Meteor2142 Posted March 28, 2015

Hello guys! I'm now finding out how the cryptor works (more in my previous topic). So there is some stub, with randomly generated method names and a randomly generated byte array that crypts the file.

Sample of the decryption code:

```csharp
// Uses the string from the crypted resources (I don't know how it's even stored in resources like that).
string text = (string)resourceManager.GetObject(...);
byte[] array = new byte[text.Length];
for (int i = 0; i < text.Length; i++)
{
    array[i] = (byte)text[i]; // decryption
}
```

The most simple, maybe... how do I make an encoder from this? ByteKey is used in the ResourceManager to decode the encrypted string.

Second sample, same `string text...` and `byte[] array...`:

```csharp
for (int i = 0; i < text.Length; i++)
{
    for (int j = 0; j < ByteKey.Length; j++)
    {
        array[i] = (byte)(text[i] ^ ByteKey[j]); // creating a decrypted array from resources using ByteKey
    }
}
```

ByteKey looks like:

```csharp
private static byte[] ByteKey = new byte[] { 198, 155, 210, 181, 170, 198, 80, 247, 165, 134, 249, 215, 18, 204, 212, 8, 71, 122, 144, 187, 164, 225, 159, 57 };
```

Third sample:

```csharp
for (int j = 0; j < text.Length; j++)
{
    array[i] ^= (byte)text[j];
}
```

Sorry for the bad English and post, but I really need to know how to make an encryptor! If there are some people who can help me, in a few days I will release a simple encryptor using these methods! TY!
Encrypto Posted March 28, 2015

This is simply XOR encoding. Encrypt == Decrypt. Simply replicate the decrypting procedure and you are done. Btw, if you are using this to encrypt a file (to avoid AV detection?), this is a terrible choice of algorithm. Heuristics will detect it.
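The "replicate the decrypting procedure" advice, worked through as an added Python example (not code from either poster or from the stub itself). It packs the XORed bytes into the string form sample 1 unpacks with `(byte)text[i]` (each char's code is one byte, which is how a byte array ends up "stored in resources like that"), and it also ports the second sample's nested loop literally to show a caveat: because the inner loop over `j` reassigns `array[i]` every iteration, that loop collapses to a single-byte XOR with the last key byte. The key is the one from the post; the payload bytes are constructed here and the function names are the example's own.

```python
from itertools import cycle

# Key exactly as shown in the post (24 bytes).
BYTE_KEY = bytes([198, 155, 210, 181, 170, 198, 80, 247, 165, 134, 249, 215,
                  18, 204, 212, 8, 71, 122, 144, 187, 164, 225, 159, 57])


def bytes_to_resource_string(data: bytes) -> str:
    """Sample 1 in reverse: store each byte as the char with that code
    (0..255), which is what `array[i] = (byte)text[i]` unpacks again."""
    return data.decode("latin-1")


def resource_string_to_bytes(text: str) -> bytes:
    """Sample 1 as posted: the (byte) cast keeps the low byte of each char."""
    return bytes(ord(c) & 0xFF for c in text)


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is combined with key[i % len(key)].
    The same call both encrypts and decrypts (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_nested_loop_as_posted(data: bytes, key: bytes) -> bytes:
    """Literal port of the post's second sample. The inner loop over j
    assigns array[i] afresh each time, so only key[-1] has any effect."""
    out = bytearray(len(data))
    for i in range(len(data)):
        for j in range(len(key)):
            out[i] = data[i] ^ key[j]
    return bytes(out)


def xor_single_byte(data: bytes, k: int) -> bytes:
    """Single-byte XOR, used to show what the nested loop really computes."""
    return bytes(b ^ k for b in data)


def encode_payload(payload: bytes, key: bytes = BYTE_KEY) -> str:
    """The 'encryptor' side: XOR with the key, then pack the result into
    the string form the stub's resource holds."""
    return bytes_to_resource_string(xor_repeating_key(payload, key))


def decode_payload(text: str, key: bytes = BYTE_KEY) -> bytes:
    """The stub side at run time: unpack the string, XOR with the key again."""
    return xor_repeating_key(resource_string_to_bytes(text), key)


if __name__ == "__main__":
    # Constructed stand-in for the file being crypted (not a real binary).
    payload = b"MZ\x90\x00 constructed payload bytes " * 3
    blob = encode_payload(payload)
    assert decode_payload(blob) == payload
    # The nested-loop sample collapses to single-byte XOR with the last key byte.
    assert xor_nested_loop_as_posted(payload, BYTE_KEY) == xor_single_byte(payload, BYTE_KEY[-1])
    print("round trip ok; nested-loop sample == single-byte XOR with key byte", BYTE_KEY[-1])
```

If the real stub's inner loop is written the way the second sample shows, an encoder that applies the full 24-byte repeating key will produce resources the stub cannot decode; it has to match the stub's actual arithmetic, which is why porting the loop literally before writing the encoder is worth the minute it takes.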
Meteor2142 Posted March 29, 2015 (Author)

> This is simply XOR encoding. Encrypt == Decrypt. Simply replicate the decrypting procedure and you are done. Btw, if you are using this to encrypt a file (to avoid AV detection?), this is a terrible choice of algorithm. Heuristics will detect it.

It's only the main method of encoding; there are even more methods, such as RunPE, steganography, etc. More here - http://blogs.cisco.com/security/talos/reversing-multilayer-net-malware
Encrypto Posted March 30, 2015

RunPE used to be the main choice; however, due to the progression of the APIs (VirtualAlloc, VirtualProtect, WriteProcessMemory, CreateRemoteThread, etc.), it is highly classified as a malicious operation. Going back to the XOR encoding: while effective at scrambling data, it can and will be detected by AVs or even in a sandbox environment. Also, I don't know if the forum is appropriate for such topics. (I don't know, though; I am just assuming because of the nature of malware topics.)
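A concrete reason repeating-key XOR only scrambles rather than protects, as an added example that is not part of the thread: the first bytes of any PE file are predictable (the `MZ` header and the DOS stub message), and a known plaintext byte gives away the key byte at that position (`key = ciphertext ^ plaintext`). The script below takes a constructed stand-in for a PE file (not a real binary), encodes it with the 24-byte key from the post, and then recovers the key length and the key from nothing but the ciphertext and the assumed header bytes. The offsets (`0x4E` for the stub message) reflect common linker layout, and the function and constant names are the example's own.

```python
from itertools import cycle

# Key as shown in the post (24 bytes).
BYTE_KEY = bytes([198, 155, 210, 181, 170, 198, 80, 247, 165, 134, 249, 215,
                  18, 204, 212, 8, 71, 122, 144, 187, 164, 225, 159, 57])

# Constructed stand-in for a PE file (not a real binary): the conventional
# first 16 bytes of an MZ header, the DOS stub message at offset 0x4E where
# common linkers place it, and a PE signature, padded to 256 bytes.
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
_pe = bytearray(256)
_pe[0:16] = MZ_HEADER
_pe[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
_pe[0x80:0x84] = b"PE\x00\x00"
SAMPLE_PE = bytes(_pe)

# Plaintext an analyst can assume without ever seeing the file: offset -> bytes.
KNOWN_PLAINTEXT = {0x00: MZ_HEADER, 0x4E: DOS_STUB_MSG}


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encrypts and decrypts alike."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known: dict, max_len: int = 64):
    """Try key lengths 1..max_len. For each length derive
    key[pos % klen] = ciphertext[pos] ^ plaintext[pos] from every known byte.
    The shortest length that produces no contradiction and determines every
    key byte is returned as (key_length, key); None if no length fits."""
    for klen in range(1, max_len + 1):
        key = [None] * klen
        consistent = True
        for offset, plain in known.items():
            for i, p in enumerate(plain):
                pos = offset + i
                if pos >= len(ciphertext):
                    consistent = False
                    break
                k = ciphertext[pos] ^ p
                r = pos % klen
                if key[r] is None:
                    key[r] = k
                elif key[r] != k:
                    # Same key slot, two different values: wrong length.
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and all(b is not None for b in key):
            return klen, bytes(key)
    return None


if __name__ == "__main__":
    ct = xor_repeating_key(SAMPLE_PE, BYTE_KEY)
    klen, key = recover_key(ct, KNOWN_PLAINTEXT)
    assert key == BYTE_KEY
    assert xor_repeating_key(ct, key) == SAMPLE_PE
    print(f"recovered {klen}-byte key from header bytes alone: {key.hex()}")
```

The 16 header bytes plus the 39-byte stub message give 55 known positions, enough to fill and cross-check every slot of a 24-byte key; shorter candidate lengths are rejected because two known positions land in the same slot with different values. With very little known plaintext the shortest consistent length can be a coincidence, so in practice you confirm the candidate by checking that the decrypted output parses as a PE (for instance, that `PE\0\0` appears where `e_lfanew` points).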