We are going to do some TitanEngine coding in order to make it do a complete opposite of what it is meant for. We are going to force our good friend Titan to recreate a crypter we already made an unpacker for. Crypter we are recreating is called LameCrypt. So, what does LameCrypt do?

Its a very very simple crypter designed only to crypt the first executable section by XORing with 0x90. Extremely simple protection mechanism which looks just like this:

  PUSHAD
  PUSHFW
  MOV EBX,4C000
L003:
  XOR BYTE PTR DS:[EBX+401000],90
  DEC EBX
  CMP EBX,-1
  JNZ L003
  POPFW
  POPAD
  MOV EAX,0044CF38
  JMP NEAR EAX

That is the entire crypter code. To recreate it we will copy the binary for the code above and leave the constants blank. After processing that binary data looks like this:

60 66 9C BB 00 00 00 00 80 B3 00 00 00 00 90 4B
83 FB FF 75 F3 66 9D 61 B8 00 00 00 00 FF E0

All the zeroes above will be filled with the following data: virtual size of the first section, virtual offset of the first section and the address of the original entry point. This data, once filled to code above, will be written to the new section. List of actions to perform for this would be:

• Read necessary PE32 data
• Fill the  binary data from above
• Add new section to PE32 file
• Fill written data to it
• Encrypt the first section by XORing it with 0x90
• Update PE header data

Since this is a very simple crypter its code is very short. What makes this a Halloween post is the spooky fact that TE can be forced to create his own worst enemies, crypters! Until next time...

TitanEngine ReversingLabs Corporation

LameCrypter (Package contains binary and source files)