flat assembler
Message board for the users of flat assembler.

Index > Windows > XOR Crypting.

asmhack 18 Nov 2010, 22:10
it's not just the imports from wsock32, but the combination of the executable's imports:
CreateProcessA, CreateThread, LoadLibraryA, GetProcAddress

antiviruses prefer to show false positives rather than not showing anything at all

Overflowz 18 Nov 2010, 22:26
asmhack
But I don't understand why the AV is still detecting it when I've encrypted the imports. When opened in a hex editor, the imports were not shown; everything was XORed. But still the same result. For example, if the code is like this:
Code:
section .text:
cmd1, cmd2, cmd3
section .data:
data1, data2, data3
section .idata:
func1, func2, func3

after the XOR crypt it becomes like this:
Code:
section .text:
xorcmd1, xorcmd2, xorcmd3
section .data:
xordata1, xordata2, xordata3
section .idata:
xorfunc1, xorfunc2, xorfunc3

Everything is encrypted, but STILL the AV is catching them.

asmhack 18 Nov 2010, 22:34
you XORed a 59.392-byte file with only one byte (0x37)

bitRAKE wrote:
Well, you could try more than simple XOR. My first assumption would be that AVs aren't fooled by simple XOR. Try something more complex and reversible.

Overflowz 18 Nov 2010, 22:46
asmhack
OK, I'll try to crypt with a harder XOR method and I'll post the result. Thanks for helping anyway.

Overflowz 18 Nov 2010, 23:23
Well, some results. I tried to crypt with the INC XOR method, but the same AVs detected it with the same results. Also, I've removed all API calls with a hex editor just to test whether that was the problem, but no result; still the same problem. Any suggestions?

mindcooler 18 Nov 2010, 23:56
Spotify is obfuscated beyond description.. O_o Self-modifying forwards & backwards, data shuffling, register twiddling..

Code:
MOV CL,1
ADD CL,64
DEC CL
INC CL
XOR CL,47
ADD DL,CL
POP ECX
XOR DL,07
XOR AL,DL
POP EDX
ADD BL,37
SUB BL,2B
SUB BL,94
SUB BL,0FA
ADD BL,AL
ADD BL,0FA
ADD BL,94    


Overflowz 19 Nov 2010, 00:31
I'm just trying to understand how AVs catch viruses if all the data is encrypted. I've crypted EVERY BYTE of the program after the DOS header. Is the AV running the worm in virtual mode first?

mindcooler 19 Nov 2010, 00:39
The heuristics engine probably figured your xor encryption out.
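As an added example that is not from the thread, this is the kind of check a scanner's heuristics can run to undo the layer described above: try every start byte for both a constant key (the single 0x37) and the incrementing "INC XOR" variant, keep the one that decodes the PE signature at e_lfanew, and the wsock32 import strings asmhack listed become visible again. The sample image, its e_lfanew of 0x80 and the two key schedules are constructed assumptions, not taken from any real binary.

```python
import struct

# Added example: the layer discussed in the thread starts right after the
# DOS header, so the first 64 bytes (including e_lfanew) are assumed in clear.
PE_SIG = b"PE\0\0"
DOS_HEADER_LEN = 64


def xor_layer(data: bytes, key: int, step: int) -> bytes:
    """Apply or undo a XOR keystream that starts at `key` and advances by
    `step` per byte (0 = constant key, 1 = 'INC XOR'); XOR is self-inverse."""
    return bytes(b ^ ((key + i * step) & 0xFF) for i, b in enumerate(data))


def find_xor_layer(image: bytes):
    """Return (key, step) whose keystream decodes a valid PE signature at
    e_lfanew, or None if no single-byte/incrementing key explains the bytes."""
    if len(image) < DOS_HEADER_LEN or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 > len(image):
        return None
    pos = e_lfanew - DOS_HEADER_LEN        # signature offset inside the keyed region
    sig = image[e_lfanew:e_lfanew + 4]
    for step in (0, 1):
        for key in range(256):
            first = (key + pos * step) & 0xFF  # keystream byte that sits under 'P'
            if xor_layer(sig, first, step) == PE_SIG:
                return key, step
    return None


def decode_image(image: bytes):
    """Strip the detected layer so import/string matching sees plaintext again."""
    found = find_xor_layer(image)
    if found is None:
        return None
    key, step = found
    return image[:DOS_HEADER_LEN] + xor_layer(image[DOS_HEADER_LEN:], key, step)


def build_sample_image() -> bytes:
    """Constructed stand-in for a tiny PE (not a real binary): DOS header with
    e_lfanew = 0x80, a DOS stub, the PE signature and the imports asmhack named."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - DOS_HEADER_LEN, b"\0")
    body = PE_SIG + b"\x4c\x01" + b"\0" * 18 + b"wsock32.dll\0LoadLibraryA\0GetProcAddress\0"
    return bytes(dos) + stub + body
```

Any key schedule a scanner can enumerate in a few hundred tries costs it nothing, which is why the single-byte and incrementing layers in the thread leave the imports just as visible to it as plaintext.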

baldr 19 Nov 2010, 17:44
Overflowz,

Any protection scheme that isn't intermingled with protected code can be defeated easily, using locality of code. Your decryption routine takes control at the very beginning and passes control back to original code after decryption's done, right?

Decrypt one instruction, give it control, take control back, encrypt executed instruction, decrypt next and so on. Morph decryptor by the way. Decrypt entire page if you're brave enough.

Heh, I'm not into VX stuff anymore.

Overflowz 19 Nov 2010, 20:30
baldr
If I change the EP, the AVs won't catch it? Or what do you mean? :/

Overflowz 19 Nov 2010, 21:58
Hey, I've changed the EP to FFFF and only 3 of them detected it, and NOT AS NETCAT. I've tried a loop instruction with 4096 bytes (to avoid the AVs' byte scanning) and then a jump to the original code. But it failed. I'm wondering how many bytes the AVs read and how many NOPs can be in a program. I've tried many NOP instructions, and when I tried to save the file, the debugger said "error, too many NOPs" or something like that.. What should I do next?

edfed 21 Nov 2010, 17:12
Maybe the AV detects the decrypter....

Maybe if you use data-based code, you will be able to do what you want without detection.

Data code is simple in that you use data instead of instructions to say what to do.

For example, do an XOR on some data:

Code:
mov esi,XORit            ; esi -> the data record describing the operation
mov eax,[esi+0]          ; first field: pointer to the generic routine
call eax
...
XORit: dd .xor,key,data  ; routine, key, operand
.xor:
mov eax,[esi+4]          ; fetch the key from the record
xor [esi+8],eax          ; apply it to the operand stored in the record
ret

And then, if you use something like this as a bridge between normal code and your code, it may be impossible for an AV to detect.

Can you try it?

Overflowz 21 Nov 2010, 22:46
edfed
I don't understand. What I've understood is to make the code run in the data section, not in the code section. Do you mean that?

edfed 21 Nov 2010, 23:34
Not at all.
I mean, use data to encode the APIs.

Instead of running sequential instructions to do something, you use generic functions and a data structure that contains some pointers to use as operands for the generic function.

Then the generic function reads the function pointer in the structure, loads it into eax, and calls it.

It can be a way to bypass some code detections.

For example, to use the OpenGL functions more easily, I've made something like this:

Code:
desk:   dd GL_node,@f-$-4
        dd quad1
        dd .rot
        @@:
.rot:   dd GL_rot, 10.0, -1.0, 1.0, 1.0
quad1:  dd GL_QUADS,.dot1,.dot2,.dot3,.dot4,.c
.dot1:  dd  0.0  , 0.0  , 0.0
.dot2:  dd  1.0  , 0.0  , 0.0
.dot3:  dd  0.707, 0.707, 0.0
.dot4:  dd  0.0  , 1.0  , 0.0
.c:     dd  0.0  , 1.0  , 0.0

And it lets you play with only the required data instead of struggling to manage data inside code sections.

Like this:

Code:
;from fasmw/examples/opengl.asm
 .wmpaint:
        invoke  GetTickCount
        sub     eax,[clock]
        cmp     eax,10
        jb      .animation_ok
        add     [clock],eax
        invoke  glRotatef,[theta],0.0,0.0,1.0
      .animation_ok:
        invoke  glClear,GL_COLOR_BUFFER_BIT
        invoke  glBegin,GL_QUADS
        invoke  glColor3f,1.0,0.1,0.1
        invoke  glVertex3f,-0.6,-0.6,0.0
        invoke  glColor3f,0.1,0.1,0.1
        invoke  glVertex3f,0.6,-0.6,0.0
        invoke  glColor3f,0.1,0.1,1.0
        invoke  glVertex3f,0.6,0.6,0.0
        invoke  glColor3f,1.0,0.1,1.0
        invoke  glVertex3f,-0.6,0.6,0.0
        invoke  glEnd
        invoke  SwapBuffers,[hdc]
        xor     eax,eax
        jmp     .finish

Overflowz 22 Nov 2010, 10:23
edfed
Sorry, I'm not pro enough to understand that.. I've tried and tried, but got nowhere. I guess you mean I should replace the data section with instructions and load it in the code section for decrypting, right?

edfed 22 Nov 2010, 12:14
No again.

If you want to bypass the XOR crypto detection, you can try some virtual asm.

Virtual in that it will not use opcodes, but pointers, and not operands, but pointers.

You don't use CS:IP, but an index.
Do you see now?

Instead of mov eax,ebx
Code:
mov esi,moveaxebx                 ; esi -> the "instruction" record
call [esi]                        ; its first field is the handler to run
...
moveaxebx:
dd func.mov,datas.eax,datas.ebx   ; handler, destination slot, source slot
...
datas:
.eax dd ?
.ebx dd 90
...
func:
.mov:
mov eax,[esi+4]                   ; eax -> destination slot (datas.eax)
mov ebx,[esi+8]                   ; ebx -> source slot (datas.ebx)
mov ebx,[ebx]                     ; fetch the source value (90)
mov [eax],ebx                     ; store it into the destination slot
ret

After the execution of call [esi], the content of datas.eax will be 90.

That is exactly the way used by fool; it lets you arrange instructions in trees.

Overflowz 22 Nov 2010, 13:33
edfed
Thank you, I'll save this post and learn it later because I don't understand much here )) for example what "virtual" is, what I'm doing wrong, etc.. Thank you all for the useful posts.

bitRAKE 22 Nov 2010, 15:38
There are levels of indirection:

mov eax,edx
mov eax,1

These are direct instructions, level 0. (You are here.)

mov eax,[edx]
mov eax,[name]

These are indirect instructions, level 1.

mov ebx,[edx], mov eax,[ebx]
mov ebx,[name], mov eax,[ebx]

These are indirect-indirect, level 2.

...etc... Now imagine not just MOV, but also other operations happening in an indirect manner. This is what edfed is saying, imho. Automatic detection will be limited in the dimensionality of indirection. Of course, it could always sandbox the code and execute it (limited by detection of the sandbox), or use emulation (limited by accuracy of implementation). And so on...

edfed 22 Nov 2010, 16:26
And fool uses indirection ^3 or 4.

Because:
Code:
mov [root],desk             ; level 0???, store the root pointer
...
mov edi,[root]              ; level 1, load the root pointer
...
mov esi,[edi+item.children] ; level 2, load the current children in root
...
mov eax,[esi+item.call]     ; level 3, load the function pointer of children
...
mov eax,[eax]               ; level 4, load the function address from the function list
...
call eax                    ; level 5, call the function.

By this indirection, I am able to execute some portable code, like Java byte code or the like.

With this kind of indirection, I doubt the popular AVs will detect anything; they would at least have to execute it once (for example, simulate it) to know what it is doing.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
