IDEspinner
Well, this may be my last tutorial for a while (check open topic) but it could also be my most malicious. I have my reservations about releasing this but figure hey, why not.


Anyways, this guide will cover how you can manually pack your backdoor, trojan, whatever, to successfully beat any AV's detection.

This guide does not go over running Morphine, doesn't go over running ASProtect.
This guide goes over opening the file up in OllyDbg (a debugger) and manually packing your malware by hand. It is not really so hard, trust me.

I didn't feel I was too clear on some parts (on purpose) but you can use this thread to discuss issues and alternate methods.

The benefits of using your own packer are somewhat apparent: AVs often look for a packer like Morphine and UPX, but, as an antivirus cannot detect a virus you make, it can't detect a packer you made.

I go over how to manually pack the dcmd trojan posted by digital spirit, so it's a real situation.

Special thanks to the guys in #rainbowcrack. They gave me the idea.

here is the link

CODE
http://www.astalavista.com/?section=dir&cmd=file&id=3373


Enjoy

edit: oh yea and to the topic
QUOTE
Has Anyone Found A Packer...
that beats KAV?


Yea, the one I made does
Iced
QUOTE(IDEspinner @ Dec 22 2004, 01:01 PM)
Well, this may be my last tutorial for a while (check open topic) but it could also be my most malicious. I have my reservations about releasing this but figure hey, why not.


Anyways, this guide will cover how you can manually pack your backdoor, trojan, whatever, to successfully beat any AV's detection.

This guide does not go over running Morphine, doesn't go over running ASProtect.
This guide goes over opening the file up in OllyDbg (a debugger) and manually packing your malware by hand. It is not really so hard, trust me.

I didn't feel I was too clear on some parts (on purpose) but you can use this thread to discuss issues and alternate methods.

The benefits of using your own packer are somewhat apparent: AVs often look for a packer like Morphine and UPX, but, as an antivirus cannot detect a virus you make, it can't detect a packer you made.

I go over how to manually pack the dcmd trojan posted by digital spirit, so it's a real situation.

Special thanks to the guys in #rainbowcrack. They gave me the idea.

here is the link

CODE
http://www.astalavista.com/?section=dir&cmd=file&id=3373


Enjoy

edit: oh yea and to the topic
QUOTE
Has Anyone Found A Packer...
that beats KAV?


Yea, the one I made does
*




Thanks a lot for this. It really opened my eyes to a lot that will happen in the future. I am not sure that I have ever seen a tutorial better than this. Your work is very much appreciated. I am kinda bummed that this will be your last one for a while.
archphase
dcmd isn't written by digital spirit, it's written by drocon with CensoredNET (www.censorednet.org).

You simply ripped the comment block out and replaced his MZ DOS stub with your name, how _fucking_ lame.
IDEspinner
QUOTE(archphase @ Dec 22 2004, 05:04 PM)
dcmd isn't written by digital spirit, it's written by drocon with CensoredNET (www.censorednet.org).

You simply ripped the comment block out and replaced his MZ DOS stub with your name, how _fucking_ lame.
*



*Sigh* well, I never said digital spirit made it, I don't know who made it...

looking at the source, all i could find was this reference
CODE

_aCom db 'COMSPEC',0


Going by that, I have no idea who made it, but based upon the post he made, and his wording, his context was worded well enough to tell he didn't make it....

but whoever made it, thank you

P.S. If you skimmed over the above, I know digital didn't make it, but I don't/didn't know who did.

QUOTE
You simply ripped the comment block out and replaced his MZ DOS stub with your name, how _fucking_ lame.

Of course, you're welcome to point out where any of us put our names....

Now let's just look at what I wrote one more time...
QUOTE
I go over how to manually pack the dcmd trojan posted by digital spirit. so its a real situation.


Now let's emphasize a few words:
QUOTE
I go over how to manually pack the dcmd trojan posted by digital spirit. so its a real situation.


Yep, that's pretty apparent.
Digital_Spirit
I never claimed to have made it. If you go to my original post you will see that I gave credit to the creator. I never changed a thing. I compiled with the same batch script that was included in the original zip.
archphase
Bullshit, you're a _fucking_ liar.

QUOTE
MZ......................@...................................`...coded by digital..L.!...........PE..L.................................................@


Your name is digital, right, or is there another digital in possession of this file?
FuzZyBeeR
Nice tut again. Pity that you're going for a time, but you must have your reasons for this.
jead99
Hey m8

It's always nice to see those tuts from you. Keep up the good work.
IDEspinner
QUOTE(archphase @ Dec 23 2004, 12:06 AM)
Bullshit, you're a _fucking_ liar.

QUOTE
MZ......................@...................................`...coded by digital..L.!...........PE..L.................................................@


Your name is digital, right, or is there another digital in possession of this file?
*



Well, when you're right, you're right.... Sorry guys, from what digital PM'ed me (while I was offline)
he said he was, well, I will just quote it:
QUOTE
[16:10] pharmaceutical_heartthrob: I just realized that I (filtered) up big [Offline Message (Thu Dec 23 07:21:31 2004)]
[16:10] pharmaceutical_heartthrob: I was testing the asm in dcmd to see if a 7 char word in place of a 6 one would kill the file like it would in a compiled exe. That 7 letter word happened to be digital. Unfortunately, I forgot to change this back in the copy that I sent you. Please don't think that I tried to rip this file. I included the fact in my posts that it was coded by Drocon. It was due to my careless mistake that it says otherwise. I understand if you don't want to speak with me anymore [Offline Message (Thu Dec 23 07:23:40 2004)]
[16:10] pharmaceutical_heartthrob: the reason I replaced Drocon was because it was the only Palaintext 6 char string in the header [Offline Message (Thu Dec 23 07:24:15 2004)]


So yea, our mistake I guess...

There is good news however!

In the Header.inc the stub remains intact:

CODE
stub:
db "coded by Drocon",0
mov ah, 4ch
int 21h

At least that's there. We really did mess up big time here (just took the incident to look at all the source today), so sorry everyone, especially Drocon, who rightfully deserves all the credit for the dcmd.

Well, that's probably my second ever mistake; the first one was in bufferoverflow part 2.... see if you can find it.

Well honestly of course, I'd imagine the source to be the first place to look at rather than the decompiled PE, but dunno. I'm really sorry guys, but well, I can only do so much.
Digital_Spirit

I am so sorry, and I apologize to ALL members of government security that this happened. It was an honest mistake. The exe version of dcmd that I had in the folder at the time was precompiled, the reason it said "digital" was because I was testing to see if 1 extra plaintext byte in the header would throw off the program like it would on an exe after it is compiled. If you will notice in the source code of the post, the stub is there, and I gave credit to Drocon. It was a mistake on my part, and I am sorry.
B3T4
Jeez, attacking DS like that, just over a silly mistake. archphase, damn n00b, if u had read the other stuff DS posted u would know that he wouldn't need to steal code and most likely just played around with it.

You could have gently asked how 'digital' (which does not even need to be linked to Digital Spirit; by the same token 'sucking' could have stood there, would u then attack someone called suckballs?) came to be inside the file. Something which makes it look even less like DS was trying to steal it is that IDESpinner posted the damn app without even referring to DS.

Anyhow, nice tut idespinner, good work as ever.
And everyone a nice Christmas, even u archphase.
nicolas9510
I think this is a really nice tut.
Maybe I will be able to beat KAV finally.
PS: I like my name at the end in the credits.
U do nice tuts.
tibbar
I love the style of your video guides ide, nice work.

hope you have a good (and inspirational break) - see you in 2 years!
archphase
Sure, w/e, I don't buy your story, and B3T4 you have no idea what you're talking about. drocon is a close friend and part of our crew, don't steal shit anymore or "test".
tibbar
QUOTE(archphase @ Dec 25 2004, 12:59 AM)
Sure, w/e, I don't buy your story, and B3T4 you have no idea what you're talking about. drocon is a close friend and part of our crew, don't steal shit anymore or "test".
*



omg be careful all, it seems we have upset an uber l337 script kiddie and his crew!

/me smells the p33r
Flowby
QUOTE(archphase @ Dec 25 2004, 12:59 AM)
Sure, w/e, I don't buy your story, and B3T4 you have no idea what you're talking about. drocon is a close friend and part of our crew, don't steal shit anymore or "test".
*




See, everywhere you go you make shit!!! Grow up one day... and people, don't mind about him... everybody knows him, he's a lame ass that is making chaos and flames on all (filtered) boards... so just learn to ignore him!

Thanx for the tut, nice one!
archphase
HEY NEWSFLASH: THE SKRIPT-KIDDIE'S code is being hosted on Flowby's site. I don't incite flames, I defend the right of a copyright of another person; you shamelessly trying to take credit for another's work is demeaning and doesn't encourage them to further develop.

tibbar: we're not in an IRC chatroom so /me really doesn't work.

I'm really waiting for a moderator to step in at this point and, like, silence you, but can't expect that. Right now I feel like Galileo and you guys are the Catholic Church.
Terminal
QUOTE(archphase @ Dec 25 2004, 03:26 PM)
HEY NEWSFLASH: THE SKRIPT-KIDDIE'S code is being hosted on Flowby's site. I don't incite flames, I defend the right of a copyright of another person; you shamelessly trying to take credit for another's work is demeaning and doesn't encourage them to further develop.

tibbar: we're not in an IRC chatroom so /me really doesn't work.

I'm really waiting for a moderator to step in at this point and, like, silence you, but can't expect that. Right now I feel like Galileo and you guys are the Catholic Church.
*




What's the reason to put up shit everywhere? You could have just informed digitalspirit or IDESPINNER about it in PM or somewhere else and I'm sure he would have posted an apology and given credit to Drocon.
tibbar
QUOTE(archphase @ Dec 25 2004, 09:56 AM)
HEY NEWSFLASH: THE SKRIPT-KIDDIE'S code is being hosted on Flowby's site. I don't incite flames, I defend the right of a copyright of another person; you shamelessly trying to take credit for another's work is demeaning and doesn't encourage them to further develop.

tibbar: we're not in an IRC chatroom so /me really doesn't work.

I'm really waiting for a moderator to step in at this point and, like, silence you, but can't expect that. Right now I feel like Galileo and you guys are the Catholic Church.
*



I think it is more likely a moderator will tell you to stop flaming. IDESpinner did a good job on this tutorial and you are kicking up a fuss about nothing.

I'm sure this isn't the approach that will get you promoted from trial...
Krozgen
Hey IDESpinner or anyone else who can help me out on this,

I wanted to test out this tut, so I decided to go with a (relatively) simple, common trojan; wollf 1.6.

So I download it, unrar, create my own server executable (newserver.exe, we'll call it), specify my port, pw, etc. etc.

UPX unpack it; it's now detectable by even McAfee (sad, no?)

Okay, so I follow the tut, make the newserver.exe writable, find my codecave, and I even encrypted parts of the .exe I didn't think needed it (I used 0x42 to xor the bytes above the entry pt [origin?], and 0x29 below that, just to be random, up to the code cave.) So now I upload it again, and I'm stuck; 4 AVs can still detect it! So I re-upx, not expecting this to do much, and correctly so, as all 4 can still detect it. Where should I go from here?

And btw, say I am to create my own trojan (as proof of concept) in C, where can I find an example of how to hook/tunnel/whatever it's called to grab onto a shell? Thanks, and I'm sure you'll have a great response.
Zalumaskov
Just to be on the safe side, you did run the XOR over your trojan once already, right?

You might wanna try expanding the starting and ending points of your packing.

If all else fails, permutation prevails (for undetectability, which is the main goal here)...

brainbuster
very good tutorial m8.
congratz
SyS49152
QUOTE(brainbuster @ Jan 25 2005, 03:16 PM)
very good tutorial m8.
congratz
*



Ahem dudes...
You didn't consider the obvious thing that in the real world this method
doesn't work very well...
The file will be found easily by any AV in MEMORY, even if not on the disk...
One thing is to submit a file to virusscan.jotti.org (disk scan), another is to check a running process (disk and memory scan).
Anyway nice tut
got style..
saetji
Well, if everyone's done with all the copyright crap on who owns/has modded dcmd, I had a SERIOUS question about the video tutorial.

If you look at time index 04:09 you see
CODE
004011F5     0090 90909090  ADD BYTE PTR DS:[EAX+90909090],DL


however at time index 05:02 this has disappeared.
I was wondering if anyone could explain this to me.

herman2k
QUOTE(saetji @ Jan 27 2005, 08:00 PM)
Well, if everyone's done with all the copyright crap on who owns/has modded dcmd, I had a SERIOUS question about the video tutorial.

If you look at time index 04:09 you see
CODE
004011F5     0090 90909090  ADD BYTE PTR DS:[EAX+90909090],DL


however at time index 05:02 this has disappeared.
I was wondering if anyone could explain this to me.
*


I've the same problem!
saetji
anyone?
jase_uk
hahaha

tbh I'm still not sure on this. It's a brilliant video, I just find it hard to follow.

Like one thing changes to another and it doesn't explain how it changed.

Like when the 6 F's are highlighted, then it just turns into 1 F command.

I dunno what they did there.
extreme
@saetji:

It explains your problem at 3:51
You probably didn't press F7 to run that command...

But what I haven't found an answer to is about section tables expanding, time=7:58.
It says, "click on the only section table, and edit it"
But one section exists only in simple trojans such as DCMD...
When I load some more advanced program into PE editor, I got like 10 sections, while in DCMD there is only ".h4x" section:
example of Assasin Trojan:

CODE
DATA
BSS
.idata
.tls
.rdata
.reloc
.rsrc

So which one of these sections should I choose to edit, and why???
saetji
Old thread, but I found I was being an idiot.

You only want to change the settings for the CODE section because that's the one you're editing.
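From the defender's side, the section-table edit the posts above argue about (the code section's flags changed so a decryptor can patch it in place) is one of the first things a PE triage script looks for. The following is an added example written for this thread; it is not code from the video tutorial or from any poster. It parses the DOS header, PE signature, COFF header and section table by hand and reports the layouts an analyst treats as packer indicators: a section that is both writable and executable, an entry point that lands inside a writable section, a single-section image, and a section name no normal linker emits. The `build_image` helper and both sample images are constructed for the demonstration (the `.h4x` name is the one extreme quotes from the tutorial); the `COMMON_NAMES` set is an illustrative assumption, not a complete list.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a conventional linker emits (assumption: illustrative, not exhaustive)
COMMON_NAMES = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                b".rsrc", b".reloc", b".tls", b"CODE", b"DATA", b"BSS"}

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF -> optional header -> section table.

    Returns (entry_point_rva, sections); each section is a dict of the fields we need.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header (PE32 and PE32+)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_FMT, data, table + i * struct.calcsize(SECTION_FMT))
        name, vsize, vaddr, rawsize, _rawptr, _, _, _, _, flags = fields
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "flags": flags})
    return entry_rva, sections


def triage(data):
    """Return human-readable findings about a suspicious section layout (empty if none)."""
    entry_rva, sections = parse_pe(data)
    findings = []
    if len(sections) == 1:
        findings.append("single section image")
    for s in sections:
        name = s["name"].decode("latin-1")
        f = s["flags"]
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name} is writable and executable")
        if s["name"] not in COMMON_NAMES:
            findings.append(f"unusual section name {name}")
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span and f & IMAGE_SCN_MEM_WRITE:
            findings.append(f"entry point 0x{entry_rva:x} lies in writable section {name}")
    return findings


def build_image(sections, entry_rva):
    """Assemble a header-only PE32 image for testing (constructed, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature right after the DOS header
    opt = bytearray(0xE0)                        # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, vsize, 0x400, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample: conventionally linked layout, entry in a read-only code section
CLEAN = build_image([(b".text", 0x1000, 0x2000, RX), (b".data", 0x3000, 0x1000, RW)], 0x1000)
# Constructed sample: one self-named section flagged RWX, entry point inside it
PACKED = build_image([(b".h4x", 0x1000, 0x3000, RX | IMAGE_SCN_MEM_WRITE)], 0x3500)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("packed", PACKED)):
        print(label, triage(img) or ["no findings"])
```

Running it prints no findings for the first image and four for the second. The same checks apply to a real file after `data = open(path, "rb").read()`; a hit is a reason to look closer, not a verdict, since self-modifying but legitimate code (JIT stubs, some installers) trips the RWX check too.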
extreme
Yeah, old thread, but really useful, as there is no similar method..
One problem though..
I tried encrypting bigger trojans, and I tried UPXing and encrypting the UPXed file..
And it all works flawlessly.. Code is changed etc., but when I go to virustotal.com, still at least 6 of the AVs recognise it...
How is that possible and is there anything I could do to correct this??
JonJon
Maybe you're using encrypting methods that are too simple so the AV decrypts them...
are you using known encrypting methods?

and the same about UPX , UPX is a very known packer to all AV companies... it's extremely easy for them to unpack it and see the real file...
extreme
Can you say or PM me some other way of encrypting, or some other function beside XOR??

P.S. I am using XOR encrypting method from this tutorial...
eftex
Hello cowboys,

I am very interested in this tutorial because I am interested in how things work, and modding a Morphine and making everything undetected is very boring. Would be well appreciated if somebody would do me the favor and repost it.
dont-staY
QUOTE(extreme @ May 28 2005, 05:47 PM)
Can you say or PM me some other way of encrypting, or some other function beside XOR??
*


There are many other ways to encrypt your file:

neg/neg
not/not
sub/add
add/sub

Certainly, you can combine multiple functions together, for example

crypter routine:
--------------------
not/neg/xor/sub

decrypter routine:
--------------------
add/xor/neg/not

Adding some trash bytes to the decrypter routine would also be good to make detection difficult.
extreme
What is the correct command to ADD something to the byte that is at [eax], because it is not the same as XOR????
Like for XORing it is:
XOR byte [eax], {key}
saetji
ADD EAX, 4 ?
dont-staY
QUOTE(extreme @ May 30 2005, 06:31 AM)
What is correct command to ADD something to byte that is at [eax] , cause it is not as same as XOR????
Like for XORing it is:
XOR byte [eax], {key}
*



add byte PTR [eax],004h
LittleHacker
Hey guys, I think I lost the tut.
Is it possible someone could upload it...
Freakazoid
He is right - I want it too

Would be great
KarachiKing555
Here is the tutorial!!

Pass = Pakistan

btw, anybody know or have a tutorial to edit/manipulate the Delphi source to trick the AVs?

Thx !
SupaSlick
um can you up it somewhere else? since on the board its only 197kb/s instead of six megs
sz0n
Yeah, can anybody host this tut somewhere?
I would appreciate it.
tibbar
QUOTE(SupaSlick @ May 31 2005, 11:52 PM)
um can you up it somewhere else? since on the board its only 197kb/s instead of six megs
*



Are you taking the piss or do you just want to increase your post count? The file is not exactly big!! By the time you wrote your post it would have downloaded a few times...
White Scorpion
QUOTE
Are you taking the piss or do you just want to increase your post count? The file is not exactly big!! By the time you wrote your post it would have downloaded a few times...
My thoughts exactly! It took me literally 4 seconds to download!

it can be downloaded from here as well if you want it...
lobas
There's some videos covering the same topic located at h**p://blackpapers.net
Invision Power Board © 2001-2005 Invision Power Services, Inc.