flat assembler
Message board for the users of flat assembler.
Windows > XOR Crypting
Tyler 17 Nov 2010, 23:53
1) Kinda, at least most of it. You'd have to have a small block of exposed code that decrypts the rest.
2) Xor encryption is really easy to break.
3) The fact that the only decrypted code is for decrypting the rest will draw attention to the decrypting code, making for easy reversing.
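Added example, not code from the thread, illustrating point 2) above: a fixed single-byte XOR over a PE section is undone by anyone holding the file, because the zero padding that dominates section data leaks the key by frequency alone, and a known plaintext such as the DOS stub string confirms it. The sample bytes are constructed for the example.

```python
import collections
from typing import Optional

# Constructed sample input (made up for this example, not a real binary):
# something shaped like the start of a PE image, followed by the kind of
# zero padding that fills real section data.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00"
    + b"\x00" * 64
)

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. Symmetric, so it also decrypts."""
    return bytes(b ^ key for b in data)

def recover_key_by_frequency(ciphertext: bytes) -> int:
    """Guess the key from byte statistics alone.

    Section data is dominated by 0x00 padding, so the most frequent
    ciphertext byte is almost always key ^ 0x00, i.e. the key itself.
    """
    byte, _count = collections.Counter(ciphertext).most_common(1)[0]
    return byte

def recover_key_by_known_plaintext(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Slide a known plaintext (a crib) over the ciphertext.

    With a single-byte key, the crib lines up at the offset where every
    position yields the same key byte; elsewhere the candidates disagree.
    """
    for offset in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[offset:offset + len(crib)]
        candidates = {c ^ p for c, p in zip(window, crib)}
        if len(candidates) == 1:
            return candidates.pop()
    return None

def demo(key: int) -> dict:
    """Encrypt the sample with `key`, then recover the key both ways."""
    ct = xor_single_byte(SAMPLE_PLAINTEXT, key)
    guess = recover_key_by_frequency(ct)
    return {
        "frequency_guess": guess,
        "crib_guess": recover_key_by_known_plaintext(ct, b"cannot be run in DOS mode"),
        "recovered": xor_single_byte(ct, guess),
    }
```

The same statistics break a repeating multi-byte key once its length is known, which is why a constant XOR mask hides nothing from an analyst who has the file.
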
Overflowz 18 Nov 2010, 00:05
Tyler
I'm just learning cryptography and I'm trying to start the very easy way.. I think I know how to do that, the data section is at address 0x00403000 and I'll modify that. I'll do what I'm thinking of and will post the result..
Tyler 18 Nov 2010, 00:54
Correct me if I'm wrong, but doesn't Windows write-protect its code pages?
Overflowz 18 Nov 2010, 01:09
I don't know what you mean. I've crypted the data and it works fine now. I tried to crypt the idata and rdata sections but the program failed and crashed.. It's night here so I'll do that later.. Well, what I was thinking was true. I've edited it with OllyDbg and crypted it with that. One question: how do I get how much RVA size and Virtual Size the program has? Thanks.
bitRAKE 18 Nov 2010, 06:07
Here is a quick test which works for me:
Code:
format PE64 CONSOLE 5.0 at $10000
section '' readable writeable executable

entry $
;-------------------------- DECRYPT
	lea esi,[.1 - 1]
	push .end - .1 + 1
	push rsi
	pop rdi
	pop rcx
.0:	lodsb
	xor al,$55
	stosb
	loop .0
.1:
;-------------------------- PROGRAM
	enter '0',0
	mov ecx,-11 ; STD_OUTPUT_HANDLE
	call [GetStdHandle]
	mov [hStdOut],rax
	inc rax
	jz .ERROR_INVALID_HANDLE

	mov r9,'mY bIg '
	mov r8,' sEcReT!'
	lea rdx,[.test]
	lea ecx,[_buf]
	call [wsprintfA]

	and qword [rsp+32],0
	lea r9,[rsp+40]
	mov r8,rax
	lea rdx,[_buf]
	mov rcx,[hStdOut]
	call [WriteFile]
	xchg ecx,eax
	jrcxz .ERROR_WRITE_FAULT

.ERROR_SUCCESS:
	xor eax,eax
	leave
	retn
.ERROR_INVALID_HANDLE:
	push 6
	pop rax
	leave
	retn
.ERROR_WRITE_FAULT:
	push 29
	pop rax
	leave
	retn

.test db \
	13,10,"%I64X",\
	13,10,"%I64X",\
	0
.end:
;-------------------------- ENCRYPT
repeat $ - .1 + 1
	load a byte from $ - %
	store byte a xor $55 at $ - %
end repeat
;--------------------------
macro import [lib,api] {
 common
	local part0,part1,first
	macro part0 lib0,[api0] \{
	 \common
		lib0\#_STR db \`lib0
	 \forward
		rb 2 - RVA $ AND 1
		label api0\#_STR at $-2
		db \`api0
	 \common
		db 0
	\}
	first = 7
	macro part1 lib1,[api1] \{
	 \common
		rb (8 - RVA $ AND 7) AND first
		first = 15
		label lib1\#_TAB
	 \forward
		api1 dq RVA api1\#_STR
	\}
 forward
	part0 lib,api
 forward
	part1 lib,api
 common
	data import
 forward
	dd 0,0,0,RVA lib#_STR,RVA lib#_TAB
 common
	rd 5
	end data
}

import \
	kernel32,<\
		GetStdHandle,\
		WriteFile\
	>,\
	user32,<\
		wsprintfA\
	>

hStdIn	rq 1
hStdOut	rq 1
_buf:	rb 1024
_buf.. = $ - _buf
Overflowz 18 Nov 2010, 11:01
bitRAKE
Sorry, that code is too much for me :p I'm trying to do it with the debugger ) Anyway, thanks for the useful post, I'll learn that later.
Overflowz 18 Nov 2010, 11:26
Well. I was playing with antiviruses and I'm trying to understand how worms bypass them, but I don't. I used the NetCat tool for testing. I crypted its data, text and rdata sections with XOR encryption and when opened in a hex editor the data was fully encrypted. But.. the AVs caught it again after crypting. Can someone explain to me how other malware bypasses antivirus? And also, I'm not going to write things like viruses or trojans etc.. I just like analysing them. For education purposes only. Thanks.
ctl3d32 18 Nov 2010, 14:42
Found this at this site:
http://comrade.ownz.com/docs/fasm.html
Code:
; selfencrypt
; 04.07.2008

format PE GUI 4.0
entry start

include "%include%/win32a.inc"

;
; This is the encryption macro.
; It is a simple XOR with 0xAA (10101010 in binary).
;
macro encrypt dstart,dsize
{
	local ..char,..key,..shift
	repeat dsize
		load ..char from dstart+%-1
		..char = ..char xor $AA
		store ..char at dstart+%-1
	end repeat
}

section ".code" code readable writeable executable

start:
	;
	; This will be the only non-encrypted part of the code.
	; Here we will decrypt the code at run-time.
	;
	mov edx,real_start
	xor eax,eax
	mov ecx,code_size
@@:
	xor byte [edx],$AA
	inc edx
	loop @B

real_start:
	;
	; Everything from here on will be encrypted.
	;
	stdcall [MessageBox],0,HelloWorld,HelloWorld,MB_ICONASTERISK
	stdcall [ExitProcess],0

	;
	; Encrypt everything from real_start to here.
	;
	display "Encrypting code... "
	code_size = $ - real_start
	encrypt real_start,code_size
	display "done",13,10

section ".data" data readable writeable import

	library kernel32,"kernel32.dll",user32,"user32.dll"
	include "%include%/api/kernel32.inc"
	include "%include%/api/user32.inc"

	HelloWorld db "Hello World!",0
Overflowz 18 Nov 2010, 15:09
ctl3d32
I know how to XOR data, mate. I'm trying to crypt an executable file. I crypted it but the AVs still detected it, and I don't know how they're detecting the file. I know AVs detect files by "signatures" in the file. But I crypted all the data there and it was still caught. What's the problem? >.>
bitRAKE 18 Nov 2010, 15:33
Well, you could try more than simple xor. My first assumption would be that AVs aren't fooled by simple xor. Try something more complex and reversible:
Code:
	lodsd              ; get
	ror eax,1          ; skew
	xor eax,edx        ; variable
	xor eax,edi        ; delta constant
	xor eax,$53CA9653  ; constant
	stosd              ; set
	xchg edx,eax       ; next
_________________
¯\(°_o)/¯ "languages are not safe - uses can be" Bjarne Stroustrup
Overflowz 18 Nov 2010, 17:50
bitRAKE
No mate, I'm not trying to crypt data or something like that, I'm interested in how AVs catch worms. I thought it just checks some signature in the file, like when opening it with a hex editor and seeing there's some data; I've changed all the data but it still caught it. Now I'm thinking it's running the worm in virtual mode, then checks the decrypted data and reads the signature.. But I don't think that would be easy, because many worms aren't detectable.. How does it work? :/ Thanks.
mindcooler 18 Nov 2010, 19:33
Actually, they usually use esp as a counter and xor with esp to confuse debuggers.
drobole 18 Nov 2010, 19:39
I don't know how AVs work, but I wouldn't be surprised if the most aggressive AVs will alarm on any sequence not found in the C library.
More or less. Maybe mimicking the assembly produced by C compilers will be less targeted by the AVs?
mindcooler 18 Nov 2010, 20:52
I just got mad again at Spotify for ninjaing when starting OllyDbg, so I thought I'd debug it just in spite.
Lo! A xor decrypter! Xors with $3C29334C and then adds $4A582EB3 to some 1k memory area, which I suppose is the second stage.
Overflowz 18 Nov 2010, 21:18
Here, look what I did in the debugger. It's attached.
asmhack 18 Nov 2010, 21:34
don't attach executables.. anyway, what is your point?
Overflowz 18 Nov 2010, 21:43
No no, I didn't use any virus things like kiddies do.. My problem is, I've crypted NC and AVs are still detecting it. What am I doing wrong? If people don't believe me I'll make a new one with source code, but I don't know how to make a program with a virus signature, so I've picked a little program called NC. Not a virus, just a tool. Can anyone explain to me why this is still detectable? Check it with a debugger and hex editor, all the data is encrypted fine..
asmhack 18 Nov 2010, 21:52
maybe because of the imports. wsock32, CreateThread?
Overflowz 18 Nov 2010, 21:54
If so, then other viruses would be NetCat too if they have imports from wsock32. BTW I've crypted the idata section too, where the import names are, and the program crashed. I still uploaded the corrupted file and got the same result.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.