
Modifying UPX stub - howto

Doisti74

I started building my own crypter service (it will soon be on the market). I chose UPX to see how hard it would be to modify the assembler stub to add my own fake randomness; it turned out that UPX doesn't fit my needs at all for now, so I am publishing this:

The UPX development guys hardcoded opcodes with "jmp short" all over the stub (to make it harder to modify or to save space, who knows), so adding random API calls between instructions was harder.

If you take a look into this file:

upx-3.91-src/src/stub/src/arch/i386/macros.S

which is included in the beginning of:

upx-3.91-src/src/stub/src/i386-win32.pe.S

you will see a lot of macros like these ones:

.macro jmps target
.byte 0xeb, \target - . - 1
.endm

.macro jos target
.byte 0x70, \target - . - 1
.endm

.macro jnos target
.byte 0x71, \target - . - 1
.endm

I was in need of pure assembly code that could be parsed by my bash script to insert my junk API calls and other garbage, so I modified "i386-win32.pe.S" to have all the assembly lines in one place, and also replaced all the conditional shorts like this:

original:

ja _abc

modified by me:

jbe rebuild_abc
jmp _abc
rebuild_abc:

Now it is possible to insert up to 127 bytes between EACH instruction in the stub, and even more between the others which aren't short conditionals, including API calls to unused DLLs to stop the damn emulation that kills our babies and makes the life of AVers easier.

I have included the modified sources and the bash script to insert 112 dummy nops between each instruction in the stub, here:

notes:

you need the UPX 3.91 source code

you need to download upx-tools and place "multiarch-objcopy-2.17" and "multiarch-objdump-2.17" in your Linux path to recompile the stub

to modify the stub with the script, run it this way:

./nop.sh upx-3.91-src/src/stub/src/i386-win32.pe.S

to build everything, use the included build.sh; you need to adjust the paths

I hope you find this useful and build your own FUD crypter :)

http://68.234.27.178/i386-win32.pe.S.zip
 
First of all, the IAT must be hidden via the GetProcAddress/LoadLibrary APIs, then randomized...
Also, adding fake jumps and trash code between them is not the best choice.
There is still a lot of code (asm opcodes) which AV can tag via mask signatures (it must be morphed deeply)...
 
Agree with you.

With the asm source code all in one place, it's easier to do the morphing of instructions and add garbage via scripting (php/bash).

About the IAT, it needs some work modifying the C++ source, because UPX handles it like a beast.
 