Hacker
Professional

Following up on my thread about installs and how to get them from sellers, I decided to write what is probably the most important article of all, on a topic that stands apart, shimmering with every colour of the rainbow, and about which you will not find any information anywhere. Anywhere at all, I guarantee it.

So, welcome - a bloody blister, a festering abscess and a headache for everyone who works with logs, traffic and installs - the file crypt!
What you will learn from this article:
~ What a file crypt is, what it includes, what it does not include, and what belongs to a different story altogether.
~ Why 99% of crypt services on the market are useless dummies with a hellish overpayment of money.
~ The difference between a "unique" and a "public" stub.
~ What the difference is between scantime and runtime.
~ Runtime - why it is not quite a crypt and not quite a simple thing.
~ Loading the file in the browser.
~ Smartscreen.
~ What to do in the end and how to solve the crypt issue.
~ And much, much, much more!
The article is based strictly on extensive empirical experience of extracting logs and, as a consequence, crypting files of various kinds. In the end I had to completely abandon public services, then private services, and then dive headlong into the ins and outs of this niche. In this article I will simply introduce you to the results.
Who will this be useful for?
~ Complete beginners, to immediately understand the big picture and the pitfalls.
~ Experienced people who are already tired of paying God knows what for something that either does not work or works crookedly.
~ Cryptors who have decided to raise the level of their service (who knows, maybe there will be some of those here).
Who should pass by:
~ Mom's basement warriors and monkeys with 200% click rates - nothing can be proven to you, and any information that does not fit into your pigeonhole way of thinking is pointless to explain to you.
3 nuances at once
First. This time I will write the article in plain, common language, without epithelial phrases and neuromuscular phrases together with con-linguistic neologisms. In general, we will do without linguistic antics, because the topic is really complicated. Professionals will find many simplifications, though the essence is conveyed correctly - I have to focus on the average user.
Second. I'm not going to trash services here and show that I am the smartest and so on. If some crap doesn't work, there is no need to explain in complicated words (which usually cover up one's own professional worthlessness) why it supposedly works. Instead I will tell you how to check whether it works, and why most cryptors are monkeys who can only press one button. THAT'S IT! Nothing more. If you have a good service that suits your conditions, great, rejoice. If your service also passes my verification methods, then be doubly happy. You have caught a rare bird by the tail.
Third. I'm not going to describe everything in purely professional and technical terms. At the very least, I'm not an ultra-class techie. My task is to convey the essence correctly and explain on my fingers what should be done and how things should work in the end. Personal experience also suggests that the more smart words and terms a person dumps out, the more it shows that his level as a professional tends to zero. Why? Because a real expert can explain any topic both in simple words for a beginner and in scientific terms for a professional.
What is a file crypt and why is it needed?
If complete newbies are reading this article, I will have to explain from scratch. Roughly speaking, the file is crypted so that it looks white and fluffy to antivirus software. That is, it can be downloaded and run without any consequences from that very AV.
In general, this is where the crypt's task ends. But folk legends gradually began to ascribe absolutely magical properties to it (the crypt, that is), and by now, in 2020, a "proper crypt" does everything except cure stage 4 leukemia.
Active and proactive OS protection systems
We have figured out what a crypt is. Now let's go through the next question, which few people understand in general, and some aspects of it in particular. So, let's look at all the protection systems in order, from start to finish. We will return to each point in more detail later.
1) Downloading the file in the browser - the file's "ability" to pass the browser check without triggering any alerts (the file is dangerous, the file is potentially dangerous, the file is rarely downloaded, the file is blocked, etc.). The download should simply work - the file has been downloaded and is ready to open. That's it! No other options.
2) Static antivirus scan, or ScanTime - the AV checks the file right inside the browser while it is being downloaded. A good crypt is responsible for passing this. For some antiviruses this option can be disabled, in which case the scantime scan is not performed.
Intermediate result - for the file to download without problems and without alerts, 2 protections must be passed - the antivirus and the browser.
3) UAC - services sometimes like to show off that they have implemented a User Account Control bypass. It has nothing to do with the prompt to open a file when downloading from a browser. In general you do not need an extra alert, so it is worth taking care of the bypass, since it is not difficult.
4) Dynamic AV check at launch, the so-called RunTime - when the file is launched, the AV begins actively checking it according to its algorithms. The crypt is responsible for passing this test, and it must pass it. If the AV doesn't like something - you get nothing. We'll talk about the difference between scantime and runtime a little later. And we will devote a separate block of the article to runtime, where everything is extremely difficult.
