R0 CREW

PE-Crypt

Нашел исходник криптора, довольно таки популярный в сети, но автор неизвестен.

https://gist.github.com/ximerus/bf148801978087574e2a

#pragma comment(linker, "/OPT:NOREF") // this tells the linker to keep the machine code of unreferenced source code
#pragma optimize("", off) // disable all optimizations in order for our stub to run smootly, though im not sure if it really helps, i just saw some guy doing it this way lolz <span class="wp-smiley emoji emoji-smile" title=":)">:)</span>
 
#include <windows.h> // familiar?
#include <stdio.h> // i wonder what this might be, hmm...
 
// gets the first sections header offset
#define SECHDROFFSET(a) ((LPVOID) ( (LPBYTE) a           + \
                        ((PIMAGE_DOS_HEADER)a)->e_lfanew + \
                        sizeof(IMAGE_NT_HEADERS)))
 
// those are the offsets to the
#define OEP_o 21 // original entry point
#define SEG_o 11 // virtual address of section
#define BSZ_o 1  // block size, must be a multiple of 8
#define  SZ_o 6  // section size, must be a multiple of the chosen block size
                 // values in the stub
 
// a simple block xor
// every byte in the given block is XOR'ed with its index
void _xor_block(unsigned char *pblock, unsigned int blocksize)
{
    unsigned int i;
 
    for(i = 0; i < blocksize; i++)
        pblock[i] ^= i;
 
    return;
}
 
// just a wrapper around the above function
int _xor_chunk(unsigned char* pchunk, unsigned long chunksize, unsigned int blocksize)
{
    if(chunksize % blocksize || blocksize % 8)
        return -1;
 
    unsigned long index = 0;
 
    while(index < chunksize)
    {
        _xor_block(pchunk + index, blocksize);
        index += blocksize;
    }
 
    return 0;
}
 
// this is our stub and the new entry point for the encrypted PE
__declspec(naked) void __stdcall _stub(void)
{
    __asm
    {
        push 0xFEFEFEFE //blocksize
        push 0xFDFDFDFD //chunksize
        push 0xFCFCFCFC //pchunk
 
        call _xor_chunk //decrypt
 
        mov eax, 0x7FFFFFFF //oep
        jmp eax //go go
    }
}
 
// a placeholder, used for stub size calculation
__declspec(naked) int _end(void)
{
    __asm ret 8
}
 
// so basicly the ASM code of the above 3 (w/o _end) functions will be added to the end of the ".text" section
// after updating the proper values in the stub, ofc
// then the PE header is updated along with the section header
// and with the entry point at _stub's code its all done! wow that was easy oO
 
// GO GO POWER RANGERS!!!
int main(void)
{
    // im not going to lecture you about those, if you are not familiar with these structures, you should go read about PE format...
    PIMAGE_DOS_HEADER     pDosH;
    PIMAGE_NT_HEADERS     pNtH;
    PIMAGE_SECTION_HEADER pSecH;
 
    // variables
    HANDLE hFile;
 
    DWORD  dwFileSize, dwSectionSize, dwStubSize,
           dwVSize, dwOldProt, dwSpot, dwGap, bytes;
 
    LPBYTE FileBuffer, SectionBuffer;
    CHAR FileName[MAX_PATH];
 
    // get the filename to encrypt
    printf("File to encrypt: ");
    scanf("%s", &FileName);
 
    // open it and get the size
    hFile = CreateFile(FileName, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0);
    dwFileSize = GetFileSize(hFile, 0);
 
    // load in memory
    FileBuffer = (LPBYTE) malloc(dwFileSize);
    ReadFile(hFile, FileBuffer, dwFileSize, &bytes, 0);
 
    pDosH = (PIMAGE_DOS_HEADER) FileBuffer;
 
    // check if it is valid PE, i would say that this is merely a proper check, for a proper one you would need to calculate all the RVA's and see if they are valid
    if(pDosH->e_magic != IMAGE_DOS_SIGNATURE)
        return -1;
https://github.com/jozemberi/PE-Crypter
 
    pNtH = (PIMAGE_NT_HEADERS) (FileBuffer + pDosH->e_lfanew);
 
    if(pNtH->Signature != IMAGE_NT_SIGNATURE)
        return -2;
 
    pSecH = (PIMAGE_SECTION_HEADER) SECHDROFFSET(FileBuffer);
 
    while(memcmp(pSecH->Name, ".text", 5)) // get the ".text" section header
        pSecH++;
 
    dwVSize          = pSecH->Misc.VirtualSize; // the virtual size of the section, later this will be used as chunksize in our stub, after proper alignment
    dwSectionSize    = pSecH->SizeOfRawData; // speaks for itself
    dwStubSize       = (DWORD) _end - (DWORD) _xor_block; // the stubsize, in bytes
 
