What is a Crypter?
Okay before we get into the good stuff, lets first clear up all your questions you have been having by really getting into all the fundamentals of Crypters. Oh and if you have any questions of anything throughout this tutorial, always refer and search on Hackforums for answers. If you don't already know, A Crypter is usually used to encrypt files like viruses, rats, and keyloggers usually for the sole purpose of bypassing antivirus detection.
What's the difference between a Crypter and a Packer?
A Crypter Encrypts your files, while a Packer packs your files usually with the intention of making it smaller in size and sometimes for it to be undetectable on virus scans.
What's the difference between a Runtime and Scantime Crypter?
Both can look exactly the same so you better watch out..
-A Runtime Crypter encrypts the specified file and when executed (ran), it is decrypted in memory. This way antiviruses aren’t able to analyse the file before executed and after executed.
-A Scantime Crypter encrypts the specified file so antiviruses aren’t able to analyse the file only before executed but NOT when executed.
How do i know which antiviruses detect my file?
There are many sites with this same purpose of scanning files and giving a report of which antiviruses detect your files. The main issue leading to Crypters becoming detected is because if you or someone who is in posession of your crypted file, scans it on some of these scanner sites, the crypted file will be distributed to the antivirus vendors, thus causing the crypted code overwritten on your file to become detected, which in turn causes your Crypter to turn out detected. I recommend that you scan your files on www.novirusthanks.org - But MAKE SURE the "Do not distribute sample" check box is checked
What is EOF and what is it used for?
EOF stands for End Of File. Some files like Bifrost, Medusa, and Cybergate require the end of file data in order to run without corruption. So If Crypters don’t preserve this end of file data, your crypted file will become corrupt.
What is a USG?
A USG is part of a crypter that generates a unique version of the stub (stub is part of a crypter used to encrypt and decrypt the specified file). The purpose of this is because FUD crypters don’t last forever, eventually crypters become detected over a period of time. You will understand
this better later on in the tutorial.
What is a File Binder?
A File Binder is pretty self explanatory. It “binds” or puts 2 files together as one so as a result when someone opens this one file, 2 files will execute. You would usually use a file binder when being even more stealth then just simply a crypted file. The biggest question people have when first learning what a binder is and what it does is, can you bind a .exe with something different? like a .jpg for example? The answer is Yes, BUT.. the output of both binded files will be shown as .exe, so in a way it can defeat the purpose.
What are "Antis" on Crypters?
Anti’s are an extra feature that come with some Crypters. For example anti-vm, anti-debugger, anti-avira...etc. These refer to bypassing or preventing something specified, so anti-debugger meaning it will prevent it from being debugged.
What is a File Pumper?
A File Pumper will “pump” your file - referring to adding more bytes to it making your file larger. The benefit of this is usually not so great but it can be okay to have and may lose a detection or 2.
Types and Forms of Crypters
Crypters can range in many types and forms and it is important to understand these types and forms because it will help you choose a quality crypter to solve your needs or help you realize what options and features you would want to implement in your own Crypter.
The Most IMPORTANT Factors You Should Know
As I'm sure many of you know, finding Crypters and Crypters themselves can be a huge pain. I know when i first started out, I hated the fact that i just couldn’t find a FREE FUD CRYPTER anywhere. I got so pissed, but didn’t give up just yet. I kept on searching and reading a diverse range of forums. Overtime, once I learned enough about them i realized the actual undetection vs antivirus concept. This is the eye opener point which you will all eventually end up and at this point you will then realize why.
The Antivirus vs Crypter Concept
Have you ever wondered how all the virus’s, rats, and bots..etc become detected by antiviruses? I'm sure you have, and this concept will give you all the answers. Antiviruses can be alot more complex then you would imagine, so learning the ways they are notified of malicious files and how they detect are essential for bypassing them. Okay there are 2 ways antiviruses are notified of malicious files and eventually flag your file as detected.
1.The First One is:
From online file scanner sites where people upload files they think might be
suspicious looking, and want to know if its actually a virus or not. They upload their files to one of these sites to check which antiviruses detect it and flag it as a virus. Once the files are uploaded, based on certain elements they are then distributed to the antivirus vendors labs. On some online scanners there is an option available for you to check for no distribution. I am not aware if this actually does what we all think because i heard they will still distribute, but with a price to the av vendors. Even though this may be true or false, it is still always a good idea to scan on these sites that have this option available.
