[Source] Real polymorphic crypter v2

[LongBallss]

I did the same thing but mine still doesn't work. Help please.

[NSixx]

It doesnt work for me o.0 it just says it's injecting and remains there, then perX goes away and nothing happens. LOL

[ed144]

when i try opening it, it immidietly crashes

[Departure]

Good work Shim but this is not polymorphic... otherwise you wouldn't need to encrypt it again after is gets detected... just in case you have mistaken the difference https://en.wikipedia.org/wiki/Polymorphic_code beside from that great job, I haven't tested yet But I can already picture your method..

[Jason]

Good work Shim but this is not polymorphic... otherwise you wouldn't need to encrypt it again after is gets detected... just in case you have mistaken the difference https://en.wikipedia.org/wiki/Polymorphic_code beside from that great job, I haven't tested yet But I can already picture your method..

>Attempts to patronize SChiM about encryption

Lols will ensue.

[Departure]

No patronizing about it, just stating facts, I 100% agree that each time the stub is built it is different, but that is not polymorphic, as the code is not mutating each time it is executed. And strangely enough encryption is one of my favorite topics as an active member in the malware and RCE scenes for last 6 years.

[Jason]

No patronizing about it, just stating facts, I 100% agree that each time the stub is built it is different, but that is not polymorphic, as the code is not mutating each time it is executed. And strangely enough encryption is one of my favorite topics as an active member in the malware and RCE scenes for last 6 years.

Polymorphic code (self-modifying code) isn't the definition of polymorphism. In this case, the code base of the target obviously isn't polymorphic, but you can externally synthesize a single polymorphic rotation

[Departure]

Polymorphic code (self-modifying code) isn't the definition of polymorphism. In this case, the code base of the target obviously isn't polymorphic, but you can externally synthesize a single polymorphic rotation

I 100% agree Polymorphic and polymorphism are 2 different things..
https://en.wikipedia.org/wiki/Polymorphic_code
Polymorphism (computer science) - Wikipedia, the free encyclopedia

Luckily we are all talking about Polymorphic as stated in the topic....

Anyway at the end of the day he has done an excellent job, but it just simply is not Polymorphic..

[Jason]

I 100% agree Polymorphic and polymorphism are 2 different things..
https://en.wikipedia.org/wiki/Polymorphic_code
Polymorphism (computer science) - Wikipedia, the free encyclopedia

Luckily we are all talking about Polymorphic as stated in the topic....

Anyway at the end of the day he has done an excellent job, but it just simply is not Polymorphic..

Sigh, whatever.

[Departure]

Sigh, whatever.

No need to sigh... it is what it is..

Once again great job and alot better than inserting random byte at the end of a code section and changing the integrity check(aka crc) in the PE headers...

[.::SCHiM::.]

It's quite impossible to build a true polymorphic engine into the hack without having access to the original source code. Since hacks don't exactly abide by normal coding conventions, it's impossible to predict what I can and can't change about the code and the structure. And don't even mention the packers, 'encryption' and compression all the coders throw over their hacks before dumping them here. As you can see allot of people already have problems with that and there's simply nothing I can do about it, aside from spending a huge amount of time on making this crypter 100% transparent.

I hear what you say about the hacks themselves not being polymorphic, and you're right there. What I meant was that the stub is different each time, but you got that already. I wonder though, how one would go go about building a mutating engine into a file that's static. As far as I know itt just can't be done. Either the mutation engine would be static or the hack would be static there's no middle ground.

The method I use is really quite simple, it's very alike the one I posted on the site a few weeks ago and the source can be found in the previous version. It permutates the instructions used for decryption, swaps all registers and links with jumps.

On another note, are you only interested in fighting malware? Or have you written some samples too?

[Departure]

I never really write malware(except maybe a small Remote Admin Tool for personal use), but I have coded "cryptors" before and other small tools for the malware scene, nothing too special but I am mainly in this scene for coding reasons only, There is lots to learn from the malware scene(well use to be lots to learn) but these days its about money instead of coding practices, which has put me off a little... My Other interest is the RCE scene, mainly for the coding side of it also but I have released a few keygens for known Reverse Teams, Keygening and Encryption is my favorite subjects, Done a couple of tutorials on larger Software companies and there registration of there products algorithm.

Anyway sorry for the off topic, I did have a quick look through the source code you post last week(I think) and thought it was a good job, If I remember correctly Morphine source is freely available to get some mutation ideas from, But like you said... its probably not worth the effort considering most of these hacks have already been packed or protected by some other product, or they have been patched already. its only small few that it will be useful on. Good job keep it up...

[.::SCHiM::.]

I like RCE too, I've been building an universal unpacker. It's far from finished, but I ahve a great idea. The code will run inside an emulator (almost finished) it will keep track of new memory allocated and each time execution jumps to a new region or 'dirty region' the image in memory is saved to disk and restarted in the emulator. Once the program enters a windows loop or message pump, you know the executable is full unpacked. I'll simply save and fix the last saved binary as the 'clean executable' the last jump location into this binary is the OEP.


Ohh and there is loads of sources available on the internet, win32!evol, mistfal and lothan are all methamorphic and documented online. It isn't about the lack of ideas, it's just how to poperly implement them and the easiest way to go about it.
Thoughts?

[topblast]

How in any way is that polymorphic?

Isnt polymorphic the editing of code during runtime OR one class being able to call different functions like virtual functions , stuff like that.

[bobmarleyvav]

I editing in C++ ?