packer

Happy [after] April Fools!

I was wondering how long I’d let my site be “defaced” but then decided the novelty wore off pretty quickly (especially since the layout looked even better! ha). It was enjoyable watching a crap load of people download the dumped source to rcrypt. If you compile and run it you’ll enjoy a nice lil surprise. If you didn’t do this already, well, you should have =]

Anyway if you want to check out the defaced site feel free to click [april fools].

There will be a new tool coming soon. I’ve been super swamped with work and find almost no time these days for my own personal projects which is a bit depressing. I will continue to code but my free time seems to be dwindling. I hope to have this next tool released sometime soon.

I’ve finally released rcrypt 1.5 via a newly launched website over at (http://rcrypt.0xrage.com). Not only is rcrypt 1.5 available there but some other classic packers as well! The purpose of this site is to allow users to play with various packers without having to mess around with the packer binaries themselves. Not everyone wants to run a random exe and feel safe afterwards. As for me, I triple click all exes especially from emails from people I’ve never spoken to before!

In any case rcrypt 1.5 is available to all users of the website and as an added bonus I’ll be creating custom ones for users who are interested and making them available to them via the rcrypt web frontend website. This makes it easier for me and hopefully the user as well.

If anyone wants to contribute their own packers or just any packer please contact me and I’ll be happy to add it to the list! There are only a few currently in the system but as time goes on I will add support for more.

rcrypt 1.5

For users of the command line versions of rcrypt there have always been easter eggs built into the binary. Since no one has actually bothered to look I will simply share one of them now!

rcrypt.exe [your binary] -h4x

This of course works with the optional parameters as well.

Have fun!

After making rcrypt public it almost immediately became detected. This is not surprising, as when something like this becomes more public it will also become detected. What’s important to realize is that rcrypt 1.4, being the current released version, is detected but the in-progress (fully functional) 1.5 remains undetected.

oh n0ez

Now does this mean I will rush out and release 1.5? Well not exactly. I want to make clear the types of detection there are and the kinds of things you can do about it. There seems to be no end to incorrect information and lack of understanding so I am hoping to address at least some of that now.

There are two primary methods of detecting binaries employed by AVs.

  • signature detection
  • dynamic detection

The first method is the oldest and least useful: it can only function by matching known static patterns in a binary. The second one, however, is far more powerful.

Signature detection is barely more technical than grepping for byte sequences. Perhaps more advanced types have some error tolerance, but otherwise this is trivially bypassed by slight modifications in code.
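To make the "grepping for byte sequences" point concrete from the detection-engineering side, here is an added example (not code from rcrypt or this site) contrasting an exact byte signature with a masked, YARA-style wildcard signature. The code fragment and both signatures are constructed stand-ins: a fixed signature that pins an immediate operand breaks when that operand changes, while a signature that wildcards the bytes a packer is free to vary and pins only the opcodes keeps matching.

```python
from __future__ import annotations

# Constructed stand-in for a small x86 code fragment with an embedded
# 32-bit immediate (not bytes taken from rcrypt or any real binary).
ORIGINAL = bytes.fromhex("558bec83ec10b8deadbeef8945fc")
# Same fragment after a "slight modification": only the immediate differs.
MODIFIED = bytes.fromhex("558bec83ec10b8cafebabe8945fc")


def exact_signature_hits(data: bytes, sig: bytes) -> list[int]:
    """Offsets where `sig` appears verbatim in `data` (plain byte grep)."""
    hits, start = [], 0
    while (idx := data.find(sig, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def parse_wildcard_signature(text: str) -> list[int | None]:
    """Parse a YARA-style hex string like 'b8 ?? ?? ?? ?? 89 45 fc'.

    Each token is a byte value, or '??' meaning "match any byte".
    """
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def wildcard_signature_hits(data: bytes, pattern: list[int | None]) -> list[int]:
    """Offsets where `pattern` matches `data`, with None as a wildcard."""
    n = len(pattern)
    return [
        i for i in range(len(data) - n + 1)
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern))
    ]


# Exact signature covering the immediate: brittle against operand changes.
EXACT_SIG = bytes.fromhex("b8deadbeef8945fc")
# Masked signature: pin the opcodes, wildcard the 4-byte immediate.
MASKED_SIG = parse_wildcard_signature("b8 ?? ?? ?? ?? 89 45 fc")


def compare(data: bytes) -> dict[str, bool]:
    """Report whether each signature style fires on `data`."""
    return {
        "exact": bool(exact_signature_hits(data, EXACT_SIG)),
        "masked": bool(wildcard_signature_hits(data, MASKED_SIG)),
    }


if __name__ == "__main__":
    print("original:", compare(ORIGINAL))  # both signatures fire
    print("modified:", compare(MODIFIED))  # only the masked signature fires
```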

Dynamic detection completely defeats code modification because this form of detection simply executes binaries in a sandbox and observes behavior. This is the important part that I think people don’t seem to understand.

When people try to evade AVs I see techniques employed such as:

  • leetsauce METASM ninja
  • leetsauce polymorphic stuff
  • and more recently leetsauce shellcode injection into random PEs

These techniques are ALL excellent, however they all bypass signature detection ONLY. They are absolutely useless against sandbox analysis. Any time I read somewhere techniques for making msf payloads or random other payloads undetected I see people talk about projects that will, in a nutshell, modify their shellcode in some way.

I’m not knocking any of these techniques as they are all interesting and do something cool. However they don’t address the goal of evading the two main AV detection mechanisms. Another thing I’ve noticed, and I could be wrong, is that these techniques and tools don’t work on binaries at all. They only work on shellcode. This, for me, is useless.

The aim of rcrypt is to show how sandbox analysis can be defeated by, in this case, timing out the analysis engine. So how, you ask, is 1.4 detected? Seeing as how it completely defeats the strongest method of detection, sandbox analysis, it means that the detection is merely a signature match. Which means changing 1 or 2 bytes is all that’s necessary to evade this weak detection (nice job KAV). The fact that 1.5 without any changes defeats this shows that the detection is quite weak and trivial to evade.

I won’t go into just how to perform these modifications as I trust that if you understand you can perform these modifications yourself. The fact is that rcrypt has, as of now, completely defeated the strong detection option and evading trivial signature matches is simply a function of swapping bytes around.

Version 1.4 adds support for EOF data. I hadn’t realized until someone commented but rcrypt destroyed any extraneous data, which caused issues with any binaries that made use of this data. This has since been fixed!

MD5 Sum: 40fba75715011b13fd4521163151dbb9
SHA1 Sum: c95dc3708ba8ffafb37e21d5f12b635806fd4a00
Download: rcrypt 1.4

archive pw: 0xrage.com

This is a writeup I did about rcrypt a few months back in PDF format for those interested in how rcrypt works. In addition to some general information this writeup shows some reverse engineering analysis and a test case given a sample of known malware in the context of AV evasion. Fun for the whole family!

File: rcrypt writeup

MD5 Sum: 10c73cc7f922c7baea6d33c35180d19a

SHA1 Sum: c05775934ab46c69bb53164a7c3fca3d9ec75b15


rcrypt 1.3

Added functionality:
– breaks certain automated analysis engines
– added polymorphism to various other existing functionalities

If you don’t know what rcrypt is check out the original post.

md5 sum: 80cc3105b0f035daa0cd19e85bc7c379
sha1 sum: 345fb729fcda1ef5bf004869abc1634092685718

download rcrypt

archive pw: 0xrage.com

rcrypt version 1.2 is now released!

rcrypt is a Windows PE binary crypter (a type of packer) that makes use of timelock techniques to cause a delay in execution. This delay can cause analysis to fail on time-constrained systems such as on-disk scanners. rcrypt can pack EXE and DLL files. PEs that use TLS or other interesting features of the PE spec are not currently supported. I may add support for more spec features as time permits. In versions 1.0 and 1.1 your funky ActiveX and COM files will not work. If there is enough interest I will consider adding other features/support.

rcrypt features include:

  • encryption of all code/data
  • timelock puzzle

This is just a proof of concept tool to showcase the potential use of these techniques as well as potential shortcomings of various detection systems.

rcrypt is being released for educational purposes. I do not condone malicious or illegal use of this tool. Using this tool might also cause you to experience light headedness or fatigue. I also take no responsibility for any of these potential outcomes. Use your own discretion.

rcrypt 1.2

Minor re-addition of some internal functionality that was removed from versions 1.0 and 1.1 due to issues with Windows XP/7 and 32/64 bit. Issues resolved and 1.2 is now out.

File MD5 sum: 1c0989a751038a49052a4e37f8879f43

File SHA1 sum: 4c22b51e466fd2516c68c94c2dd5f4dbf1bc395b

rcrypt v1.2 (File archive password: 0xrage.com)


rcrypt 1.1

Added in rcrypt version 1.1 is the optional switch -trick0. Read the readme for details.

File MD5 sum: 6c53c7d7dc6b342174b1eda13597c771

File SHA1 sum: 30f6fbf6c615269b6c894f7eec125a03c4cd5afd

rcrypt 1.1 (File archive password: 0xrage.com)