
Copyright 2005-20010 Xinfiltrate Crypters.net All Rights Reserved.


The Crypter BluePrint


The Most in Depth blueprint of Everything you wanted to know about Crypters

How to Create Your own FUD Crypter [The Right Way] ...In Less Than a Week

Brought to you by http://crypters.net
Version 1.00, July 2010

Limits of Liability & Disclaimer of Warranty
I AM NOT AN ATTORNEY. DO NOT USE THE FOLLOWING TEXT UNLESS YOU HAVE YOUR OWN ATTORNEY REVIEW IT FIRST.

The author and publisher of this ebook and the associated materials have used their best efforts in preparing this material. The author and publisher make no representations or warranties with respect to the accuracy, applicability, fitness, or completeness of the contents of this material. They disclaim any warranties expressed or implied, merchantability, or fitness for any particular purpose. The author and publisher shall in no event be held liable for any loss or other damages, including but not limited to special, incidental, consequential, or other damages. If you have any doubts about anything, the advice of a competent professional should be sought. This material contains elements protected under International and Federal Copyright laws and treaties. Any unauthorized reprint or use of this material is prohibited.


About the Author

Little bit about me: My name is Shawn and I'm 17 ..at the time of writing this. Things I like to do are playing guitar, surfing, hanging with friends, and of course.. chilling a lot on the Alienware laptop :) Everyone starts out somewhere.. and me..? Well, there's nothing special about my story.. I am no greater than any of you. I just had a lot of interest and desire with many things related to hacking. So I read and read, searched and searched, for a very long time.. The only thing that probably makes me different is that I also have a desire to help others in the situations I was once in. jk that was a lie... but I do think I'm good at putting myself in others' situations.. helping them.. then making money off it XD Funny thing is.. after I ended up creating a successful Crypter I started losing interest in hacking itself.. and ended up doing nothing but some ethical hacking. I don't even use crypters myself anymore :). You can reach me at http://crypters.net


Table of Contents (only roughly accurate lol)

About the Author
Table of Contents (only roughly accurate lol)
Introduction
    What you can expect From This Ebook
    Whats covered in this ebook?
Chapter 1 - What Really Is A Crypter? Core Fundamentals
    Whats the difference between a Runtime and Scantime Crypter?
    How do i know which antiviruses detect my file?
    Types and forms of Crypters
Chapter 2 - The most important factors you should know about Crypters
Chapter 3 - Vb6 and Crypters
Chapter 4 - Programming and Vb6 Fundamentals
    This section is intended for all these people and if you can code and you think you wont benefit from it, you can either just scim through it or just read it all and refresh your memory..
Chapter 5 - vb6 Crypter Techniques BluePrint
    Finding and pinpointing Whats causing detection
Chapter 6 - The Universal Undetection Process
    Changing the order of all code aspects.
    String manipulation
    Changing and encrypting strings/apis
Resources


Introduction
First I just want to give major credits to all the links to threads used in this ebook. Massive credits to all the forum members that made them, thank you.

What you can expect from this ebook
I would just like to mention that if you have even the slightest interest in Crypters and making your own, you are in the right place. You will be provided with the most informative, in-depth blueprint on Crypters ever put into one package before. I am going to be real and remind you to be aware of what's required from you to get the most out of this ebook. There are no magic buttons.. no magic pills.. Especially when programming, you have to put in effort and take action on what you learn in order to succeed.

What's covered in this ebook?
This ebook will consist of all the aspects that will get you on a flawless track for creating your own FUD Crypter ..or anything FUD to be honest.., this way you will gain a huge advantage. I will be giving my 100% to this ebook, so all I ask from you is to never be discouraged by the looks of anything and to put in your 100%. The layout of this ebook is constructed as follows: the first half is pretty much aimed toward the beginner to intermediate level and the second half is aimed toward the intermediate to advanced. Just to remind you not to exaggerate and be unrealistic, I will be teaching you all of what you need to know about Crypters and making them, getting you up to the right point, but once you're at that point, you have to be aware that you're set on your own.. that's life. But I do have to say, it is truly an awesome and thrilling experience.. So let's get started.


Chapter 1 - What Really Is A Crypter? Core Fundamentals


OK, before we get into the good stuff, let's first clear up all the desperate.. desperate questions you've been having by really getting into all the fundamentals of Crypters. Oh, and if you have any questions about anything throughout this ebook, always refer to and search on http://Hackforums.net for answers.

If you don't already know.. a Crypter is usually used to encrypt files like viruses, rats, and keyloggers, usually for the sole purpose of bypassing antivirus detection.

What's the difference between a Crypter and a Packer?
A Crypter encrypts your files and a Packer packs your files, usually with the intention of making them smaller in size and sometimes for scantime undetection.

What's the difference between a Runtime and Scantime Crypter?
Both can look exactly the same, so you better watch out.. A Runtime Crypter encrypts the specified file and, when executed (run), it is decrypted in memory. This way antiviruses aren't able to analyse the file either before or after it is executed. A Scantime Crypter encrypts the specified file so antiviruses aren't able to analyse the file before it is executed, but NOT when it is executed.


How do I know which antiviruses detect my file?
There are many sites with this same purpose of scanning files and giving a report of which antiviruses detect your files. The main issue leading to crypters becoming detected is that if you, or someone who is in possession of your crypted file, scans it on some of these scanner sites, the crypted file will be distributed to the antivirus vendors, thus causing the crypted code overwritten on your file to become detected, which in turn causes your crypter to turn out detected. It is recommended to scan all files you crypt on http://scanner.novirusthanks.org while making sure the "do not distribute sample" checkbox is checked!

What is EOF and what is it used for?
EOF stands for End Of File. Some files like Bifrost, Medusa, and Cybergate require the end of file data in order to run without corruption, so if Crypters don't preserve this end of file data, your crypted file will become corrupt.


What is a USG?
A USG is the part of a crypter that generates a unique version of the stub (the stub is the part of a crypter used to encrypt and decrypt the specified file). The purpose of this is that FUD crypters don't last forever; eventually crypters become detected over a period of time. You will understand this better later on in the ebook. (The USG is to the right and above it is the Crypter.) (But this is probably one of the most advanced USGs you will find; some can be very simple.)


What is a File Binder?
A File Binder is pretty self-explanatory.. It binds, or puts, two files together as one, so as a result when someone opens this one file, 2 files will execute. You would usually use a file binder when being even more stealthy than with just a crypted file. The biggest question people have when first learning what a binder is and what it does is: can you bind a .exe with something different, like a .jpg for example? The answer is yes, BUT.. the output of both bound files will be shown as .exe, so in a way it can defeat the purpose.

What are antis on Crypters?
Antis are an extra feature that comes with some Crypters, for example anti-vm, anti-debugger, anti-avira... etc. These refer to bypassing or preventing something specified, so anti-debugger means it will prevent the file from being debugged.

What is a file pumper?
A File Pumper will pump your file, referring to adding more bytes to it, making your file larger. The benefit of this is usually not so great, but it can be OK to have and may lose a detection or 2.

Types and forms of Crypters
Crypters can range in many types and forms, and it is important to understand these types and forms because it will help you choose a quality crypter to solve your needs or help you realize what options and features you would want to implement in your own Crypter. Here are some simple and advanced crypters to give you a good idea, or picture in your head.


Simple GUI (graphical interface) Crypters


Here's to give you an idea of some Advanced GUI Crypters


Chapter 2 - The most important factors you should know


As I'm sure many of you know.. finding Crypters, and Crypters themselves, can be a huge pain. I know when I first started out, I hated the fact that I just couldn't find a FREE FUD CRYPTER anywhere. I got so pissed.. but didn't give up just yet, I kept on searching and reading a diverse range of forums. Over time, once I learned enough about them, I realized the actual undetection vs antivirus concept. This is the eye-opener point at which you will all eventually end up, and at this point you will then realize why..

The Antivirus vs Crypter Concept
Have you ever wondered how all the viruses, rats, and bots.. etc. become detected by antiviruses? ..I'm sure you have.. and this concept will give you all the answers. Antiviruses can be a lot more complex than you would imagine, so learning the ways they are notified of malicious files and how they detect is essential for bypassing them. OK, there are 2 ways antiviruses are notified of malicious files and eventually flag your file as detected:

1. The first one is from online file scanner sites where people upload files they think might be suspicious looking and want to know if it's actually a virus or not. They upload their files to one of these sites to check which antiviruses detect it and flag it as a virus. Once the files are uploaded, based on certain elements they are then distributed to the antivirus vendors' labs. On some online scanners there is an option available for you to check for no distribution. I am not aware if this actually does what we all think, because I heard they will still distribute, but with a price to the AV vendors. Even though this may be true or false, it is still always a good idea to scan on the sites that have this option available, for example http://scanner.novirusthanks.org

Here are some multi-antivirus scanners:
http://scanner.novirusthanks.org
http://virustotal.org
www.virustotal.com/

And there are also individual antivirus scanners, for example:
http://www.kaspersky.com/scanforvirus
http://www.bitdefender.com/scanner/online/free.html

2. The second factor is from the antiviruses themselves. You may be thinking.. oh really? Yes.. and to tell you the sad truth.. hardly anyone even knows about this. It's sad, isn't it? This is essential information that everyone must know when using or making Crypters. Most of the time, the antivirus will automatically send the files out when any certain file becomes detected. Antivirus owners also have the option to send off a file to the vendor with a click of a button through their desktop antivirus.

What can you do about this? Well, you can change the settings on your antivirus. The settings usually come in slightly different forms; sometimes you are also asked during setup, and sometimes you just have to go into the settings or options manually, for example:

All of what you just read is essential to keep in mind when making a FUD Crypter. The sole reason why public Crypters always become detected ..and usually fast, is that the majority of people do not know the antivirus vs Crypter concept.. therefore they either blindly upload their crypted files to one of the scanner sites that distribute, or.. the antiviruses themselves are uploading their crypted files without them even noticing. Even people who make their own Crypters aren't aware of this, which is why they are always wondering why their crypted files always become detected so fast.


Chapter 3 - Vb6 and Crypters


Now we are going to dive into how Crypters work, and.. how they are MADE. You will be shown the actual steps of the exact code used to create your own Crypter. I found these pics and info on HF somewhere ..so credits to that dude.. And if it seems a little too complicated, don't worry, as long as you get the basic idea.

What do anti-viruses look for in a file?
First off, you will need some basic understanding of how anti-viruses actually work. Exe files are simply lines of instruction, and each line is called an offset. (This is a screenshot of Hex Workshop)

Anti-viruses have databases of these lines that are known to be associated with malicious files. They use that database to check against your file to see if it matches. If it does, then it is marked as infected. They do use other methods of detection, but this is the one you will learn how to avoid.


What will the program need to do?


Your crypter is going to take the contents of an infected file, encrypt them, and place them at the bottom of a seemingly virus-free file called your stub. Your stub file will then extract the encrypted data from itself, decrypt it, then extract and run it. So just imagine if this stub file that is joined together with the crypted infected file is detected? Well.. then all the files you crypt will also show up as detected, since this stub is used with all the crypted files. This may sound like a complicated and confusing process, but it isn't, and I will explain more about it later on.
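Seen from the defender's side, the layout described above (encrypted data placed after the stub), the EOF data mentioned in Chapter 1, and file pumper padding all show up as a PE overlay: bytes on disk past the end of the last section. The following is an added example, not part of the original ebook: a Python triage check that locates the overlay and measures its entropy. The 7.2 and 1.0 bits-per-byte thresholds, the 256-byte minimum, and the sample file built inline are assumptions made for the illustration.

```python
import hashlib
import math
import struct
from collections import Counter

HIGH_ENTROPY = 7.2   # assumed threshold: encrypted/compressed data sits near 8.0
LOW_ENTROPY = 1.0    # assumed threshold: repeated filler bytes sit near 0.0
MIN_OVERLAY = 256    # assumed: ignore tiny trailers


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())


def overlay_offset(pe: bytes) -> int:
    """File offset where the overlay (data past the last section) starts."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size      # section table follows the optional header
    end = table + 40 * num_sections       # the headers themselves are not overlay
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))              # a truncated file has no overlay


def triage_overlay(pe: bytes) -> dict:
    """Summarise the overlay: where it starts, how big it is, how random it looks."""
    off = overlay_offset(pe)
    overlay = pe[off:]
    entropy = shannon_entropy(overlay)
    if len(overlay) < MIN_OVERLAY:
        verdict = "no significant overlay"
    elif entropy >= HIGH_ENTROPY:
        verdict = "high-entropy overlay"   # consistent with an appended encrypted blob
    elif entropy <= LOW_ENTROPY:
        verdict = "padding overlay"        # consistent with filler added to grow the file
    else:
        verdict = "structured overlay"     # e.g. plain configuration or resource data
    return {"offset": off, "size": len(overlay),
            "entropy": round(entropy, 2), "verdict": verdict}


def build_sample(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE layout (parseable by this check, not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # 1 section, no opt. header
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + sect).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + overlay


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for encrypted data (SHA-256 in counter mode)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "little")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


if __name__ == "__main__":
    samples = [("no overlay", b""),
               ("appended blob", pseudo_random(4096)),
               ("zero padding", b"\0" * 4096)]
    for name, tail in samples:
        print(name, triage_overlay(build_sample(tail)))
```

Signed files and installers also carry overlays (the Authenticode certificate table is stored there), so the result is a triage signal to combine with other evidence, not a verdict on its own.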


Here's another pic I found (credits to hackhound). This explains all this in a slightly different way, so maybe you will understand it better:


Chapter 4 - Programming and Vb6 Fundamentals


OK now.. you're either one of 3 people..
- someone who has no idea how to make/code a program
- someone who knows and can code a program
- someone who can code but not in Visual Basic 6

This section is intended for all these people, and if you can code and you think you won't benefit from it, you can either just skim through it or just read it all and refresh your memory..

First we must download Visual Basic 6, of course. If you aren't aware of what torrents are and how to download them, then follow step 1; if you do know about torrents and already have torrent downloading software, go to step 2.

1. Download and install uTorrent here: http://www.utorrent.com/
2. Now we must download the vb6 torrent here: http://btjunkie.org/search?q=visual+basic+6 (just download the first one or something)
3. It should then open with uTorrent, and just press OK to download.

Now, to get a quick picture of the interface in vb6 and understand how most of it works (you can just scroll down to the pictures on this site): http://www.profsr.com/vb/vbless01.htm

Intro to programming with vb6
You must be aware that in order to make your own FUD Crypter, you must at least know the basics of programming, so if you don't, this is a very important section to read. Read through it all, and if there's something you don't understand, I encourage you to do some Google searching about it or read around/ask on this forum: http://www.vbforums.com/forumdisplay.php?f=1

Without getting so in depth and complicated, I am going to first have you learn the basic concepts of programming so that you understand enough to follow the most essential parts of what a program is doing, and so you will be able to understand other sources when you read and modify them. You will most likely have questions that I will not be able to answer, so if you're unsure about some of these basic concepts, search "vb6 tutorial" or "visual basic tutorials" on http://youtube.com ..this way always seems to be best because it seems people learn drastically easier from video. If you have a more specific question or issue, search Google.

OK so, from searching for a long time, I came to the conclusion that this site teaches vb6 in the best, most understandable/appealing way: http://www.vbtutor.net/vbtutor.html Just go through the table of contents and please try to go up until, not higher than, lesson 18, and ignore all the ads on the sides and in between. You don't have to go through all of them at once, or even in the same day. I would encourage you to just refer back to the lessons at any given time and consistently, but slowly, move forward each day. And remember.. to get more clarification or understand more of it, always search YouTube and Google.

Basic Vb6 Outline for Creating a Crypter
Crypters in Vb6 consist of two parts:
- the Crypter Client, which is the actual user interface that the user uses for specifying the file to encrypt, the settings... etc.
- the Stub file, which is part of the Crypter but is not used by the user; it is simply just there, in the same directory as the crypter client, because it is being used by it.

So programming a Crypter comes in these 2 parts, and they are made separately in 2 different projects. They only interact with each other when compiled into finished .exes. You might be wondering, well, which project gets detected, so I will know which to modify? The Stub project is the only one you have to always undetect and... re-undetect when the crypted files become detected, BECAUSE the stub file is what is actually injected into all the crypted output files. So common sense being.. when eventually, for example, someone that you infected runs the crypted file and maybe uploads it to virustotal (which distributes), or the antivirus itself distributes, the crypted file has your stub code in it as well as the crypted malicious code.. therefore the antivirus will then detect and put signatures on it, causing the stub code to become detected. Basically this stub code is injected into all crypted files, so obviously all the crypted files will then also become detected since they carry these detected signatures.

Here are example crypter/stub projects in their simplest form that you can learn from; there are comments explaining each part throughout the code: http://crypters.net/example-source.rar Just skim through it and try to get an idea of the different parts and what they're for. Get familiar with it; if you don't fully understand it, it's fine for now.

The best way for you to learn is by showing you a diverse set of tutorials, so throughout this ebook I will keep linking you to different tuts. Here's one of the best tutorials on how to make a simple Crypter from HF (hackforums.net, if you aren't already a member, go sign up): http://www.hackforums.net/showthread.php?tid=204038 With this you might get some more understanding of how it all fits together in a different way. And remember, the better you know how it all works together, the easier it will be to undetect the code.

One of the biggest issues that I should address is compatibility with different OSs. Basically, what affects the compatibility with certain OSs, for example 32bit/64bit Win7 or XP, is almost always the RunPE module that you are using. What I would do is really read up on the source I'm using and test it out first before I go ahead and modify it.

The way I learned how to make crypters and different methods of undetecting them is from constantly reading and modifying every Crypter I got my hands on. I encourage you to do the same and just start searching and browsing through the coding/vb sections on:
http://hackforums.net
http://hackhound.org
http://www.opensc.ws/forum.php


Chapter 5 - vb6 Crypter Techniques BluePrint


Since Vb6 is the most popular programming language, the only disadvantage is that it is harder to undetect the code. With this disadvantage, we have to keep a few things in mind before creating a Crypter.

vb6 and undetection - what to do and what not to do
When making a Crypter, first always keep in mind to have the project placed directly in the C:/ location on your drive, because if it is, for example, in your documents folder like (C:/user/john/crypter/stub), this whole string of text will be shown and easily read by antiviruses and cause your crypted files to become detected, or provide an easy target for antiviruses to develop a signature for. Now this is only one factor to keep in mind, but it is definitely something you should know. OK, now that you have your whole Crypter/stub projects on your C:/ drive, let's open up the project and do some of the main essential tasks for preventing antiviruses from detecting these sources.

Changing Assembly information
First we are going to change the compilation settings for the .exe, like the file version, description... etc. These file settings are one of the first things antiviruses check, and changing them is something you should always do when picking up and modifying new sources without even thinking about it.. just make this a habit. Open the Stub Project, right click in the project space on the top right, and click project Properties.


Once you're there, you should see a few options like project name and startup object; if you want to change any of that, then do it. Now go into the next tab, called Make. Here you should see the version info, title of application, and icon, and in the middle you will see Version Information with comments, version, company name, file description.. etc. All these options should be changed to anything random.. especially when starting from someone else's source.

The Antivirus Signatures concept


What's going to be explained here you should always keep in mind when undetecting. Read every bit of this section; some things you may know already, but there are definitely things you do not know which are very important. In my experience there are 2 types of signatures, which I like to call..
- Specific Signatures
- Broad Signatures

Throughout making FUD Crypters you will come to realize that over time all crypters, private or public, will eventually become detected. Now the reason for this is that not only do the people you spread the crypted files to have antiviruses that automatically distribute.. etc., but also antiviruses, in cases where they get a lot of similar files distributed, try to create signatures for the most unique parts of the code that all these malicious files have in common. What I mean by that is, for example, Avira antivirus will detect a certain set of APIs that's being used in a certain variation of ways, corresponding to, and interacting with, other certain parts of code. This is a broad type of signature. Unlike specific signatures, which just detect a certain string of text in a certain part of the code, this broad signature will then cause all the crypters using this API in this situation to become DETECTED. This is the very disadvantage of programming in the most popular languages, where crypters are most popular to program with.

So now if you think about it, a stub can also only go so far in being unique, because antiviruses are always updating and populating their databases with not only specific signatures but these broad signatures, which eventually over time will cause your crypter to become detected... no matter how unique your stub is, a part of this code in relation to broad signatures will become detected, even if you do nothing with it. Now it may be more unlikely depending on how unique it is, but the point is that ..even if you're doing nothing with your stub and never crypt files, eventually it will become detected; all will. So to clarify: all the other Crypters being distributed that, for example, use a specific method of execution using a specific API which has a slight relation to how your Crypter was made will cause your crypter to also become detected.

Now with all this in mind, I want to make sure you're not getting the impression that all vb6 crypters suck and they will all get detected easily.. because this is not completely true. As long as you use the right techniques and have your own unique and creative way of doing things, the longer the Crypter will last.. and just to let you know, when a crypted file is distributed, it's not like it will become detected right away.. It takes about a week to a few weeks for a signature to be made on the file and updated into the database.

So a point I also want to get across while you understand this concept is that the most honest, true approach you will learn in this ebook is the fact that no matter what undetection technique or method you use, there is no one technique that will last forever. They all eventually become detected, which means that there's no guarantee for giving you a technique to easily just copy and paste to make your FUD crypter and live happily ever after; that would be a lie.. What this ebook will give you is a layout of the universal, proven techniques that you can keep in mind so you can learn how they work, improve upon them, and make variations of them to successfully make your own FUD Crypters.


Finding and pinpointing Whats causing detection


To accomplish the process of finding and pinpointing detection, it is required that you understand the different parts of the code and know what most of it does, because you will be literally taking apart the code when finding the cause of detection. I find that a lot of people try undetecting their sources blindly by just throwing a whole series of undetection methods at the code.. This is fine if you're first starting out from scratch on a fully detected source.. but when there are only a few antiviruses detecting the source, you must start finding exactly what's causing detection. This will save you tons of heartache and make the whole undetection process a whole lot easier.

Alright, this is where all the learning happens. You will realize and learn a lot about what code certain antiviruses will detect. You will then be able to easily mitigate certain antiviruses and find that some antiviruses are easier than others to undetect from. You will then not only have a good set of knowledge from experience of finding what causes detections for certain AVs, but you will also easily gain a set of skills and new and improved techniques that build upon the previous ones for undetecting against certain AVs.

Finding what's causing detection can be very easy or somewhat difficult depending on whether it's a broad signature or a specific signature. The majority of the time they will be specific signatures. I will be giving you an example of both. Basically you will be pulling apart your code, deleting parts one by one, then drilling down further, deleting more specific, smaller bits of code until you end up at exactly what's causing detection. When going through this process it can seem like it's time consuming, but it's actually not if you have the specific antivirus which is detecting your file downloaded and installed on your system, so you can instantly scan each compiled stub with certain bits taken out.

A specific signature detection in this example will be a small string in the RunPE module. So we will be taking apart the code, and to do this there are a few steps involved:

1. The first logical step to take would be to check if the detection is caused somewhere at the start of the program execution, so delete everything in the sub main() ..then compile the stub and scan it. No detection found, so we move on and put the code back.
2. Delete all the code in each module one after another until the detection doesn't come up anymore. We then find out that once we take out the RunPE module the detection goes away.
3. Now that we know the detection is coming from the RunPE module, we will put the code back and drill down by first deleting each sub and function in the module. We then find out the detection is coming from the CallAPIbyname function.
4. Now that we know which function is detected, we will then drill down further by deleting each line of code. (Depending on the size of the func, just delete each segment and drill down from there. You can do the same for the modules; for example, you can delete the first half and second half of the function first.)
5. Then once you have found the string in the function that's causing detection, the whole undetection process comes into play. You can basically just recode the portion of code that's causing detection in a very different or even slightly different way and combine this with what you will learn in the next chapter, or simply use only what's in the next chapter alone.

Broad Signatures
For detecting broad signatures, it's pretty much the same process. The only difference is that you have to be aware of a few more things throughout the process. I will show you an example of a broad signature in this situation. Let's say the RtlMoveMemory API is causing detection. Now if we are taking apart the code using the process I just showed, you will realize that the detection is coming from the module, but you wouldn't realize what is being detected inside the module by doing the standard "remove each sub/func at a time". The reason for this is that this API is used in multiple places throughout the module. Sometimes you will even come across situations where variations of the same piece of code are used throughout the module.

Also here is another technique you can use as a last resort http://www.hackforums.net/showthread.php?tid=33874


Chapter 6 - The Universal Undetection Process


Like I mentioned earlier, the most honest, true approach you will learn in this ebook is the fact that no matter what undetection technique or method you use, there is no one technique that will last forever, which means that there's no guarantee for giving you a technique to easily just copy and paste to make your FUD crypter and live happily ever after; that would be a lie.. What this ebook will give you is a layout of the universal, proven techniques that you can keep in mind so you can learn how they work, improve upon them, and make variations of them to successfully make your own FUD Crypters.

OK, so basically let's say you found a certain specific or broad portion of your code that's causing detection. THIS is when the whole undetection process comes into play. You have some options at this point depending on whether you're a beginner or an experienced programmer. (More programming knowledge and knowing how crypters are made will give you a huge advantage when undetecting code.) You can either recode the portion of code that's causing detection in a very different or even slightly different way and combine this with the examples I am about to show you, or you can use only the examples alone, using your own variations, of course, and extensive amounts of them. Sometimes, though, you will eventually realize that no matter what undetection techniques you use and how much you use them, you actually have to end up recoding, or using a different variation of that same code which does the same overall task. This is very simple for someone who has well-rounded programming knowledge, which is why I say you will have a big advantage if you do too.


There are some VB6 crypter sources in the crypter sources section on this page: http://crypters.net/crypter-sources/ So pick which source you want to modify for the purposes of learning how to use the techniques I will show you for undetection.

To some people, modifying another source that you didn't make from scratch yourself, and making it undetected, means you're a fake or a skid. Now, when undetecting, a lot of effort and work usually has to be done, so why make it harder on yourself when there are already sources out there all doing the same thing, just in different forms? Why reinvent the wheel? In a lot of cases, to undetect and keep your Crypter undetected, you have to change around code, replace code, add code, to the point where making the Crypter from scratch is almost the same thing. Some people have different ways of doing things and have their reasons, but from what I'm teaching for learning purposes and for beginners, you will start by reading other sources and modifying them; then eventually you can code a very sophisticated one from scratch someday in the future. So again, my point is, for now especially, there is no need to reinvent the wheel.


Here's the basic outline of the whole universal undetection process, summed up in the most brief way:
- Adding junk code for modifying execution flow and various other reasons
- Changing the order of all code aspects
- Changing variable names
- String manipulation
- Change Assembly information
- Add or change icon

The list can go on and on if you want to get specific, and no specific technique lasts forever, so the main thing to remember is to be very creative and to try many, MANY variations of ideas and techniques that you think may confuse/distract/deceive antiviruses. Some antiviruses will be deceived and bypassed easily with even one technique, and another AV can be a lot harder, so you would have to use variations of all these techniques. This will definitely require dedication and effort, but can be easy with a good set of techniques and practice. It all comes down to experience and learning from it.

I will be showing you many examples that fall into the category of each of these methods so you will get a perfect idea of how it all works and can then use and improve upon them with your own. I will also be getting into automation tools that can do a lot of these undetection techniques for you instead of manually, but it is very important that you understand how it all works manually, because eventually you will have to apply them manually.


About Unique Stubs and USGs

OK, so you know how a USG comes with some Crypters, right? Well, these USGs, also known as stub generators, generate unique versions of the stub for that Crypter. All of these USGs generate unique stubs by using all these methods of undetection, but in a click of a button. How? A set of techniques and methods is implemented into the USG using variations of the same undetection method/technique, by randomizing the strings, variables, and the order within these undetection techniques (like variations of junk code). It also gives the user the ability to choose specific undetection options/methods to use, thus creating a unique version of the stub. This way, when someone's stub becomes detected, there is a high chance another person's stub, using the same Crypter, won't get detected. Since the majority of the stub might have a different variation and layout of the code from all the undetection options/methods used in the USG, there is a high chance the signature that causes the other stub to be detected will not be present, or not in the same place, in this other unique version of it, because it might be 90% different. So basically, USGs ultimately give an advantage in how long the stub will last undetected. If you don't fully understand this, it's fine, because you will better understand it once you actually start learning and applying these methods and techniques.

Let's start with:

Adding junk code

OK, here's pretty much all the types of junk code:
- junk subs/functions
- fake calls
- fake variables
- junk strings of text
- fake loops
- fake if/else

Basically, all junk code is randomized portions of regular code which you spread across your program, either in between and/or throughout your program's code. It can deceive or confuse execution but never actually interferes with the process of execution to the point where it will corrupt it.


Here are some Examples of junk sub/functions with variations of junk variables/if-else/loops...etc Just to give you an idea...


Heres a simple example of a Fake Call to a junk sub at beginning of sub main() for slightly modifying execution flow


So be creative, use variations of techniques over variations, and develop your own techniques from these ideas. Never stop trying things and being creative; this is the whole journey and thrill of making your own FUD Crypter. One example of being creative: you can add a whole bunch of junk subs/funcs, etc. into a series of junk modules and classes with nothing else but junk in them and fake execution.

Changing the order of all code aspects.


This is a simple example so you can get an idea. Changing the order of your code can get very complex and is essential. If you want you can even move a whole set of functions and subs in another module or class.. be creative.


Changing variable names

Changing variable names is highly important and must be done. Press Ctrl + H and you will see a small replace form pop up. It is very important that you don't mess up the code, so always make sure you use the right options when changing a certain variable or set of variables in your code. For example, you could be changing a public variable which is used throughout your whole project and, without noticing, have only the current module option selected, causing the variable to be changed only in that current module. So always keep these things in mind when changing variables.


String manipulation

Changing and encrypting strings/APIs

Just like changing variables, changing strings can mess up your code if you aren't cautious, especially when encrypting strings and APIs. Encrypting strings and APIs is very powerful and is a must when it comes to successfully creating a fully undetectable Crypter.

Some examples of string manipulation:
- Encrypt Strings
- Reverse Strings
- String conversion

There are many types of encryption algorithms to encrypt strings with; for example, the most popular are XOR, RC4, ROT, and string to hex. A big issue most people aren't aware of is the fact that sometimes, when encrypting strings with some RunPE modules, bad things happen: files become corrupt, the Crypter itself can become corrupt, etc. So always be cautious with your string manipulation.

There are some important strings to always make sure are changed or encrypted in your Crypter. The first to take note of is the Key Split, which is, in the example below: meEncPass = thepassword. Change the string to something like: aksefiaIUEHF@q#)*!qJFIAUEHFIwqNEOGq)# and remember, this string has to be the same key split in both the stub project and the crypter project, or the crypter will not work and will give you a subscript 9 out of range error when running the crypted file.

The second to take note of is all the strings in the RunPE module. 99% of the time these have to be encrypted no matter which RunPE module you use. So always remember to encrypt these.
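Seen from the detection side, the keyless and single-byte transforms listed above (reversal, string-to-hex, XOR) can be undone in bulk by a static scanner. The following is an added example, not code from the ebook: it searches a buffer for watchlisted API names under those transforms. RtlMoveMemory is named on this page; the other two watchlist entries and the sample buffer are constructed assumptions.

```python
import binascii

# RtlMoveMemory is named on this page; the other two entries are an assumed
# analyst watchlist, not taken from the ebook.
WATCHLIST = [b"RtlMoveMemory", b"WriteProcessMemory", b"NtUnmapViewOfSection"]


def find_all(buf, needle):
    """Yield every offset at which needle occurs in buf."""
    off = buf.find(needle)
    while off != -1:
        yield off
        off = buf.find(needle, off + 1)


def static_variants(name):
    """Keyless transforms: plain, reversed, hex text, UTF-16LE (VB6 strings)."""
    hexed = binascii.hexlify(name)
    return [
        ("plain", name),
        ("reversed", name[::-1]),
        ("hex", hexed),
        ("hex", hexed.upper()),
        ("utf16le", name.decode("ascii").encode("utf-16-le")),
    ]


def scan(buf):
    """Return sorted (offset, api_name, encoding) hits for watchlisted names."""
    hits = set()
    for name in WATCHLIST:
        label = name.decode("ascii")
        for enc, needle in static_variants(name):
            hits.update((off, label, enc) for off in find_all(buf, needle))
        # Brute-force every non-zero single-byte XOR key over both widths.
        wide = name.decode("ascii").encode("utf-16-le")
        for width, base in (("ascii", name), ("utf16le", wide)):
            for key in range(1, 256):
                needle = bytes(b ^ key for b in base)
                enc = f"xor-{width}:0x{key:02x}"
                hits.update((off, label, enc) for off in find_all(buf, needle))
    return sorted(hits)


def build_sample():
    """Constructed buffer: three watchlisted names, each hidden differently."""
    xored = bytes(b ^ 0x5A for b in b"RtlMoveMemory")
    return (b"MZ\x90\x00" + b"junk" * 4 + xored + b"\x00"
            + b"WriteProcessMemory"[::-1] + b"\x00pad"
            + binascii.hexlify(b"NtUnmapViewOfSection"))


if __name__ == "__main__":
    for off, api, enc in scan(build_sample()):
        print(f"offset {off:4d}  {api:22s} {enc}")
```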


For this example we are going to use a simple Src Undetector: http://www.mediafire.com/?uzqym10ttom (First go in the OCX folder and run the registrar, then run the program.) Before you go any further, always keep a backup of your source, because some programs will mess up your code a lot, and you might also.

1. Once downloaded and the OCXs are registered, load the stub project.
2. Click one of the 3 string obfuscation buttons, or right click in the project window and select anything you want to try.
3. If you encrypted the strings, remember to add the encryption function by right clicking and selecting Add Xor Function.

Keep on doing it and try many things; there's pretty much no right or wrong way.


Add or change icon

Adding or changing an icon isn't too good of an undetection technique, but it can undetect from 1 or 2 AVs in some situations. Changing an icon can also corrupt files, but it's actually pretty rare. The reason this would happen is most likely because the icon size is different than the size the file can handle. It is very simple to change an icon and I can show you in a few easy steps. If you search around you can find many icon changers easily, but for this example we will use ResHacker.

1. Download ResHacker here: http://crypters.net/ResHacker.rar
2. Drag the file you want into the window.
3. Click through the icon folders until you can't anymore, then right click on icon or icon group and click replace resource.
4. Simply choose the .ico (icon filetype) to replace it with.


Tools and automation


The beauty of undetection is that there are tools which automate the universal undetection process using variations of techniques and methods. These tools are usually referred to as undetectors, src undetectors, etc. If you think about it, undetectors are very similar to USGs. The only difference between a USG and an undetector is that a USG, after you choose and set certain parameters, will undetect and create a unique stub based on the scrambling/randomizing set of undetection techniques in only a click of a button. A USG comes with a certain Crypter, and it will only create unique stubs for that Crypter. On the other hand, an undetector is for undetecting actual source code using a set of options and techniques. These options and techniques tend to be a lot more flexible compared to USGs.

Since you now understand the basic concept of how undetection is applied, I thought I would mention a link I found with tons of random tutorials on undetection and automation. The only problem is that most of them aren't in English, but you may still benefit from some. Here's the link (tuts are in the manuals section): http://www.level-23.org/

See, you will come across valuable info like this if you just always search and read around the different forums, and remember to always download and read more and more VB sources from the VB sections of forums, then modify them, etc. Here's another amazing and perfect thread with a video and download link on using an undetector (massive credits to Rusty):
http://www.hackforums.net/showthread.php?tid=173217&highlight=undetector

Earlier in the chapter I used a src undetector for an example of encrypting strings. This src undetector can be used for many other undetection techniques as well. Here's a thread with almost all the free undetectors around (sorry about those shitcash links; if it was my thread they wouldn't be there):
http://www.hackforums.net/showthread.php?tid=231066

If you don't want to, or can't, download from those links, what I would do is search through different forums with the names of the undetectors to see if there are any other download links people are giving.


You might be wondering, well, what tool did I use to undetect my crypter? I bought a pretty advanced undetector from pr!ngles on HF called pringles undetector or src undetector for around $50 USD. I would highly recommend it, but I'm pretty sure he doesn't sell it anymore, and I'm also not sure if its techniques are outdated. Here's one of the threads with one of the versions of it (hopefully the link is still alive): http://www.hackforums.net/showthread.php?tid=220642&highlight=undetector There should be others very similar to it or maybe even better nowadays; just search through the sellers section of HF for undetector or something.


Chapter 7 - What you will learn from Undetecting Crypters


This is highly likely to be the most important section in this ebook, so I advise you to read it all. There is no doubt you will learn a lot from making and undetecting Crypters. Everything you learn will help you along the way, making things a lot easier. If some things discourage you right now, do NOT let them; just take immediate action and start making your own right now. Use all of what I taught you and constantly improve and add to everything. Combine methods and create your own. Once you gain momentum and practice, the experience will pay off big time. Things will become a lot easier and you will have your own fully undetectable Crypters in no time.

OK, now I want to let you in on some important things to keep in mind which will help you benefit from the practice and experience you will gain. Antiviruses are a lot more complex than you think, so the main focus from undetecting your crypters should be to always, on a consistent basis, learn and understand more and more of how antiviruses detect and what they detect. With this focus, you will have many realizations and insights for easily creating new and improved techniques for bypassing certain AVs. The more you learn about the antiviruses, the easier it will be for you to undetect parts of your code that are detected by a certain antivirus, and to create new and improved techniques that will not only bypass the detection but also keep the code undetected for long periods of time from that AV, by creatively coming up with unique techniques that deceive or distract antiviruses in ways that are harder for that AV to detect.

Another piece of knowledge you will come to realize is the kinds of things certain AVs will detect and the usual kinds of techniques that will bypass those AVs. Here's a simple example a lot of people can relate to. All the people that have successfully created FUD Crypters, I think, know that the AV Avira AntiVir will usually detect APIs in your code, and a technique that will bypass this is, for example, adding the callapibyname function to your code and calling this function every time you use the detected API. What you should know, though, is that techniques that may bypass a certain AV will not ALWAYS bypass it a month from now. Antiviruses are constantly being updated. But just because they are constantly being updated, don't let that discourage you, because usually a simple tweak to the method that worked a month ago can work now and easily bypass the new detection. This is why you must always be creative and learn from how the certain AV works, what it detects, and how it detects, because it will help you GREATLY.

Keeping your Crypters undetected


Now that you understand the huge importance of learning and understanding antiviruses, let's dive into how you can keep your Crypter undetected. Hopefully you already know that antiviruses are constantly being updated every day, adding signatures and changing algorithms. This will not stop the average hacker though :) With all the communities and forum members working together, the Antivirus vs Crypter concept will never end. Hackers seem to have always been the most creative and intelligent among the rest.

OK, so now I will tell you the approach to take for keeping your Crypters undetected. Basically, I would first encourage you to always read up on new posts and sources in the coding sections of these forums:
http://hackforums.net
http://hackhound.org
http://opensc.ws

Now here is probably the best advice anyone has ever given you. The best way to keep up to date with undetection and antiviruses, as well as learn which techniques and methods are appropriate and best for certain AVs, is to check up on and read through as much as you can of http://hackhound.org:
- the Undetection Techniques sub-section in the malware analysis section, and
- the Detection Thread sub-section of the Basic section (Hack Hound Programming Basic The Detection Thread).

You have to register in order to view these.

This section is undetection heaven: people tell you and help each other bypass detections. In this section, lights will start flashing in your head, insights will arise, and ideas will spark. Read through as many threads and pages as you possibly can of undetection and malware on hackhound.

Here's another tactic to keep in mind. WHENEVER a detection comes up and you are stuck, search hackhound with variations of keywords related to the AV detecting it and the part of the code being detected, for example "copybytes avira", which refers to the API copybytes that's being detected and Avira being the AV detecting it. You can also search Google, or any other forum, with variations of these same keywords related to your situation; you never know what you will find. I have had so many detections solved from just doing extensive searching. Good luck.

Resources

If you have questions about something or want to learn more, always refer to, and search through:
http://hackforums.net
http://hackhound.org
http://www.opensc.ws

Crypter sources: http://crypters.net/crypter-sources/
Source Undetectors: http://www.hackforums.net/showthread.php?tid=231066
ResHacker: http://crypters.net/ResHacker.rar
Awesome blog with awesome code: http://www.advancevb.com.ar/


What did you think of the Crypter BluePrint? Do you have any questions or suggestions for the Crypter Blueprint? Please Go to this link to tell me so I can make it better, http://www.surveymonkey.com/s/XKSVMBJ
