[Tutorial] Make tools undetected [File CRC Checks]

Yo!

I decided to create again tutorial about scripting in AutoIt. This time I will show you, how to make your trainers undetected!

Some anti-hackshields use fielchecks (crc) to detect some tools (hgwc does it in games like S4 League, Crossfire etc.). I will show you a special way to bypass that. Ofc, you can do some byte patches in the programs that checks it, or hooks some apis but I wanna show you this way :3

In the theory, it looks like that:

Encrypt the binary of your file you want to make undetected
Write it in a sourcefile (you can do it in other ways, its just an example)
Create a stubfile wich will run your tool from the memory (known as RunPE >> no additional processes)

So lets start! First we have to create a program that encrypts our tool (wich we wanna make undetected). I do it in this way:

Spoiler

In this source, we open the file, read the binarys, encrypt them and save them in a new file.

Ofc you can use other UDF's instead of the Crypt.au3, I choosed it because its already addet to the includes in AutoIt ;o In my example, I use sourcefiles, you can directly write the encrypted filebytes in the executable, its your decision how you do it. This is just a tutorial for suggest you some ideas ^^

After we have crypted the filebinary and saved it to a file we can start now with the stub:

Spoiler

Code:

If @Compiled = 0 Then
	MsgBox(0, "Error", "Compile file first!")
	Exit
ElseIf @AutoItX64 = 1 Then
	MsgBox(0, "Error", "Please compile as 32 bit executable!")
	Exit
EndIf

#RequireAdmin ;better to req for admin rights

#include <Crypt.au3>

If FileExists("filesrc.txt") = 0 Then
	MsgBox(0, "Error", "Filesource not found!")
	Exit
EndIf

$aFile = FileOpen("filesrc.txt", 0) ;open src file
$aEncryptedBinary = FileRead($aFile) ;read it

$aDecrypted = _Crypt_DecryptData($aEncryptedBinary, "randompw", $CALG_RC4) ;decrypt it (remembe to use same pw & algorithm as in the encryption!)
_RunBinary($aDecrypted, @ScriptFullPath)

Func _RunBinary($hBinary, $hPath) ;credits to pinguin, i only cleaned it up

	Local $hInput, $hPointer, $hStartupInfo, $hProcessInfo, $hProcess, $hThread, $hContext, $hDOSHeader, $hMagic, $hSig, $hFileHeader, $hNrSections, $hOptionalHeader, $aMagic, $hEP
	Local $hImageBase, $hImageBaseSize, $hPEB, $hBaseAdr, $tmpCall, $hRemoteCode, $hNewHeader, $hNewHeaderSize, $hImageSecHeader, $hSizeRawData, $hPointerRawData, $hVirtualAdress

	$hInput = DllStructCreate("byte[" & BinaryLen($hBinary) & "]")
	DllStructSetData($hInput, 1, $hBinary)
	$hPointer = DllStructGetPtr($hInput)

	$hStartupInfo = DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;ushort ShowWindow;ushort Reserved2;ptr Reserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")
	$hProcessInfo = DllStructCreate("ptr Process;ptr Thread;dword ProcessId;dword ThreadId")

	DllCall("kernel32.dll", "int", "CreateProcessW", "wstr", $hPath, "ptr", 0, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($hStartupInfo), "ptr", DllStructGetPtr($hProcessInfo))

	$hProcess = DllStructGetData($hProcessInfo, "Process")
	$hThread = DllStructGetData($hProcessInfo, "Thread")
	$hContext = DllStructCreate("dword ContextFlags;dword Dr0;dword Dr1;dword Dr2;dword Dr3;dword Dr6;dword Dr7;dword ControlWord;dword StatusWord;dword TagWord;dword ErrorOffset;dword ErrorSelector;dword DataOffset;dword DataSelector;byte RegisterArea[80];dword Cr0NpxState;dword SegGs;dword SegFs;dword SegEs;dword SegDs;dword Edi;dword Esi;dword Ebx;dword Edx;dword Ecx;dword Eax;dword Ebp;dword Eip;dword SegCs;dword EFlags;dword Esp;dword SegS")

	DllStructSetData($hContext, "ContextFlags", 0x10002)
	DllCall("kernel32.dll", "int", "GetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($hContext))

	$hDOSHeader = DllStructCreate("char Magic[2];ushort BytesOnLastPage;ushort Pages;ushort Relocations;ushort SizeofHeader;ushort MinimumExtra;ushort MaximumExtra;ushort SS;ushort SP;ushort Checksum;ushort IP;ushort CS;ushort Relocation;ushort Overlay;char Reserved[8];ushort OEMIdentifier;ushort OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $hPointer)
	$hPointer += DllStructGetData($hDOSHeader, "AddressOfNewExeHeader")

	$hMagic = DllStructGetData($hDOSHeader, "Magic")
	$hSig = DllStructCreate("dword Signature", $hPointer)
	$hPointer += 4

	$hFileHeader = DllStructCreate("ushort Machine;ushort NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;ushort SizeOfOptionalHeader;ushort Characteristics", $hPointer)
	$hNrSections = DllStructGetData($hFileHeader, "NumberOfSections")

