Crypter Blueprint

The Crypter BluePrint
The Most in Depth BluePrint of Everything You Wanted to Know About Crypters
How to Create Your own FUD Crypter [The Right Way]
...In Less Than a Week
Version 1.00
July 2010
Limits of Liability & Disclaimer of Warranty
The author and publisher of this Ebook and the associated materials have used
their best efforts in preparing this material. The author and publisher make no
representations or warranties with respect to the accuracy, applicability, fitness,
or completeness of the contents of this material. They disclaim any warranties
expressed or implied, merchantability, or fitness for any particular purpose. The
author and publisher shall in no event be held liable for any loss or other
damage, including but not limited to incidental, consequential, or other damage.
If you have any doubts about anything, the advice of a competent professional
should be sought.
About the Author
My name is Shawn and I'm 17 at the

time of writing this.
Things i like to do are playing guitar,

surfing, hanging with friends, and chilling a
lot on the laptop :)
Everyone starts out somewhere,and me?

There’s nothing special about my story. I
am no greater than you. I just had interest
with many things related to hacking.
So, I read and read, searched and searched, for a long time. The only thing that
pmakes me different, is that I have a desire to help others in the situation I was
once in.
Table of Contents
About the Author

Table of Contents
Introduction
What You Can Expect From This Ebook
What's Covered In This Ebook?
Chapter 1 - What Really Is A Crypter? Core Fundamentals
What's the Difference Between A Runtime and Scantime Crypter?
How Do I Know Which Anti-Viruses Detect My File?
Types and Forms of Crypters
Chapter 2 - The Most Important Factors You Should Know About Crypters
Chapter 3 - VB6 and Crypters
Chapter 4 - Programming and VB6 Fundamentals
Chapter 5 - VB6 Crypter Techniques BluePrint
Finding and Pinpointing What's Causing Detection
Chapter 6 - The Universal Undetection Process
Changing the Order of All Code Aspects
String manipulation
Changing and Encrypting Strings/APIs
Resources
Introduction
First i just want to give major credits to all the links to threads used in this ebook.
Massive credits to all the forum members that made them, thank you.
What you can expect from This EBook
I would just like to mention that if you even have the slightest interest in Crypters
and making your own, you are in the right place. You will be provided with the
most informative, in depth blueprint on Crypters ever put into one package
before.
I am going to be real and remind you to be aware of whats required from you to
get the most out of this ebook. There is no magic buttons.. no magic pills..
Especially when programming, you have to put effort and take action on what
you learn in order to succeed.
Whats covered in this eBook?
This ebook will consist of all the aspects that will get you on a flawless track for
creating your own FUD Crypter ..or anything FUD to be honest.., this way you will
gain a huge advantage. I will be giving my 100% into this ebook so all i ask from
you is to never be discouraged from the looks of anything and put your 100%.
the layout of this ebook is constructed as follows,

the first half is pretty much aimed toward the beginner level to intermediate
and the second half is aimed toward the intermediate to advanced.
just to remind you to not exagerate and be unrealistic, I will be teaching you all of
what you need to know about Crypters and making them, getting you up to the
right point, but once your at that point, you have to be aware that your set on
your own.. thats life. But I do have to say, It is truly an awesome and thrilling
experience..
So lets get started
Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Chapter 1 - What Really Is A Crypter? Core Fundamentals
Ok before we get into the good stuff, lets first clear up all your desperate..
desperate questions you been having by really getting into all the
fundamentals of Crypters. Oh and if you have any questions of anything
throughout this ebook, always refer and search on http://Hackforums.net
for answers
If you dont already know.. A Crypter is usually used to encrypt files like
viruses, rats, and keyloggers usually for the sole purpose of bypassing
antivirus detection.
Whats the difference between Crypter and a Packer?

A Crypter Encrypts your files and a Packer packs your files usually with
the intention of making it smaller in size and sometimes for scantime
undetection.
Whats the difference between a Runtime and Scantime

Crypter?
Both can look exactly the same so you better watch out..
A Runtime Crypter encrypts the specified file and when executed (ran), it
is decrypted in memory. This way antiviruses aren’t able to analyse the
file before executed and after executed.
A scantime Crypter encrypts the specified file so antiviruses aren’t able to

analyse the file only before executed but NOT when executed.

How do i know which antiviruses detect my file?
There are many sites with this same purpose of scanning files and giving a
report of which antiviruses detect your files. The main issue leading
to crypters becoming detected is because if you or someone who is in
posession of your crypted file, scans it on some of these scanner sites, the
crypted file will be distributed to the antivirus vendors, thus causing the
crypted code overwritten on your file to become detected, which in turn
causes your crypter to turn out detected.
It is recommended to scan all files you crypt on

http://scanner.novirusthanks.org – while making sure the “do not
distribute sample” checkbox is checked!
What is EOF and what is it used for?

