[ QUESTION ] — Hey @bytecode77, I have some doubts about this very interesting old project. 💭
Well, first of all... 💭
I hope you are well and everything is going great in your life! 💕
Well, I've been keeping an eye on this project and I've got some interesting ideas! But... I also have some doubts that I hope you can help me to solve! 💯
————————————————————————————————————————
Well, in your web page, you say the following about the executable named “payload.exe”: “Remember, that the payload is a separate and replaceable executable file.” -bytecode77
Now, I have tried to simply replace the payload.exe file with another one, like for example the “$77-Example.exe” file from your r77 project, but apparently, when trying to run the auto-morphic launcher, “$77-Example.exe” is never executed. 🤔
Is there something I'm not understanding, or something I should know, @bytecode77? 😓
Thanks for everything @bytecode77 and I hope you can get back to me when you have some free time, thanks! 🙏 💕
Hey there. This is just a PoC that demonstrates a C# executable that morphs its own code. It isn't in and of itself useful, so you can't swap out the Payload to "chain together" your own payload. It's merely a code demo.
Also, Payload.exe is a .NET payload, which I assume you replaced by a native payload.
So... there is no way to do exactly the same thing, but importing a non-.NET binary? 🥴
I mean, instead of compressing/encrypting the code, just encrypt the payload.exe stored in the resources. 🤔
Because the truth is it would be a very good way to protect a project... I mean, if there was a way to use your automorphic project as an executable launcher, it would be awesome! 💯💯
Nah... To protect a project from AV, use in-memory techniques. This is really just a PoC and can't be combined with unrelated techniques.
Wow, what a disappointment I just got «@byte», because I've been up all night, trying with all my strength to make such a loader come true. 🥴🤦♂️

As an automorphic loader, that would be able to carry a binary (an *.EXE, but not ONLY .NET, any *.EXE) as an embedded resource in encrypted form and that, when running the automorphic launcher, decrypts the resource in memory, executes the resource in memory using P/Invoke, re-encrypts the resource with a random key and compiles the whole launcher, morphing and obfuscating all variables, strings, etc... as it already does... 🔎

But if you say that's NOT possible... I guess I'm going to abandon my little project of creating an automorphic launcher that can host any binary executable as an embedded resource and decrypt it and run it in memory. 😞

For me you are a real inspiration @bytecode77, seriously, for me you are the best. 💕💯

And if apparently it's you who tells me that this is not possible, ...then I won't be the one to question it, really. 😓
If you're developing your own crypter and decided that it should be morphing, then you can implement that, sure. All I'm saying is that you cannot use this PoC as it is and swap out the Payload, as a PoC is generally not designed to be used in-place as it is.
So, if you're working on your own crypter, then you can look at how polymorphism and morphing stubs work from my project, etc. and do your own implementation.
Keep going...
So I'm not wasting my time? 🥴 Is it possible to do what I say? 🔎

I mean, create a launcher which has as an embedded resource my own *.exe payload, native, not .NET, and when running the launcher, in turn, decrypt the payload in memory and run the payload directly in memory to avoid any kind of footprint on the disk and then, after having run the payload, encrypt the resource with a new random key and use polymorphism to mutate the launcher code and auto-compile itself? 💭

Is it worth it? Is it possible to create something like that? 🤔 I wouldn't want to go round in circles for nothing. 😓

Any advice @byte for choosing the best way or practice to follow? 🧐
Not sure what exactly you're up to. You can achieve a morphing binary, or any other type of obfuscation. AV isn't affected as much by the morphing of the binary as by the evasion techniques used.
What I am looking for is to create a launcher which can store in an encrypted way a *.EXE binary, which does not have to be a .NET binary, and that when executing the launcher, let's call it ‘LOADER.EXE’, this in turn decrypts the embedded binary that is inside, let's call it ‘PAYLOAD.EXE’, and executes it directly in memory, without it ever being written to disk, to avoid leaving any trace or track. 🗒️🪶💭
And at the end of the execution of ‘PAYLOAD.EXE’, then, the launcher ‘LOADER.EXE’ applies the automorphosis that you show in this project, encrypting the embedded binary ‘PAYLOAD.EXE’ with a new random key. 🤔🧐
More than a technique to evade AVs, it would be extremely useful to protect my projects against reverse engineering techniques, debugging, etc... 🔎
I hope you now understand much better what I want to do @bytecode77. 💯💕
RunPE is the keyword for you, if you want to run a native executable in memory.
Good luck!
Okay @bytecode77, thanks for the tip. 🙏💕