5) Smartscreen is another proactive protection system not associated with antivirus. It verifies the file's signature and certificate. If it doesn't like something, it starts asking questions like "Are you sure you want to run this file?" The logic of its operation is beyond human understanding. We will look at it separately, because you will not find information about Smartscreen anywhere else.
So, to sum up the final result - for the file to launch without problems, 2 more protection systems must be passed - the dynamic antivirus check and Smartscreen. If your build works (and many crypts kill the build's functionality, by the way) - you get the long-awaited knock on the panel.
Checking the quality of the crypt - step one
If you have a brain or already have experience, you should immediately realise that the crypted file needs to be checked somewhere for operability and for the ability to bypass protection systems, antiviruses in particular. And while checking a file for loading is quick and easy, checking the file for bypassing the protection of antiviruses, of which there are three dozen, is, to put it mildly, a problem.
That is why all sorts of AV checkers were invented - from the well-known VirusTotal (VT), which leaks everything to the enemy (logically, that's its job), to the supposedly shadow checkers which do not leak anything (avchek, scanmaybin and dinchek).
The logic is simple - you upload a file, tick the AVs that interest you, press the button and wait for the results. The dinchek service (the only one) can also check runtime - you can configure the parameters and see how your file behaves when launched.
Most important note #1 - 90% of services do not deal with runtime. Why? More on that later.
Critical note #2 - you will be surprised, but most hamsters do not even know about such a parameter as runtime. Firstly, because see point 1. Secondly, because it can be checked automatically only on dinchek, and that is quite expensive (3.5 bucks one-off or a subscription from 50 dollars a week).
Most important note #3 - I can't confirm it, but it seems that avchek is leaking information "on the side". Files started dying too quickly when I was working with it. Nothing of the kind was noticed with dinchek.
Checking the quality of the crypt - step two
Attention! ALL AV checkers are a global scam and the scam of the century!
Comrade, before you run off, tongue hanging out, to check your crypt on that same dinchek, read this article, especially this paragraph, and your world will turn upside down.
So, I won't beat around the bush. If you have already visited forums specialising in services like file crypts, you may have noticed that everywhere the measure of success is zero scantime detections via dinchek (usually everyone uses it). Some call it FUD = 0, others call it something else, but the essence is simple - the file is checked somewhere and with an important look you are shown a link like "here, all zeros, take it and sign".
Software creators usually show runtime statistics like: "We have only N detections, everything is cool and awesome."
And the whole point I am making is that the data shown by the checkers is WRONG!
Critical note #4 - I don't know why, I won't lie. I have not studied how the checkers work and what algorithms they use. At least if there are detections, the checkers are right with 80-90% probability. Otherwise they critically diverge from reality. If anyone has assumptions / data - write me a PM, we'll talk.
It all started when antiviruses on machines detected a file that by default could not be detected, because all the checkers showed that the file was clean.
"What the hell?" I thought, and we decided to dig deeper into this issue.
1) 15 machines were set up on WIN 10, with 15 official antiviruses installed on them.
2) We went through most of the well-known public and semi-public crypt services and tested them live. Live, precisely. Taking the file and personally pushing it through the browser onto the machine and trying to run it.
Result for scantime and runtime - the discrepancy with the live check was up to 80%
Again. In eight cases out of 10 where the checkers showed that everything was clean, in reality a detection was observed! Especially on top antiviruses such as Avast, NOD, ESET and others.
Since I can already feel that readers are starting to get their butts burning and their hands are ready to type angry messages about "their personal 90% response rate", I will immediately make some adjustments.
Let me give you an example.
I made, gentlemen, a crypt of my file. It loads, my dears, everything with it is glorious and blissful. I decided to download it onto my own machine. So what? An extra check won't hurt. And I have AVAST on my own machine, such a dog, it doesn't miss a single piece of filth. And then, gentlemen, I download the file, and it, the infection, is detected! Well, I'm no fool, I quickly run a scantime scan again - everything is clean, damn it!
Son of a bitch! I took a couple of RDPs on Win 10, put AVAST there, killed, gentlemen, half a day. Downloading - detections! Detections, fuck it! And the checker shows that everything is clean!
So what does this mean for me: if you personally check a file on a live machine with a certain AV, or even on several machines with the same AV, and a notice about the presence of rubbish in the file stubbornly crawls up at you - what are your conclusions? Who is right - the checker or your personal observations? I'll leave the question open.
Still disagree with me? Then read on, I will consider this issue further in the section "How then does everything work with such detections?"
Checking the quality of the crypt - step three
So, if I have shaken your picture of the world and you have decided to check my words for yourself, your next step is simple - you need to make / buy at least 10 machines (the top 10 antiviruses provide 90% coverage) and personally check the crypted build for detections.
