flat assembler
Message board for the users of flat assembler.

Index > Windows > XOR Crypting.

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Hello everyone. I have some questions about XOR Crypting. I am able tu crypt memory I guess when openning in debugger it shows encrypted instructions, but when I open file with hex editor data is shown normally. How can I hide data too from viewing hex editor ? like UPX does it ? Is there way to do that with XOR Crypting ? thanks.
Post 17 Nov 2010, 23:21
View user's profile Send private message Reply with quote
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler
1) Kinda, at least most of it. You'd have to have a small block of exposed code that decrypts the rest.

2) Xor encryption is really easy to break.

3) The fact that the only decrypted code is for decrypting the rest, will draw attention to the decrypting code, making for easy reversing.
Post 17 Nov 2010, 23:53
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Tyler
I'm just learning cryptography and I'm trying to start from very easy way.. Smile I think I know how to do that, data sections are on 0x00403000 address and I'll modify that. I'll do what I'm thinking and will post result.. Smile
Post 18 Nov 2010, 00:05
View user's profile Send private message Reply with quote
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler
Correct me if I'm wrong, but doesn't Windows write protect it's code pages?
Post 18 Nov 2010, 00:54
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
I don't know what you mean Razz I've crypted data and works fine now. I tried crypt idata and rdata sections but program failed and crashed.. It's night here so I'll do that later.. Well, what I was thinking was true. I've edited with ollydbg and crypted with it. 1 question, how to get how much RVA size and Virtual Size program has ? Thanks.
Post 18 Nov 2010, 01:09
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3045
Location: vpcmipstrm
bitRAKE
Here is a quick test which works for me:
Code:
format PE64 CONSOLE 5.0 at $10000
section '' readable writeable executable

    entry $

;-------------------------- DECRYPT
    lea esi,[.1 - 1]
    push .end - .1 + 1
    push rsi
    pop rdi
    pop rcx
.0: lodsb
    xor al,$55
    stosb
    loop .0
.1:

;-------------------------- PROGRAM
        enter '0',0
        mov ecx,-11             ; STD_OUTPUT_HANDLE
        call [GetStdHandle]
        mov [hStdOut],rax
        inc rax
        jz .ERROR_INVALID_HANDLE

        mov r9,'mY  bIg '
        mov r8,' sEcReT!'
        lea rdx,[.test]
        lea ecx,[_buf]
        call [wsprintfA]

        and qword [rsp+32],0
        lea r9,[rsp+40]
        mov r8,rax
        lea rdx,[_buf]
        mov rcx,[hStdOut]
        call [WriteFile]
        xchg ecx,eax
        jrcxz .ERROR_WRITE_FAULT

.ERROR_SUCCESS:
        xor eax,eax
        leave
        retn
.ERROR_INVALID_HANDLE:
        push 6
        pop rax
        leave
        retn
.ERROR_WRITE_FAULT:
        push 29
        pop rax
        leave
        retn

.test   db      \
        13,10,"%I64X",\
        13,10,"%I64X",\
        0
.end:
;-------------------------- ENCRYPT


repeat $ - .1 + 1
  load a byte from $ - %
  store byte a xor $55 at $ - %
end repeat


;--------------------------
macro import [lib,api] {
  common
    local part0,part1,first

    macro part0 lib0,[api0] \{
      \common   lib0\#_STR db \`lib0
      \forward  rb 2 - RVA $ AND 1
                label api0\#_STR at $-2
                db \`api0
      \common   db 0
      \}
    first = 7
    macro part1 lib1,[api1] \{
      \common   rb (8 - RVA $ AND 7) AND first
                first = 15
                label lib1\#_TAB
      \forward  api1 dq RVA api1\#_STR
      \}
  forward  part0 lib,api
  forward  part1 lib,api
  common   data import
  forward  dd 0,0,0,RVA lib#_STR,RVA lib#_TAB
  common   rd 5
           end data
}
import  \
        kernel32,<\
                GetStdHandle,\
                WriteFile\
                >,\
        user32,<\
                wsprintfA\
                >

hStdIn          rq 1
hStdOut         rq 1

_buf:           rb 1024
_buf.. = $ - _buf    
Wink
Post 18 Nov 2010, 06:07
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
bitRAKE
Sorry that code is too much for me :p I'm trying do it with debugger Smile) Anyway thanks for useful post, I'll learn that later.
Post 18 Nov 2010, 11:01
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Well. I was playing with antivirus'es and I'm trying how does worms bypass them I don't understand. I've used NetCat tool for testing. I crypted it with XOR encryption data,text and rdata sections and when opened in Hex Editor data was fully encrypted. But.. AV's catched them again after crypting. Can someone explain me how other malwares bypassing antivirus ? And also, I'm not going to write things like virus or trojans and etc.. I just like analys of them. For education purposes only. Thanks.
Post 18 Nov 2010, 11:26
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
Found this at this site:
http://comrade.ownz.com/docs/fasm.html

