Sunday, April 20, 2008

OBFUSCATION BY COMPRESSION AND BINDING

Table of Context
1: Disclaimer
2: Introduction
3: What you need
4: How to
5: End notes

NOTE: This tutorial may seem a little "Childesh" but when I wrote this, like right now, august 5th, 2006, at 7:34 PM, I had a hangover, and didn't feel to compelled to do it in a scientific, or professional/serious matter. This is just for the heads up. xyr0x

1: Disclaimer:
I hold zero responsibility for any illegal, Blah, I can't even right a disclaimer anymore. You know that this tutorial is bad news, and if you get caught breaking any copyright violations, or unfair treaties, that you'll go meet Mr. Bubba in big pen down town and have a new lifestyle, being gay, having a boyfriend, being a mans bitch, and all, so don't get caught, and I'm not responsible; This tutorial was made for education purposes only; Ok? Great!

2: Introduction:
I bet you get a prompt every so often about some runtime component being missing, or what not, for example, you go and download a "Booter" from some lame anti-yahoo website and it says, for example... "Kewlbuttons.OCX" is not registered, or cannot be found, and so therefor it makes the "Booter" not work, am I right? Good. Well, here this tutorial isn't about Booting kids off of yahoo, but about how to conserve yourself the risk of being "suspected" of compromising another machine using tricky tactics and well, the creative minded methods that we hackers tend to run upon. We're going to be using for example an "Detectable" virus. Or, one that you made. What that relies on certain components, such as Winsck32.ocx for example. Alot of people run into issues with this runtime, becuase it often doesn't register with 3rd party applications for "Security issues" besides this, since it has issues we're going to do something about it for our virus/trojan or whatever you want to do. Also, on the flip side of this rant, it may make your .EXE/.PIF/.SCR/.COM file a little bigger, there's nothing bad about that. I get kids saying to me, why's your file only 32kb's? LOL I'm not gonna download that from you, xyr0x. Well, why should they? They have every right to be "Suspicious" So enforce it with methods that are kind of fruity, and if you're on dialup? Don't complain about a file transfer taking to long. Get wireless, and leech off of a WIFI. That's what I've been doing for that last 2 months, and I've gotta say, that the Speed is pretty decent. Better than your run around, buy DSL for $26,99 a month rip-off.

3: What you need:
So in order to "Include" our runtimes into our project we're going to need a few things, and you're going to need to be aware of what OS you're using. This doesn't work so well with Linux, so use windows. I love windows, cause I'm to lazy to relax and learn the schematics and commands that linux offers for the moments that lay between me.


You'll need

1: A Binder, use => IEXPRESS. (It used to be some "SECRET" utility in the WinNT Platform, but how was it secret again? If you got Windows, just goto System32/ and look, there's nothing secret in there. It's already there, isn't it?)

For Non NT users Download: http://rapidshare.de/files/27498900/IEXPRESS.zip.html (I uploaded IEXPRESS.zip as I authored this tutorial at the prior link)

2: A Packer. A Good packer is, UPX, but it's often detected as a "Bloodhound" if there's something phishy with the payload. But there are others. But we'll focus on UPX in this article.

Download: http://upx.sourceforge.net/

3: You're components/Runtimes. Now, it's easy to know what components are needed "IF INCASE" you don't want to have any goofs upon execution with your victim. Now if you don't you can review the procedures within a Disassembler. It'll tell you what Runtimes are being used, for example, MSVB60.DLL --- ok, that's all for what you need, and what to be aware of.

If you're missing runtimes yourself, you can goto www.dll-files.com and get them.

4: How to do it:
First open IEXPRESS, by doing the following:
Start | Run | IEXPRESS
Click, Ok, or enter.
Now, you know what runtimes are needed, so we're going to do the following steps with the IEXPRESS utility...
1: Create new Self Extraction directive file, click Next
2: Extract files and run an installation command, click Next
3: Name your package, click Next
4: No Prompt, click Next
5: Do not display a license, click Next
6: Now, here is where you'll add ALL the runtimes, and that special application(s) once done, click next.
7: Install program > Method -> Your .EXE or Binary file. (The runtimes, just bind within don't worry) If you want to make sure it doesn't screwup, or you have a secondary applications, you can configure the "Post install command" with your other file. Never with the same, it'll screw up up the process... and if it's a trojan, you don't want this.
8: show windows: Default's ok, but hidden is a better idea, it's more stealthy, y'know?
9: Finished message: No, messages.
10: package name and options: Select hide file extracting progress animation from user, and keep the store files, unchecked. Click next, (Also if you want to name the path, do C:\ ) Click Next.
11: Config Restart: No restart, is best. But if it requires Registry modifications, Restart is needed.
12: Don't save... Click, Next
13: Create package, Click next
14: A Black DOS Screen will popup, showing you the progress, once it's done binding, it'll go away, click finish on IEXPRESS and it'll close.

DAAAMN That was exhuasting. You're lucky, I wouldn't never thought that I could've done that. What a mind that was.

Ok, on with "COMPRESSION" Yeah, making the file size a bit smaller, but not to small.

Once you've installed UPX, it'll be in Dir, C:\UPX\ and the UPX.EXE is, C:\UPX\upx.exe Remember this, or if it's not there right now do it. (in C:\upx\upx.exe) It'll make things a whole lot easier.

So we're going to compress for example. a virus in our C:\ directory, and it's called... xyr0x.pif yeah, pretty cool huh? A virus as my handle. My virus is located at C:\xyr0x.pif - now read the following:
Start | Run | CMD
Once the command prompts open, we're going to type in the below format:
Call C:\xyr0x pif C:\upx\upx.exe -9

Now, -9 is "BETTER COMPRESSION" with upx's latest release. But you can do other compression formats if you feel the need. Now what we did was we called our Archived IEXPRESS crap, and told UPX to compress it, in "Better compression format" thus makes it "un-extractable" which I'll elaborate for you below.

So, you maybe questioning yourself, What the hell? I don't understand. Well, duh. Let me re-elaborate what I did, and what I did, to make you think. Cause It's not easy being a Hacker. We collaborated our Runtimes which would run with our Virus/Malware/Worm/Trojan or whatever it was that you are wanting to abuse. We then took the runtimes which are needed incase of malfunctioning issues on the victims behalf, becuase one wasn't declared as being Registered. We made our Binded file, xyr0x.pif (We can't make it .PIF, in IEXPRESS) So use your head. We then took it to our UPX to compress the archive, and thus doing this means that it cannot be "EXTRACTED" it runs as a WHOLE, and therefor by doing this, it obfuscates the virus and confuses and therefor bypasses the A/V hueristics. You get the idea.

5: End Notes:
I wrote this becuase well, some folks on informationleak.net inspired me to define how something that seem's so hard, can be done so easy, if thought of properly. Security, insecurity, it's never what it seem's so take care of yourself, and I'll see you behind the bluescreen. Anyways, I'm going to finish with a few hello's and what's up for some of my friends and then give you some methods on how you can reach me, if you don't know any of them already.

Greets to sintakz, fab, ouwop, 3D, Josh Tha Ninja, infektid, 7sean, murder mouse, halla, infoleak, ignitus, aelphaeis_mangarae, alchemist, DanielG, Flowby, MeGa-ByTe, ZOD, SMiRL.com, trikk, dv0id, mbeers.geo, and to the rest of you, hi, and hello. I forgot you

No comments:

Post a Comment