Yes, by hand. Yes, in such a pain-in-the-ass way. But this is the only way you can be sure of the quality of the work you have done!
Check runtime the same way. Then you will see the real picture of the world and can estimate the approximate losses when the file gets picked up.
And finally - nothing stops you from using checkers for an indirect assessment of the crypt's "standard of living". If, after loading, detections start to appear on dinchek, then with 80-90% probability that is really so.
Critical note #5 - Why then do cryptors ignore such obvious discrepancies? My opinion is that checking this way is 1) too tedious 2) impossible to prove to the client. Because the opposite situation also happens, when a file that is clean on live machines is for some reason intensively shown on dinchek as infected. The client can't prove it, and who needs that?
Critical note #6 - From a technical point of view, making a clean scan based on the results of LIVE machines is no more difficult than making a clean scan for dinchek. But here the customers' lack of understanding leads to it being easier for cryptors to feed them false detection data. And everyone is happy.
What is the difference between scantime and runtime?
In this post I answer 2 specific questions at once:
~ What is the file crypt process?
~ Why do 99% of cryptors not deal with runtime?
So. Let's keep it very simple for speed, otherwise one could sit down and write a whole book here.
To make a crypt, first of all you need a "crypt module", which is bought or made from scratch. Then, on the basis of this module, a stub is created (I am simplifying the explanation as much as I can, without unnecessary theory). And then you can put any monkey there to press the button and get the finished file.
Therefore, if you meet a support person who is totally clueless about the subject and yells with curses that everyone is stupid, a monkey has been detected. The person was just put there to press a button and that's it. He won't be any further help to you.
Most important note #7 - Of course, the resulting stub will gradually start failing and will have to be cleaned, upgraded and adjusted to the changing environment. Which is no longer the easiest task.
Now attention!
All of the above is true ONLY for scantime. Modules that would allow automatically crypting files for runtime do not exist due to the difference in... let's call it... the technological nature of the process. So it turns out that cleaning runtime is strictly manual and painstaking work.
Most important note #8 - Due to the laboriousness and the average market price for a crypt (20-50 bucks), there is no point in services cleaning runtime. With the logical question "Why the hell do you need a clean scantime if there are 100,500 detects at runtime?" we move on to the next topic.
What is runtime?
Let's repeat. Runtime is when you run a file, the antivirus scans it and makes sure the process is not dangerous. Meanwhile the file is doing its dark deeds. From this alone one can see that cleaning runtime is much more complicated than making a clean scantime. And cleaning runtime HAS no relation to the crypt.
Runtime does not use the algorithms of the module used for the scantime crypt. Again, runtime cleanliness largely depends on the cleanliness of the build that the creator of your software produces. Runtime detection is of two types - static detect and dynamic detect.
Scantime and runtime are two completely different operations lying in completely different areas! And they do not intersect in any way.
Conventionally, a runtime crypt is done as follows:
1) The AV's working algorithms are studied
2) The scanning methods are studied
3) Weak points of the scanning are found
4) The file is "cleaned up"
As you can imagine, no AV has a magic button "decompile the file and get into its guts", otherwise any tricks would be useless.
Therefore, when the file is launched, roughly speaking, "primary processing" of the data is carried out according to algorithms set by the AV. The cryptor's task is to identify and bypass them. Next, the file will most likely be sent for in-depth examination at the vendor's office. And then your crypt dies and you have to start all over again. It is precisely in this window that you need to work. For a unique high-quality crypt it can last many days.
Critical note #9 - This is why the cleanliness of the base software build becomes a critical issue. Because it is a million times easier to clean a file when the source code is available than to clean a ready-made build and remove runtime detections.
Most important note #10 - Despite this, it is quite possible to remove 3-5 detections at runtime. It depends on which AV is firing. With a relatively clean build and a manual cryptor, you can bring the real runtime down to 1-3.
Why 99% of crypt services on the market are useless dummies. You asked? We answer!
I don't want to offend anyone; the post has a neutral tone. Some have a business, others have information about this business.
So, based on the above, we take 3 points:
~ The difference between checker readings (avchek / dinchek / scanmaybin) and real data. The difference can be so critical (especially if the stub is old and has not been updated for a long time) that the meaning of the crypt as a crypt disappears altogether.
~ The absence of a runtime crypt. If the build itself already stinks like a rotten egg and real runtime detections are far beyond 6-7, then what's the point of even a perfectly clean scantime crypt? The 7-8 most popular AVs account for approximately 80-90% of global usage.
