VB6 Obfuscator

[some1uk03]

Hello,

Can anyone guide me to a VB6 Obfuscator?
I've tested out VBEXEObfuscator340 and as much as I like it, it seems to leave out actually sub/function names but is able to rename event names :/

I'm after something that can also rename sub/function names?

Any ideas?

[Rinzwind]

Maybe vbobfuscator.net? It handles vbscript and vba reasonably. Still... Big projects need paying attention and some copy and pasting.

[dilettante]

I doubt you are going to find very much out there.

VB6 native code simply doesn't have the need for obfuscation, certainly not as badly as scripting languages or languages compiled to pseudocode. Remember, most simple obfuscators only alter data names. The result is only of limited effectiveness.

People who analyze viruses for a living hate it when script kiddies use VB6, because the generated code is harder to reverse engineer than most. Luckily for them script kiddies aren't too smart and mostly cobble together boilerplate, so generally full analysis isn't necessary and they can just use a tool that matches a library of templates against the compiled code.

[some1uk03]

vbobfuscator.net seems it's for vbscripts [vbs] rather than VB itself or am i missing something ?

VB6 native code simply doesn't have the need for obfuscation, certainly not as badly as scripting languages or languages compiled to pseudocode. Remember, most simple obfuscators only alter data names. The result is only of limited effectiveness.

I believe I have waaayyy too many checks and tricks to make it harder for my app to be cracked but,
I just watched a Video tutorial of my software getting cracked!! And it's not a nice thing to see!!

Although an exe is compressed, crackers still dump out the uncompressed version from memory and start their work.
VBDecompiler is a hefty lil tool for hackers to easily view the whole structure / objects / classes / mods etc.. of your VB Project! So a Function that says CheckSize or Check Licence can easily be tracked. Now obviously Most of my functions are renamed with random un-obvious names but still... I want to beef up my security!!!

I've done loads of research and implemented many security checks but these guys always win.
Any smart ideas to make it harder for crackers to crack?

[LaVolpe]

As a fallback plan and not perfect by any means... I once read an article where the author conceded that his code would be cracked if someone wanted it bad enough. The author obfuscated to a reasonable extent based on what he deemed reasonable. Elsewhere in the code was a random timer-like function that would kick off a couple weeks after installed. In that function, if it was determined that project was hacked (i.e., checksums don't match), then the project would silently close/shut down. The theory was that by delaying this function, the original hackers may not find it because they weren't looking for it. Also, if the code was hacked, thieves would get a few weeks of use out of it, but it would eventually stop working. Would hackers go back & try to re-hack the software to find the problem? If more than one of these random functions were used, would the hackers find them all the first time?

Above provided as food for thought

[The trick]

There are lot of technique to do cracking most harder
But most best result - compile code to native and learn them asm code. Honestly very difficult secure program because most of statements call runtime function. Quite long I'm learning native vb6 code and possible to do independed from runtime code. It helped me to write driver, dll, shellcode etc. But it very difficult with big restrictions. You can do static link using coff modules being wrote in others languages or even on vb. Ever i'll done my addins for advanced compilation.

[dilettante]

When the native code optimizer/code generator (C2.EXE) runs it rearranges much of the original logic as part of code optimization. This is one reason why stuff like VBDecompiler is relatively useless unless the cracker is very determined.

But it depends on what you are trying to protect. If it is just proprietary algorithms in your program the compiler does a pretty good job turning that into something difficult to reverse engineer. If it is security related (for example copy protection schemes) there is often some fairly small amount of critical code involved holding the keys to the kingdom, so that can be less work since there is less code to study and reverse engineer.

One way to help make that harder to crack is to make it harder to locate within the disassembled object code in the first place. An obvious way to do that is to defer calling it, i.e. don't make it the first thing your program does. You can go further and do a portion of it retaining intermediate results and then somewhere later finish it and perform your "run or abort" checking.

The "delayed check" based on some sort of time or count sounds like a variation on the same theme.

But if I was writing code for a market with this level of hostility I'd just abandon it and choose a new market. Let them starve.