2.The Second One is:
From the antiviruses themselves. You may be thinking, oh really? Yes.. and to tell you the truth, hardly anyone even knows about this. It's sad isn’t it? This is essential information that everyone must know when using or making Crypters. Most of the time, the antivirus will automatically send the files out when any certain file becomes detected. Antivirus owners also have the option to send off a file to the vendor with a click of a button through their desktop antivirus.
What can you do about this?
You can change the settings on your antivirus! The setting usually come in slightly different forms, sometimes you are also asked during setup, and sometimes you just have to go into the settings or options manually to change them. All of what you just read is essential to keep in mind when making an FUD Crypter. The sole reason behind why public Crypters always become detected, and usually fast is because the majority of people do not know the antivirus vs Crypter concept. Therefore they either blindly upload there crypted files to one of the scanner sites that distribute, Also, the antiviruses themselves are uploading there crypted files without them
even noticing. Even people who make there own Crypters arent aware of this, which is why they are always wondering why there crypted files always become detected so fast.
What do AntiViruses look for in a file?
First off, you will need some basic understanding of how anti-viruses actually work. .Exe files are simply lines of instruction, and each line is called an offset. Anti-virus’s have databases of these lines that are known to be associated with malicious files. They use that database to check against your file to see if it matches. If it does, then it is marked as infected. They do use other methods of detection, but this is the one you will learn how to avoid.
What will the program need to do?
Your Crypter is going to take the contents of an infected file, encrypt them,and place it at the bottom of a seemingly virus-free file called your “stub”. Your stub file will then extract the encrypted data from itself, decrypt it, then extract and run it. So just imagine if this stub file that is joined together with the crypted infected file is detected? Well, then all the files you crypt will also show up as detected since this stub is used with all the crypted files. This may sound like a complicated and confusing process, but it isn’t and I will explain more about it later on.
Okay before we get into the good stuff, lets first clear up all your questions you have been having by really getting into all the fundamentals of Crypters. Oh and if you have any questions of anything throughout this tutorial, always refer and search on Hackforums for answers. If you don't already know, A Crypter is usually used to encrypt files like viruses, rats, and keyloggers usually for the sole purpose of bypassing antivirus detection.
What's the difference between a Crypter and a Packer?
A Crypter Encrypts your files, while a Packer packs your files usually with the intention of making it smaller in size and sometimes for it to be undetectable on virus scans.
What's the difference between a Runtime and Scantime Crypter?
Both can look exactly the same so you better watch out..
-A Runtime Crypter encrypts the specified file and when executed (ran), it is decrypted in memory. This way antiviruses aren’t able to analyse the file before executed and after executed.
-A Scantime Crypter encrypts the specified file so antiviruses aren’t able to analyse the file only before executed but NOT when executed.
How do i know which antiviruses detect my file?
There are many sites with this same purpose of scanning files and giving a report of which antiviruses detect your files. The main issue leading to Crypters becoming detected is because if you or someone who is in posession of your crypted file, scans it on some of these scanner sites, the crypted file will be distributed to the antivirus vendors, thus causing the crypted code overwritten on your file to become detected, which in turn causes your Crypter to turn out detected. I recommend that you scan your files on www.novirusthanks.org - But MAKE SURE the "Do not distribute sample" check box is checked
What is EOF and what is it used for?
EOF stands for End Of File. Some files like Bifrost, Medusa, and Cybergate require the end of file data in order to run without corruption. So If Crypters don’t preserve this end of file data, your crypted file will become corrupt.
What is a USG?
A USG is part of a crypter that generates a unique version of the stub (stub is part of a crypter used to encrypt and decrypt the specified file). The purpose of this is because FUD crypters don’t last forever, eventually crypters become detected over a period of time. You will understand
this better later on in the tutorial.
What is a File Binder?
