rcrypt 1.3

Added functionality:
– breaks certain automated analysis engines
– added polymorphism to various other existing functionalities

If you don’t know what rcrypt is check out the original post

md5 sum: 80cc3105b0f035daa0cd19e85bc7c379
sha1 sum: 345fb729fcda1ef5bf004869abc1634092685718

download rcrypt

archive pw: 0xrage.com


Last time I posted about this topic I had planned to support tuxonice for suspend to RAM and disk. However since then I’ve decided to drop that aspect for two reasons.

1 TOI is way behind in terms of kernel versions

2 The default in kernel suspend to RAM/disk seems to work just fine

Instead of just continuing from the last post I wanted to create a new one that is hopefully a bit more clear. Again we will start at the part of the Gentoo handbook installation where we partition our disks.

Normally we’d create partitions for boot, swap, and root. Instead we will create two partitions. One for boot and the other for encrypted LVM. This LVM partition will use logical volume management to contain an arbitrary number of logical volumes which in our case will be used for swap and root.

Creating your encrypted partition

As before, using fdisk (or whatever partition tool you prefer) create two partitions.



sda1 above is set to bootable and is of filesystem type 83 (linux). sda2 is of the same filesystem type.

I normally use ext2 for my boot partition but you can use whatever you like.

mkfs.ext2 /dev/sda1

Now we will prepare our encrypted partition. Load the following modules if they aren’t already available.

modprobe dm-crypt
modprobe aes
modprobe sha256

Now format the partition with cryptsetup.

cryptsetup luksFormat /dev/sda2

Create your password and be sure to memorize it.

Now open the encrypted partition.

cryptsetup luksOpen /dev/sda2 main

Enter your password.

You will now have access to your partition in /dev/mapper/main. Keep in mind the name “main” was chosen randomly and is just the name of the file that will represent the unlocked partition. You can change it every time you unlock it if you want.

Now create the physical volume and volume group.

pvcreate /dev/mapper/main
vgcreate [vgname] /dev/mapper/main

Now we create two logical volumes in our new volume group [vgname].

lvcreate -L 1G -n swap [vgname]
lvcreate -L XG -n root [vgname]

Here I chose 1G for the swap partition size. X is the size of the space left over for the root partition. You can find the remaining space available with the following command.


If you look at the value for the field “PE Total” you will see how much space is available for allocation. Other fields can also be helpful too, such as “allocated” and “free”.

At this point you now have two logical volumes for swap and root respectively. You can now format them as you normally would. Here the volume group is named vg, so the volumes appear as /dev/vg/swap and /dev/vg/root.

mkswap /dev/vg/swap
mkfs.ext4 /dev/vg/root

At this point the rest of the gentoo handbook applies as normal. The exception is that you will need an initramfs to perform the unlocking of your encrypted partition. After you create your initramfs you will need to make sure to reference it in your grub config or whatever you use to bootstrap your OS installation.

Creating the initramfs

Now onto creating the minifilesystem loaded by the kernel first. This is necessary to decrypt your encrypted partition to allow the boot process to continue.

Create a directory to work under, as we’ll be creating a filesystem.

mkdir initramfs
cd initramfs

Now create the directories with the following.

mkdir -p bin lib dev etc mnt/root proc root sbin sys

Now copy the usual device nodes from your existing filesystem into the dev directory of your initramfs.

cp -a /dev/{null,console,tty,sda1,sda2} dev/

Feel free to copy other devices as needed. Also if your drive is not sdaX change it accordingly.

You will want to copy over various utilities that you might want to use as well. Just be sure they are compiled with the “static” USE flag, since any libraries the binaries depend on would otherwise also need to be copied. To avoid copying over huge chains of dependencies, compile the files you want statically so you won’t have to worry about this.

Since we are using cryptsetup and lvm we will need to copy our cryptsetup and lvm binaries (built statically) onto the filesystem.

Once you build them statically just copy them into the ./sbin directory.

It’s also typical to build busybox and add it to ./bin so feel free to customize.

The main part of the initramfs is the init script in the root of the initramfs. It is what gets executed immediately after the kernel boots; once the real root partition is decrypted, it hands control to the main init script on that partition.

Below is part of my initramfs init script. This is the minimum requirement to accomplish the decryption and booting we need.

#!/bin/sh
# mount proc and sys filesystems
mount -t proc none /proc
mount -t sysfs none /sys

# silence kernel messages while the passphrase is typed
echo 0 > /proc/sys/kernel/printk

# decrypt
/sbin/cryptsetup luksOpen /dev/sda2 main

# activate the logical volumes and create their nodes in /dev/mapper
/sbin/lvm vgscan --mknodes
/sbin/lvm lvchange -aly vg/swap
/sbin/lvm lvchange -aly vg/root

mount /dev/mapper/vg-root /mnt/root

umount /proc
umount /sys

# and we continue
exec switch_root /mnt/root /sbin/init

Save this into your init script.

chmod u+x init

Some of the things I put in here could use a bit of explanation.

The echo 0 disables kernel printk debug messages. I did this because these kernel messages come up a lot, even during typing of my password. I found it irritating so I disabled it during the initramfs process.

The cryptsetup line is pretty straightforward as it lets us unlock our encrypted partition. The following lvm lines are to enable our logical volumes and make the representative device nodes in /dev/mapper.

The final part is where the script hands off control to the decrypted init script on the root partition. Keep in mind that there is a space between the /mnt/root and /sbin/init.

Once you’ve created the filesystem to your needs you must build this mini filesystem into an initrd gzipped cpio type file to be included along with your kernel. To build the initramfs file you can issue the following command.

find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/my-initramfs.cpio.gz

Name your initramfs.cpio.gz file however you like and make sure to include it in your bootloader. For grub it would look something like the following.

title My Linux
root (hd0,0)
kernel /boot/my-kernel
initrd /boot/my-initramfs.cpio.gz

At this point you can reboot your system and test your setup. Your initramfs should load and allow you to enter your encrypted partition password. After that bootup should continue as usual. You can of course make your init script smarter by checking for a correct login or spawning a busybox shell if you need to. These options are left to you.
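As an added example, not the author’s script above, here is a fuller /init that does the two things the paragraph leaves to you: it retries the passphrase a few times and drops to a busybox rescue shell instead of hanging when unlocking or mounting fails. It assumes the layout used in this guide (/dev/sda2 is the LUKS container, the volume group is named vg) and that busybox supplies sh and switch_root in the initramfs.

```shell
#!/bin/sh
# Added example /init for the LUKS + LVM layout in this guide; not the
# author's script. Assumes /dev/sda2 is the LUKS container, the volume
# group is "vg", and busybox supplies sh and switch_root in the initramfs.
PATH="/sbin:/bin:/usr/sbin:/usr/bin${PATH:+:$PATH}"
CRYPTDEV="${CRYPTDEV:-/dev/sda2}"
MAPNAME="${MAPNAME:-main}"
VG="${VG:-vg}"
MAX_TRIES="${MAX_TRIES:-3}"

# Instead of hanging on a failure, say what went wrong and give the
# operator a busybox shell to fix things by hand.
rescue_shell() {
    echo "initramfs: $1"
    echo "Dropping to a rescue shell."
    exec sh
}

# Ask for the passphrase up to MAX_TRIES times. Returns 0 once the LUKS
# container is open, 1 when every attempt failed (cryptsetup exits
# non-zero on a wrong passphrase, which is what triggers the retry).
unlock_root() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        if cryptsetup luksOpen "$CRYPTDEV" "$MAPNAME"; then
            return 0
        fi
        echo "Unlock failed (attempt $tries of $MAX_TRIES)"
    done
    return 1
}

# Activate every LV in the group (this also creates the /dev/mapper nodes)
# and mount root read-only so the real init can fsck and remount it rw.
mount_root() {
    lvm vgscan --mknodes
    lvm vgchange -ay "$VG" || return 1
    mount -o ro "/dev/mapper/${VG}-root" /mnt/root
}

boot() {
    mount -t proc none /proc
    mount -t sysfs none /sys
    echo 0 > /proc/sys/kernel/printk   # quiet the console while typing
    unlock_root || rescue_shell "could not unlock $CRYPTDEV"
    mount_root  || rescue_shell "could not mount /dev/mapper/${VG}-root"
    umount /sys
    umount /proc
    exec switch_root /mnt/root /sbin/init
}

# Only run the boot sequence when this really is the initramfs init (PID 1).
if [ "$$" -eq 1 ]; then
    boot
fi
```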

LVM device nodes

Another thing you might want to do is add a startup script to be executed by your system during boot that will re-create the lvm device nodes as they will no longer exist when the initramfs is removed from memory after it is done. If you use swap your system won’t be able to find /dev/vg/swap since the node for it wouldn’t have been created. I’m not sure why lvm doesn’t automatically see this but I added a simple script to my /etc/local.d/ called 40_fixlvmnodes.start that has the following contents.


#!/bin/sh
echo "creating lvm nodes"
/sbin/lvm vgscan --mknodes

echo "enabling swap"
swapon /dev/vg/swap

Don’t forget to make this script executable too.

chmod u+x 40_fixlvmnodes.start

Be sure to update your /etc/fstab with your root and swap filesystems with the appropriate device paths. Mine looks like this.

/dev/vg/root / ext4 noatime 0 1
/dev/vg/swap none swap sw 0 0

Additional LVM usage

It is useful to become more familiar with lvm as it can be needed if you have to make any changes. For example when I did this on my new laptop I had created the root logical volume too small. It was using only 172G leaving over 500G unallocated! Using lvextend you can add unallocated space to a logical volume provided the physical volume can accommodate it.

lvextend -L+500G /dev/vg/root

Using lvextend I was able to use the full free space for my root partition as I had originally intended. The filesystem used for my root partition is ext4. In order for this already existing filesystem to see the available space I had to expand the filesystem as well.

I was able to do this, after resizing the logical volume above, with the following.

resize2fs /dev/mapper/vg-root

Keep in mind I did this from my livecd so the filesystem was not mounted during these operations. I’ve read that ext4 can be resized during runtime however I prefer not to chance potential filesystem corruption.

Once this was done I just rebooted and verified that my root partition was as large as it should be. All was good.

Final notes on full disk encryption

Other notes are that this is not entirely full disk encryption. The boot partition is obviously left unencrypted. If you truly want your entire disk to be encrypted you would have to perform the same operations but for all things involving the /boot partition you would use a USB drive of some kind. You will need this USB disk to boot your system. This offers more protection but managing a physical item is overkill for me. I just want to mention it in case someone is interested in doing this.

Now your root and swap partitions are fully encrypted at rest! Once your system is on, however, the disk is obviously unencrypted, so disk encryption is only really useful “at rest”. This means if you shut down your system your content is safe. However once you boot up your filesystem is available if you are, say, nabbed while your system is on. In addition to this your crypto key is in memory at a probably known location (cryptsetup/dm-crypt are open source after all). It’s unlikely you will be in a scenario where this matters as only feds and those with some fun tools can make use of this information. I just want to be complete with this article so you are more aware. Knowing the ins and outs of security is very important.

That said, enjoy!



rcrypt version 1.2 is now released!

rcrypt is a Windows PE binary crypter (a type of packer) that makes use of timelock techniques to cause a delay in execution. This delay can cause analysis to fail on time constrained systems such as on disk scanners. rcrypt can pack exes and dll files. PEs that use tls or other interesting features of the PE spec are not currently supported. I may add support for more spec features as time permits. In version 1.0 and 1.1 your funky active X and COM files will not work. If there is enough interest I will consider adding other features/support.

rcrypt features include:

encryption of all code/data

timelock puzzle

This is just a proof of concept tool to showcase the potential use of these techniques as well as potential shortcomings of various detection systems.

rcrypt is being released for educational purposes. I do not condone malicious or illegal use of this tool. Using this tool might also cause you to experience light headedness or fatigue. I also take no responsibility for any of these potential outcomes. Use your own discretion.

rcrypt 1.2

Minor re-addition of some internal functionality that was removed from versions 1.0 and 1.1 due to issues with windows xp/7 and 32/64 bit. Issues resolved and 1.2 is now out.

File MD5 sum: 1c0989a751038a49052a4e37f8879f43

File SHA1 sum: 4c22b51e466fd2516c68c94c2dd5f4dbf1bc395b

rcrypt v1.2 (File archive password: 0xrage.com)


rcrypt 1.1

Added in rcrypt version 1.1 is the optional switch -trick0. Read the readme for details.

File MD5 sum: 6c53c7d7dc6b342174b1eda13597c771

File SHA1 sum: 30f6fbf6c615269b6c894f7eec125a03c4cd5afd

rcrypt 1.1 (File archive password: 0xrage.com)


Hey guys. So after much speculation that most people won’t just run arbitrary binaries that require root (despite being signed etc) I’ve decided to release the source to sessionlist on github! I guess after deving for windows all these years I just assumed people just double click everything and select ok ;P

Anyway if you don’t know what sessionlist is see the post below. Feel free to use this tool as you see fit, and if you find bugs and feel like sharing I’d be grateful! I’m sure this tool can be improved upon so let those creative juices flow!

Github: https://github.com/iamrage/sessionlist



It’s been a little while huh. Well I’ve decided to release the finished v0.1 beta of my sessionlist tool.

A little about it and why I created it.

HTTP is a simple protocol, and many use it to create “program-like” websites. With asynchronous requests available in almost every browser (including mobile ones) it’s no surprise that many people create a zillion and one sites for almost any purpose. The underlying issue with HTTP is that it is stateless. How do you create the illusion of program state in a naturally stateless protocol? The correct answer is to create a new protocol that is designed for this purpose however that didn’t happen. Instead we have silly hacks that allow us to pretend to have state while using HTTP. How is this accomplished? Well, we pass variables and their values back and forth with every single request! It will cause overhead but they’re websites not real programs! To make this more manageable many web scripting languages support sessions which can reduce the overhead by storing a session id in browser cookies instead of all the variables/values and use the session id to look up server stored variable/values. Of course now all you need to facilitate authentication is the session id.

So if a website relies on cookies to store authentication details, be it via session id or other state information, a user can simply nab this information and present it as if they were the user and they should be authenticated as if they logged in with valid credentials.

Sessionlist v0.1 is a network sniffer that simply observes cookies sent over HTTP (via port 80 or user configured port via cmd line) and keeps track of them. It will save a list of sites and cookie data along with user-agent strings which should be sufficient to effectively spoof the user who generated the traffic. All you need is a plugin that allows you to set your own user agent and cookie data. I personally have found Firefox’s modify headers plugin to work perfectly but I’m sure others are fine as well. Using this tool to sniff traffic you can basically collect authentication data as it passes over the wire (or air). This will work on unencrypted HTTP traffic but if you’re familiar with SSL MITM attacks you can make this work on those sites as well. Generally for wireless sniffing you don’t need to perform any MITM attack but if you’re on a switched network then obviously a regular MITM attack will be needed. There are many tools that perform those functionalities so use your favorite.

As mentioned before this tool is a beta so there are bound to be bugs so please let me know as you find them so I can squash them and make this a better tool! I’ve included 32 and 64 bit builds. I may release this tool as open source sometime in the future.

The release archive is signed with my public pgp key which you can find on my about page. Click [here] for that. Once you’ve imported my public key simply run:

gpg [thefile.gpg]

If the signature is good then you’re set. If the signature fails then you are probably dealing with a tampered file (or you incorrectly imported my key somehow).

All feedback is appreciated and enjoy!


Released version 1.0 with MORE bug fixes and UI changes! Threading issues have been fixed as well!


Older versions:

(v0.2 changelog)

Released version 0.2 with minor bug fixes and a much better capture engine (removed idiotic threading crap; until another version pthread will remain linked).



Android malware is everywhere. If you want to quickly get listings of permissions used by APK files check out my scanperms program.

Here is an example output on a trojanized app called AndroidDogwar mentioned on this site: http://www.sleetherz.com/2011/08/beware-of-android-app-dog-war-trojan-horse-malware/

Found permission VIBRATE which has the following attribute:
Allows access to the vibrator

Found permission INTERNET which has the following attribute:
Allows applications to open network sockets.

Found permission ACCESS_COARSE_LOCATION which has the following attribute:
Allows an application to access coarse (e.g., Cell-ID, WiFi) location

Found permission READ_PHONE_STATE which has the following attribute:
Allows read only access to phone state.

Found permission SEND_SMS which has the following attribute:
Allows an application to send SMS messages.

Found permission WRITE_SMS which has the following attribute:
Allows an application to write SMS messages.

Found permission READ_CONTACTS which has the following attribute:
Allows an application to read the user’s contacts data.

Found permission RECEIVE_BOOT_COMPLETED which has the following attribute:
Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.


This app had been modified to send SMS messages to everyone on your contact list. Namely that you enjoy hurting small animals.

I find this useful for scanning directories full of APKs.
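As an added example, not the scanperms tool itself: a small script that lists the permissions in an apktool-decoded AndroidManifest.xml and flags the SEND_SMS plus READ_CONTACTS pairing the trojanized Dog Wars app used, over a directory of decoded apps. It assumes each app has already been decoded (apktool d app.apk) and builds a constructed sample manifest modelled on the permission list above.

```shell
#!/bin/sh
# Added example (not scanperms): list requested permissions from decoded
# manifests and flag the SMS + contacts combination described above.
# Assumption: apps were decoded with apktool into <dir>/<app>/AndroidManifest.xml.

# Print one permission name per line (the part after android.permission.).
list_perms() {
    sed -n 's/.*<uses-permission[^>]*android:name="android\.permission\.\([A-Z_]*\)".*/\1/p' "$1" | sort -u
}

# Return 0 when the manifest asks for both SEND_SMS and READ_CONTACTS,
# i.e. the app can message everyone in the address book.
flag_sms_contacts() {
    perms=$(list_perms "$1")
    printf '%s\n' "$perms" | grep -qx 'SEND_SMS' &&
    printf '%s\n' "$perms" | grep -qx 'READ_CONTACTS'
}

# Walk a directory of decoded apps and report the risky ones.
scan_dir() {
    for m in "$1"/*/AndroidManifest.xml; do
        [ -f "$m" ] || continue
        if flag_sms_contacts "$m"; then
            echo "RISK: $(dirname "$m") can send SMS to every contact"
        fi
    done
}

# Constructed sample manifest, modelled on the scanperms output above.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/dogwars"
cat > "$SAMPLE_DIR/dogwars/AndroidManifest.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dogwars">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
EOF
scan_dir "$SAMPLE_DIR"
```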

Note: new version v02b updated APKtool to 1.4.3

Note: new version adds fixes. Download the latest below.


md5: d41a4f57dd0833dc1612ebbf40e024fb



If you’re running a lightweight window manager then chances are you might also be interested in using a lightweight desktop manager as well.

x11-misc/slim is a super light desktop manager for running whatever WM you decide to go with, in my case evilwm. It comes with a variety of themes (available in package form via x11-themes/slim-themes) which are very nice.

Behold my Evangelion based theme, Nerv! Sexify your slim today!

Nerv Theme

To install and use the theme download and untar. You should have the directory nerv/ with three files. Move this directory into the themes directory (generally /usr/share/slim/themes). Now edit your /etc/slim.conf file and edit the following line:

current_theme nerv


nerv theme screen

Want to combine two avi files using mencoder? Well, below is how it’s done. The mencoder binary comes with mplayer 1rc.x. When using the fork, mplayer2, you no longer get this tool, which is a bit irritating. I will follow up when I get mplayer2 to provide this functionality. It is worth noting that mplayer2 has more functionality and fixes than the somewhat forgotten mplayer1. The only reason I have installed the older version on my machine is for mencoder.

mencoder -oac copy -ovc copy part1.avi part2.avi part3.avi -o combined.avi

-oac copy – encode with the following audio codec. Since we use copy as the parameter, the audio stream is copied unchanged from the source files.

-ovc copy – encode with the following video codec. Since we use copy as the parameter, the video stream is copied unchanged from the source files.

The files are parameters, and the -o switch means the output filename follows, in this case “combined.avi”.

Ok so this is something I keep having to re-setup every time I do something to my laptop that requires wiping the disk beforehand. So instead of figuring this out every time why not document it here and also share some information with whoever might also want to do the same?

Since I run Gentoo I’ll be using portage to emerge the necessary packages but this guide will work for any distro, so you’ll just have to use your own package manager (whatever that might be).



Your kernel must be able to support wireless extensions.


Another thing you will need is support for the various cryptographic routines used in wireless ciphers (and any other cipher that you might want to support as well).

Make sure AES, SHA, and whatever else you want are supported by your kernel. I prefer to build these in but you can modularize them as long as you make sure that these get loaded automatically or when you need them.


emerge -v net-dns/dnsmasq net-misc/dhcp net-wireless/hostapd

Once these packages are emerged you’ll need to configure at least dhcp and hostapd config files. These are located at:

/etc/dhcp/dhcpd.conf and /etc/hostapd/hostapd.conf respectively.

Sample dhcpd.conf:

default-lease-time 600;
max-lease-time 7200;
option routers;
option domain-name-servers,;

subnet netmask {
    pool {
        max-lease-time 600;
        option routers;
        option domain-name-servers,;
        allow unknown-clients;
    }
}

This sets up the default gateway and primary and secondary DNS servers to and gives a dhcpd server IP range from to


Sample hostapd.conf










Creates a wireless accesspoint using the now standard nl80211 drivers with an SSID of yourssid in wireless mode 80211G with channel set to auto. Note that for ME when I set a channel of anything besides 1 I got cryptic errors that were so useless that the author of hostapd should probably be questioned for being a sadist. I seriously had so many problems with creating this config due to shitty error messages I had to document this so I wouldn’t have to do that again. Another fun note is that when testing my config I used a wpa password of “test” which when trying to run caused the same useless error message. As it turns out the reason it failed was due to the wpa password being too short. It never tells you this of course unless you build this package with the debug flag on. Anyway at this point you should have a working wireless access point.

Enable dnsmasq and dhcpd services as well as hostapd. You will also have to enable iptables to forward packets to and from your interfaces if you are sharing wireless from a wired connection. Below is my iptables script:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

echo Done...

WPA for all!



tuxonice-sources 2.6.38-r2
hibernate-scripts 2.0
tuxonice_userui 1.0

One of the interesting configs needed for TOI when using an initramfs, which we will because of the encryption, is that you must enable

Otherwise when Linux boots up it will attempt to resume before the initramfs runs. This is undesirable since we are encrypting our filesystems, so it won’t find the resume file. This config basically tells it not to attempt the resume just yet. However, after the initramfs is done TOI will not resume on its own. It expects you to manually call the tuxonice /sys interface telling it exactly when it’s ok to resume. For our purposes we want to make this call in our initramfs after the user has successfully decrypted the filesystem.

What we use for encrypting our partition

dm-crypt – backend for our encrypted filesystem
cryptsetup – frontend for performing the initial formatting, opening and closing of encrypted filesystems.
lvm – the reason for using this in addition to our encrypted filesystem is to allow the swap partition to also be encrypted. Essentially we are using one encrypted partition which LVM will recognize, once decrypted, as two logical partitions, in our case swap and root. Using LVM you can have as many partitions as you’d like and they would all benefit from being encrypted as they are physically one partition.

Make sure that your kernel has either built in support or modules for dm-crypt. If the latter is used make sure the initramfs will load the modules you require. Personally for the Crypto APIs I build that all into the kernel for simplicity.

The initial setup of your Gentoo system is the same as the gentoo-handbook guide until the part where you are creating the filesystem partitions. Here we will deviate. Create two partitions. One for /boot and the other which will be our encrypted container partition. For our example these partitions will be /dev/sda1 and /dev/sda2.

modprobe the modules dm-crypt, aes, and sha256. At this point we can encrypt the /dev/sda2 partition.

cryptsetup luksFormat /dev/sda2
— here you can set up your password.

Now to open(decrypt) the partition just created.

cryptsetup luksOpen /dev/sda2 root — root in this case is the name of our luks device. Just make sure this is consistent.

LVM – here we will create the logical drives from our now accessible partition.

pvcreate /dev/mapper/root
vgcreate vg /dev/mapper/root

Now create the logical drives as you see fit. Here we will create two logical drives (partitions). One for root and one for swap.

lvcreate -L 40G -n root vg  — here vg is the volume group we created before and -L specifies the size of the partition. This is /
lvcreate -L 1G -n swap vg   — and this one is for swap.

Now we continue setting up our drives as normal according to the gentoo-handbook installation guide.

mke2fs -j -L root /dev/vg/root  — just note the device path is now a bit different due to LVM. They behave as any block device though.
mkswap -L swap /dev/vg/swap

After this part you continue the Gentoo installation as per the usual http://www.gentoo.org/doc/en/handbook/.

The next thing to note is that to properly boot up you will need an initramfs with cryptsetup and tools built statically and available on the initramfs itself. Also for tux on ice you will need to copy the tuxoniceui_text and or tuxoniceui_fbsplash as well. The details of configuring the initial ram fs will be detailed in Part 2 along with tux on ice configuration setup.


Part 2 – Creating the initramfs (Coming Soon)