Thoughts on AMMYY?

I have used ASProtect in the past to lower false positives with Ammyy; however, I have not used it in a few years since I'm now a ScreenConnect user. I also managed to create a UI replacement using AHK. I will try to find my old documentation and example code when I return home.
Cool, thanks, I'll play with it. I just zipped it and put a simple password on it to encrypt and it passed all but 1 on VirusTotal, and I could download it in Chrome, but IE SmartScreen still totally blocks it. Still gets blocked when opening it, of course.
I played around with Ammyy with OllyDbg (I don't have a clue, I just dumped it) and used UPX.gui to pack it and got it down to 4 / 56 on VirusTotal, which I was pretty excited about, but when I tried to open it in my VM with Norton, it says it's OK, but then changes its mind and blocks it. Norton is one I need to get through, it seems it's the most commonly installed antivir
 
Sorry, haven't had a chance to upload the information yet, but if I have time tonight I will find my documents and maybe run some new tests with ASProtect.
 
Thanks, that would be great. I've been struggling to do it myself but not with much success, I know zero about coding, but I like to try.
 
Did a little testing with ASProtect; it lowered the detection ratio, but still 6/56.

https://www.virustotal.com/en/file/...9261e040124749a3e3e051f2/analysis/1443488424/

Tested with ASProtect v.1.35 build 06.26 using the following options:

Resources Protection
Use max. compression
Protect Original EntryPoint

The rest of the options were left as default.

Looks like my AHK code for pulling the Ammyy ID from memory is no longer working, as the address is now dynamic. I will, however, look for a new solution when I get a little time.

I also found the following list of commands in a document.

-connect
-set_proxy_
-dosas_
-elevated
-log
-lunch
-nogui
-service
-debug
-remove
-install
-outid
-setsettings
-rstid
-showversion
-notstartclient
-startclient
-minimize

Sorry I couldn't be of more help; it's been a few years since I have played with this.
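
For anyone watching for this tool on machines they manage: the switch list in the post above is a usable match target, because packing a file changes its hash-based verdicts (as the thread shows) but not the command-line switches it accepts. This is an added example, not part of the original post; it assumes process-creation command lines are available as strings, and the "distinctive" subset, the prefix rule for names ending in "_" and the sample events are constructed for illustration.

```python
import re

# Switch names exactly as listed in the post above; the page does not say what
# each one does, so the detector matches on the names only.
POSTED_SWITCHES = {
    "-connect", "-set_proxy_", "-dosas_", "-elevated", "-log", "-lunch",
    "-nogui", "-service", "-debug", "-remove", "-install", "-outid",
    "-setsettings", "-rstid", "-showversion", "-notstartclient",
    "-startclient", "-minimize",
}
# Assumption: these names are unusual enough that a single hit deserves a look;
# the rest (-log, -debug, -install ...) are shared with many unrelated programs.
DISTINCTIVE = {"-set_proxy_", "-dosas_", "-lunch", "-outid", "-setsettings",
               "-rstid", "-notstartclient", "-startclient"}

TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps a quoted path with spaces together


def posted_switches_in(command_line):
    """Return the posted switches found in the arguments (image path skipped)."""
    found = set()
    for arg in TOKEN.findall(command_line)[1:]:
        arg = arg.strip('"').lower()
        for sw in POSTED_SWITCHES:
            # Assumption: names ending in "_" carry a value, so prefix-match them.
            if arg == sw or (sw.endswith("_") and arg.startswith(sw)):
                found.add(sw)
    return found


def triage(command_line):
    """'alert' on a distinctive switch or 2+ posted switches, 'weak' on one generic."""
    found = posted_switches_in(command_line)
    if found & DISTINCTIVE or len(found) >= 2:
        return "alert"
    return "weak" if found else "none"


# Constructed process-creation command lines (not real telemetry). The image
# names are deliberately unrelated: matching is on switches, not file names.
SAMPLE_EVENTS = [
    r'"C:\Users\bob\Downloads\invoice viewer.exe" -service -nogui',
    r'C:\Temp\helper.exe -outid',
    r'C:\Tools\backup.exe -log',
    r'C:\Windows\System32\notepad.exe C:\notes\todo.txt',
    r'C:\Temp\x.exe -set_proxy_10.0.0.5:8080',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{triage(event):5}  {event}")
```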
 
While looking for something on 'a budget', I have tested BeAnywhere Support Express, and like it; their free edition allows up to 5 connections per day.

http://www.beanywhere.com/supportexpress/buyus.php

Also, IMPCRemote has a free Professional version that allows 30 connections per month, but, I think I recall that it restricts numbers of computers that can be controlled to perhaps 5? (There is also an instant version with separate download halves, essentially technician/customer roles, easy to use, quick.)

http://remote-control-desktop.com/buy/compare-products/
 
Thanks for your efforts! What's "lunch" in the document list? LOL. I don't have ASProtect yet. May have to give it a try.
 
I just tried out IMPCRemote cuz it looked promising, but my hopes were dashed when it crashed twice, then when it did connect the mouse was unresponsive. Ammyy works so great and has all the features I need... it's just too bad its reputation is so smeared.
 
Awesome! I'm going to test it against Norton tomorrow. What tools did you use? I tried playing with ASProtect today but couldn't get it to import my custom Ammyy, something about wrong platform. Then I took a brain break and went for a walk and a big Mastiff bit me in the leg, meanwhile the Win 8 machine I had just reset got stuck reverting a gazillion updates while I was gone... trying day.
 
Aeroadmin seems pretty similar to AMMYY, and per their own website "free for personal use and business"...

http://www.aeroadmin.com/en/
 
Yes, I like that one. It's kind of a pain to install it on a remote PC as a service; you have to configure it manually in Task Scheduler. Anybody know how to create a script to do it? It flies right through VirusTotal with a 0/56! And Norton likes it!
 
> Awesome! I'm going to test it against Norton tomorrow. What tools did you use? I tried playing with ASProtect today but couldn't get it to import my custom Ammyy, something about wrong platform.

I wouldn't want to rob you of all your fun if you wanted to build your own version, but here's the gist of what I did:
  1. Reverse engineer the original executable to get the icon.
  2. Encrypt the original executable, so AVs don't recognize it.
  3. Write a script to decrypt and run the executable on the fly.
  4. Compile all of the above into a wrapper executable, and tweak the compile settings to appear as innocent as possible.
Little things like this are free of charge, but if you feel so inclined, feel free to use the donate button on my website.
 
Seems like some obfuscation would be necessary, as once the exe is unpacked it could be detected by the AV. Another thing I would like to note is that it's very important to password protect the client; I have seen multiple attempts at brute forcing IDs.
 
I think I'm switching to Aeroadmin; the only hang-up is it's not configured for unattended. I'm struggling with trying to create a batch script to toggle it off/on as a service. Ammyy does it with a click, there must be a way.
 
I would suggest dumping strings; you may find some commands in Aero that are useful. Perhaps it has -nogui like Ammyy; if that's the case you could just add it to startup.
 
I don't have a clue what that means, but Google is my friend!
 
> Seems like some obfuscation would be necessary, as once the exe is unpacked it could be detected by the AV. Another thing I would like to note is that it's very important to password protect the client; I have seen multiple attempts at brute forcing IDs.

That is true, mine's password protected, and my attempts to obfuscate caused it to crash. I had to remove my Ammyy ID when I got another PC and swapped the drives. Ammyy won't let me apply the ID to the new PC with the same drive. I contacted them and they said wait a week; I did, it still won't accept it. Time for something else.
 
> Seems like some obfuscation would be necessary, as once the exe is unpacked it could be detected by the AV.

The AV would need to be turned off. A person can't hide the original binary forever. The program must run in its original form at some point (unless you REALLY love assembly language programming, and want to disassemble the .exe, alter the code (enough to make the program have different strings, entry points, etc.), and then recompile it and re-link it).
 
> I would suggest dumping strings; you may find some commands in Aero that are useful. Perhaps it has -nogui like Ammyy; if that's the case you could just add it to startup.

I set it to run as admin and created a desktop shortcut and dragged it to the startup folder, and it starts with Windows in normal boot no problem. But the real need is for it to start in safe mode w/networking. Struggled half the day trying to get it using various Google results; not giving up yet.
 