flat assembler
Message board for the users of flat assembler.
Thread: XOR Crypting (Windows forum), page 2
Overflowz 18 Nov 2010, 22:26
asmhack
But I don't understand why the AV is still detecting it when I've encrypted the import things. When opened in a hex editor the imports were not shown; everything was XORed. But still the same result.. For example, if the code is like this:
Code:
        section .text:  cmd1,  cmd2,  cmd3
        section .data:  data1, data2, data3
        section .idata: func1, func2, func3
after XOR crypt it becomes like this:
Code:
        section .text:  xorcmd1,  xorcmd2,  xorcmd3
        section .data:  xordata1, xordata2, xordata3
        section .idata: xorfunc1, xorfunc2, xorfunc3
Everything is encrypted, but STILL the AV is catching them..
asmhack 18 Nov 2010, 22:34
you XORed a 59.392-byte file with only one byte (0x37)
bitRAKE wrote:
> Well, you could try more than simple xor. My first assumption would be that AVs aren't fooled by simple xor. Try something more complex and reversible
Overflowz 18 Nov 2010, 22:46
asmhack
Ok, I'll try to crypt with a harder XOR method and I'll post the result. Thanks for helping anyway.
Overflowz 18 Nov 2010, 23:23
Well, some result. I tried to crypt with the INC XOR method, but the same AVs detected it with the same results. Also, I've removed all API calls with a hex editor just to test if that was the problem, but no result; still the same problem. Any suggestions?
mindcooler 18 Nov 2010, 23:56
Spotify is obfuscated beyond description.. O_o Self-modifying forwards & backwards, data shuffling, register twiddling..
Code:
        MOV     CL,1
        ADD     CL,64
        DEC     CL
        INC     CL
        XOR     CL,47
        ADD     DL,CL
        POP     ECX
        XOR     DL,07
        XOR     AL,DL
        POP     EDX
        ADD     BL,37
        SUB     BL,2B
        SUB     BL,94
        SUB     BL,0FA
        ADD     BL,AL
        ADD     BL,0FA
        ADD     BL,94
Overflowz 19 Nov 2010, 00:31
I'm just trying to know.. how do AVs catch viruses if all the data is encrypted? I've crypted EVERY BYTE of the program after the DOS header. Is the AV running the worm in virtual mode first?
mindcooler 19 Nov 2010, 00:39
The heuristics engine probably figured your xor encryption out.
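As an added detection-side example (not code from this thread or from any of its posters), here is the kind of check a heuristics engine can run on every sample: try all 256 single-byte XOR keys and see under which one well-known PE plaintext comes back. The marker list and the PE-like byte buffer are constructed for the example; the buffer reproduces the thread's case of leaving the DOS header intact and XORing the rest with 0x37.

```python
from typing import Dict

# Plaintext a scanner expects in (almost) any Win32 PE. Constructed list for
# this example; a real engine keeps far more markers than these.
PE_MARKERS = (
    b"MZ\x90\x00\x03\x00",                      # usual first bytes of the DOS header
    b"This program cannot be run in DOS mode",  # DOS stub message
    b"PE\x00\x00",                              # NT headers signature
    b".text", b".idata",                        # common section names
    b"KERNEL32.dll",                            # import DLL name
)

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (what a one-byte crypter does)."""
    return data.translate(bytes(b ^ key for b in range(256)))

def score_plaintext(data: bytes) -> int:
    """Number of marker occurrences: the more, the more PE-like the buffer."""
    return sum(data.count(m) for m in PE_MARKERS)

def xor_keys_with_hits(blob: bytes) -> Dict[int, int]:
    """Try all 256 one-byte keys; keep those under which markers appear.
    Key 0 means the bytes were plaintext already, so a file whose DOS header
    is left intact and whose remainder is XORed shows up under two keys."""
    hits = {}
    for key in range(256):
        n = score_plaintext(xor_bytes(blob, key))
        if n:
            hits[key] = n
    return hits

def classify(blob: bytes) -> str:
    """Verdict a simple heuristics pass could emit for a sample."""
    hits = xor_keys_with_hits(blob)
    hidden = {k: n for k, n in hits.items() if k != 0}
    if not hidden:
        return "plain PE" if hits else "no PE markers"
    key, n = max(hidden.items(), key=lambda kv: kv[1])
    return f"PE markers recovered with single-byte XOR key 0x{key:02x} ({n} hits)"

# Constructed stand-in for a small PE (not a real executable): DOS header,
# stub, NT signature, section names and an import table.
DOS_HEADER = b"MZ\x90\x00\x03\x00" + b"\x00" * 58
BODY = (b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16
        + b"PE\x00\x00\x4c\x01" + b"\x00" * 32
        + b".text\x00\x00\x00.idata\x00\x00"
        + b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00")
PLAIN_PE = DOS_HEADER + BODY
XORED_PE = DOS_HEADER + xor_bytes(BODY, 0x37)   # header kept, rest XORed with 0x37
```

Calling `classify(XORED_PE)` names the key 0x37 directly, which is why a one-byte key gives a scanner nothing to figure out; a decryptor stub in the file is a second, independent giveaway.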
baldr 19 Nov 2010, 17:44
Overflowz,
Any protection scheme that isn't intermingled with the protected code can be defeated easily, using locality of code. Your decryption routine takes control at the very beginning and passes control back to the original code after decryption's done, right? Decrypt one instruction, give it control, take control back, encrypt the executed instruction, decrypt the next, and so on. Morph the decryptor by the way. Decrypt an entire page if you're brave enough. Heh, I'm not into VX stuff anymore.
Overflowz 19 Nov 2010, 20:30
baldr
If I change the EP, the AVs won't catch it? Or what do you mean? :/
Overflowz 19 Nov 2010, 21:58
Hey, I've changed the EP to FFFF and only 3 of them detected it, and NOT AS NETCAT. I've tried a loop instruction with 4096 bytes (to avoid the AVs' byte scanning) and then a jump to the original code. But it failed. I'm thinking: how many bytes do the AVs read, and how many NOPs can be in a program? I've tried a lot of NOP instructions, and when I tried to save the file the debugger said an error like "too many NOPs" or something like that.. What should I do next?
edfed 21 Nov 2010, 17:12
maybe the AV detects the decrypter....
maybe if you use data-based code, you will be able to do what you want without detection. Data code is simple in that you use data instead of instructions to say what to do. For example, do a xor on a data:
Code:
        mov     esi,XORit       ; esi points to the data record
        mov     eax,[esi+0]     ; first field: address of the routine to run
        call    eax
        ...
XORit:  dd .xor,key,data        ; record: routine pointer, key, data to be xored
.xor:   mov     eax,[esi+4]     ; load the key
        xor     [esi+8],eax     ; xor the data field in place
        ret
and then, if you use something like this as a bridge between normal code and your code, it may be impossible for the AV to detect. Can you try it?
Overflowz 21 Nov 2010, 22:46
edfed
I don't understand. What I've understood is to make the code run in the data section, not in the code section. Do you mean that?
edfed 21 Nov 2010, 23:34
not at all.
I mean, use data to encode the APIs. Instead of running sequential instructions to do something, you use generic functions and a data structure that will contain some pointers to use as operands for the generic function. Then, if the generic function reads the function pointer in the structure, loads it in eax and calls it, it can be a way to bypass some code detections. For example, to exploit the OpenGL functions more easily, I've made something like this:
Code:
desk:   dd GL_node,@f-$-4       ; node type, then the size of the list that follows
        dd quad1
        dd .rot
@@:
.rot:   dd GL_rot, 10.0, -1.0, 1.0, 1.0
quad1:  dd GL_QUADS,.dot1,.dot2,.dot3,.dot4,.c
.dot1:  dd 0.0  , 0.0  , 0.0
.dot2:  dd 1.0  , 0.0  , 0.0
.dot3:  dd 0.707, 0.707, 0.0
.dot4:  dd 0.0  , 1.0  , 0.0
.c:     dd 0.0  , 1.0  , 0.0
and it lets you play with only the required data instead of struggling to manage data inside code sections, like this:
Code:
        ;from fasmw/examples/opengl.asm
  .wmpaint:
        invoke  GetTickCount
        sub     eax,[clock]
        cmp     eax,10
        jb      .animation_ok
        add     [clock],eax
        invoke  glRotatef,[theta],0.0,0.0,1.0
  .animation_ok:
        invoke  glClear,GL_COLOR_BUFFER_BIT
        invoke  glBegin,GL_QUADS
        invoke  glColor3f,1.0,0.1,0.1
        invoke  glVertex3f,-0.6,-0.6,0.0
        invoke  glColor3f,0.1,0.1,0.1
        invoke  glVertex3f,0.6,-0.6,0.0
        invoke  glColor3f,0.1,0.1,1.0
        invoke  glVertex3f,0.6,0.6,0.0
        invoke  glColor3f,1.0,0.1,1.0
        invoke  glVertex3f,-0.6,0.6,0.0
        invoke  glEnd
        invoke  SwapBuffers,[hdc]
        xor     eax,eax
        jmp     .finish
Overflowz 22 Nov 2010, 10:23
edfed
Sorry, I'm not pro enough to understand that.. I've tried and tried, but no point. I guess you mean I should change the data section with instructions and load it in the code section for decrypting, right?
edfed 22 Nov 2010, 12:14
no again.
If you want to bypass the XOR crypto detection, you can try some virtual asm. Virtual in that it will not use opcodes but pointers, and not operands but pointers. You don't use CS:IP, but an index. Do you see now? Instead of mov eax,ebx:
Code:
        mov     esi,moveaxebx           ; esi = the "instruction" record
        call    [esi]                   ; first field is the handler to run
        ...
moveaxebx: dd func.mov,datas.eax,datas.ebx  ; handler, destination, source
        ...
datas:
  .eax  dd ?                            ; virtual register eax
  .ebx  dd 90                           ; virtual register ebx
        ...
func:
  .mov: mov     eax,[esi+4]             ; pointer to the destination
        mov     ebx,[esi+8]             ; pointer to the source
        mov     ebx,[ebx]               ; read the source value
        mov     [eax],ebx               ; store it into the destination
        ret
after the execution of call [esi], the content of datas.eax will be 90. That is exactly the way used by fool; it lets you arrange instructions in trees.
Overflowz 22 Nov 2010, 13:33
edfed
Thank you, I'll save this post and learn it later, because I don't understand much here )) for example what Virtual is, what I'm doing wrong, etc.. Thank you all for the useful posts.
bitRAKE 22 Nov 2010, 15:38
There are levels of indirection:
        mov eax,edx
        mov eax,1
These are direct instructions, level 0. (You are here.)
        mov eax,[edx]
        mov eax,[name]
These are indirect instructions, level 1.
        mov ebx,[edx],  mov eax,[ebx]
        mov ebx,[name], mov eax,[ebx]
These are indirect-indirect, level 2. ...etc... Now imagine not just MOV, but also other operations happening in an indirect manner. This is what edfed is saying, imho. Automatic detection will be limited in the dimensionality of indirection. Of course, it could always sandbox the code and execute it (limited by detection of the sandbox), or use emulation (limited by the accuracy of the implementation). And so on...
edfed 22 Nov 2010, 16:26
and fool uses indirect ^3 or 4.
because:
Code:
        mov     [root],desk                 ; level 0???, store the root pointer
        ...
        mov     edi,[root]                  ; level 1, load the root pointer
        ...
        mov     esi,[edi+item.children]     ; level 2, load the current children in root
        ...
        mov     eax,[esi+item.call]         ; level 3, load the function pointer of children
        ...
        mov     eax,[eax]                   ; level 4, load the function address from the function list
        ...
        call    eax                         ; level 5, call the function.
by this indirection, I am able to execute some portable code, like Java byte code, or else. With this kind of indirection, I doubt the popular AVs will detect anything; they should at least execute it one time (for example simulate) to know what it is doing.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.