Crypter Handbook part 1 - security land

Learn Crypter from scratch.

Crypters are programs created to “obfuscate” (hide) the source code of a file. They encrypt the binary code of a file with an encryption algorithm such as DES or AES. The basic goal of a crypter (or of any form of encryption) is to take some form of data and encrypt it so that, to the untrained eye, it is incomprehensible and nonsensical, while keeping the ability to decrypt it and put it back into comprehensible and sensible terms.

However, nowadays we use considerably more complex ciphers than just shifting each letter down by one. We now call our ciphers algorithms: mathematical procedures that are applied to data to encrypt and decrypt it.

Sorts of crypters

The scantime crypter: This crypter encrypts a file and adds a part that decrypts it on the hard disk when the file is opened. It is named scantime because of its capacity to bypass antiviruses when the file is scanned.

The runtime crypter: The runtime crypter is like the scantime crypter but can also bypass antiviruses while the program is running. It decrypts the program in memory (RAM) and encrypts it again when the program is closed.

Examples of different crypters

Example of Carrot Crypter
Example of Razor Crypter

Crypters work by crypting (encrypting) the data (bits) of a program. An encryption algorithm (basically a cipher of sorts) is applied to the actual code of the program, and the program is then reassembled into a working form. There are generally three parts to a crypter. The first is the GUI with which we interact, often called the Client. The second is the stub: the part that actually takes the file we put into the GUI and encrypts it, then decrypts it when the time comes. The last part is a virus signature, a part of the binary code of a file that is detected by an antivirus.
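A defender-side consequence of the above, as an added example that is not part of the original page: because the crypted program is cipher output, it looks like random bytes on disk, so a fixed-window Shannon entropy scan locates the encrypted region that a runtime stub will later decrypt in memory. The sample “file” and the hash-derived filler standing in for ciphertext are constructed for this example.

```python
import hashlib
import math
from typing import List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every fixed-size window at or above the
    threshold. Ciphertext (AES, DES, RC4 ...) and compressed data score near 8
    bits/byte; x86 code, strings and PE headers normally score well below 7."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload
    (constructed for this example, not real cipher output)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample "crypted file": a plaintext-like stub region (strings,
# padding, import names) followed by a region that looks like ciphertext.
STUB_REGION = (b"This program cannot be run in DOS mode.\r\n" * 20
               + b"\x00" * 200
               + b"kernel32.dll\x00LoadLibraryA\x00" * 20)   # 1540 bytes
PAYLOAD_REGION = pseudo_random_bytes(2048)
SAMPLE = STUB_REGION + PAYLOAD_REGION

if __name__ == "__main__":
    # First ciphertext-like window starts at offset 1536; the stub windows are clean.
    print(high_entropy_regions(SAMPLE))
```

Real packers and crypters vary the window size and threshold, and some pad the payload with low-entropy bytes to blunt exactly this check, so treat the score as one signal to correlate with others (overlay size, import table, section names) rather than a verdict.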

Learning from scratch

Scantime – A ScanTime crypter encrypts the file so antiviruses won’t be able to analyze it before execution (when the file is first scanned by the antivirus), but not when it is executed.
Runtime – A RunTime crypter encrypts the file so that when it is executed (run by the user), it is decrypted in memory. This way antiviruses can’t analyze the file either before or after it is executed. A RunTime is typically more secure than a ScanTime; generally, good crypters are both ScanTime and RunTime.
EOF – EOF stands for End of File. Some malicious files (such as Bifrost, Medusa, or Cybergate) require the end-of-file data in order to run without being corrupted. If a crypter doesn’t preserve this end-of-file data, the crypted file becomes corrupt.
USG – A USG is part of a special type of crypter. It generates a unique version of the stub (hence the name Unique Stub Generator) each time it is used. The purpose of this is to help keep crypters FUD.
Stub – The stub is the part of the crypter used to encrypt the specified file and decrypt it again later.
Client – The client is the GUI of the crypter; it’s what users interact with and upload their file to.
Antis – Antis (anti’s) are extra features found on some crypters. Each is dedicated to bypassing or preventing one specific thing. For example, an anti-debugger might prevent the file from being debugged, and an anti-Avira would specifically protect against detection by the antivirus called “Avira”.
File pumper – A file pumper “pumps” your file, meaning it adds more bytes to make it appear larger. The benefit is usually not great, but it can be useful, and you might even lose a detection.
FUD – FUD stands for Fully Undetectable. A FUD crypter is completely undetected by all antiviruses. UD stands for Undetected, meaning the crypter is mostly undetectable on most antiviruses. Nobody uses the term D (they just say “detected” or “no longer working”); in theory, however, it would stand for a crypter that is detectable on virtually all antivirus systems.