author | segfault <segfault@secmail.pro> | 2019-06-04 21:13:14 +0200 |
---|---|---|
committer | segfault <segfault@secmail.pro> | 2019-06-04 21:13:14 +0200 |
commit | 5032c0c407c2fbe5455ce51f84f1fac11c46eecc (patch) | |
tree | f8a044275728a37727b02509bf0fad75ca951e67 | |
parent | 954a7be6b2cfe22f854c60ad7ab872708d28a8de (diff) |
Signed-off-by: segfault <segfault@secmail.pro>
-rw-r--r-- | README | 5
-rw-r--r-- | TORUM.txt | 47
2 files changed, 52 insertions, 0 deletions
@@ -0,0 +1,5 @@ +This is the source related to a torum6uvof666pzw.onion tutorial. + +The torum tutorial can be accessed via: +http://torum6uvof666pzw.onion/viewtopic.php?f=34&t=4931 +or as backup via the included TORUM.txt diff --git a/TORUM.txt b/TORUM.txt new file mode 100644 index 0000000..e0f90a5 --- /dev/null +++ b/TORUM.txt 
@@ -0,0 +1,47 @@ +This is a small&simple tutoial due lack of time. + +The goal was to write a simple function based crypter +to complicate analysis of machine instructions. +Since the initial encryption is done at runtime, +it is not very effective against AV's at the moment. +But I'm sure you will solve this issue as !skid. ;) + +[b]Get the repo[/b]: +The source is located at Tochka's GIT service. +You can access it here: +[code]http://qxklmrhx7qkzais6.onion/segfault/Torum-Tutorial-02[/code] + +[b]Build it[/b]: +You will require a host-gcc, a i686-mingw-gcc or a x86_64-mingw-gcc +depending on your target system. +The source code should compile/run out of the box on Windows/Linux. +[code] +make # build the crypter with your host-gcc +make test # run the crypter +make full # build crypter with host-gcc, i686-mingw-gcc and x86_86-mingw-gcc and run all executables +[/code] + +[b]Run it[/b]: +You can run the examples either with e.g. +[code]make test[/code] +[code]make test WIN32=1 WIN64=1[/code] +or directly via e.g. 
+[code]./example_x86[/code] +[code]wine ./example_x86.exe[/code] + +[b]Function Crypter[/b]: +[list=] +[*] CRYPT_PROLOGUE places a marker and some metadata (beginning of a "suspicious" function) +[*] CRYPT_EPILOGUE places another different marker and a 8 byte pad (end of "suspicious" function) +[*] CRYPT_PROLOGUE and CRYPT_EPILOGUE places non-executable data in an executable section, so we need to use [code]asm volatile goto(...);[/code] ([b]gcc only[/b]) to jump after that data +[*] CRYPT_PROLOGUE metadata contains a XOR 64 bit key and an additional flag to check if the function is actually encrypted or not +[*] simple XOR 64 bit encryption (ECB) +[*] initial encryption is done at runtime with: [code]crypt_func((void *)func_ptr);[/code] (function gets used by CRYPT_PROLOGUE) +[*] real function body gets executed if and only if it can be decrypted, means that it has to be [b]successfully encrypted before[/b] +[/list] + +[b]Your task[/b]: +Implement an initial function crypter to encrypt "suspicious" functions before the binary is actually loaded into memory and executed e.g. by writing an additional external function crypter or use the current example binary to modify and encrypt itself. + +happy hacking +(*segfault) |
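Review bot: the README hunk (`+This is the source related to a torum6uvof666pzw.onion tutorial.`) names the tutorial but never says what the source is or how to build it, so a reader who clones the repo without reaching the forum post has to open TORUM.txt to learn that this is a gcc-only XOR function crypter and that `make`, `make test` and `make full` exist. Suggest adding a one-line summary and the three make targets (with the note that i686/x86_64 mingw-gcc are only needed for the Windows builds) to the README itself; keeping the onion link as the primary reference with TORUM.txt as the backup is fine, since the forum URL is the part most likely to go stale.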
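Review bot: in the TORUM.txt hunk the `make full` comment names `x86_86-mingw-gcc`, which contradicts the prerequisite line just above it (`+You will require a host-gcc, a i686-mingw-gcc or a x86_64-mingw-gcc`); fix the typo to x86_64 so both lines agree. The same Build section says the source "should compile/run out of the box on Windows/Linux" while the Function Crypter list states that `asm volatile goto(...)` is gcc only; say plainly that gcc (host and mingw) is required rather than hedging with "should". Two documentation gaps worth closing: the list says CRYPT_EPILOGUE places "a 8 byte pad" but not why (if it exists so that the 64 bit XOR blocks never read or write past the function end, say so), and the prologue flag is described as a check for "if the function is actually encrypted or not" without saying what `crypt_func((void *)func_ptr);` does when the flag is already set (refuse, or toggle back to plaintext); the "Your task" paragraph depends on that answer because an external crypter has to leave the flag in the state the runtime expects. Minor: "tutoial" and "due lack of time" in the first line, and "a 8 byte pad" should read "an 8 byte pad".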