Full Version: Has Anyone Found A Packer...
I would like to modify Morphine, to make it and its routine undetected by AV scanners. Can you tell me which scanner detected it?
Modding Morphine is (filtered) though, and is certainly not easy.
About Armadillo, nice tip. If I'm not mistaken, common programs and games use that protection as well. I think it's definitely something to look into.
That's not a problem, I just need the name of the AV scanner that detected the Morphine routine to work ^^
I don't use software if I don't have access to the source ^^
Hmm... I hope you don't mess up the unpacking routine. You'll probably need to mod both the packer and the unpacker part.
You don't play games?
Yes, Armadillo is really nice and has hidden a lot of stuff from AV. The only problem with it is that only about 50% of the crypted executables work as stably as they did before. Morphine was far better.
Don't worry ^^ And no, I don't play games (well, KSokoban from time to time ^^, but I have the sources ;p)
You cannot mod Morphine, since AVs delete every file where the crypting algorithm is found.
You would need to recode it all over, and only take Morphine as a "that's the way it works" example.
/edit
Double post. You asked which AVs delete Morphine-packed files? KAV, McAfee, Norton; not sure about the others.
KAV doesn't detect a Morphined exe as a virus, but it can unpack it and, of course, see if it's really a virus.
I'm talking about AV software that detects the decryption routine of Morphine (which needs to be modified) as a virus (even if the packed file is not dangerous). I'll try McAfee.
KAV deleted my files and said: Morphine*bla. Will have to recheck. However, I still think you don't really know what you're talking about when you say you'll modify the routine. What do you think, 2 bytes here and there will do the trick? You need to rewrite it; at least this is what HF said, and I guess he knows what he is talking about.
Perhaps you have packed a real virus or something like that.
I've just tested and KAV says that my file is packed with Morphine12, but no virus found. However, how do you know I don't know what I'm talking about ^^? I always mod my UPXed files "by hand ^^"; neither KAV nor PEiD sees that it's packed anymore. My problem is that it's still easy to see "by hand" that it's UPX packed, and so to dump the compressed PE file. Morphine is interesting because it crypts the entire EP and IMPORT section. Anyway, let's try ^^, it's my time that I waste.
A method I tested working for both antivirus Norton & VirusScan Enterprise is the splitting method. It's a bit long, but you can find the detected signature.
The method is to sort out, of the ~100 files (your .exe split up), the 1 file that is detected & the previous file that is not detected. Then repeat the split & file-sorting process to finally be able to find the detected sig at 10 bytes. The bad part is that you have to do it for each AV on each file you want to "patch". Not tested on KAV, but it should work. UKsplitter is the tool to split; search the net if you want a better text about this, I know my English sucks. Bye.
//EDIT: If you search about this method, eXeco said "do not do that on a packed exe!". That's wrong: I tested with a Serv-U packed with ASPack (681 KB), found the signature detected by VirusScan Enterprise (it was a 00 to change to FF), and now it is no longer detected.
QUOTE(101 @ May 25 2004, 12:32 AM) A method I tested working for both antivirus Norton & VirusScan Enterprise is the splitting method. [...]
Really true? I also have done that. I split a trojan into two parts with a hex editor and checked with McAfee; it showed me that no virus was found. So how do I find the signature?
UPX + Yoda's Crypter 1.2, but now it is detected only by KAV.
Yoda 1.2 is open source (asm, C++); change some lines to make your trojan undetectable ;-)
OK OK, this is ridiculous..... I have posted more than once tuts on HEXING your trojans. It's not that hard, it just takes time... And with some of the new tools out (DON'T ASK ME WHICH, READ MY POSTS AND YOU'LL FIND THEM!) it isn't very much time. As for someone sending your hexed server to AV, well, just change one more letter or number in the signature and voilà! Undetectable once again... There are SOOOOO many variations that you could enter that AV couldn't possibly include them all. I think the mods should close this thread as it is useless. Maybe make the various posts on making trojans and viruses undetectable stickies.... Packing, scrambling, encrypting are all viable methods as well; they just don't work as long... I end in saying, STFU n00b, and also read my sig. Thanks for listening.
-Eyeless Master
Making files undetected by antivirus is easy, and no, you don't need VB.NET.
If you know real VB, you know how to use the native DLLs and OCXs from the operating system, and the program won't be very big. Yes, UPX + a modded Yoda's Crypter is undetected by Kaspersky and F-Secure; I tested it myself. Good luck with your program.
I think somebody else mentioned it, but using Software-Passport/Armadillo works and always will since it is a commercial program to protect files from being cracked.
Just a few clicks and it's done, way more efficient than hexing.
MoleBox, ASPack, MEW2 and Morphine: try various combinations of packing order as well. Remember ASPack can be used more than once, but it can corrupt certain exes while others just get larger... KAV can be beaten.
http://virusscan.jotti.dhs.org/ is a decent spot to test the resulting exes.
Write your own packer and keep it private; it will always work.
QUOTE Method is to sort out of the ~100 files (your .exe splitted), 1 file detected & the previous file non detected. [...]
Does that method still work? I wrote a tutorial on that ages ago; I think I still have it on my computer. Does anyone want me to post it? I stopped distributing it after I thought that method no longer worked.
QUOTE http://virusscan.jotti.dhs.org/ decent spot to test the outcome exes
Not if you have to upload the exes. Always remember some AV sites set up shit like that so they can get undetected binders and stuff.
QUOTE(lacedmemory @ Nov 20 2004, 10:43 PM) I think somebody else mentioned it, but using Software-Passport/Armadillo works and always will since it is a commercial program to protect files from being cracked. Just a few clicks and it's done, way more efficient than hexing.
You are right on both parts. Somebody said it before, but I forget who it was. Yorn, I think. And using Software-Passport/Armadillo works, even after the exe is exed. It works on everything I have tried, for now anyway.
kent
Armadillo does not stay undetected from KAV, stop saying it does.
QUOTE(aelphaeis_mangarae @ Nov 22 2004, 06:19 AM) Does that method still work? I wrote a tutorial on that ages ago, I think I still have it on my computer... does anyone want me to post it? [...]
Yes please.
QUOTE(101 @ May 24 2004, 04:32 PM) Method is to sort out of the ~100 files (your .exe splitted), 1 file detected & the previous file non detected. [...]
In German... http://mitglied.lycos.de/varnafun2002/show...d=255&Bereich=8
This is really pointless. Either code your own or use program encryption programs such as Armadillo and PC Guard. I have tested PC Guard and it works on all the AVs I have come across. (Haven't tested on KAV.)
CODE
PC Guard For Win32 Mini Tut - Makes Unpacked/Packed EXE Undetectable
Open PC Guard
Next to Application Signature click Browse
Select your .exe
Click GENERAL under the PROTECTION OPTIONS tab
UNCHECK Show Warning Messages
CHECK Enable anti-dumping protection
CHECK Virtual Machine Detection
Click CUSTOMIZATION
UNCHECK ALL TICKS
Under the PROTECTION METHODS tab click PLAIN
CLICK PROTECT
** DONE **
Upload to virustotal.com to check if undetectable...
This is not my tutorial, nor do I claim to have taken any part in writing it.
-toe
QUOTE(toe @ Apr 2 2005, 06:24 AM) This is really pointless. Either code your own or use program encryption programs such as Armadillo and PC Guard. [...]
I've tried it, to make my rbot undetected, but the exe crashes :/
Hmm... posted by crafty, and at least it had beaten NOD32.
Looks like there's still no way.
Using PC Guard works for me; try a different trojan. I tried it with minimo and it worked fine.
-toe
Yep... that's one thing with PC Guard... it crashes the exe sometimes... so I have to test the file after each packing.
QUOTE(SkullSplitter @ Apr 2 2005, 08:04 PM) I've tried it, to make my rbot undetected, but the exe crashes :/
A lot of exe files get corrupted (or so it seems
About making the Morphine stub undetected, you have the source code. Add some NOP bytes, randomize the code.
Second, learn to code. Nothing will be difficult. There is no such thing as a 'FREE' Meal!
I'd like to thank the author of that guide. I've been trying for ages to make an exe pass Kaspersky with all the different tools, from UPX, Morphine, MoleBox, ASPack, and none of them worked, nor their combinations. However, as the guy says, taking WinHex and your exe you can identify the virus signature that the antivirus program detects. I initially tried to break my exe in two as the guide said. However, neither part was detected, so I knew this was wrong unless of course I cut in the place of the antivirus signature, which would have been one hell of a lucky stroke! So instead what I did was I started from the bottom of the file upwards and deleted chunks until Kaspersky didn't see it any more. Then I went back just as he says and started deleting line by line till I got the line it was on, then simply deleted 2-char blocks till I found the block responsible for the signature. You would be surprised, it didn't actually take that long. Next was changing the code; some changes broke the prog, so I either made subtle changes from 0 to 1 or moved the changes downstream/upstream, and this worked. Note that in the case of my RAT I found two AV signatures. Interestingly, I compared 3 different antivirus engines, NOD, Kaspersky and McAfee, and each of them has different tags for the RAT. So be careful when hexing the RAT, as you may get it past one detector but another may have a different signature.
I'm glad to see my PC Guard tutorial is still being used.
Don't forget to try the DOS version of PC Guard if your trojan becomes wrecked.
The reason why most of the packers screw up your EXE is because this option is turned on:
"strip_overlays = 1". But that is what makes the trojan easily detected anyway...
Okay... I coded a stupid crypter (a long time back), but it did the job! The idea was to encrypt the file in Base64. In the stub, add a decrypter. No MZ signatures, no bullshit. If you must, you can use other encryption methods; create a new one of your own just to be on the safe side. I did it in Base64 due to my limited programming capabilities at that time.
The stub was in VC++, which added about 2.5 KB to the file size.
I wrote a crypter for ASPack'ed files and called it AsCrypt. It is written in C++. Some parts of the code I've taken from UPolyX.
It crypts the stub and modifies the section names so AVs don't recognise files crypted with AsCrypt as ASPack'ed files. Maybe I will release it to the public.
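The post above renames the ASPack sections, and an earlier post describes editing a UPX'ed file "by hand" so that PEiD and KAV no longer see it as packed. Both tricks only defeat a check that keys on the packer's default section names. The following is an added example, not code from this thread or from any of the packers or scanners it names: a stdlib-only Python checker that parses the PE section table and reports three independent packer signals (a known section name, a high-entropy section, and an entry point sitting in a section that is both writable and executable). It builds its own constructed PE images in memory, so it runs offline; the section-name table and the entropy threshold of 7.0 bits per byte are assumptions a practitioner would tune.

```python
"""Packer heuristics for PE files: default section names versus per-section entropy.
Added example (stdlib only); not code from this thread or from any tool it names."""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Default section names left behind by the packers the thread mentions (assumption:
# extend for others). Renaming the sections defeats this table; it does not lower entropy.
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack", b".adata": "ASPack"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_* characteristics


class Section(NamedTuple):
    name: bytes
    va: int
    vsize: int
    raw: bytes
    chars: int


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; compressed or encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(pe: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections) from a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)  # NumberOfSections, SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]      # optional header offset 16
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, pe_off + 24 + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0"), va, vsize, pe[rawptr:rawptr + rawsize], chars))
    return entry, sections


def packer_findings(pe: bytes, threshold: float = 7.0) -> List[str]:
    """Three independent signals: a known packer section name, a high-entropy section,
    and an entry point inside a section that is both writable and executable."""
    entry, sections = parse_pe(pe)
    findings = []
    for s in sections:
        if s.name in PACKER_SECTION_NAMES:
            findings.append(f"{s.name!r} is a default {PACKER_SECTION_NAMES[s.name]} section name")
        ent = shannon_entropy(s.raw)
        if len(s.raw) >= 256 and ent >= threshold:
            findings.append(f"{s.name!r} entropy {ent:.2f} >= {threshold}")
        in_section = s.va <= entry < s.va + max(s.vsize, len(s.raw))
        if in_section and s.chars & SCN_MEM_WRITE and s.chars & SCN_MEM_EXECUTE:
            findings.append(f"entry point 0x{entry:x} is inside writable+executable {s.name!r}")
    return findings


def build_sample_pe(sections: List[Tuple[bytes, int, bytes]], entry_rva: int) -> bytes:
    """Constructed minimal PE32 image for exercising the parser; it is not a runnable program.
    sections: (name, characteristics, raw bytes); sections are laid out from RVA 0x1000 upward."""
    opt_size, align = 224, 0x200
    hdr_len = (0x40 + 24 + opt_size + 40 * len(sections) + align - 1) & ~(align - 1)
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry_rva)   # PE32 magic, AddressOfEntryPoint
    table, body, raw_ptr, va = b"", b"", hdr_len, 0x1000
    for name, chars, raw in sections:
        raw_len = (len(raw) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), va, raw_len, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_len, b"\0")
        raw_ptr += raw_len
        va += max((len(raw) + 0xFFF) & ~0xFFF, 0x1000)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head.ljust(hdr_len, b"\0") + body


def demo() -> Dict[str, List[str]]:
    """Constructed inputs: a UPX-style layout, the same layout with the section names
    edited by hand (as described in the thread), and a plain unpacked layout."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
    code = b"\x55\x8b\xec" + b"\x90" * 500 + b"\xc3"                          # low entropy
    rwx_bss, rwx_data, rx_code, rw_data = 0xE0000080, 0xE0000040, 0x60000020, 0xC0000040
    return {
        "upx_names": packer_findings(build_sample_pe([(b"UPX0", rwx_bss, b""), (b"UPX1", rwx_data, blob)], 0x2000)),
        "upx_renamed": packer_findings(build_sample_pe([(b".text", rwx_bss, b""), (b".data", rwx_data, blob)], 0x2000)),
        "unpacked": packer_findings(build_sample_pe([(b".text", rx_code, code), (b".data", rw_data, b"hello\0" * 80)], 0x1000)),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits or ["no packer indicators"])
```

On a real file, `packer_findings(open(path, "rb").read())` gives the same list. The renamed sample loses the name hits but keeps the entropy and entry-point hits, which is the point: a scanner that only recognises "UPX0"/".aspack" is fooled by a hex editor, while one that looks at what the sections contain and where execution starts is not.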
Very interesting... I guess the point of your post was just to tease us, eh?
If on the other hand you are releasing it to a select few, I would be interested in a copy...
QUOTE(dont-staY @ May 29 2005, 08:56 AM) I wrote a crypter for ASPack'ed files and called it AsCrypt. [...] Maybe I will release it to the public.
I'm sooooo jealous.
Is it possible to get the crypter??? Would be cool.
I've heard about packers that extract the packed file directly into RAM, so the source file is undetected by AVs.
A better option is to download a new 'server' file every time the server is rebooted.
Some tool by Aphex does it... you can also code a similar one so that it stays undetected! After being executed -> HTTP/FTP, it should just execute the file. On reboot, if the same file name exists, delete it & download a new copy. The best part about this technique is that if your 'server' is detected & removed, tomorrow it will not be, because you might've placed an updated 'server'!