A File Binder is pretty self explanatory. It “binds” or puts 2 files together as one so as a result when someone opens this one file, 2 files will execute. You would usually use a file binder when being even more stealth then just simply a crypted file. The biggest question people have when first learning what a binder is and what it does is, can you bind a .exe with something different? like a .jpg for example? The answer is Yes, BUT.. the output of both binded files will be shown as .exe, so in a way it can defeat the purpose.
What are "Antis" on Crypters?
Anti’s are an extra feature that come with some Crypters. For example anti-vm, anti-debugger, anti-avira...etc. These refer to bypassing or preventing something specified, so anti-debugger meaning it will prevent it from being debugged.
What is a File Pumper?
A File Pumper will “pump” your file - referring to adding more bytes to it making your file larger. The benefit of this is usually not so great but it can be okay to have and may lose a detection or 2.
Types and Forms of Crypters
Crypters can range in many types and forms and it is important to understand these types and forms because it will help you choose a quality crypter to solve your needs or help you realize what options and features you would want to implement in your own Crypter.
The Most IMPORTANT Factors You Should Know
As I'm sure many of you know, finding Crypters and Crypters themselves can be a huge pain. I know when i first started out, I hated the fact that i just couldn’t find a FREE FUD CRYPTER anywhere. I got so pissed, but didn’t give up just yet. I kept on searching and reading a diverse range of forums. Overtime, once I learned enough about them i realized the actual undetection vs antivirus concept. This is the eye opener point which you will all eventually end up and at this point you will then realize why.
The Antivirus vs Crypter Concept
Have you ever wondered how all the virus’s, rats, and bots..etc become detected by antiviruses? I'm sure you have, and this concept will give you all the answers. Antiviruses can be alot more complex then you would imagine, so learning the ways they are notified of malicious files and how they detect are essential for bypassing them. Okay there are 2 ways antiviruses are notified of malicious files and eventually flag your file as detected.
1.The First One is:
From online file scanner sites where people upload files they think might be
suspicious looking, and want to know if its actually a virus or not. They upload their files to one of these sites to check which antiviruses detect it and flag it as a virus. Once the files are uploaded, based on certain elements they are then distributed to the antivirus vendors labs. On some online scanners there is an option available for you to check for no distribution. I am not aware if this actually does what we all think because i heard they will still distribute, but with a price to the av vendors. Even though this may be true or false, it is still always a good idea to scan on these sites that have this option available.
2.The Second One is:
From the antiviruses themselves. You may be thinking, oh really? Yes.. and to tell you the truth, hardly anyone even knows about this. It's sad isn’t it? This is essential information that everyone must know when using or making Crypters. Most of the time, the antivirus will automatically send the files out when any certain file becomes detected. Antivirus owners also have the option to send off a file to the vendor with a click of a button through their desktop antivirus.
What can you do about this?
You can change the settings on your antivirus! The setting usually come in slightly different forms, sometimes you are also asked during setup, and sometimes you just have to go into the settings or options manually to change them. All of what you just read is essential to keep in mind when making an FUD Crypter. The sole reason behind why public Crypters always become detected, and usually fast is because the majority of people do not know the antivirus vs Crypter concept. Therefore they either blindly upload there crypted files to one of the scanner sites that distribute, Also, the antiviruses themselves are uploading there crypted files without them
even noticing. Even people who make there own Crypters arent aware of this, which is why they are always wondering why there crypted files always become detected so fast.
What do AntiViruses look for in a file?
First off, you will need some basic understanding of how anti-viruses actually work. .Exe files are simply lines of instruction, and each line is called an offset. Anti-virus’s have databases of these lines that are known to be associated with malicious files. They use that database to check against your file to see if it matches. If it does, then it is marked as infected. They do use other methods of detection, but this is the one you will learn how to avoid.
What will the program need to do?
Your Crypter is going to take the contents of an infected file, encrypt them,and place it at the bottom of a seemingly virus-free file called your “stub”. Your stub file will then extract the encrypted data from itself, decrypt it, then extract and run it. So just imagine if this stub file that is joined together with the crypted infected file is detected? Well, then all the files you crypt will also show up as detected since this stub is used with all the crypted files. This may sound like a complicated and confusing process, but it isn’t and I will explain more about it later on.