    SectionBuffer = (LPBYTE) malloc(dwSectionSize); // allocate memory enough to hold our raw section data
    memcpy(SectionBuffer, FileBuffer + pSecH->PointerToRawData, dwSectionSize); // ... copy the data
 
    _xor_chunk(SectionBuffer, dwSectionSize, 256); // aaand encrypt it! you can use different block sizes here - 8, 16, 32, 64, 128, 256, 512...
    memset(SectionBuffer + pSecH->Misc.VirtualSize, 0, (dwSectionSize - pSecH->Misc.VirtualSize)); // fill with zeros after the end of actual data
 
    dwSpot = pSecH->Misc.VirtualSize; // this will be the offset (relative to the beginning of the section) where we will place our stub
 
    while(dwSpot % 16) // align it to 16 byte boundary
        dwSpot++;
 
    dwSpot += 256; // this is in order to prevent the stub from corruption by overwriting its own code, since we will place it after the end of the section data
    dwGap   = dwSpot - pSecH->Misc.VirtualSize; // the gap between our stub and the end of the data
 
    DWORD oep = pNtH->OptionalHeader.AddressOfEntryPoint + pNtH->OptionalHeader.ImageBase; // the original entry point, this is a linear address
    DWORD seg = pSecH->VirtualAddress + pNtH->OptionalHeader.ImageBase; // the section address, you guessed right, this too is a linear one
    DWORD bsz = 256; // you know what this is
 
    while(dwVSize % bsz) // we need to align it to block size
        dwVSize++;
 
    VirtualProtect(_xor_block, dwStubSize, PAGE_EXECUTE_READWRITE, &dwOldProt); // to be able to update the stub...
 
    // and update it, blah, blah, blah...
    memcpy((void *)((unsigned long) _stub + OEP_o), &oep, 4);
    memcpy((void *)((unsigned long) _stub + SEG_o), &seg, 4);
    memcpy((void *)((unsigned long) _stub + BSZ_o), &bsz, 4);
    memcpy((void *)((unsigned long) _stub +  SZ_o), &dwVSize, 4);
 
    memcpy(SectionBuffer + dwSpot, _xor_block, dwStubSize); // place the damn thing already!
 
    pSecH->Characteristics                        = 0xE0000060; // R/W/E, executable code, initialized data. although my experience shows that you are just fine with R/W...
    pSecH->Misc.VirtualSize                      += dwStubSize + dwGap; // update the virtual size of the section
    pNtH->OptionalHeader.AddressOfEntryPoint  = pSecH->VirtualAddress + dwSpot + ( (DWORD)_stub - (DWORD)_xor_block ) ;
 
    // and finally update the file
    SetFilePointer(hFile, pSecH->PointerToRawData, 0, FILE_BEGIN);               //new section data
    WriteFile(hFile, SectionBuffer, dwSectionSize, &bytes, 0);
 
    SetFilePointer(hFile, pDosH->e_lfanew, 0, FILE_BEGIN);                       //new PE header
    WriteFile(hFile, pNtH, sizeof(IMAGE_NT_HEADERS), &bytes, 0);
 
    SetFilePointer(hFile, ((DWORD) pSecH - (DWORD) FileBuffer), 0, FILE_BEGIN); //new section header
    WriteFile(hFile, pSecH, sizeof(IMAGE_SECTION_HEADER), &bytes, 0);
 
    // some good habits <span class="wp-smiley emoji emoji-smile" title=":)">:)</span>
    CloseHandle(hFile);
 
    free(FileBuffer);
    free(SectionBuffer);
 
    return 0;
}

Так же нашел репу с каким-то криптором:

https://github.com/jozemberi/PE-Crypter

Может кому пригодится. :slight_smile:

Еще парочка реп, детально не рассматривал:

https://github.com/Joshf2k/Kryptonite
https://github.com/juja256/crypt_perm

Во вложени Yoda Cryptor + SRC

Пароль: reverse4you

http://www.nullsecurity.net/tools/binary.html

Понапостили баянов.

Запости не боян. :wink:

а есть что нить рабочее под Win7 и старше? ну кроме того что я писал