 26 63 6C 73 0D 0A
As you can see it's 8 characters. Just let PAUSE eat them.

Code: Select all

@echo off &setlocal
if "%~1"=="" exit /b
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
<"%~1" ((for /l %%N in (1 1 8) do pause)>nul&findstr "^">"%~n1___%~x1")

Again drag/drop the changed batch file onto it.
Steffen

I don't know why it dosen't work on my PC (windows 7 64 bits french version)
The console freezes and findstr is still working, but i got nothing ?

[aGerman]

I don't have access to a Win7 PC before tomorrow. Meanwhile you could try to replace the last line with

Code: Select all

<"%~1" (set /p "="&findstr "^">"%~n1___%~x1")

It will discard the first line of the dropped batch code which is the same as discarding character-wise in this case.

Steffen

[PaperTronics]

Hey everyone!

Sorry for my late reply, I've been busy these few days. I still haven't checked out any methods yet since I didn't get the time to. As soon as I'm finished with my work I'll test each and every method and tell you guys which one works for me and my friend.



PaperTronics

[aGerman]

@Hackoo

Works for me on Win7 x64. Make sure your batch file doesn't have the same name as any of the used commands. If that isn't the case please give a short explanation how to reproduce the failure.

Steffen

[Hackoo]

@Hackoo
Works for me on Win7 x64. Make sure your batch file doesn't have the same name as any of the used commands. If that isn't the case please give a short explanation how to reproduce the failure.
Steffen

@Steffen
I modified the code like this one and it works now like a charm for me

Code: Select all

@echo off
if "%~1"=="" exit /b
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
if exist "%~n1___%~x1" del "%~n1___%~x1"
for /f "skip=1 delims=" %%L in ('CMD /U /C Type "%~1"') do (
   echo %%L
   echo %%L >>"%~n1___%~x1"
)
pause>nul

[aGerman]

Good to know. Although it doesn't explain why the other techniques failed.

Steffen