Friday, October 7, 2011

Crypters tutorial for Hackers by Hackingloops


Crypters are computer applications which are used solely to bypass antivirus detection of malware. Hackers use crypters to hide viruses, Trojans, RATs, keyloggers and other hack tools inside a new executable whose only purpose is to keep the original from being detected by antivirus. Crypters are basically dead programs which do not affect the actual functionality of the program; they just hide the actual program behind their encryption and fool the antivirus. Most antivirus products detect viruses on the basis of heuristics and plain string-based detection. Since we have hidden the original program, the antivirus stands lame and does not detect it as a virus.

[Image: Crypters tutorial by hackingloops - Crypter tutorial: only for hackers]

Common terms related to crypters:
For understanding and designing crypters, hackers must be aware of certain terms. Most of you already know these terms, but I am writing this tutorial starting from novice level and taking it to elite level at the end. So if you know these terms, just read them one more time, as that might help clear some of your doubts.

1. FUD or UD: Fully undetectable (FUD) means that your virus is not detected by any of the existing antiviruses, while undetectable (UD) means it is detected by a few antiviruses. FUD is our only goal and elite hackers always rely on that.
Note: A crypter will remain FUD only until you have openly shared it on the internet. Public crypters remain FUD for a maximum of 2 to 3 days, then they become UD. So if you want to use a crypter for a long time, never publish or share it on the internet. Use it anonymously.

2. STUB: A stub is a small piece of code which contains certain basic functionality that is used again and again. It is similar to a package in Java or simply to header files in C (which already have certain standard functions defined in them). A stub basically simulates the functionality of existing code, much like procedures called on remote machines or simply on PCs. In crypters, the client side is validated using the stub, so never delete the stub file from your crypter. Stubs add portability to the crypter code, so that it can be used on any machine without requiring many extra procedures and resources there.
Let me explain with a small example:
Suppose you are writing code that converts bytes to bits. We know the formula for converting bytes to bits will remain the same and will be independent of the machine. So our stub (or method stub, or procedure) will contain something like this:

    def calculate_bits(input_bytes):
        # Stub: the rule is fixed and machine independent, so it lives here
        return input_bytes * 8

    input_bytes = 16                            # main code supplies only the byte count
    total_bits = calculate_bits(input_bytes)    # stub returns 128
Now all we pass to this stub is the number of bytes, and it returns the resulting bits. Similarly, we include some common machine-independent checks and functions in our stub, and in the main code we only pass linkage and inputs to these stubs, which in return provide suitable results.
Note: It happens most of the time: suppose you downloaded some keylogger and you complain to the provider that it's not working; the only reason for that is the stub. Also always keep in mind, if you are downloading any keylogger or crypter, always check that the stub is present in it. If not, don't download it; it's just a piece of waste and for sure the hacker is spreading his virus using that. I recommend that you never download any hacking tool on your real machine; always use a virtual machine or sandbox to test hack tools.

3. USV: Unique stub version, or simply USV, is the part of a crypter that generates a unique version of the stub which differentiates it from the previous stub, thus making it more undetectable against antiviruses. To detect this, antivirus companies have to reverse engineer your crypter stub, which is not that easy to do, so it will remain undetectable for a long time. This consists of one most important component, USG (unique stub generation), which is the actual part of the crypter that encrypts and decrypts the original file, meaning it is the heart of your algorithm. I recommend never writing this part in the stub; rather include this part in the main code. Why am I saying this? The stub is the part of the code which is shared with the victim, so it will become public and hence your crypter will not remain FUD for long.


Different types of crypters:
1. External stub based crypters: This category consists of public crypters (those you have downloaded till date :P, the noobish ones) about which you complain to the provider that they are detectable by antiviruses. That is a really foolish complaint: if a crypter is public then it can never remain FUD. So don't ever complain to me either, after my next article, about such noobish things. Ahahah.. I got deviated from the real thing.
External stub based crypters are those crypters in which most of the functionality of the crypter depends on an external stub; if you delete that stub file, your crypter is useless. :P Most antivirus products do exactly that. These types of crypters contain two files: one is client.exe and the other is stub.exe. The stub contains the main procedures and the client contains the global functions that call those procedures.

2. Internal or inbuilt stub based crypters: The crypters that contain only one exe file (i.e. the client) fall under this category. This client file has the stub built into it. You can separate the stub and client parts here too using RCE (reverse code engineering), but it is not recommended.

Note: External or internal stub doesn't make much difference, as antivirus detects files on the basis of strings at known offsets. Whenever you reverse engineer any application or program, the program execution flow will remain the same but the offsets may change. USV comes into the picture at this point. If you include your encryption algorithm separately, then it will be much harder for antivirus to detect your crypter.
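An added example from the detection side, not part of the original post: because a USV re-encrypts the payload under a new key on every build, no fixed byte string survives between builds, but the encrypted region still stands out by its entropy, which is what sandbox and scanner heuristics measure. The sample buffer, the keys and the SHA-256 keystream below are constructed for the demo, and the 7.0 bits-per-byte threshold is an assumed rule of thumb.

```python
import hashlib
import math

# Constructed demo buffer (not from the original post): 2 KB of low-entropy
# header text followed by 2 KB of payload encrypted under a per-build key,
# which is the layout a crypter's output leaves behind.
HEADER_TEXT = (b"This program cannot be run in DOS mode.\r\n" * 64)[:2048]
PAYLOAD = (b"placeholder payload bytes " * 100)[:2048]

def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream, so the demo is reproducible."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against the keystream for key; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0 for constant data, roughly 4-5 for text, close to 8 for ciphertext."""
    if not chunk:
        return 0.0
    n = len(chunk)
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_regions(data: bytes, chunk_size: int = 1024, threshold: float = 7.0) -> list:
    """Offsets of chunks whose entropy is at or above the packed/encrypted threshold (assumed 7.0)."""
    return [off for off in range(0, len(data), chunk_size)
            if shannon_entropy(data[off:off + chunk_size]) >= threshold]

def build_sample(key: bytes) -> bytes:
    """Header text followed by the payload encrypted under key."""
    return HEADER_TEXT + xor_bytes(PAYLOAD, key)

if __name__ == "__main__":
    # A fresh key per build changes every ciphertext byte (no stable string
    # signature), yet the flagged offsets are identical for both builds.
    for key in (b"build-key-1", b"build-key-2"):
        print(key, high_entropy_regions(build_sample(key)))
```

Real scanners apply the same measurement per PE section rather than per fixed-size chunk, so a packed section with an otherwise normal header is flagged the same way.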

3. Run time crypters: Run time crypters are those crypters whose output remains undetected in memory during its execution. We are looking for these types of crypters only. :P These can be either of the two above.

4. Scan time crypters: Those crypters whose output remains undetected while the files are being encrypted but becomes detectable once the resultant file is generated. :P Fking ones that waste all the effort we have put in. This is really annoying: everything is working fine and at last you get your file detected by noob antiviruses.

So friends, this is it for today. I will share more about crypters, like how to make internal and external stub based crypters, and how to make stubs absolutely FUD by using packers and obfuscators. So remain connected..
If you have any queries, ask me in the form of comments. A comment of appreciation is always heartily accepted.

11 comments:

  1. Really good post.... tell us more

  2. WHAT ABOUT THE CLASSES BDAY BOY

  3. Is there class today?

  4. Sir, actually I don't understand the topics stub, USV and also the different types of crypter. Tell it in an easy and simple way plzzzzzzzzzzzz

  5. @anonymous 4

    I think you are from a different domain, meaning not from the computer engineering or IT field. OK, I will explain things in a clearer and simpler way.

    Suppose you have written a program; this program contains some procedures which are called in the same program using global variables again and again, which is similar to functions in C language and classes in Java. Now you want to use these methods globally, meaning call the same methods from other programs just using method calls. That means you are using the functionality of a common method in several different programs; technically we call this reusability. In the field of crypters the same thing happens: there are certain codes or methods which are already written that we normally call stubs or method stubs, which are nothing but a group of certain methods or simply functionalities like input validation, file allocation, timer or delay settings, encryption algorithm etc. We call these methods from our other file, called the client file, and reuse the existing functionality.

    USV stands for Unique Stub Version. Whenever we encrypt any file using a crypter we generate a random encryption key which is different every time you encrypt the file, which is technically considered the USV. USV is important because if our encryption generates the same encryption code again and again then it will be easily detectable by the antivirus and your crypter will no longer remain FUD.

    I hope this clears your doubts. If you have more doubts, let me know..

  6. Very informative, although I would like to see better examples of code to show how you would write a USV.

    Most of the crypters I have used only use one encryption code and thus do not remain FUD for long.

  7. lokesh, I need help from people like you.. lucky I found your blog.. perhaps you can accept my request.. I need your aid.. please help me. Is there any way to remove trojan sirefef.o completely? If you have one.. please help me.. you can email me at cyeeha@yahoo.com or contact me at facebook watanabe kazuma... I would be grateful if you hand me your aid.. :)

  8. @anonymous 7
    Yes, you can remove it completely using super trojan remover. Google it, you will get it, then scan your system and remove it.

  9. I am on my way to making my own crypter, plz help me understand the crypter concept more deeply, thank you

  10. Hello lokesh sir, can you send me a link to download the latest version of crome crypter to use with blackshade.
    My email ID is p_r_o_t_o_n_2@yahoo.com.

    Thanks in advance :P

  11. Sir, can you please tell me how to find the viruses and malware that have been hidden by crypters?

