unbeliever

[TUT] Beginner Tutorial: How to FUD your detected stub (detailed and with pictures)


Posted

So here it goes...

What you need:

- Detected Crypter Stub (shouldn't be a crypter with public sourcecode and not very old)

- AVFucker

- Offset Changer (sometimes AvFucker is not enough)

- Virus Scanner

This is my setup:

setupmx.jpg

1. Split your stub

We are now going to use AvFucker to split the stub.

AvFucker uses the so-called "replace byte signature" technique. It replaces the stub's byte sections and creates a copy of the original with the modified section.

By editing byte sections you can eliminate the detected sections of the stub.

So let's begin...

First of all we need to open the AvFucker.

Now choose your stub as the source file and an empty folder as the destination folder.

Leave start and end offset on default.

Change the value "bytes" to 1000 (this means you are replacing 1000 bytes at a time).

It should now look like this:

avfucker1.jpg

Now hit "Start" and wait till the splitting is finished.

2. Scan the split files

Now you will find a lot of copies of the original stub with the modified byte sections.

Scan the folder with your virus scanner. It will show you a lot of detections, but some remain undetected.

Delete all detected files. With my AV-Scanner these files were undetected:

undetected.jpg

The names of the files indicate which byte section was modified.

We can not use these files because changing 1000 bytes will most likely corrupt the file. But now we know which byte sections we need to edit.

Avoid the first sections because modifying them often corrupts the file.

I will choose 0096000_1000, which means the byte section 96000-97000 has been modified.

3. Split the stub (only the undetected sections)

Now we use AvFucker once again, but we change the start offset to the beginning of the undetected section (in this case 96000) and the end offset to the end (97000).

We also change the value "bytes" to 1 (which means we are now overwriting only one byte at a time).

avfucker2.jpg

Click start and wait for AvFucker to finish splitting the stub (this takes longer than the first time).

Now scan the folder with the split files with your AV-Scanner and delete the detected files.

Now check which of the undetected files is still working (the first step is to click on the modified files and check if they are corrupted).

If you find a non-corrupted file you have to check if it's still working when using it with the crypter (just rename the file to "stub", make a backup of the original and check if the new file is working).

In my case the file 0096258_1 is still working.

Congratulations, your stub is now undetected against the AV-Scanner you are using.

4. Repeat with other AV-Scanners

In order to make your stub FUD you have to do this all over again with other AV-Scanners. I know this takes a lot of time, but when you are done you have your own unique stub which should be FUD for a while.

!Attention: When you're done with one AV-Scanner make sure you now modify the new stub, not the original!

5. Advanced Tips

Some scanners are harder to bypass than others.

I will name some examples of what could happen:

1) All undetected files are corrupted

If all your undetected files do not work you have to use a different method of overwriting the byte sections.

In this case we use the "Offset Changer".

Start it and click on open, select your stub.

Then click on parting, set "from offset" to 1000 and "to offset" to the number given in "total offset" (in my case 125951).

"Offsets Crypt" is the same as "byte" in AvFucker, so change it to 1000 at first.

"Hex Values" is the new feature we need; this decides what we overwrite the bytes with (default is 00). Changing it to other digits (for example 11) sometimes helps to create more undetected files.

So you have a higher chance of finding a non corrupt and undetected file.

Change "steps offset" to 1.

It should now look like this:

offsetchanger.jpg

Click on the green tick and follow the same steps as you did with AvFucker.

2) All files are detected

In this case try the same as in 1).

If this doesn't work you may try to change the value "byte" (in AvFucker) or "Offsets Crypt" (in Offset Changer) to 100 instead of 1000.

Still not working? Change the value "start offset"/"from offset" to 1 instead of 1000 (this means the bytes 1-1000 will also be overwritten). In most cases editing this section will corrupt the file, but in rare cases this can work out.

If your split files are still detected there is another possibility.

After splitting the files and scanning them with your AV-Scanner, DON'T delete all the detected files but check what the detection is called.

Different modified sections can cause different detections, so sometimes it helps to find a working modified stub with a different detection than the original.

Then split the new stub and see if you can find any undetected files now or if there are other different detections.

If all this doesn't work you can only try to use a different AV-Scanner first, then try the other one again.

But this only helps in rare cases.

Still not working? Then I'm afraid this method won't work on this stub. This happens to stubs which are either old or use public source code.

I hope this helps some of you to get your own FUD stubs for crypters, binders or whatever...

With this method and the example crypter I made it FUD in a day... this was 4 weeks ago and it's still FUD.

Here are the scans:

Before:

detectionbefore.jpg

After:

detectionafter.jpg

I also uploaded the crypter and the tools I used:

Tut.rar

No Pass, use at own risk! Checked all of them in Sandboxie, but you never know...

Luat HF.