	$hPointer += 20
	$hOptionalHeader = DllStructCreate("ushort Magic;ubyte MajorLinkerVersion;ubyte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;ushort MajorOperatingSystemVersion;ushort MinorOperatingSystemVersion;ushort MajorImageVersion;ushort MinorImageVersion;ushort MajorSubsystemVersion;ushort MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;ushort Subsystem;ushort DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes", $hPointer)
	$hPointer += 96

	$hMagic = DllStructGetData($hOptionalHeader, "Magic")
	$hEP = DllStructGetData($hOptionalHeader, "AddressOfEntryPoint")
	$hPointer += 128

	$hImageBase = DllStructGetData($hOptionalHeader, "ImageBase")
	$hImageBaseSize = DllStructGetData($hOptionalHeader, "SizeOfImage")

	$hPEB = DllStructCreate("byte InheritedAddressSpace;byte ReadImageFileExecOptions;byte BeingDebugged;byte Spare;ptr Mutant;ptr ImageBaseAddress;ptr LoaderData;ptr ProcessParameters;ptr SubSystemData;ptr ProcessHeap;ptr FastPebLock;ptr FastPebLockRoutine;ptr FastPebUnlockRoutine;dword EnvironmentUpdateCount;ptr KernelCallbackTable;ptr EventLogSection;ptr EventLog;ptr FreeList;dword TlsExpansionCounter;ptr TlsBitmap;dword TlsBitmapBits[2];ptr ReadOnlySharedMemoryBase;ptr ReadOnlySharedMemoryHeap;ptr ReadOnlyStaticServerData;ptr AnsiCodePageData;ptr OemCodePageData;ptr UnicodeCaseTableData;dword NumberOfProcessors;dword NtGlobalFlag;ubyte Spare2[4];int64 CriticalSectionTimeout;dword HeapSegmentReserve;dword HeapSegmentCommit;dword HeapDeCommitTotalFreeThreshold;dword HeapDeCommitFreeBlockThreshold;dword NumberOfHeaps;dword MaximumNumberOfHeaps;ptr ProcessHeaps;ptr GdiSharedHandleTable;ptr ProcessStarterHelper;ptr GdiDCAttributeList;ptr LoaderLock;dword OSMajorVersion;dword OSMinorVersion;dword OSBuildNumber;dword OSPlatformId;dword ImageSubSystem;dword ImageSubSystemMajorVersion;dword ImageSubSystemMinorVersion;dword GdiHandleBuffer[34];dword PostProcessInitRoutine;dword TlsExpansionBitmap;ubyte TlsExpansionBitmapBits[128];dword SessionId")
	DllCall("kernel32.dll", "int", "ReadProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($hContext, "Ebx"), "ptr", DllStructGetPtr($hPEB), "dword", DllStructGetSize($hPEB), "dword*", 0)

	$hBaseAdr = DllStructGetData($hPEB, "ImageBaseAddress")
	DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", DllStructGetData($hContext, "Ebx") + 8, "ptr*", $hImageBase, "dword", 4, "dword*", 0)
	DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $hProcess, "ptr", $hBaseAdr)

	$tmpCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "ptr", $hProcess, "ptr", $hImageBase, "dword", $hImageBaseSize, "dword", 12288, "dword", 64)
	$hRemoteCode = $tmpCall[0]

	$hNewHeader = DllStructGetPtr($hDOSHeader)
	$hNewHeaderSize = DllStructGetData($hOptionalHeader, "SizeOfHeaders")
	DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $hRemoteCode, "ptr", $hNewHeader, "dword", $hNewHeaderSize, "dword*", 0)

	For $i = 1 To $hNrSections Step 1
		$hImageSecHeader = DllStructCreate("char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;ushort NumberOfRelocations;ushort NumberOfLinenumbers;dword Characteristics", $hPointer)
		$hSizeRawData = DllStructGetData($hImageSecHeader, "SizeOfRawData")
		$hPointerRawData = DllStructGetPtr($hDOSHeader) + DllStructGetData($hImageSecHeader, "PointerToRawData")
		$hVirtualAdress = DllStructGetData($hImageSecHeader, "VirtualAddress")

		If $hSizeRawData Then
			DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $hRemoteCode + $hVirtualAdress, "ptr", $hPointerRawData, "dword", $hSizeRawData, "dword*", 0)
		EndIf

		$hPointer += 40
	Next

	DllStructSetData($hContext, "Eax", $hRemoteCode + $hEP)
	DllCall("kernel32.dll", "int", "SetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($hContext))
	DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)

EndFunc

Hm, thats really more code then before ^^ First, we check if the file is compiled (doesnt works with an .au3, dont know if it works with a3x. I dont think so...), after that, we check if its compiled as an 64 bit executable. This wont work good, so its better to compile this in 32 bit. Then, we check if the filesource exists (if not, we would have a dead process). Now, we read it, decrypt it (remember to use the same key and algorhytm in the encrypter and the stub! Otherwise it wont work!) and run the decrypted binary. Thats all.

The complete source and all the stuff wich is needet for testing and so on can get downloadet in the attachment! VT can be found there too.

As I said, there are much thinks that you can change, its your decision how you want to do it.

Hope you like my little tutorial ^^ This tutorial is only for education! What you do with this, is your responsibility.

Regards, K1ramoX