Modifying UPX stub - howto

Discussion in 'С/С++, C#, Rust, Swift, Go, Java, Perl, Ruby' started by Doisti74, 1 Mar 2014.

  1. Doisti74

    Doisti74 New Member

    Joined:
    12 Feb 2014
    Messages:
    1
    Likes Received:
    2
    Reputations:
    6
    I started building my own crypter service (soon will be on the market). I chose UPX to see how hard it would be to modify the assembler stub to add my own fake randomness - it turned out that UPX doesn't fit my needs at all for now, so I am publishing this:

    The UPX development guys hardcoded opcodes with "jmp short" all over the stub (to make it harder to modify or to save space, who knows) - so adding random API calls between instructions, was harder.

    If you take a look into this file:

    upx-3.91-src/src/stub/src/arch/i386/macros.S

    which is included in the beginning of:

    upx-3.91-src/src/stub/src/i386-win32.pe.S

    you will see a lot of macros like these ones:

    .macro jmps target
    .byte 0xeb, \target - . - 1
    .endm

    .macro jos target
    .byte 0x70, \target - . - 1
    .endm

    .macro jnos target
    .byte 0x71, \target - . - 1
    .endm

    I was in need of pure assembly code to be parsed by my bash script to insert my junk API calls and other garbage, so I modified "i386-win32.pe.S" to have all the assembly lines in one place, and also replaced all the conditional shorts like this:

    original:

    ja _abc

    modified by me:

    jbe rebuild_abc
    jmp _abc
    rebuild_abc:

    Now it is possible to insert up to 127 bytes between EACH instruction in the stub, and even more between others which aren't short conditionals - including API calls to unused DLLs to stop the damn emulation that kills our babies and make the life of AVers easier.

    I have included the modified sources and the bash script to insert 112 dummy nops between each instruction in the stub, here:

    notes:

    you need upx source code 3.91

    you need to download upx-tools and place "multiarch-objcopy-2.17" and "multiarch-objdump-2.17" in your linux path to re-compile the stub

    to modify the stub with the script, run this way:

    ./nop.sh upx-3.91-src/src/stub/src/i386-win32.pe.S

    to build all, use build.sh included. You need to adjust the paths.

    I hope you find this useful and build your own FUD crypter :)

    http://68.234.27.178/i386-win32.pe.S.zip
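The macros quoted above hand-assemble two-byte short jumps: an opcode byte followed by a signed 8-bit displacement, and `\target - . - 1` is that displacement measured from the end of the instruction (`.` sits on the displacement byte, one past the opcode). The 8-bit displacement is also the origin of the 127-byte limit mentioned in the post. The following Python is an added example, not code from the post or from the UPX project, that reproduces the macro arithmetic as an encoder, decodes such jumps the way an analyst reading a stub would, and raises when a target falls outside the rel8 range. Function names, the offsets used, and the opcode table are assumptions written for this example.

```python
# Added example: encode/decode x86 short (rel8) jumps as produced by the
# jmps/jos/jnos-style macros in UPX's i386 macros.S. Not part of UPX itself.

# Opcode byte -> mnemonic for the 2-byte short-jump forms (assumed table,
# standard x86 encoding: 0xEB is unconditional, 0x70-0x7F are conditional).
SHORT_JUMP_OPCODES = {
    0xEB: "jmp",
    0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae",
    0x74: "je", 0x75: "jne", 0x76: "jbe", 0x77: "ja",
    0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}
MNEMONIC_TO_OPCODE = {m: op for op, m in SHORT_JUMP_OPCODES.items()}


def macro_displacement(dot, target):
    """Literal translation of the macro operand: `\\target - . - 1`.

    `dot` is the offset of the displacement byte itself (the assembler's `.`
    while emitting the second .byte), so the result is relative to the
    end of the two-byte instruction, exactly as the CPU interprets rel8.
    """
    return target - dot - 1


def encode_short_jump(mnemonic, at, target):
    """Return the two bytes a `jXs target` macro would emit.

    `at` is the offset of the opcode byte; the displacement byte lives at
    `at + 1`. Raises ValueError when the target is not reachable with a
    signed 8-bit displacement (-128..127), which is the assembler error you
    get when too much code is inserted between a short jump and its label.
    """
    opcode = MNEMONIC_TO_OPCODE[mnemonic]
    disp = macro_displacement(at + 1, target)
    if not -128 <= disp <= 127:
        raise ValueError(
            f"{mnemonic} at {at:#x} -> {target:#x}: displacement {disp} "
            "does not fit in rel8"
        )
    return bytes([opcode, disp & 0xFF])


def decode_short_jump(code, at):
    """Decode a short jump at offset `at` of `code`.

    Returns (mnemonic, target_offset), or None if the byte at `at` is not a
    short-jump opcode. The displacement is sign-extended and added to the
    end of the instruction (at + 2).
    """
    if at + 1 >= len(code) or code[at] not in SHORT_JUMP_OPCODES:
        return None
    disp = code[at + 1]
    if disp >= 0x80:          # sign-extend the 8-bit displacement
        disp -= 0x100
    return SHORT_JUMP_OPCODES[code[at]], at + 2 + disp


def roundtrip(mnemonic, at, target):
    """Encode a jump, place it in a constructed zero-filled buffer at `at`,
    decode it again, and return the recovered (mnemonic, target)."""
    buf = bytearray(max(at + 2, target + 1))   # constructed sample buffer
    buf[at:at + 2] = encode_short_jump(mnemonic, at, target)
    return decode_short_jump(bytes(buf), at)


if __name__ == "__main__":
    print(encode_short_jump("jmp", 0x10, 0x20).hex())   # forward jump
    print(encode_short_jump("jne", 0x30, 0x10).hex())   # backward jump
    print(roundtrip("ja", 0x40, 0x7F))
    try:
        encode_short_jump("ja", 0x00, 0x100)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as a script to see a forward jump, a backward jump, a round trip, and the out-of-range rejection; `decode_short_jump` is the part worth keeping at hand when reading a packed stub by hand, since it turns the raw `eb xx` / `7x xx` pairs back into offsets.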
     
  2. #colorblind

    #colorblind Moderator

    Joined:
    31 Jan 2014
    Messages:
    637
    Likes Received:
    246
    Reputations:
    42
    Read Microsoft Portable Executable and Common Object File Format before posting drivel. "Crypt service", well...ok