LinuxQuestions.org
Closed Thread
Old 06-28-2022, 11:25 AM   #1
markisac
LQ Newbie
 
Registered: Dec 2020
Location: markisac#3140
Posts: 10

Rep: Reputation: Disabled
Modified Headers Possible ?


Hello,

Modified version of UPX with headers stripped any possible approach ways to manually de-obfuscate it to retrieve content from such files ?

Thanks in advance.
 
Old 06-28-2022, 12:53 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by markisac View Post
Hello,
Modified version of UPX with headers stripped any possible approach ways to manually de-obfuscate it to retrieve content from such files ?
No idea what you're really asking here, but it seems to be related to your other thread where you ask a similar question about obfuscation and retrieval of source content. And from this post: https://www.linuxquestions.org/quest...ml#post6338692

...you seem to be wanting to crack code to use for free, rather than paying for it. And you also had a link to mass-emailing sites previously, and now it looks like you're trying to do the same thing. Sorry, but we aren't going to help you steal things that others wrote. If it's yours, then you have the content already...if it's not, pay for it. Reported.
 
Old 06-28-2022, 04:27 PM   #3
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,217

Rep: Reputation: 5309
In your last thread, you made it clear that you were asking for help cheating people out of money. Money that you owed them. Money that they had worked for. You wanted to take from them and not pay for it.

I think you need to reread our rules about "cracking".

Last edited by dugan; 06-28-2022 at 05:35 PM.
 
Old 06-28-2022, 06:14 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by dugan View Post
In your last thread, you made it clear that you were asking for help cheating people out of money. Money that you owed them. Money that they had worked for. You wanted to take from them and not pay for it.

I think you need to reread our rules about "cracking".
Agreed...I reported as well, and the OP removed their link to spam/mass-email sites in their last thread.
 
Old 06-29-2022, 01:05 AM   #5
markisac
LQ Newbie
 
Registered: Dec 2020
Location: markisac#3140
Posts: 10

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by TB0ne View Post
No idea what you're really asking here, but it seems to be related to your other thread where you ask a similar question about obfuscation and retrieval of source content. And from this post: https://www.linuxquestions.org/quest...ml#post6338692

...you seem to be wanting to crack code to use for free, rather than paying for it. And you also had a link to mass-emailing sites previously, and now it looks like you're trying to do the same thing. Sorry, but we aren't going to help you steal things that others wrote. If it's yours, then you have the content already...if it's not, pay for it. Reported.
Your memory is really great. And this is open source code, just like a challenge to retrieve code, but not as you assumed.
Yes, I have the content with me. See, I am asking for approaches so that I can learn; it's just a question.

Thanks.
 
Old 06-29-2022, 01:07 AM   #6
markisac
LQ Newbie
 
Registered: Dec 2020
Location: markisac#3140
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by dugan View Post
In your last thread, you made it clear that you were asking for help cheating people out of money. Money that you owed them. Money that they had worked for. You wanted to take from them and not pay for it.

I think you need to reread our rules about "cracking".
Omg. Where are all these assumptions coming from? It's just a question; if you cannot, it's totally fine, but don't mislead the topic please.

Thanks.
 
Old 06-29-2022, 02:20 AM   #7
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by markisac View Post
Omg. Where are all these assumptions coming from?
These are not assumptions.
You made it pretty clear yourself in your last thread; re-read my reply.

Be that as it may, your question in this thread is short and unclear and requires expansion. Please read the 1st link in my signature. Thank you.
 
Old 06-29-2022, 02:36 AM   #8
markisac
LQ Newbie
 
Registered: Dec 2020
Location: markisac#3140
Posts: 10

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by ondoho View Post
These are not assumptions.
You made it pretty clear yourself in your last thread; re-read my reply.

Be that as it may, your question in this thread is short and unclear and requires expansion. Please read the 1st link in my signature. Thank you.
See, my intent is not to break anything here, just to know how this obfuscation works.

Code:
execve("/usr/bin/test", ["test"], 0x7ffe5e83a840 /* 60 vars */) = 0
brk(NULL) = 0x5641b5b60000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffc661e6590) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=183229, ...}) = 0
mmap(NULL, 183229, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fab7a742000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=2029224, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fab7a740000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
mmap(NULL, 2036952, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fab7a54e000
mprotect(0x7fab7a573000, 1847296, PROT_NONE) = 0
mmap(0x7fab7a573000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fab7a573000
mmap(0x7fab7a6eb000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19d000) = 0x7fab7a6eb000
mmap(0x7fab7a736000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7fab7a736000
mmap(0x7fab7a73c000, 13528, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fab7a73c000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7fab7a741580) = 0
mprotect(0x7fab7a736000, 12288, PROT_READ) = 0
mprotect(0x5641b5392000, 4096, PROT_READ) = 0
mprotect(0x7fab7a79c000, 4096, PROT_READ) = 0
munmap(0x7fab7a742000, 183229) = 0
brk(NULL) = 0x5641b5b60000
brk(0x5641b5b81000) = 0x5641b5b81000
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=11459520, ...}) = 0
mmap(NULL, 11459520, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fab79a60000
close(3) = 0
close(1) = 0
close(2) = 0
exit_group(1) = ?
+++ exited with 1 +++

Regards,

Last edited by markisac; 06-29-2022 at 02:39 AM.
 