~ And of course, very few people will use an expensive unique stub (and who the hell will make it), which in general brings the crypt down to zero.
Most important note #11 - Again, there are quite adequate services that make a scantime crypt the way I described. They take machines, put AVs on them and check by hand - detected or not. Unfortunately, such services rarely go public, because of the problems I mentioned earlier. No one wants to explain to stupid monkeys why checkers should not be trusted.
How to identify services / specialists you should not work with?
~ When asked about runtime, they either fall into a stupor or say that it is not their problem - an adequate service will explain that they do not do this and that the software creator should monitor runtime cleanliness. A cool service will clean runtime given an adequately clean build.
~ They spit poison when reading this article and say that it is all lies.
~ When asked "Why does such a supposedly clean crypt fire on a live machine?" they begin to behave inappropriately and throw shit around.
A logical question - why then do installs come in at all, and why do people work with them? Some are even quite successful.
This is a good question and I think it is imperative to sort it out!
First of all, let's define a critical nuance. Do you get installs from your own traffic, or do you buy them?
In the first case, you will hear the widespread tale: "It is useless to send traffic to an exe file, nobody downloads it, it's all bullshit, that was last century." Or you will hear many sad stories about low conversion. Or hear how hard it is to push files, because "the conversion is disappointing".
This is logical - such a crypt will cut almost the entire conversion 5-10 times. Believe me, a good landing page for porn traffic will give 10-15% conversion as a native one. With good traffic, of course. But instead of 10-15 installs from 100 clicks, you will get 1-2-3 installs with difficulty.
When buying installs, the picture is different. First of all, most of the traffic there is motivated. And the schoolkids won't care about any AV alerts and will actively install software in the hope of cheats for CS or GTA. Otherwise there is the so-called survivorship bias.
Critical note #12 - Look at the desktop screenshots of your installs. You will see that most of the machines are either not protected by anything at all, or have AVs of unknown origin. You will rarely see logs with AVs like ESET, Avira, Comodo, Avast, etc.
Critical note #13 - In this process, if you sincerely think your crypt is good, then you have most likely already fallen into survivorship bias. Google it, have a look. Perhaps this will help you look at the "picture of the world" from a different angle.
The difference between a "unique" and a "public" stub
As I already wrote, the current crypt, from the point of view of kids and other riff-raff, does everything short of curing last-stage cancer. It also gives enlightenment and generates bitcoins every day. Cryptors get sick of such claims, and the public market is deprived of the last adequate professionals.
First of all, "unique stub" means that it is made individually for the software you need. For those who have not yet understood: module - stub - crypt. So, suppose the cryptor "created" a unique stub for a specific client, based on "live machine" readings, and brought it to FUD = 0 for scantime. Then you can take the build, stuff it into a password-protected archive, keep it in the cloud for a week, then take it out, check it, and it will still be FUD = 0.
Critical note #14 - Remember that checking on live AVs kills crypts. This method is used ONLY to check the quality of the crypt service, not to constantly check the crypted build.
In turn, the public "stub" is made on the principle of one for all. And the lifespan of such a crypt is extremely limited. Therefore it is usually done right before the delivery run, hoping that it won't die in 5 minutes.
Most important note #15 - This is quite an adequate option for those who buy installs and are confident in the speed of the flow. The lifespan of a public stub is random.
Well, you need to understand that a high-quality unique stub for your software usually has a monthly rental price tag for unlimited file crypts. Because no one is interested in how many times you are going to use it. Price from 1K and up.
Loading the file in the browser
This is where the path of your earthly file begins. Ideally there should be no alerts like - the file is dangerous, the file is potentially dangerous, the file is rarely downloaded, the file is blocked. Otherwise you can forget about 99% of the knocks.
First of all, you need to understand two basic things:
~ The loading of the file itself in the browser does NOT depend on the crypt! The opposite is also true - even the best crypt will not help loading! Because these are two different things. Completely different.
~ A check of the file by the browser and by an antivirus are two different checks.
Critical note #16 - Once again. First, when the file is loaded, the browser checks the file (especially while the file is loading and the download icon is blinking and spinning). Then, after downloading, the antivirus starts checking the file (if that module is active).
Preparing a file for loading in a browser is a complex and multifactorial task. And, of course, no one will reveal the ways to solve it. As a bonus, Google also does not stand still and constantly introduces new conditions. In general, to solve the problem you need to have at a minimum:
1) A specific signature
2) A certificate
3) A crypt (well, that's just logic - a clean build is better not exposed in Google)
4) A clean IP, domain and hosting
That is, as you noticed, the file crypt and the preparation of an already crypted file for loading in the browser are completely different tasks. An adequate cryptor with straight hands can help with this problem, but usually does not want to. Why? Thanks to the schoolkids who began demanding this almost with complaints and hysteria.