EOF stands for End
Of File. Some files like
Bifrost, Medusa, and
Cybergate require the
end of file data in
order to run without
corruption, So If
Crypters Don’t
Preserve this end of
file data, your crypted
file will become
corrupt.

What is a USG?
A USG is part of a
crypter that generates a
unique version of the
stub (stub is part of
crypter used to encrypt
and decrypt the
specified file). The
purpose of this is
because FUD crypters
don’t last forever, eventually crypters become
detected over a period of time. You will understand
this better later on in the ebook. (The USG is to the
right and above it is the Crypter)(But this is
probably one of the most advanced USG’s you
will find, some can be very simple)

What is a File Binder?
A File Binder is pretty self explanetory.. It “binds” or puts to files together as one
so as a result when someone opens this one file, 2 files will execute. You would
usually use a file binder when being even more stealth then just simply a crypted
file.
The biggest question people have when first learning what a binder is and what it
does is, can you bind a .exe with something different? like a .jpg for example? The
answer is Yes, BUT.. the output of both binded files will be shown as .exe, so in a
way it can defeat the purpose.
What are “anti’s” on Crypters?
Anti’s are an extra feature that come with some Crypters. For example anti-vm,
anti-debugger, anti-avira...etc these refer to bypassing or preventing something
specified, so anti-debugger meaning it will prevent it from being debugged.
What is a file pumper?
A File Pumper will “pump” your file - refering to adding more bytes to it making
your file larger. The benefit of this is usually not so great but it can be ok to have
and may lose a detection or 2.
Types and forms of Crypters
Crypters can range in many types and forms and it is important to understand
these types and forms because it will help you choose a quality crypter to solve
your needs or help you realize what options and features you would want to
implement in your own Crypter.
Here are some simple and advanced crypters to give you a good idea, or picture
in your head.

Simple GUI (graphical interface) Crypters

Here’s to give you an idea of some Advanced GUI Crypters

Chapter 2 - The most important factors you should know
As im sure many of you know.. finding Crypters and Crypters themselves can be
a huge pain. I know when i first started out, i hated the fact that i just couldn’t find
a FREE FUD CRYPTER anywhere. I got so pissed.. but didn’t give up just yet, i
kept on searching and reading a diverse range of forums.
Overtime, once i learned enough about them i realized the actual undetection vs
antivirus concept. This is the eye opener point which you will all eventually end
up and at this point you will then realize why..
The Antivirus vs Crypter Concept
Have you ever wondered how all the virus’s, rats, and bots..etc become detected
by antiviruses?
..im sure you have.. and this concept will give you all the answers.
Antiviruses can be alot more complext then you would imagine, so learning the
ways they are notified of malicious files and how they detect are essential for
bypassing them.
Ok there are 2 ways antiviruses are notified of malicious files and eventually flag
your file as detected,
1. the first one is
From online file scanner sites where people upload files they think might be
suspicious looking, and want to know if its actually a virus or not. They upload
there files to one of these sites to check which antiviruses detect it and flag it as
a virus. Once the files are uploaded, based on certain elements they are then
distributed to the antivirus vendors labs. On some online scanners there is an
option available for you to check for no distribution. I am not aware if this actually
does what we all think because i heard they will still distribute, but with a price to
the av vendors. Even though this may be true or false, it is still always a good
idea to scan on these sites that have this option available, for example
http://scanner.novirusthanks.org
Here are some multi antivirus scanners
http://scanner.novirusthanks.org
http://virustotal.org

www.virustotal.com/
And there is also individual antivirus scanners, for example:
http://www.kaspersky.com/scanforvirus
http://www.bitdefender.com/scanner/online/free.html
2. The Second factor is
From the antiviruses themselves. You may be thinking.. oh really? yes.. and to
tell you the sad truth.. hardly anyone even knows about this, Its sad isn’t it? this
is essential information that everyone must know when using or making Crypters.
most of the time, the antivirus will automatically send the files out when any
certain file becomes detected. Antivirus also owners have the option to send off a
file to the vendor with a click of a button through there desktop antivirus.
What can you do about this?
well you can change the settings on your antivirus. The setting usually come in
slightly different forms, sometimes you are also asked during setup, and
sometimes you just have to go into the settings or options manually, for

example:

All of what you just read is essential to keep in mind when making an FUD
Crypter. The sole reason behind why public Crypters always become detected
..and usually fast, is because the majority of people do not know the antivirus vs
Crypter concept.. therefore they either blindly upload there crypted files to one of
the scanner sites that distribute
also.. the antiviruses themselves are uploading there crypted files without them
even noticing. Even people who make there own Crypters arent aware of this
which is why they are always wondering why there crypted files always become
detected so fast.

Chapter 3 - Vb6 and Crypters
Now we are going to dive into how Crypters work, and.. how they are MADE. You
will be shown the actual steps of the exact code used to create Your own
Crypter.
i found these pics and info on HF somewhere ..so credits to that dude.. And if it
seems a little too complicated, don’t worry, as long as you get the basic idea.
What do anti-viruses look for in a file?
First off, you will need some basic understanding of how anti-viruses actually
work.
Exe files are simply lines of instruction, and each line is called an offset.
(This is a screenshot of Hex Workshop)
Anti-virus’s have databases of these lines that are known to be associated with
malicious files. They use that database to check against your file to see if it
matches. If it does, then it is marked as infected. They do use other methods
of detection, but this is the one you will learn how to avoid.

What will the program need to do?

Your crypter is going to take the contents of an infected file, encrypt them,
and place it at the bottom of a seemingly virus-free file called your “stub”.
Your stub file will then extract the encrypted data from itself, decrypt it, then
extract and run it. So just imagine if this stub file that is joined together with
the cryped infected file is detected? well.. then all the files you crypt will also
show up as detected since this stub is used with all the crypted files. This may
sound like a complicated and confusing process, but it isn’t and i will explain
more about it later on.

Heres another pic i found, (credits to hackhound) this explains all this in a
slightly different way, maybe you will understand it better:

Chapter 4 - Programming and Vb6 Fundamentals
Ok now.. your either one of 3 people..

● someone who has no idea how to make/code a program
● someone who knows and can code a program
● someone who can code but not in visual basic 6
This section is intended for all these people and if you can code and you think
you wont benefit from it, you can either just scim through it or just read it all and
refresh your memory..
First we must download Visual Basic 6 of course.

If you aren’t aware of what torrents are and how to download them, then follow
step 1 if you do know about torrents and already have torrent downloading
software go to step 2
1. download and install u torrent here http://www.utorrent.com/

2. now we must download the vb6 torrent here
http://btjunkie.org/search?q=visual+basic+6 (just download the first one or
something)
3. it should then open with utorrent, and just press ok to download.
now to get a quick picture of the interface in vb6 and understand how most of it
works, (you can just scroll down to the pictures on this site)
http://www.profsr.com/vb/vbless01.htm
Intro to programming with vb6
You must be aware that in order to make your own FUD Crypter, you must
atleast know the basics of programming, so if you don’t, this is a very important
section to read, so read through it all and if theres something you don’t
understand i encourage you to do some google searching about it or read
around/ask through this forum http://www.vbforums.com/forumdisplay.php?f=1
Without getting so in depth and complicated, i am going to first have you learn
the basic concepts of programming in order for you to just understand enough to
be able to first understand the most essential parts of what a program is doing so
you will be able to understand other sources when you read them and modify
them. You most likely will have questions that i will not be able to answer, so if
your unsure about some of these basic concepts, search vb6 tutorial or visual
basic tutorials on http://youtube.com ..this way always seems to be best because

seems people learn drastically easier to from video. If you have a more specific
question or issue, search google.
Ok so, from searching for a long time, i came to the conclusion that this site
teaches vb6 in the best most understandable/appealing way
http://www.vbtutor.net/vbtutor.html
just go through the table of contents and please try to go up until, not higher then,
lesson 18 and ignore all the ads on the sides and in between. You don’t have to
go through all of them at once, or in the same day even. I would encourage you
to just refer back to the lessons at any given time and consistently, but slowly
moving forward each day. And remember.. to get more clarification or understand
more of it, always search youtube and google.
Basic Vb6 Outline for Creating a Crypter
Crypters in Vb6 consist of two parts:
the Crypter Client which is the actual user interface that the user uses for
specifying the file to encrypt, the settings...etc
The Stub file, which is part of the Crypter but it is not used by the user, it is
simply just there, in the same directory as the crypter client, because it is being
used by it.
So programming a Crypter comes in these 2 parts and are made seperately in 2

different projects. They only interact with each other when compiled into finished
.exe’s.
You might be wondering,

well what project gets detected so i will know which to modify?
The Stub project is only what you have to always undetect and... re-undetect
when the crypted files become detected BECAUSE the stub file is what is
actually injected into all the crypted output files. So common sense being.. when
eventually, for example someone that you infected runs the crypted file and
maybe uploads it to virustotal (which distributes) or the antivirus itself distributes,
the crypted file has your stub code in it aswell as the crypted malicious code..
therefore the antivirus will then detect and put signatures causing the stub code
to become detected. Basically this stub code is injected into all crypted files so
obviously all the crypted files will then also become detected since it caries these
detected signatures.

Here is example crypter/stub projects in its simplest form that you can learn from,
there are comments explaining each part throughout the code
http://crypters.net/example-source.rar
just scim through it and try and get an idea of the different parts and what there
for, get familiar with it, if you dont fully understand it, its fine for now.
The best way for you to learn is by showing you a diverse set of tutorials, so
throughout this ebook, i will keep linking you different tuts. Here’s one of the best
tutorials on how to make a simple Crypter from HF (hackforums.net if you arent
already a member, go sign up)
http://www.hackforums.net/showthread.php?tid=204038
With this you might get some more understanding of how it all fits together in a
different way and Remember, by knowing how it all works together, the more
easier it will be to undetect the code
One of the biggest issues that I should address are compatibility with different
OS’s. Basically what affects the compatibility of certain OS’s for example
32bit/64bit win7, xpN is almost always the RunPE module that you are using.
What I would do is really read up on the source im using and test it out first
before I go ahead and modify it.
The way i learned how to make crypters and different methods of undetecting
them is from constantly reading and modifying every Crypter i got my hands on. I
encourage you to do the same and just start searching and browsing through the
coding/vb sections on,
http://hackforums.net
http://hackhound.org
http://www.opensc.ws/forum.php

Chapter 5 - vb6 Crypter Techniques BluePrint
Since Vb6 is the most popular programming language, the only disadvantage is
that it is harder to undetect the code. With this disadvantage, we have to keep a
few things in mind before creating a Crypter
vb6 and undetection - what to do and what not to do

When Making a Crypter, first always keep in mind to have the project placed
directly in the C:/ location on your drive because if it is for example in your
documents folder like (“C:/user/john/crypter/stub”) this whole string of text will be
shown and easily read by antiviruses and cause your crypted files to become
detected or provide an easy target for antiviruses to develop a signiture for. Now
this is only one factor to keep in mind but it is definitely something you should
know.
Ok now that you have your whole Crypter/stub projects on your C:/ drive, Lets
open up the project and do some of the main essential tasks for preventing
antiviruses from detecting these sources.
Changing Assembly information
First we are going to change the compilation settings for the .exe, like the file
version, description...etc These files settings are one of the first things antiviruses
check and is something you should always do when picking up and modifying
new sources without even thinking about it.. just make this a habit
Open the Stub Project and Right click in the project space on the top right and
click project Properties

Once your there, you should see few options like project name, startup object, if
you want to change any of that then do it. So now go into the next tab called
“Make”.
Here you should see the version info, title of application, icon, and in the middle
you will see “version Information” with comments, version, company name, file
description..etc
All these options should be changed to anything random.. especially when
starting from someone else’s source.
The Antivirus Signatures concept

Whats going to be explained here, you should always keep in mind when
undetecting, Read every bit of this section, some things you may know already
but there are definitely things you do not know which are very important.
To my experience there are 2 types of signatures, which i like to call..
Specific Signatures
Broad Signatures
Throughout making FUD Crypters you will come to realize that overtime all
crypters, private or public, will eventually become detected. Now the reason for
this is because not only do the people you spread the crypted files to have
antiviruses that automatically distribute..etc but also, antiviruses in cases where
they get alot of similar files distributed, try to create signatures for the most
unique parts of the code that all these malicious files have in common.
Now what i mean by that is for example Avira antivirus will detect a certain set of
api’s that’s being used in a certain variation of ways, corresponding to, and
interacting with, other certain parts of code. This is a broad type of signature,
unlike specific signatures that just detect a certain string of text in a certain part
of the code, this broad signature will then cause all the crypters using this api
related to this situation to become DETECTED.
This is the very disadvantage of programming in the most popular languages

where crypters are most popular to program with.
So now if you think about it, a stub can also only go so far in being unique
because antiviruses are always updating and populated their databases with not
only specific signitures but, these broad signitures which eventually overtime will
cause your crypter to become detected... no matter how unique your stub is, a
part of this code in relation to broad signitures will become detected. even if you

do nothing with it. Now it may be more unlikely depending on how unique, but
the point is that ..even if your doing nothing with your stub and never crypt files,
eventually it will become detected, all will.
So to clarify, The fact that from all the other Crypters being distributed that for
example that use a specific method of execution using a specific api which has
slight relation to how your Crypter was made, will cause your crypter to also
become detected.
Now with all this in mind, i want to make sure your not getting the impression that
all vb6 crypters suck and they will all get detected easily.. because this is not
completely true. As long as you use the right techniques and have your own
unique and creative way of doing things, the longer the Crypter will last.. and just
to let you know, when a crypted file is distributed, its not like it will become
detected right away.. It takes about a week to a few weeks for a signature to
made on the file and updated into the database.
So a point i want to also get across while you understand this concept is that,
The most honest true approach you will learn in this ebook, is the fact that no
matter what undetection technique or method you use, there is no one technique
that will last forever, they all eventually become detected, which means that
there’s no garantee for giving you a technique to easily just copy and paste to
make your fud crypter and live happily ever after, that would be a lie..
What This Ebook will give you, is a layout of the universal, proven
techniques that you can keep in mind so you can learn how they work, improve
upon them, and make variations of them to successfully make your own FUD
Crypters.

Finding and pinpointing Whats causing detection
To accomplish the process of finding and pinpointing detection it is required that

you understand the different parts of code and know what most of it does
because you will be literally taking apart the code when finding the cause of
detection.
I find that alot of people try undetecting there sources blindly by just throwing a
whole series of undetection methods at the code.. This is fine if your first starting
out from scratch on a fully Detected source.. but when there are only a few
antivirus’s detecting the source, you must start finding exactly whats causing
detection. This will save you tons of heart ache and make the whole undetection
process a whole lot easier.
Aright This is where all the learning happens, you will realize and learn alot of
how what code certain antivirus’s will detect. You will then be able to easily
mitigate certain antivirus’s and find that some antivirus’s are easier then others to
undetect from. You will then not only have a good set of knowledge from
experience of finding what causes detections for certain av’s, but you will also
easily gain a set of skills and new and improved techniques that build upon the
previous ones for undetecting against certain av’s.
Finding whats causing detection can be very easy or somewhat difficult

depending on if its a broad signature or a specific signature. The majority of the
time they will be specific signatures. I will be giving you an example of both.
Basically you will be pulling apart your code deleting them one by one, then
drilling down further deleting more specific, smaller bits of code until you end up
at whats exactly causing detection. When going through this process it can seem
like its time consuming but its actually not if you have the specific antivirus which
is detecting your file downlaoded and installed on your system so you can
instantly scan each compiled stub with certain bits taken out. A specific signature
detection in this example will be a small string in the RunPE module
So we will be taking apart the code and to do this, there are a few steps involved
1.The first logical step to take would be to first check if the detection is caused
somewhere in the first start of the program execution so delete everything in the
sub main() ..then compile the stub and scan it. no detection found so we move on
and put the code back.
2. delete all the code in each module one after another until the detection doesn’t
come up anymore. We then find out once we take out the runpe module the
detection goes away.

3. Now that we know the detection is coming from the RunPE module, we will put
the code back and drill down by first deleting each sub and function in the
module. We then find out the detection is coming from the CallAPIbyname
function
4. Now that we know which function is detected, we will then drill down further by
deleting each line of code. (depending on the size of the func, just delete each
segment and drill down from there, you can do the same for the modules, for
example you can delete the first half and second half of the function first)
5. Then once you found the string in the function thats causing detection the
whole undetection process comes into play. You can basically just recode the
portion of code that’s causing detection in a very different or even slightly
different way and combine this what you will learn in the next chapter, or simply
only use whats in the next chapter alone.
Broad Signatures
For detecting broad signatures, its pretty much the same process, The only
difference is that you have to be aware of a few more things throughout the
process.
I will show you some examples of a broad signature in this situation,
Lets say the “RtlMoveMemory” api is causing detection. Now if we are taking
apart the code using the process i just showed, you will realize that the detection
is coming from the module but you wouldn’t realize what is being detected inside
the module by doing the standard, remove each sub/func at a time. The reason
for this is that this api is used in multiple places throughout the module.
Sometimes you will even come across situations where variations of the same
piece of code is used throughout the module.
Also here is another technique you can use as a last resort

Chapter 6 - The Universal Undetection Process
Like I mentioned earlier,
The most honest true approach you will learn in this ebook, is the fact that no
matter what undetection technique or method you use, there is no one technique
that will last forever, which means that there’s no guarantee for giving you a
technique to easily just copy and paste to make your fud crypter and live happily
ever after, that would be a lie..
What This Ebook will give you, is a layout of the universal, proven
techniques that you can keep in mind so you can learn how they work, improve
upon them, and make variations of them to successfully make your own FUD
Crypters.
Ok so basically lets say you found a certain specific or broad portion of your code
thats causing detection, THIS is when the whole undetection process comes into
play.
So you have some options at this point depending on if you’re a beginner or
experienced programmer.
(More programming knowledge and how crypters are made will give you a huge
advantage when undetecting code)
So you can either just recode the portion of code that’s causing detection in a
very different or even slightly different way and combine this with the examples I
am about to show you
or you can only use the examples alone, using your own variations, of course,
and extensive amounts of them. Sometimes though, you will eventually realize
that no matter what undetection techniques and how much you use them based,
you have to actually end up recoding, or using a different variation of that same
code which do the same overall task, And this is very simple for someone who
has well rounded programming knowledge so this is why I say, you will have a
big advantage if you do too.

There are some vb6 crypter sources in the crypter sources section on this
page http://crypters.net/crypter-sources/
So pick which source you want to modify for the purposes of learning how
to use the techinques i will show you for undetection.
To some people, modifying another source and making it undetected, that

you didn’t make from scratch yourself, means your a fake or a skid..
Now when undetecting, alot of effort and work usually has to be done.. so
why make it harder on yourself when theres already sources out there all
doing the same thing just in different forms..? Why Reinvent the Wheel??
In alot of cases, to undetect and keep your Crypter undetected, you have
to change around code, replace code, add code... to the point where
making the Crypter from scratch is almost the same thing..
Some people have different way of doing things and have their reasons..
but from what im teaching for learning purposes and for beginners, you
will start by reading other sources and modifying them,
then eventually you can just code a very sophisticated one from scratch
someday in the future.
So again.. my point is, for now especially there is no need to reinvent the
wheel..

Here’s the basic outline of the whole universal undetection
process summed up in the most brief way
● Adding junk code for modifying execution flow and various other reasons
● Changing the order of all code aspects.
● Changing variable names
● String manipulation.
● Change Assembly information
● Add or change icon
The list goes can go on and on if you want to get specific and no specific
technique lasts forever, so The main thing to remember is to be very
creative and to try many.. MANY variations of ideas and techniques that
you think may confuse/distract/deceive antiviruses. Some antiviruses will
be deceived and bypassed easily with one technique even.. and another av
can be alot harder, so you would have to use variations of all these
techniques. This will definitely require dedication and effort, but can be
easy with a good set of techniques and practice. It all comes down to
experience and learning from it. I will be giving you and showing you
many examples that fall into the category of each of these methods so you
will get a perfect idea of how it all works so you can then use and improve
upon them with your own.
I will also be getting into automation tools that can do alot of these
undetection techniques for you instead of manually, but it is very
important that you understand how it all works manually because
eventually you will have to manually apply them.

About Unique Stubs and USG’s
Ok so you know how a USG comes with some Crypters right? Well these USG’s
also known as stub generators, generate unique versions of the stub for that
Crypter. How all of these USG’s generate unique stubs are from using all these
methods of undetection but in a click of a button.
How?
A set of techniques and methods are implemented into the USG using variations
of the same undetection method/techinque by randomizing the strings, variables,
and the order within these undetection techniques (like variations of junk code).
Also giving the user the ability to choose specific undetection options/methods to
use thus creating a “unique” version of the stub, This way, when someone’s stub
becomes detected there is a high chance another persons stub, using the same
Crypter, won’t get detected. Since the majority of the stub might have a different
variation and layout of the code from all the undetection options/methods used
in the usg, there is a high chance the signiture that causes the other stub to be
detected will not be shown, or in the same place in this other unique version of it
because it might be 90% different. So basically USG’s ultimately give an
advantage for how long the stub will last undetected.
If you dont fully understand this, its fine because you will better understand it
once you actually start learning and applying these actual methods and
techniques.
lets start with..
Adding junk code
Ok here’s pretty much all the types of junk code:
● junk subs/functions
● fake calls
● fake variables
● junk strings of text
● fake loops
● fake if/else
Basically all junk code is, is randomized portions of regular code which you
spread across your program that can either just be in between and/or throughout
your programs code, it can deceive or confuse execution but never actually
interferes too much with the process of execution to the point where it will
corrupt.

Here are some Examples of junk sub/functions with variations of junk
variables/if-else/loops...etc Just to give you an idea...

Here’s a simple example of a Fake Call to a junk sub at beginning of sub main()
for slightly modifying execution flow

So be creative, use variations of techniques over variations.. develop your own
techniques from these ideas. Never stop trying things and being creative, this is
the whole journey and thrill of making Your own FUD Crypter. One example of
being creative is, you can add a whole bunch of junk subs/func...etc, into a series
of junk modules and classes with nothing else but junk in them and fake
execution.
Changing the order of all code aspects.
This is a simple example so you can get an idea. Changing the order of your code can get
very complex and is essential. If you want you can even move a whole set of functions
and subs in another module or class.. be creative.

Changing variable names
Changing variable names is highly important and must be done.

Press ctrl + H and you will see a small replace form popup. It is very important
that you don’t messup the code, so always make sure you use the right options
when changing a certain variable or set of veriables in your code. For example
you could be changing a public variable which is used throughout your whole
project and without noticing, only selecting the “current module” option, causing
only the variables to be changed in that current module..
so always keep these things in mind when changing variables.

String manipulation
Changing and encrypting strings/api’s
Just like changing variables, changing strings can mess up your code if you
aren’t too cautious.. Especially when encrypting strings and api’s.
Encrypting strings and api’s are very powerful and is a must when it comes to
successfully creating a fully undetectable Crypter.
Some examples of string manipulation

● Encrypt Strings
● Reverse Strings
● String conversion
There are many types of encryption algorithms to encrypt strings with for
example the most popular are xor, rc4, Rot, string to hex. A big issue most
people arent aware of is the fact that sometimes when encrypting strings with
some RunPE modules.. bad things happen, files become corrupt, the Crypter
itself can become corrupt...etc So always be cautious of your string manipulation.
There are some important strings to always make sure are changed or encrypted
in your Crypter.
The first to take note of is, The Key Split which is, in the example below:
meEncPass = “thepassword”. Change the string to something like:
“aksefiaIUEHF@q#)*!qJFIAUEHFIwqNEOGq)#”
and remember, this string has to be the same key split in both the stub project
and the crypter project or the crypter will not work and give you a “subscript 9 out
of range” error when running the crypted file.
The second to take note of is, all the strings in the RunPE module. 99% of the
time these have to be encrypted no matter which runPE module you use. So
always remember to encrypt these..