Old 06-29-2022, 03:10 AM   #9
suramya
Member
 
Registered: Jan 2022
Location: Earth
Distribution: Debian
Posts: 249

Rep: Reputation: 102
Quote:
Originally Posted by markisac View Post
Your memory is really great. And this is open source code, just like a challenge to retrieve code, but not as you assumed.
Yes, I have the content with me. See, I am asking for approaches so that I can learn; it's just a question.

Thanks.
If this is from a challenge please share a link to the challenge. Or share more details about the software/code from where you are getting the obfuscated code that you have shared. As others have commented this looks like you are trying to learn how to crack software so that you don't have to pay for it and that is not something this forum supports.
 
Old 06-29-2022, 03:41 AM   #10
markisac
LQ Newbie
 
Registered: Dec 2020
Location: markisac#3140
Posts: 10

Original Poster
Rep: Reputation: Disabled
I am not cracking or doing any bad stuff at all. All I need to learn is what kind of obfuscation this is, so that I can do the same on my project to protect myself.

I cannot really give the source of the file, nor am I telling you to decode it for me. All my question is about approaches, because there are bogus straces which are really not related when I see this obfuscation.

Thanks
 
Old 06-29-2022, 09:04 AM   #11
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,217

Rep: Reputation: 5309
Quote:
Originally Posted by markisac View Post
Omg. Where are all these assumptions coming from?
They're coming from your own words:
https://www.linuxquestions.org/quest...3/#post6338692

Q (TB0ne): Where did you get it?

A (You): I got it coded but developers wants me to pay for every machine cause it asks for code and email developer gave me to enter them... Coder is just taking advantage of me so i want to learn and just take the execution part without all those license checks.

Last edited by dugan; 06-29-2022 at 01:01 PM. Reason: Emphasis added
 
Old 06-29-2022, 09:32 AM   #12
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by markisac View Post
Your memory is really great. And this is open source code, just like a challenge to retrieve code, but not as you assumed.
Yes, I have the content with me. See, I am asking for approaches so that I can learn; it's just a question.
Sorry, just don't believe you. If this is a 'challenge', then post a link to it...and even if it *IS*, you then go on to say that you already HAVE the content...meaning you already KNOW how to do it, so why do you ask??? You can't both know and not-know.
Quote:
Originally Posted by markisac
Omg. Where are all these assumptions coming from? It's just a question; if you cannot, it's totally fine, but don't mislead the topic please.
It's coming from your other thread, where you ask essentially the same question, and flat-out said that your goal was to get software for free, and you didn't want to pay for it. Those were YOUR WORDS...it's not an assumption.
Quote:
Originally Posted by markisac
See, my intent is not to break anything here, just to know how this obfuscation works.
Then why don't you just read the documentation?? Study the source code of UPX??
Quote:
Originally Posted by markisac
I am not cracking or doing any bad stuff at all. All I need to learn is what kind of obfuscation this is, so that I can do the same on my project to protect myself. I cannot really give the source of the file, nor am I telling you to decode it for me. All my question is about approaches, because there are bogus straces which are really not related when I see this obfuscation.
There are *MANY* ways to obfuscate/encrypt your code...what you don't bother telling us is what kind of code/executable it is, provide any proof that it's yours (and conveniently can't/won't tell us), or show us what you've done. Your last thread was VERY clear..you wanted to crack someone else's code to use it for free. Now you're asking how to get content from an encrypted file...most likely because you'd have to pay for access to it otherwise.

If you genuinely want to learn, you can look at their source code and read their docs...that will tell you EVERYTHING about it, and there's nothing stopping you from doing it. If you (again) want to steal things, too bad.
 
Old 06-29-2022, 09:57 AM   #13
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,217

Rep: Reputation: 5309
Quote:
Originally Posted by markisac View Post
i cannot really give source of the file
Why not?
 
Old 06-29-2022, 10:06 AM   #14
markisac
LQ Newbie
 
Registered: Dec 2020
Location: markisac#3140
Posts: 10

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by TB0ne View Post
Then why don't you just read the documentation?? Study the source code of UPX??
True, I did the same, but this obfuscation is really interesting. When I packed the same source code with UPX, the file size is almost 1.8MB, but the file they gave me is just 800 bytes.

So I am after what kind of compression and obfuscation techniques they used here.

Thanks
 
Old 06-29-2022, 10:23 AM   #15
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by markisac View Post
True, I did the same, but this obfuscation is really interesting. When I packed the same source code with UPX, the file size is almost 1.8MB, but the file they gave me is just 800 bytes. So I am after what kind of compression and obfuscation techniques they used here.
Great...if you want to know that, it's in their source code. And in their docs. And if you claim you read them, you should know....so again, why ask???

Again: if this is an 'exercise', then you should have no problem posting the link to it. If you have the content already, you shouldn't need to do anything else to read it. If you want to know how UPX does it, read their docs/code. Again..there is just no reason to post here, unless you have an actual technical question. Which you don't....combine this with your other thread about stealing, and I don't think you're going to find many people to help you.
 
  

