1. Delete all (or nearly all) files in C:\windows\temp
2. Run the script and keep the black windows batch window open.
3. Get the 'decompile' file(s) from C:\windows\temp
That's it
If the batch file is ghosted or doesn't wait for user input, open it in a hex editor and replace 'DeleteFileA' with 'DeleteFileW'.
If you want to avoid the script executing (because it may contain something like 'echo |format c: /q'), additionally replace 'CreateProcessA' with 'CreateProcessW'.
Please keep script files what they are - script files !
@Oleg, instead of trying to deny this, you should at least mention it in one sentence in the manual as a 'limitation' - as every good and honest program does - until you have fixed or improved it. People have a right to know all about a program they use to deal with their private stuff.
By the way, I like BFC - it's pure & simple and nice to use.
You've never tried some stuff to improve 'protection' like
creating the temp file without share-access flags so it becomes locked against read access by any other program. Maybe this will require injecting some code into the cmd.exe process address space to do so (a DLL is the easiest way, but there are others as well, like CreateRemoteThread). Intercept/hook file-access APIs like CreateFileW or ReadFile to redirect them to your data and keep the whole story in RAM, or check out what pipes may do.
Be creative and explore the possibilities! :laugh:
Edited By Code Cloude on 1129832904
It's really easy to decompile a BFC-file - Quick Batch File Compiler
-
- Site Admin
- Posts: 307
- Joined: Fri Feb 13, 2004 5:55 pm
- Contact:
OK. This is not a secret, but... does anybody know about EXE source? Do you know that your favorite tool was created with Visual C++, Visual Basic, Delphi or QuickBFC? Usually no. QuickBFC protects your source from modifications and hides the source code from users.
Your suggestions are not so good. We tested share access, DLL injection and much more - these solutions can't guarantee stable work on any Windows version. Moreover, we are working on a byte-code compiler for the next versions - it works like Visual Basic: the EXE file contains a bytecode + interpreter.
P.S. As far as I know, all our competitors use the same algorithm as our current version and create temporary files in the TEMP folder, and nobody can guarantee better protection.
-
- Posts: 3
- Joined: Thu Oct 20, 2005 5:33 pm
>...anybody known about EXE source? Does you know that
> your favorite tool created with Visual C++, Visual Basic,
> Delphi or QuickBFC?
I use Total Commander and usually view the beginning and the end of any unknown exe (especially some I downloaded with eMule) with the built-in ASCII viewer, looking for unwanted code.
If you see MSVBVM60.dll it's VB6.
If you see 'Boolean' and 'Smallint' it's Delphi; when you open it in some resource viewer or in DeDe you get more info.
quickbfc.exe is, for example, compiled with Delphi 7 (Enterprise),
and as for Visual C++, it usually has '.data' as a section name and has somewhere "Microsoft Visual C++" (from the msvcrt.lib standard lib) or "MFC..."
QuickBFC script exes appear as Delphi exes, but they have some 'suspicious' data (= packed/encrypted data) attached at the end. That's how I stumbled over BFC (google: "Quick Batch File Compiler") and found out that this is some packed script data and not an ad loader or Trojan 'file attachment'...
> Moreover, we working on byte-code compiler for next
> versions - it work as Visual Basic, EXE file contain a
> bytecode+interpreter.
Well, that's a really good solution, but I guess it's also pretty much work.
Edited By Code Cloude on 1130021513
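The manual check described in the post above (toolchain marker strings plus data attached after the last section) can be scripted for triage. This is an added example, not code from the thread or from QuickBFC; the function names and the sample image built in `build_sample` are constructed for illustration.

```python
import struct

# Marker strings named in the post above; a hit is a hint, not proof.
MARKERS = {
    "VB6": [b"MSVBVM60.dll"],
    "Delphi": [b"Boolean", b"Smallint"],
    "Visual C++": [b"Microsoft Visual C++"],
}

def overlay_offset(data):
    """Return the file offset where section data ends (start of any overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsec,) = struct.unpack_from("<H", data, pe + 6)   # NumberOfSections
    (opt,) = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt                              # first section header
    end = table + 40 * nsec
    for i in range(nsec):
        size, ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if size:                                       # SizeOfRawData, PointerToRawData
            end = max(end, ptr + size)
    return end

def triage(data):
    """Report toolchain hints in the image and the size of any appended data."""
    end = overlay_offset(data)
    hints = [name for name, pats in MARKERS.items()
             if all(p in data[:end] for p in pats)]
    return {"toolchain_hints": hints, "overlay_offset": end,
            "overlay_size": len(data) - end}

def build_sample():
    """Constructed minimal PE image: one .data section plus 64 appended bytes."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)       # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xE0)            # SizeOfOptionalHeader
    sec = 0x80 + 24 + 0xE0
    hdr[sec:sec + 8] = b".data\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, 0x200, 0x200)
    body = b"Boolean\0Smallint\0".ljust(0x200, b"\0")
    return bytes(hdr) + body + b"\xAA" * 64

if __name__ == "__main__":
    print(triage(build_sample()))
```

A non-zero overlay is only a prompt for a closer look: installers, self-extracting archives and Authenticode signatures also store data past the last section.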
-
- Site Admin
- Posts: 307
- Joined: Fri Feb 13, 2004 5:55 pm
- Contact: