Topic created on: August 25, 2007 08:35 CDT by XackerX
Hello
I wrote this program to make PEiD and RDG and ... confused.
In other words, it adds a section to your exe files and changes the signature of the file.
Download Link of TrickySigner v1.0
http://xackerx.persiangig.com/TrickySigner/TrickySigner.rar
On the subject of fooling packer detectors, skape's locreate can be used to do this in a pretty cool way. Read that paper first, or the rest of this post isn't going to make any sense. Here's an excerpt from an email that I sent him at the time:
"I spent a bit last night thinking about how to transmute arbitrary byte arrays into other byte arrays using relocations.
Imagine the relocation addend was 0x01000000; then we could generate a list of #(desired byte - starting byte) relocations at the addresses that we wanted to permute (address minus three because the 0x1 is the top byte). If the addend was 0x01, we'd do the same thing but we'd also have to model the carry flag's effect on additions for all three higher bytes, which is irritating.
It turns out we can generate another simple addend, 0x80010000, by simply mapping the executable at 0x80000000 (and assuming the relocated address is 0x10000). Then the process of applying multiple relocations to a dword looks like this:
0x80fe0000 + 0x80010000 = 0x00ff0000
0x00ff0000 + 0x80010000 = 0x81000000
Every time the addition on the third byte wraps, the result is an increase of 0x1 to the fourth byte. For every addition unconditionally, the top bit on the fourth byte is flipped.
On the whole, then, the process of increasing the third byte in a dword increases the fourth by A+B, where:
A = 0x80 if the source and target bytes have different parity; 0 otherwise
B = 0x01 if the target is less than the source; 0 otherwise
Permuting a byte array is therefore straightforward:
for(i = 0; i < 5; ++i)
{
    // Generate #((DestByte[i] - SrcByte[i]) mod 256) relocs at the address minus two
    // (the 0x01 of the addend lands on the third byte of the relocated dword);
    // this may be zero, in which case we skip it
    GenerateRelocs( OepAddress + i - 2, (DestByte[i] - SrcByte[i]) & 0xFF );

    // model the effects on the next byte sequentially by adding A + B described above:
    // A = 0x80 if source and target parity differ (an odd number of additions flips the top bit),
    // B = 0x01 if the target is below the source (the byte wrapped once)
    if(i != 4)
        SrcByte[i+1] += (((SrcByte[i] & 0x1) ^ (DestByte[i] & 0x1)) << 7) + (SrcByte[i] > DestByte[i]);
}
The worst case is N * 0xFF relocations for changing N bytes. Note that we may spoil the sixth byte at packer EIP by 0x80, 0x81, or 0x0, but this is irrelevant.
So now we can replicate arbitrary packers' signatures and fool PEiD.
* Rip PEiD's signature database. Select a random packer signature from it.
* Map executable at 0x80000000; safe on 32-bit non-/3GB systems.
* Create a new section, LoCreate.
* Copy the bytes from the signature to the beginning of that section.
* Work out what a jump from the packer EP to the OEP would look like (0xe9 ?? ?? 0xf? 0xff probably).
* Create a sequence of relocations that transmute the original packer entrypoint bytes into that jump, add them to the LoCreate section, and point the relocation data in the PE header to them.
Pretty silly ultimately, but I bet you could crash some AV engines' static scanners and irritate amateur reverse engineers with this."
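The relocation arithmetic described in the post above, as an added simulation that is not part of the original post, of locreate, or of TrickySigner. It models what the loader does when it adds the delta 0x80010000 to a dword, plans the per-byte relocation counts with the post's A + B carry rule, applies them to a constructed byte buffer, and then checks the result. The function names, the sample entry-point bytes and the "more than one relocation against the same address" heuristic at the end are this example's own assumptions; the heuristic is the kind of check a static scanner could use, since a normally linked image relocates each address at most once.

```python
# Added example: simulation of the "transmute bytes via relocations" trick.
# Not code from the post; names and sample values are constructed for illustration.
from typing import List

ADDEND = 0x80010000   # image base 0x80000000 plus assumed relocated address 0x10000
MASK32 = 0xFFFFFFFF


def add_reloc(dword: int) -> int:
    """One HIGHLOW relocation: the loader adds the delta to a 32-bit value, mod 2^32."""
    return (dword + ADDEND) & MASK32


def plan_relocs(src: bytes, dst: bytes) -> List[int]:
    """Number of relocations to apply at (offset - 2) for each byte position,
    following the post's rule: byte i needs (dst - src) mod 256 additions, and
    each addition adds 0x80 + carry to byte i + 1 (A + B)."""
    assert len(src) == len(dst)
    s = bytearray(src)
    counts = []
    for i in range(len(s)):
        n = (dst[i] - s[i]) & 0xFF                   # additions needed on byte i
        counts.append(n)
        if i + 1 < len(s):
            a = ((s[i] ^ dst[i]) & 1) << 7           # A: top bit flips once per addition
            b = 1 if dst[i] < s[i] else 0            # B: byte i wrapped past 0xFF once
            s[i + 1] = (s[i + 1] + a + b) & 0xFF     # model the spill into the next byte
    return counts


def apply_relocs(image: bytes, base_offset: int, counts: List[int]) -> bytes:
    """Apply the planned relocations to a little-endian buffer exactly as the
    loader would: the dword targeted for byte i starts at base_offset + i - 2."""
    img = bytearray(image)
    for i, n in enumerate(counts):
        off = base_offset + i - 2
        for _ in range(n):
            dword = int.from_bytes(img[off:off + 4], "little")
            img[off:off + 4] = add_reloc(dword).to_bytes(4, "little")
    return bytes(img)


def stacked_reloc_targets(base_offset: int, counts: List[int]) -> List[int]:
    """Heuristic (assumption of this example): addresses hit by more than one
    relocation entry. A normally linked image relocates each address once."""
    return [base_offset + i - 2 for i, n in enumerate(counts) if n > 1]


# Constructed sample: five packer entry-point bytes (pushad; call ...) that should
# become a five-byte jump. Two bytes of padding precede them because the first
# relocated dword starts two bytes before the entry point.
SRC = bytes([0x60, 0xE8, 0x00, 0x00, 0x00])
DST = bytes([0xE9, 0x12, 0x34, 0xF5, 0xFF])
IMAGE = b"\x00\x00" + SRC + b"\x90\x90"
EP_OFFSET = 2


def run_demo() -> dict:
    counts = plan_relocs(SRC, DST)
    out = apply_relocs(IMAGE, EP_OFFSET, counts)
    return {
        "counts": counts,
        "total_relocs": sum(counts),
        "patched": out[EP_OFFSET:EP_OFFSET + len(DST)],
        "spoiled_sixth_byte": out[EP_OFFSET + len(DST)],
        "stacked_targets": stacked_reloc_targets(EP_OFFSET, counts),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"relocs per byte: {r['counts']} (total {r['total_relocs']})")
    print(f"patched bytes:   {r['patched'].hex()}  target {DST.hex()}")
    print(f"sixth byte now:  {r['spoiled_sixth_byte']:#04x}")
    print(f"addresses with stacked relocations: {r['stacked_targets']}")
```

Running the demo shows that the five entry-point bytes come out exactly as planned, that the byte after them is disturbed (here by 0x80, landing on 0x10 from 0x90), and that every relocated address was hit far more than once, which is the static signal a scanner can key on.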