unbeliever Posted March 13, 2012 Report Share Posted March 13, 2012 So here it goes...What you need:- Detected Crypter Stub (shouldn't be a crypter with public sourcecode and not very old)- AVFucker- Offset Changer (sometimes AvFucker is not enough)- Virus ScannerThis is my setup:1. Split your stubWe are now going to use AvFucker to split the stub.AvFucker is using the so called "replace byte signature" technique. It replaces the stubs' byte sections and creates a copy of the original with the modified section.By editing byte sections you can eliminate the detected sections of the stubSo let's begin...First of all we need to open the AvFucker.Now chose your stub as source file, an empty folder as destination folder.Leave start and end offset on default.Change the value "bytes" to 1000 (this means your are replacing 1000 bytes at a time).It should now look like this:Now hit "Start" and wait till the splitting is finished.2. Scan splitted filesNow you will find a lot of copies of the original stub with the modified byte sections.Scan the folder with your virus scanner. It will show you a lot of detections, but some remain undetected.Delete all detected files. With my AV-Scanner those files were undetected:The names of the files indicate which byte sections was modified.We can not use these files because changing 1000 bytes will most likely corrupt the file. But now we know which byte sections we need to edit.Avoid the first sections because modifying them often corrupts the file.I will chose 0096000_1000 which means the byte section 96000-97000 has been modified.3. Split the stub (only the undetected sections)Now we use AvFucker once again, but we change the start offset to the beginning of the undetected section (in this case 96000) and the end offset to the end (97000).We also change the value "bytes" to 1 (which means we are now overwriting only one byte at a time)Click start and wait for AvFucker to finish splitting the stub (this takes longer than the first time)Now scan the folder with the splitted files wit your AV-Scanner and delete the detected files.Now check which of the undetected files is still working (the first step is to click on the modified files and check if they are corrupted). If you find a non corrupted file you have to check if it's still working when using it with the crypter (just rename the file to "stub", make a backup of the original and check if the new file is working)In my case the file 0096258_1 is still working.Congratulations, your stub is now undetected against the AV-Scanner you are using.4. Repeat with other AV-ScannersIn order to make your stub FUD you have to do this all over again with other AV-Scanners. I know this takes a lot of time, but when you are done you have your own unique stub which should be FUD for a while.!Attention: When your done with one AV-Scanner make sure you will now modify the new stub, not the original!5. Advanced TipsSome scanners are harder to bypass than others. I will name some examples of what could happen:1) All undetected files are corruptedIf all your undetected files do not work you have to use a different method of overwriting the byte sections.In this case we use the "Offset Changer"Start it and click on open, select your stub.Then click on parting, set "from offset" to 1000 and "to offset" to the number given in "total offset" (in my case 125951)"Offsets Crypt" is the same as "byte" in AvFucker, so change it to 1000 at first."Hex Values" is the new feature we need, this will decide with what we overwrite the bytes (default is 00), changing it to other digits (for example 11) sometimes helps to create more undetected files.So you have a higher chance of finding a non corrupt and undetected file.change "steps offset" to 1.It should now look like this:Click on the green tick and follow the same steps as you did with AvFucker.2) All files are detectedIn this case try the same as in 1)If this doesn't work you may try to change the value "byte" (in AvFUcker) or "Offsets Crypt" (in Offset Changer) to 100 instead of 1000Still not working? change the value "start offset"/"from offset" to 1 instead of 1000 (this means the bytes 1-1000 will also be overwritten. In most cases editing this section will corrupt the file but in rare cases this can work outIf your splitted files are still detected there is another possibility.After splitting the files and scanning them with your AV-Scanner, DON'T delete all the detected files but check what the detection is called.Different modified sections can cause different detections...so sometimes it helps to find a working modified stub with a different detection than the original.Then split the new stub and see if you can find any undetected files now or if there are other different detections.If all this doesn't work you can only try to use a different AV-Scanner first, then try the other one again.But this only helps in rare cases.Still not working?...then I'm affraid but this method won't work on this stub. This happenes to stubs which are either old or use public sourcecodes.I hope this helps some of you to get your own FUD stubs for crypters,binders or whatever...With this method and the example crypter I made it FUD in a day...this was 4 weeks ago and its still FUD.Here are the scans:Before:After:I also uploaded the crypter and the tools I used:Tut.rarNo Pass, use at own risk! Checked all of them in Sandboxie, but you never know...Luat HF. Quote Link to comment Share on other sites More sharing options...
gogusan Posted March 13, 2012 Report Share Posted March 13, 2012 ai incercat macar tutorialul asta inainte sa-l postezi aici? Quote Link to comment Share on other sites More sharing options...
Scorpionadi Posted March 13, 2012 Report Share Posted March 13, 2012 Eheeeeee..... de ar fi asa de simplu.Aste mergeau acum multi ani, acum trebuie mult mai multe chestii facute Quote Link to comment Share on other sites More sharing options...
