By ro0ted | March 21, 2015 - 21:26 | Posted in /b/ | 6 Comments
#ro0ted #OpNewblood What the blackhats dont want u to know | Packing & Crypting, There’s a difference

This is an introduction to dealing with packed .exe's. Every packed file is different; each time you will have to use different techniques. Some aren't even worth unpacking, others are near impossible. The point is that everyone has their own style of reverse engineering, whether it's cracking, analyzing, or just doing random shit that involves API classes with binaries. – https://twitter.com/ro0ted/

First of all, let's go over the difference between crypted and packed.

The most common packer you will find in files is UPX.
UPX uses a method known as data compression, which compresses the .exe into different bytes. You can add to them or take them away. Either way, people use this technique so nobody alters the code: when you load the target in any disassembler the real code won't show, so you have to unpack the file before anything else. Sometimes this is the biggest problem, because not every packer is known, so there are fewer ways to unpack. Not every file is unpackable. In packed files you see half the code, and most times no code at all.

Simple terms if you don’t want anyone to fuck with your work, pack that shit!

Crypting a file with file encryption is mainly for one purpose in malware: make the file undetectable to every AV at runtime (when the file executes) and at scantime.

People don't get it: if your .exe is crypted but not packed, then yeah, expect people to fuck with it. You've seen me reverse crypted files; there's really no magic behind it except for stupidity (this idiot forgot to pack his shit).

In reverse engineering it's not the crypted files we fear; it's that one private packer that's never been unpacked because nothing's working.

We are going to go over a file that is using the most common packer (in packer history) UPX.

I packed this crackme:

First of all, people who crypt their lil botnets don't understand that we already know there's a 99% chance this shit is malware. That's all they care about. They don't know shit about their botnet except for what language it was coded in, because 99% of the time they didn't make it.

What did they do?

They heard about DDoS and thought that shit sounds cool, downloaded or bought the bot, got some kind of server or hosting, and bam, set that shit up. Then they crypt their bot. That's as far as their knowledge goes. Then they call themselves a hacker. That's not a hacker, that's a poser.

When you run the file in exeinfoPE, you see this:

[screenshot]

So we download UPX off their website:
http://upx.sourceforge.net/

Open cmd from Start > right click > Run as administrator:

[screenshot]

Say it's in Downloads. Type in cmd:

cd C:\Users\yourusername\Downloads\upx391w

(cd = change directory)

then type upx -d target.exe to unpack it

[screenshot]

Now why is this important?
Well, this is what you get when it's packed:

Ollydbg:

[screenshot]

This is all we get for the whole code when it’s packed with UPX:

[screenshot]

In All Referenced Text Strings:

[screenshot]

When we select one we get nothing we can work with:

[screenshot]

All intermodular calls, we see absolutely nothing:

[screenshot]

We open it in IDA Pro:

[screenshot]

Now let's look at the unpacked version:

[screenshot]

All Referenced Text Strings:

[screenshot]

All Intermodular Calls:

[screenshot]

Open it in IDA Pro now:

[screenshot]

When packed you see this in IDA Pro:

[screenshot]

For one, your navigation bar is not split apart into chunks:

[screenshot]

It says UPX everywhere: instead of the .text segment we see UPX:

[screenshot]

When you select a string it takes you here:

[screenshot]
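As an added example (this is not ro0ted's code, nor exeinfoPE's or IDA's logic), here is a Python check that looks for the same two tells the exeinfoPE hit and the IDA segment list above show: UPX-style section names where .text should be, and a section whose bytes have the high entropy of compressed data. The function names build_pe, pe_sections, entropy and packer_report are my own, and both PE images are constructed inside the script, not real samples.

```python
from collections import Counter
import math
import struct

def build_pe(sections):
    """Constructed minimal PE-shaped image (not a real binary); sections = [(name, payload)]."""
    nsec, opt_size = len(sections), 0xE0              # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * nsec     # e_lfanew = 0x40
    ptr = first = (hdr_end + 0x1FF) & ~0x1FF            # raw data starts 0x200-aligned
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, payload in sections:
        raw_size = (len(payload) + 0x1FF) & ~0x1FF
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(payload), ptr, raw_size, ptr) + b"\0" * 16
        body += payload.ljust(raw_size, b"\0")
        ptr += raw_size
    return (dos + b"PE\0\0" + coff + b"\0" * opt_size + table).ljust(first, b"\0") + body

def pe_sections(data):
    """Walk the section table of a PE image: returns [(name, raw_bytes)]."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]   # after the optional header
    out = []
    for off in range(table, table + 40 * nsec, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return out

def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def packer_report(data, threshold=7.0):
    """Flag what exeinfoPE and IDA showed above: UPX section names, or a high-entropy section."""
    findings = []
    for name, raw in pe_sections(data):
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX-style section name where .text would be")
        if entropy(raw) >= threshold:
            findings.append(f"{name}: entropy {entropy(raw):.2f}, compressed or encrypted data")
    return bool(findings), findings

PACKED = build_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 8), (".rsrc", b"\0" * 64)])   # constructed UPX-style layout
UNPACKED = build_pe([(".text", b"\x55\x8b\xec\x83\xec\x10" * 300), (".data", b"hello\0" * 40)])  # constructed plain layout
```

Running packer_report on a real file means reading it with open(path, "rb").read(); a hit on the name check is exactly the "UPX" segment IDA showed, while the entropy check also catches packers that rename their sections.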

Now a lot of people use packers as crypters, but most crypters nowadays don't have anything to do with packing techniques, just AV antis (anti-anti-virus).

Some packers will crypt files for a moment:

[screenshot]

A lot of people crypt their malware but don't pack it. If you go down this route, this could happen to the precious botnet you brag about:

https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-analyzing-an-irc-bot-infected-file/

What happened there is the kiddie didn't think anyone was gonna reverse his malicious file. That's the problem: people don't think in depth. There are many ways to unpack files; if the packer is known there will be an automatic way. Don't let anyone give you crap about it, because in reverse engineering the real work comes in when it's unpacked, not vice versa.
So pack your file, then crypt it.

ro0ted

Check out my tutorials in my series, "What the Blackhats don't want you to know" (in order):

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference




6 Responses to #ro0ted #OpNewblood What the blackhats dont want u to know | Packing & Crypting, There’s a difference

  1. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood The art of unpacking & Covert Debugging

    […] Unpacking & Crypting there is a difference […]

  2. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: Manually Unpacking Part 2

    […] Unpacking & Crypting there is a difference […]

  3. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: REMnux Volatility Framework

    […] Unpacking & Crypting there is a difference […]

  4. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: Analyzing the ZeuS bot Part 2

    […] Unpacking & Crypting there is a difference […]

  5. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood You have pictures of your face on the internet right?

    […] Unpacking & Crypting there is a difference […]

  6. March 2, 2016 at 22:46
    Han Chollo says:

    Quick question: what is the difference between what you are offering and Kali Linux? I am very new to this and just want to know the obvious difference. I mean I know Kali Linux is penetration testing, looking for weaknesses etc., and I believe what you are teaching here is more hard-core code-based applications?

    I have a lot of reading to do, I know; I just want to make sure I am in the right place to hone my skills, which are lacking at this point.

    Thanks for all the work you do, it is impressive; if I could download your mind to a pill it would be much faster.