tool

I’ve finally released rcrypt 1.5 via a newly launched website over at (http://rcrypt.0xrage.com). Not only is rcrypt 1.5 available there but some other classic packers as well! The purpose of this site is to allow users to play with various packers without having to mess around with the packer binaries themselves. Not everyone wants to run a random exe and feel safe afterwards. As for me, I triple click all exes especially from emails from people I’ve never spoken to before!

In anycase rcrypt 1.5 is available to all users of the website and as an added bonus I’ll be creating custom ones for users who are interested and making them available to them via the rcrypt web frontend website. This makes it easier for me and hopefully the user as well.

If anyone wants to contribute their own packers or just any packer please contact me and I’ll be happy to add it to the list! There are only a few currently in the system but as time goes on I will add support for more.

 

rcrypt 1.5

rcrypt 1.5

 

For users of the command line versions of rcrypt there have always been easter eggs built into the binary. Since noone has actually bothered to look I will simply share one of them now!

rcrypt.exe [your binary] -h4x

This of course works with the optional parameters as well.

Have fun!

Version 1.4 adds support for eof data. I hadn’t realized until someone commented but rcrypt destroyed any extraneous data which caused issues with any binaries that made use of this data. This has since been fixed!

MD5 Sum: 40fba75715011b13fd4521163151dbb9
SHA1 Sum: c95dc3708ba8ffafb37e21d5f12b635806fd4a00
Download: rcrypt 1.4

archive pw: 0xrage.com

This is a writeup I did about rcrypt a few months back in PDF format for those interested in how rcrypt works. In addition to some general information this writeup shows some reverse engineering analysis and a test case given a sample of known malware in the context of AV evasion. Fun for the whole family!

File: rcrypt writeup

MD5 Sum: 10c73cc7f922c7baea6d33c35180d19a

SHA1 Sum: c05775934ab46c69bb53164a7c3fca3d9ec75b15

 

 

rcrypt 1.3

Added functionality:
– breaks certain automated analysis engines
– added polymorphism to various other existing functionlities

If you don’t know what rcrypt is check out the original post

md5 sum: 80cc3105b0f035daa0cd19e85bc7c379
sha1 sum: 345fb729fcda1ef5bf004869abc1634092685718

download rcrypt

archive pw: 0xrage.com

rcrypt version 1.2 is now released!

rcrypt is a Windows PE binary crypter (a type of packer) that makes use of timelock techniques to cause a delay in execution. This delay can cause analysis to fail on time constrained systems such as on disk scanners. rcrypt can pack exes and dll files. PEs that use tls or other interesting features of the PE spec are not currently supported. I may add support for more spec features as time permits. In version 1.0 and 1.1 your funky active X and COM files will not work. If there is enough interest I will consider adding other features/support.

rcrypt features include:

encryption of all code/data

timelock puzzle

This is just a proof of concept tool to showcase the potential use of these techniques as well as potential shortcomings of various detection systems.

rcrypt is being released for educational purposes. I do not condone malicious or illegal use of this tool. Using this tool might also cause you to experience light headedness or fatigue. I also take no responsibility for any of these potential outcomes. Use your own discretion.

rcrypt 1.2

Minor re-addition of some internal functionality that was removed from versions 1.0 and 1.1 due to issues with windows xp/7 and 32/64 bit. Issues resolved and 1.2 is now out.

File MD5 sum: 1c0989a751038a49052a4e37f8879f43

File SHA1 sum: 4c22b51e466fd2516c68c94c2dd5f4dbf1bc395b

rcrypt v1.2 (File archive password: 0xrage.com)

 

rcrypt 1.1

Added in rcrypt version 1.1 is the optional switch -trick0. Read the readme for details.

File MD5 sum: 6c53c7d7dc6b342174b1eda13597c771

File SHA1 sum: 30f6fbf6c615269b6c894f7eec125a03c4cd5afd

rcrypt 1.1 (File archive password: 0xrage.com)

 

Hey guys. So after much speculation that most people won’t just run arbitrary binaries that require root (despite being signed etc) I’ve decided to release the source to sessionlist on github! I guess after deving for windows all these years I just assumed people just double click everything and select ok ;P

Anyway if you don’t know what sessionlist is see the post below. Feel free to use this tool as you see fit, and if you find bugs and feel like sharing I’d be grateful! I’m sure this tool can be improved upon so let those creative juices flow!

Github: https://github.com/iamrage/sessionlist

Enjoy!

 

Android malware is everywhere. If you want to quickly get listings of permissions used by APK files check out my scanperms program.

Here is an example output on a trojanized app called AndroidDogwar mentioned on this site: http://www.sleetherz.com/2011/08/beware-of-android-app-dog-war-trojan-horse-malware/

Found permission VIBRATE which has the following attribute:
Allows access to the vibrator

Found permission INTERNET which has the following attribute:
Allows applications to open network sockets.

Found permission ACCESS_COARSE_LOCATION which has the following attribute:
Allows an application to access coarse (e.g., Cell-ID, WiFi) location

Found permission READ_PHONE_STATE which has the following attribute:
Allows read only access to phone state.

Found permission SEND_SMS which has the following attribute:
Allows an application to send SMS messages.

Found permission WRITE_SMS which has the following attribute:
Allows an application to write SMS messages.

Found permission READ_CONTACTS which has the following attribute:
Allows an application to read the user’s contacts data.

Found permission RECEIVE_BOOT_COMPLETED which has the following attribute:
Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.

 

This app had been modified to send SMS messages to everyone on your contact list. Namely that you enjoy hurting small animals.

I find this useful for scanning directories full of APKs.

Note: new vesion v02b updated APKtool to 1.4.3

Note: new version adds fixes. Download the latest below.

scanperms02b.tar.gz

md5: d41a4f57dd0833dc1612ebbf40e024fb