For this example we are going to use a simple Src Undetector
http://www.mediafire.com/?uzqym10ttom
(First go in the OCX folder and run the registrar, then run the program)
Before you go any further, always keep a backup of your source because some
programs will mess up your code alot.. and you might also..
1. Once downloaded and ocx’s registered, Load the stub project.

2. Click one of the 3 string obfuscation buttons or right click in the project window
and select anything you want to try
3. if you encrypted the strings, remember to add the encryption function by right
clicking and selecting “Add Xor Function”
keep on doing it.. try many things, there’s no right or wrong way pretty much.

Add or change icon
Adding or changing an icon isn’t too good of an undetection technique but it can
undetect from 1 or 2 av’s in some situations. Also changing an icon can corrupt
files aswell but its actually pretty rare. The reason this would happens is most
likely because the icon size is different then the size the file can handle.
it is very simple to change an icon and i can show you in a few easy steps..
If you search around you can find many icon changers easily but for this example
we will use reshacker.
1. download reshacker here: http://crypters.net/ResHacker.rar

2. drag the file you want into the window
3. Click through the icon folders until you cant anymore then Right click on icon
or icon group and click replace resource
4. simply choose the .ico (icon filetype) to replace it with.

Tools and automation
The beauty of undetection is that there are tools which automate the universal
undetection process using variations of techniques and methods. These tools are
usually referred to as, Undetectors, or src undector..etc. If you think about it..
undetectors are very similar to USG’s. The only difference between a USG and a
undetector is that a USG, choosing and setting certain paramters, will undetect
and create a unique stub based on the scrambling/randomizing set of
undetection techniques in only a click of a button. The USG’s comes with a
certain Crypter which it will only create unique stubs for. On the other hand, a
undetector is for undetecting actual source codes using a set of options and
techniques. These options and techniques tend to be alot more flexible
compared to USG’s.
Since you now understand the basic concept of how undetection is applied, i
thought i would mention a link i found with tons of random tutorials on
undetection and automation.. the only problem is that most of them arent in
english but you may still benefit from some, heres link (tuts are in the manuals
section): http://www.level-23.org/
See you will come across valuable info like this if you just always search and
read around the different forums and remember to always download and read
more and more vb sources from vb sections of forums then modify them..etc
Heres another amazing and perfect thread with a video and download link on
using an undetector
(massive credits to Rusty)
http://www.hackforums.net/showthread.php?tid=173217&highlight=undetector
Earlier in the chapter i used a src undetector for an example of encrypting

strings. This src undetector can be used for many other undetection techniques
aswell
Heres a thread with almost all the free undetectors around.. (Sorry about those
shitcash links.. if it was my thread they wouldn’t be there)
If you dont want to, or cant download from those links, what i would do is search
through different forums with the names of the undetectors to see if there are any
other download links people are giving.

you might be wondering, well what tool did i use to undetect my crypter?
I bought a pretty advanced undetector from pr!ngles on HF called pringles

undetector or src undetector for around $50 usd, i would highly recommend it but
i’m pretty sure he doesnt sell it anymore and also not sure if its techniques are
outdated.
Here’s one of the threads with one of the versions of it (hopefully link is still alive)
http://www.hackforums.net/showthread.php?tid=220642&highlight=undetector
There should be others very similar to it or maybe even better nowdays, just
search through the sellers section of HF for undetector or something.

Chapter 7 - What you will learn from Undetecting Crypters
This is highly likely to be the most important sections in this ebook, so i advise
you to read it all.
There is no doubt you will learn alot from making and undetecting Crypters..
Everything you learn will help you along the way making things alot easier. If
some things discourage you right now, do NOT let it... just take immediate action
and start making your own right now. Use all of what i tought you and constantly
improve and add to everything. Combine methods and create your own. Once
you gain momentum and practice, the experience will pay off big time. Things will
become alot easier and you will have your own fully undetectable Crypters in no
time.
Ok now i want to let you in on some important things to keep in mind which will
help you benefit from the practice and experience you will gain.
Antivirses are alot more complex then you think.. so the main focus from
undetecting your crypters should be to always, on a consistent basis, learn and
understand more and more of how antiviruses detect and what they detect. With
this focus, you will have many realizations and insights for easily creating new
and improved techniques for bypassing certain av’s. The more you learn about
the antiviruses, the easier it will be for you to undetect parts of your code that are
detected by that certain antiviruse and creating new and improved techniques
that will not only just bypass the detection but also keep the code undetected for
long periods of time from that av by creatively coming up with unique techniques
that decieve or distract antiviruses in ways that are harder for that av to detect it.
Another piece of knowledge you will come to realize is the kinds of things certain
av’s will detect and the usual kind of techniques that will bypass those certain
av’s
Heres a simple example alot of people can relate to,

