Comments for X-N2O's Blog

Comment on AES Explained by Kewal

Kewal — Thu, 10 Nov 2011 14:40:27 +0000

Thank’s a lot.. :)

Comment on AES Explained by Advanced Encryption Standard From Wikipedia, the free encyclopedia | WorldWright's …

Sat, 15 Oct 2011 15:30:01 +0000

[...] An in-depth description of the Advanced Encryption Standard and the maths behind it. C implementatio… [...]

Comment on Clever tricks against antiviruses by Hav0c

Hav0c — Thu, 21 Jul 2011 18:19:28 +0000

I see, thanks for clearing things out :p

Comment on Clever tricks against antiviruses by X-N2O

X-N2O — Wed, 20 Jul 2011 14:05:31 +0000

In order to decrypt the .data what you need is a decryption stub. The decryption stub is already there, but it needs to be called before the original entry point. This decryption stub is new_ep. We need to change the EP of the executable to the RVA of new_ep. That’s what the NEW constant is. Next, after new_ep is done with decrypting, it should call/jump to the original EP. Hence we need to patch the placeholder (0×41414141) with the original EP VA. The REP constant contains the offset of the placeholder in the executable file.

Comment on Clever tricks against antiviruses by Hav0c

Hav0c — Tue, 19 Jul 2011 23:01:08 +0000

heh, yeah, but metamorphisme is way to much of a pain in the ass. I would start-off with simple polymorphisme, and than update it if the need arise. :)

Btw, i dont really undersand, in the .data encryption code, could you specify the macros NEW and REP? i know they’re offsets, but what i don’t know is what they’re for, or to what i should change them to for other executables (sorry if this sounds noobish, messing with PE structs aren’t an habit for me, and as such i don’t quite get most of that code). Btw, at VXChaos, there’s a pdf on “how to build your own PE protector” or something alike, can’t really recall on what section it is though. But then again, that pdf’s for .text, not really .data, and even less .bss

On a last note, please make more of these guides, as i enjoy reading them, and also, i changed the gpa() function to only search for hashes rather than name (CRC32, a technique which i belive was created by some vx’er to save some space on one of his viruses), which i belive was what ‘whocares’ said on his post. Anyway, i can borrow you the source (not just the CRC32 functions, i really mean the whole thing) if you’re interested. And if you are, you know how to contact me :)

tl;dr: more info on NEW and REP macros, and more guides. that is all

Comment on Clever tricks against antiviruses by X-N2O

X-N2O — Mon, 18 Jul 2011 12:46:25 +0000

You’re most welcome to use it Hav0c.
Encrypting .text isn’t that hard, and it’s done similarly to this method. Making a metamorphic engine would be way more challenging :)

Comment on Clever tricks against antiviruses by Hav0c

Hav0c — Sun, 17 Jul 2011 00:18:33 +0000

hey X-N2O, i’ll be using a modification of the code in this guide on my botnet
hope you don’t mind :p

also, i’m using mingw32, which uses AT&T syntax for inline assembler, and it sucks balls, so a tip to anyone using mingw32, i used nasm to compile an object file (.obj), and linked it to the rest of the C code.

And finally, X-N2O, you should put online a guide on how to encrypt the .text section, not just the .data :p. Also, im sure that there is a way to encrypt the data in memory using offsets instead of poking around with those damn pe headers.

Comment on Clever tricks against antiviruses by Mẹo nhỏ qua mặt antivirus | asmreverse

Mẹo nhỏ qua mặt antivirus | asmreverse — Wed, 01 Jun 2011 13:22:47 +0000

[...] quangthiennguyen tham khảo từ http://www.x-n2o.com/clever-tricks-against-antiviruses/ GetIP source: [...]

Comment on Clever tricks against antiviruses by Ducky

Ducky — Sun, 01 May 2011 16:47:18 +0000

Never mind, i compiled it as c++.

Comment on AES Explained by X-N2O

X-N2O — Tue, 29 Mar 2011 21:06:53 +0000

It does not use any blocking mode, since I only needed to test it with one block (in main.c). Both ECB and CBC however are fairly simple to implement.