It doesn't work for me o.0 it just says it's injecting and stays there, then perX goes away and nothing happens. LOL
I did the same thing but mine still doesn't work. Help please.
If we don't end war, war will end us.
When I try opening it, it immediately crashes.
Good work Shim, but this is not polymorphic... otherwise you wouldn't need to encrypt it again after it gets detected... just in case you have mistaken the difference: https://en.wikipedia.org/wiki/Polymorphic_code. Besides that, great job. I haven't tested it yet, but I can already picture your method..
Originally Posted by Jeremy S. Anderson:
You can win the rat race,
But you're still nothing but a fucking RAT.
++Latest Projects++
[Open Source] Injection Library
Simple PE Cipher
FilthyHooker - Simple Hooking Class
CLR Injector - Inject .NET dlls with ease
Simple Injection - An in-depth look
MPGH's .NET SDK
eJect - Simple Injector
Basic PE Explorer (BETA)
No patronizing about it, just stating facts. I 100% agree that each time the stub is built it is different, but that is not polymorphic, as the code is not mutating each time it is executed. And strangely enough, encryption is one of my favorite topics as an active member of the malware and RCE scenes for the last 6 years.
Last edited by Departure; 08-26-2012 at 12:32 PM.
I 100% agree: Polymorphic and polymorphism are 2 different things..
https://en.wikipedia.org/wiki/Polymorphic_code
Polymorphism (computer science) - Wikipedia, the free encyclopedia
Luckily we are all talking about Polymorphic, as stated in the topic....
Anyway, at the end of the day he has done an excellent job, but it simply is not Polymorphic..
It's quite impossible to build a true polymorphic engine into the hack without having access to the original source code. Since hacks don't exactly abide by normal coding conventions, it's impossible to predict what I can and can't change about the code and the structure. And don't even mention the packers, 'encryption' and compression all the coders throw over their hacks before dumping them here. As you can see, a lot of people already have problems with that, and there's simply nothing I can do about it, aside from spending a huge amount of time on making this crypter 100% transparent.
I hear what you say about the hacks themselves not being polymorphic, and you're right there. What I meant was that the stub is different each time, but you got that already. I wonder, though, how one would go about building a mutating engine into a file that's static. As far as I know it just can't be done. Either the mutation engine would be static or the hack would be static; there's no middle ground.
The method I use is really quite simple; it's very much like the one I posted on the site a few weeks ago, and the source can be found in the previous version. It permutes the instructions used for decryption, swaps all registers and links them with jumps.
On another note, are you only interested in fighting malware? Or have you written some samples too?
Last edited by .::SCHiM::.; 08-27-2012 at 06:26 AM.
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
I never really write malware (except maybe a small Remote Admin Tool for personal use), but I have coded "cryptors" before and other small tools for the malware scene, nothing too special, but I am mainly in this scene for coding reasons only. There is lots to learn from the malware scene (well, there used to be lots to learn), but these days it's about money instead of coding practices, which has put me off a little... My other interest is the RCE scene, mainly for the coding side of it also, but I have released a few keygens for known reverse teams. Keygenning and encryption are my favorite subjects; I've done a couple of tutorials on larger software companies and their product registration algorithms.
Anyway, sorry for the off topic. I did have a quick look through the source code you posted last week (I think) and thought it was a good job. If I remember correctly, the Morphine source is freely available to get some mutation ideas from, but like you said... it's probably not worth the effort considering most of these hacks have already been packed or protected by some other product, or they have been patched already. It's only a small few that it will be useful on. Good job, keep it up...
I like RCE too; I've been building a universal unpacker. It's far from finished, but I have a great idea. The code will run inside an emulator (almost finished); it will keep track of newly allocated memory, and each time execution jumps to a new region or 'dirty region', the image in memory is saved to disk and restarted in the emulator. Once the program enters a Windows loop or message pump, you know the executable is fully unpacked. I'll simply save and fix the last saved binary as the 'clean executable'; the last jump location into this binary is the OEP.
Ohh, and there are loads of sources available on the internet: win32!evol, mistfal and lothan are all metamorphic and documented online. It isn't about the lack of ideas, it's just how to properly implement them and the easiest way to go about it.
Thoughts?
Last edited by .::SCHiM::.; 08-28-2012 at 04:33 AM.
How in any way is that polymorphic?
Isn't polymorphic the editing of code during runtime, OR one class being able to call different functions, like virtual functions, stuff like that?
I just like programming, that is all.
Current Stuff:
- GPU Programmer (Cuda)
- Client/Server (Cloud Server)
- Mobile App Development