All the people that have successfully created FUD Crypters i think, know that the
av, Avira antivir usually will detect api’s in your code, and certain techniques that
will bypass this is for example, adding the callapibyname function to your code
and calling this function everytime you use the detected api.
what you should know though is that techniques that may bypass a certain av will
not ALWAYS bypass it in a month from now.. Antivirus’s are constantly being

updated, But just because they are constantly being updated, don’t let that
discourage you because usually a simple tweek to the method that worked a
month ago can work now and easily bypass the new detection, This is why you
must always be creative and learn from how the certain av works, what they
detect, and how they detect because it will help you GREATLY
keeping your Crypters undetected
Now that you understand the huge importance of learning and understanding
antivirus’s. Lets dive into how you can keep your Crypter undetected.
Ok so hopefully you already know that antivirus’s are constantly being updated
everyday, adding signatures and changing algorithms. This will not stop the
average hacker though.. :) with all the communities and forum members working
together, the Antivirus vs Crypter concept will never end. Hackers seem to have
always been the most creative and intelligent among the rest.
Ok so now i will tell you the approach to take for keeping your Crypters
undetected. Basically, i would first encourage you to always read up on new
posts and sources in the coding sections of these forums,
http://opensc.ws
Now here is probably the best advice anyone has ever give you,
The best way to keep up to date with undetection and antivirus’s aswell as learn
which techniques and methods are appropriate and best for certain av’s, is to
check up and read through as much as you can of:
“Undetection Techniques” sub-section in the “malware analysis” section
And
“Detection Thread” sub-section of the

“Basic” section (Hack Hound »Programming »Basic »The Detection Thread) You have to
register in order to view these
This section is undetection heaven.. people tell you and help eachother bypass
detections. In this section, lights will start flashing in your head, insights will
arise, and ideas will spark. Read through as many threads and pages as you
possibly can of undetection and malware on hackhound
Here another tactic to keep in mind.. basically WHENEVER a detection comes

up and you are stuck, search hackhound with variations of keywords related to
the av detecting it and the part of the code being detected for example,
copybytes avira which is referring to the api “copybytes” thats being detected and
avira being the av detecting it. Also what you can also do is just search with
variations of these same keywords related to your situation and search google..
or any other forum, you never know what you will find. I have had so many
detections solved from just doing extensive searching.
Goodluck.
Resources
If you have questions about something or want to learn more always refer to, and
search through
http://www.opensc.ws
Crypter sources, http://crypters.net/crypter-sources/

Source Undetectors http://www.hackforums.net/showthread.php?tid=231066
ResHacker http://crypters.net/ResHacker.rar
Awesome blog with awesome code http://www.advancevb.com.ar/

What did you think of the Crypter BluePrint?
Do you have any questions or suggestions for the Crypter Blueprint?
Please Go to this link to tell me so I can make it better,

http://www.surveymonkey.com/s/XKSVMBJ

Crypter Blueprint

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Crypter Blueprint

Загружено:

Авторское право:

Доступные форматы

The Crypter BluePrint

How to Create Your own FUD Crypter [The Right Way]

...In Less Than a Week

Limits of Liability & Disclaimer of Warranty

My name is Shawn and I'm 17 at the

Things i like to do are playing guitar,

Everyone starts out somewhere,and me?

About the Author

What you can expect from This EBook

Whats covered in this eBook?

the layout of this ebook is constructed as follows,

So lets get started

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Whats the difference between Crypter and a Packer?

Whats the difference between a Runtime and Scantime

A scantime Crypter encrypts the specified file so antiviruses aren’t able to

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

It is recommended to scan all files you crypt on

What is EOF and what is it used for?

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

What are “anti’s” on Crypters?

What is a file pumper?

Types and forms of Crypters

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

The Antivirus vs Crypter Concept

1. the first one is

Here are some multi antivirus scanners

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

And there is also individual antivirus scanners, for example:

2. The Second factor is

What can you do about this?

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

What do anti-viruses look for in a file?

(This is a screenshot of Hex Workshop)

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Ok now.. your either one of 3 people..

First we must download Visual Basic 6 of course.

1. download and install u torrent here http://www.utorrent.com/

Intro to programming with vb6

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Basic Vb6 Outline for Creating a Crypter

Crypters in Vb6 consist of two parts:

So programming a Crypter comes in these 2 parts and are made seperately in 2

You might be wondering,

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

vb6 and undetection - what to do and what not to do

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

The Antivirus Signatures concept

To my experience there are 2 types of signatures, which i like to call..

This is the very disadvantage of programming in the most popular languages

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://

To accomplish the process of finding and pinpointing detection it is required that

Finding whats causing detection can be very easy or somewhat difficult

Copyright © 2005-20010 Xinfiltrate – Crypters.net All Rights Reserved. http://