Critical note #17 - a crypt is a crypt. Loading is loading. Don't mix everything together. Each task requires a separate solution.
Smartscreen
The last line of defence of Windows 10. A headache for the whole scene. And a thing of questionable usefulness for the average user.
What is its theoretical essence?
Apparently, the system was supposed to check the certification of files and take note of files without a trusted certificate.
What in fact?
In fact, Smartscreen works like a junkie on a mix of DMT, LSD and fly agaric. It blocks good files and lets bad ones through. It ignores untrusted files and swears at files with a valid signature. Moreover, it is completely random.
What is the problem?
On average, about 30% of machines show the Smartscreen notice "Do you want to run this file? The signature could not be verified." This cuts the conversion accordingly...
How to get around it?
Alas, there are no guaranteed workarounds. An ordinary valid certificate does not completely solve the problem. As practice has shown, using a valid certificate, which sell for 200-300 bucks, reduces the appearance of the window by about 1.5-2 times. Is it worth the money? Everyone decides for himself.
Most important note #18 - There are situations when Smartscreen does not pass a file that has a valid license or digital signature, officially bought for hard-earned money. This is because there are too few downloads of this file. Faking won't help, don't bother trying. It is officially believed that the extended developer license helps. And there are also situations when a file without a certificate and signature opens without question. Some AVs, when opening a file, act exactly according to this scheme, even if it is crystal clean.
How to resolve the issue?
Again, either just accept it, or use a valid certificate. You can try to buy it yourself - this will save a lot of money. At Comodo it costs only $80-90. Go for it.
Pricing policy
I will just give my own thoughts on this matter, again from personal experience. Maybe it will help someone.
Price for a public crypt (scantime): $10-50. In principle, the price depends on the algorithm used and the cleanliness of the scantime. By buying a crypt for $10 you get the corresponding quality. The more expensive the crypt, the better the quality. As practice shows, there are still cryptors who make a normal and adequate public crypt.
In general, there is a golden rule - a crypt for 10-15 bucks is not a crypt but an imitation.
Also check: for many, the price of the crypt (costing $30-50) may include help with loading. At least it used to, until Google finally tightened all the screws.
Price for a unique crypt (scantime + runtime): here you need to understand 2 variants of the situation. First of all, a cryptor who can make a unique stub can also clean runtime. But this does not apply to the crypt! Once again: runtime has nothing to do with the crypt! And the service will most likely have to be provided jointly. Usually a one-time crypt with a unique stub costs about $100-150 + runtime cleaning. Monthly rent of a unique stub for yourself costs 1-2K.
Critical note #19 - the price of a unique stub is based on labour costs. Who do you think will buy such an expensive module, which is quite complex, then create a stub, debug it, clean it, all for the sake of selling you a crypt for $40-50? There are no such idiots. If you think there are, then most likely you are the idiot.
Critical note #20 - if you are offered a unique stub for too little money, then it is a common scam. Don't be fooled by scammers. A crypt is either cheap and simple, or expensive and complex. There is no middle ground.
Price for help with loading: By today's standards, $20-40, taking into account that preparing a file is not the fastest job, is in principle an adequate price. Another thing is that the task is tedious in the sense that it is not worth your money. On the third hand, you can always come to an agreement. An extra coin won't hurt anyone.
What to do in the end?
The favourite question that everyone asks me: "So what do I do now?" I am more than sure that 2/3 skimmed through this text, realising that everything is very bad and that they must get to the end of the "book" as soon as possible to find a ready answer.
In the last article I was almost eaten alive in the comments, because I described how bad everything really is and (such an evil uncle) did not say how to make everything go well.
I am correcting myself and offer as many as 3 options to choose from:
1) We stock up on money and popcorn and go looking for all the cryptors on the market. We make a list. We clarify how they check scantime. We ourselves must check the crypts on live machines. If there is no discrepancy - congratulations! If there is, we try to negotiate and provide evidence. If you weren't told to fuck off, congratulations! If you were - keep looking.
Critical note #21 - Digging through shit usually always gives results! Don't give up. There are adequate cryptors, they just need to be found.
2) We look for a technical partner who understands the basics of this whole mess. Or who has the skills to figure it out. I assure you there are many good and smart guys who also sit on the forums and are looking for an opportunity to join or create a team.
Most important note #22 - by this time you need to have at least some base. If you don't know jack yourself, can't do it and don't have it, then exactly the same chaff will stick to you. Do you need that?