[dilettante]

Consider the following tiny program:

Module1.bas

Code:

Option Explicit

Public Function CheckLicense1() As Boolean 'Only Public to show it doesn't matter.
    CheckLicense1 = True
End Function

Private Sub Main()
    With New Security
        If CheckLicense1() And .CheckLicense2() Then
            MsgBox "Ok"
        Else
            MsgBox "Failed", vbOKOnly Or vbExclamation
        End If
    End With
End Sub

Security.cls

Code:

Option Explicit

Public Function CheckLicense2() As Boolean
    CheckLicense2 = True
End Function

When compiled to native code and dumped you get:

Code:

00000980 ················ ················ ················ ······@·········
000009C0 <·@·,·@········· ,·@··f····vN·r·· '·?···········@· ··············@·
00000A00 ················ ··@·······@····· ··@·····t·@····· ················
00000A40 ··@·····L·@····· ········|·@····· p·@············· <·@·Module1·Secu
00000A80 rity····Project1 ················ +=····h··8··+3q· ·-··|>·C·····\··
00000AC0 *=····h··8··+3q· ······bM··j··$2R !=····h··8··+3q· Class···P··gv···
00000B00 ·3··+3o·VBIntern al····@········· ··········@·4#@· ··········2·Chec
00000B40 kLicense2·····@· ············O·k· ········F·a·i·l· e·d·····VBA6.DLL
00000B80 ····__vbaFreeObj ····__vbaObjSetA ddref···__vbaFre eVarList····__vb
00000BC0 aVarDup·__vbaHre sultCheckObj···· __vbaNew····__vb aObjSet·······@·
00000C00 ····`·@········· ·······`··@····· ·········#······ ··@···········@·
00000C40 ················ ······@···@·8#@· ······@········· ··········@·····

Note that both Security and CheckLicense2 appear in the dump of the compiled EXE. However CheckSecurity1 does not!

The reason has to do with the difference between a simple static function vs. a method (or a class for that matter).

[some1uk03]

@LaVolpe: I already have such a feature implemented. Just need to wait and see how well it works.

@The trick: Learning ASM, is simply something I can't spend time on right now to be honest.

dilettante:
One way to help make that harder to crack is to make it harder to locate within the disassembled object code in the first place. An obvious way to do that is to defer calling it, i.e. don't make it the first thing your program does. You can go further and do a portion of it retaining intermediate results and then somewhere later finish it and perform your "run or abort" checking.

The "delayed check" based on some sort of time or count sounds like a variation on the same theme.

Already implemented well deep within a lot of subs. No the First thing the program calls. I even have random junk code generating before any 'licence' needs authorisation etc...

But if I was writing code for a market with this level of hostility I'd just abandon it and choose a new market. Let them starve.

I am quite close to doing that actually. I am starting to think of a serverside / web type service.

Also with the checkSecurity test, yes checkLicence1 cannot be seen in a hex editor, but these guys mainly work with olly!
Which show them step by step what is being pushed in to the stack. No running away.

[7edm]

Have you tried something like Themida or WinLicense fro Oreans? Cost some but I assume your program isn't free either as it get hacked...

[some1uk03]

Have you tried something like Themida or WinLicense fro Oreans? Cost some but I assume your program isn't free either as it get hacked...

Yes, I took a look at them and I'm really tempted on buying a Licence, but I remember seeing even their software cracked!!!
So I'm thinking, they are selling a solution to stop / prevent cracking, but their software is already cracked! So not really persuaded sadly.

[7edm]

Not really the same thing... and which version was it, recently? I haven't looked at it lately but I know their demo got cracked some years ago and that it was used to "protect" a trojan which caused problems with some a-virus programs for some time, but it has loads of way to specialize your protection. Also, I doubt they give it all away in the demo like that, as a cracked version of the tool isn't really of any great value to anyone as only a fool would "protect" something with it. Then, there is no such thing as an uncrackable program, but I have never had any problems and can just recommend these guys.

[Tech99]

I am starting to think of a serverside / web type service.

In my opinion. There is no other way, than that to protect your IP. Transfer some essential parts (fex. computation functions) of your app, to serverside and use robust methods to impersonate licensed users.

[Jonney]

Only licensed version has full functions. limit the demo functionalities can solve your part of problem.

[Tech99]

Licensed versions, 'can have wings - sort of' ie. 'leak out to wrong hands'.