Code:
; selfencrypt
; 04.07.2008

format PE GUI 4.0
entry start

include "%include%/win32a.inc"

;
; This is the encryption macro.
; It is a simple XOR with 0xAA (10101010 in binary).
;
macro encrypt dstart,dsize {
    local ..char,..key,..shift
    repeat dsize
        load ..char from dstart+%-1
        ..char = ..char xor $AA
        store ..char at dstart+%-1
    end repeat
}

section ".code" code readable writeable executable
start:
        ;
        ; This will be the only non-encrypted part of the code.
        ; Here we will decrypt the code at run-time.
        ;
        mov     edx,real_start
        xor     eax,eax
        mov     ecx,code_size
@@:     xor     byte [edx],$AA
        inc     edx
        loop    @B

real_start:
        ;
        ; Everything from here on will be encrypted.
        ;
        stdcall [MessageBox],0,HelloWorld,HelloWorld,MB_ICONASTERISK

        stdcall [ExitProcess],0

        ;
        ; Encrypt everything from real_start to here.
        ;
        display "Encrypting code... "
        code_size = $ - real_start
        encrypt real_start,code_size
        display "done",13,10

section ".data" data readable writeable import
        library kernel32,"kernel32.dll",user32,"user32.dll"
        include "%include%/api/kernel32.inc"
        include "%include%/api/user32.inc"

        HelloWorld      db      "Hello World!",0
    
Post 18 Nov 2010, 14:42
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
ctl3d32
I know how to XOR data mate. I'm trying to crypt executable file. I crypted but AV's still detected it but I don't know how they're detecting file. I know AV's detect file with "signatures" in file. But I crypted all data there but still catched. Whats problem ? >.>
Post 18 Nov 2010, 15:09
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3045
Location: vpcmipstrm
bitRAKE
Well, you could try more than simple xor. My first asumption would be that AV aren't fooled by simple xor. Try something more complex and reversible:
Code:
lodsd             ; get
ror eax,1         ; skew
xor eax,edx       ; variable
xor eax,edi       ; delta constant
xor eax,$53CA9653 ; constant
stosd             ; set
xchg edx,eax      ; next    
...my next assumption would be that AVs are picking up something else not encrypted. Keep trying - you'll figure it out.

_________________
¯\(°_o)/¯ unlicense.org
Post 18 Nov 2010, 15:33
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
bitRAKE
No mate, I'm not trying to crypt data or something like that, I'm interested how AV's catch worms ? I though it just checks some signature on file like when opening with hex editor and see there's some data, I've changed all the data but it still cought it. Now I'm thinking, its running worm in virtual mode, then checks decrypted data and reads signature.. But don't think that was easy for that cause many worms aren't detectable.. How does it work ? :/ Thanks.
Post 18 Nov 2010, 17:50
View user's profile Send private message Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
Actually, they usually use esp as a counter and xor with esp to confuse debuggers.
Post 18 Nov 2010, 19:33
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
drobole



Joined: 03 Nov 2010
Posts: 67
Location: Norway
drobole
I don't know how AVs work but I wouldn't be surprised if the most aggressive AVs will alarm on any sequence not found in the C library.
More or less.

Maybe mimicking the assembly produced by C compilers will be less targeted by the AV's?
Post 18 Nov 2010, 19:39
View user's profile Send private message Reply with quote
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
I just got mad again at Spotify for ninjaing when starting OllyDbg, so I thought I'd debug it just in spite.

Lo! A xor decrypter! Xors with $3C29334C and then adds $4A582EB3 to some 1k memory area, which I suppose is the second stage.
Post 18 Nov 2010, 20:52
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Here, look what I done in debugger. here's attached.
Post 18 Nov 2010, 21:18
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack
don't attach executables.. anyway what is your point ?
Post 18 Nov 2010, 21:34
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
No no, I don't used any virus things like kiddies does.. My problem is, I've crypted NC and AV's are still detecting it. What I'm doing wrong ? If people don't believe I'll make new one with source code but I don't know how to make program with virus signature, so I've picked little program called NC. Not virus and just tool. Anyone can explain me why this is still detectable ? Check it with debugger and hex editor, all data is encrypted fine..
Post 18 Nov 2010, 21:43
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack
maybe because of the imports. wsock32, createthread ?
Post 18 Nov 2010, 21:52
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
If so, then other viruses would be NetCat too if they have imports from wsock32. BTW I've crypted idata section too, where's import names and program were crashed. still uploaded corrupted file and same result.
Post 18 Nov 2010, 21:54
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.