Pastilatu' Posted August 8, 2006

Goal: To learn how to hex edit "trojans" or anything else, making them UD to AV programs.

Definitions:
UD: Undetected
AV: Anti-Virus
FW: FireWall

*Make sure the program in which you are reading this has WORD WRAP *ON*
*And the word *Click* in the tutorial is written that way so you can easily skim through the tutorial if you would like.
_________________________________
To begin, hex editing is a difficult and partially effective method used to make "trojans" UD. In some cases this method will not work because the AV has tagged a vital part of the code. There are a few necessities you will need:
:Hex Workshop or another hex program (Hex Workshop is used in this tutorial): Download Link http://www.download.com/3000-2352-10004918...page&tag=button
:Your server is needed (this is what you are hexing)
:A little time and a good attitude (always good) : )
__________________________________
OK, let's begin...

1) First open up "Hex Workshop" and *Click* File: Open. Find your server or whatever you are hexing and *Click* it, and then *Click* Open.
2) In your work field all the hex values should pop up. Get familiar with the file; look at certain bytes, this will help you understand more.
3) Scroll down to about the middle and *Click* the first offset on the left side. Grab it and drag down; as you drag down do NOT let go or you will have to return and do it again. Keep holding it down until you're at the bottom of the file Offset 1.
4) Seeing half the file highlighted, right *Click* and *Click* Fill. A new window should open; in the textbox, instead of 0 put 00. Then *Click* OK.
5) What you have just done is cut the file in half. The 00 byte has no values at all; another commonly used byte in hexing is 90, it is the no-operation byte.
6) OK, now you have half the file filled with 00's, right? Good... Point your arrow to the left-hand corner. *Click* File: Save As. Save the file as 1.exe. Be sure to remember the offset you cut the file at.
7) Go to the directory you saved 1.exe in, right *Click* it and find a tab called Scan It For Viruses with your AV logo beside it. Once it's done scanning, if it is detected, that means the detected string is not in that half which you filled with 00's.

_How an AV detects Malware_
An AV program is very powerful; it stops about 98% of common malware from infecting your PC. Our goal, as said earlier, is to be a part of that 2%. An AV, when it scans a file, looks for a string; it could be anywhere in the file. Most likely it is in the most vulnerable spot, so if you aren't careful you could corrupt your server. The detected string is a digital string that is in the database of the AV. Have you ever seen your AV connect to the internet and look for updates? This is your AV downloading new strings that it will later use to defend your computer against malware. That is how a common AV works!

OK, let's move on once again. Right now you should have your original server, and the detected half of your server (1.exe). Now in Hex Workshop open up your original server. Why we are doing this is because the AV, when it detected (1.exe), deleted all the bytes. So now find the offset in the middle which you started at, and pull it down or up again, but this time do not go all the way (cutting it in half). Bring it down or up about 5-10,000 offsets from the middle point. Fill the highlighted area with 00's. Then save the file as Scan.exe, and also save it as scanbackup.exe.
Footnote: The names are examples; you may name them whatever you like, just remember them. Also, personally I record all the offsets I stop and start at in Notepad.
9) Now in the directory you saved Scan.exe in, right click it and scan it for viruses once more. If it is still detected then you have not found the offset yet.

How do you know when you find it?
You know that you have found the offset when your AV no longer detects the file. Be sure to remember that if your AV detects the file you scanned, it will delete the whole file. This is why you should always keep a backup.
10) OK, by now you should get the gist of how to find the detected string. Most AVs detect 2-3 strings; sometimes though it could be as little as 2 bytes or as large as 10 strings. Continue until you find the detected strings.....
11) Ahh yes, you have found them. Congratulations!!! Now you're not through quite yet, just a little more to go. You have located the detected strings; now you must edit them ever so slightly to make the file UD and the server still work. Change the numbers around using the fill option explained earlier to do this. If you do it just right and things aren't too different you will have successfully hex edited.
________________________
PEACE
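
Added example, not part of the original post or of any AV product's code: the byte-string matching described under "How an AV detects Malware", seen from the scanner's side in Python. It matches several independent wildcard signatures per file and flags long 00/90 fill runs as a sign of tampering; the signature names, signature bytes, sample data and the 4096-byte threshold are all constructed assumptions.

```python
import re

# Constructed signatures: family names and bytes are made up for this example.
# None is a wildcard, so changing one byte inside a pattern does not break it.
SIGNATURES = {
    "Sample.Family.A": [0xDE, 0xAD, None, 0xBE, 0xEF, 0x13, 0x37],
    "Sample.Family.B": [0xCA, 0xFE, 0xBA, 0xBE, None, None, 0x42],
}

def compile_sig(pattern):
    """Turn a byte pattern with wildcards into a compiled bytes regex."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data, signatures=SIGNATURES):
    """Return {signature name: [offsets]} for every signature found."""
    hits = {}
    for name, pattern in signatures.items():
        offsets = [m.start() for m in compile_sig(pattern).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits

def fill_runs(data, fill_bytes=(0x00, 0x90), min_len=4096):
    """Return sorted (offset, length, byte) for long single-byte fill runs."""
    runs = []
    for b in fill_bytes:
        run = re.compile(re.escape(bytes([b])) + b"{%d,}" % min_len)
        runs += [(m.start(), len(m.group()), b) for m in run.finditer(data)]
    return sorted(runs)

def build_sample():
    """Constructed input: non-repeating filler with both signatures embedded."""
    body = bytearray((i * 7 + 3) % 251 + 1 for i in range(40000))
    body[10000:10007] = bytes([0xDE, 0xAD, 0x00, 0xBE, 0xEF, 0x13, 0x37])
    body[30000:30007] = bytes([0xCA, 0xFE, 0xBA, 0xBE, 0x01, 0x02, 0x42])
    return bytes(body)

def zero_filled_copy(data, start, length):
    """Copy of data with one region overwritten by 00, as in steps 3-4."""
    out = bytearray(data)
    out[start:start + length] = bytes(length)
    return bytes(out)

if __name__ == "__main__":
    original = build_sample()
    edited = zero_filled_copy(original, 8000, 8192)
    print(scan(original), scan(edited))  # second signature survives the fill
    print(fill_runs(edited))             # the fill itself is reported
```

A fill-run hit is only a heuristic, since legitimate executables also contain zero padding, so it is best treated as a reason for closer inspection rather than a verdict.
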
YceFire Posted August 9, 2006
Ohhh, thanks caddy, has anyone tried it so far??? :@
djradu Posted August 9, 2006
I don't really understand it... but I asked Xavier for help and he said he will translate it and post the translation!! Thanks to Xavier, good guy!!
B_Real Posted August 9, 2006
The tutorial is good, I understood how it works, only it takes a very loooong time with larger files.
BeGineR Posted August 9, 2006
Hi all and respect!! I have a question too... I have also started working on a trojan... but I got stuck at step 3 of the tutorial, which says: 3) Scroll down to about the middle and *Click* the first offset on the left side. Grab it and drag down; as you drag down do NOT let go or you will have to return and do it again. Keep holding it down until you're at the bottom of the file Offset 1 !! I don't understand what I have to do... could someone tell me... and what are the "offsets"?! Thanks in advance.
P.S.: I'm a beginner.
BeGineR Posted August 9, 2006
Done, I solved the problem, thanks anyway for the help!! Good luck
Screech Posted August 10, 2006
QUOTE("djradu"): I don't really understand it... but I asked Xavier for help and he said he will translate it and post the translation!! Thanks to Xavier, good guy!!

OK, let's begin...
1) First open Hex Workshop -> File: Open: find your server or whatever you want to mess with, then click on it and click again to open it.
2) In the work field, all the hex values should come up. Get used to the file, this will help you understand better.
3) Scroll down almost to the middle, and click the first offset on the left side. Grab it and drag it down (with drag and drop) but DO NOT LET GO.. you would have to go back to it and start over. Drag it down until you reach the file's Offset 1.
4) You will see half the file highlighted. Right click -> click Fill. A new window will open; in the textbox replace 0 with 00, then -> OK.
5) What you have done now is cut the file in 2. The 00 byte has no value; another byte used in hexing is 90 and it is the no-operation byte.
6) OK, now you have half the file filled with 00s, correct? Good..... put the arrow in the corner on the left side, click File -> Save As. Save the file as 1.exe. Take care not to forget the offset at which you split the file.
7) Go to the folder where you saved 1.exe, right click and find the tab named Scan It For Viruses with the AV logo next to it. Once it scans it, if it detects it, that means the string is not in the half filled with 00s.

_How an AV detects Malware_
An AV program is very powerful and stops almost 98% of what can infect the PC. Our target is (as I said earlier) to be a part of that 2%. When the AV scans for a string, it can be anywhere in the file. Usually it is in the most vulnerable places, so if you are not careful you can corrupt the server. The detectable string is a digital string that is in the AV's database. Have you ever seen your AV connecting to the internet and looking for updates? It is downloading new strings that will later defend the computer against infections.

Now you should have the original server and the detectable half (1.exe). Now open your original server in Hex Workshop. Why do we do this? Because when the AV detects it, it deletes all the sectors (1.exe). So we find the offset in the middle, the one we started from, and drag it down again, but this time we do not split it. Drag it only to a distance of 5-10,000 offsets from the middle point. Fill the highlighted area with 00s. Then save it as Scan.exe and also save it as scanbackup.exe.
Footnote: the names are only examples, you can name them however you want, just don't forget them. I write them all down in a notepad.
9) Now go to the directory where you saved Scan.exe, click on it and scan it for viruses once more. If it is still detected, that means you have not found the offset yet.

How you know when you find it?
You realize you have found the offset when the antivirus no longer detects it. Remember that the antivirus that found it will delete your whole file. That is why you must always have a backup.
10) OK, now you should have an idea of how to find the detectable string. Most AVs detect 2-3 strings, which are sometimes small, 2 bytes, or as large as 10 strings. Continue until you find the detectable one....
11) Now that you have found it... congratulations. But you are not done yet. Now that you have located the detectable string, you have to edit it.
You will understand the rest below.. I don't have any more time and I'm in a big hurry as it is.
Screech Posted August 10, 2006
QUOTE("J3t"): Cool tutorial! Will I manage it, I wonder?
If you really want to, you will manage it.
B_Real Posted August 10, 2006
I managed something, getting it not to be detected by BitDefender, but the rest of the AVs detect it; this operation takes a veeeeeeeery long time. The question is whether it is even worth it.
Screech Posted August 10, 2006
QUOTE("B_Real"): I managed something, getting it not to be detected by BitDefender, but the rest of the AVs detect it; this operation takes a veeeeeeeery long time. The question is whether it is even worth it.
Anyone else? Has anyone else tried it?
BeGineR Posted August 10, 2006
QUOTE("Xavier"): Anyone else? Has anyone else tried it?
Yes, I tried it; the tutorial is good and worth following... but as B_Real says, there is a whole lot of work... it takes a lot of time and nerves. I also have a problem: I need a link where I can scan without waiting so long. I have been using virustotal.com until now, but it is very busy and I have to wait 10-15 min for each scan, and since I have to scan every 5 min I don't have the time to wait 10-15 min each time!! So if anyone knows of a site, don't hesitate to post it here!!
Thanks to Xavier and Caddy!! Respect
Alexxp Posted August 11, 2006
Hi! This is my first post on the forum.
virusz Posted August 11, 2006
Good job! ... use it as quickly as possible before the other AVs wake up too.... good luck
!_30 Posted August 11, 2006
I'm curious whether this thing really works? :@
Screech Posted August 11, 2006
QUOTE("!_30"): I'm curious whether this thing really works? :@
It works, but it is on its way out.
Cristtyan Posted August 12, 2006
It works... but not really... I found the offsets that KAV detects in the Optix server, but these are vital functions of the server which, once modified, make the executable non-functional (I think this happens with all servers).
Alexxp, have you tried whether the modified server still works?? I suspect not.
0x90 Posted August 12, 2006
With this method, most of the time the server no longer works.... it can be done by hex editing but it is somewhat more complicated, you don't just modify those values.... and anyway it will not be UD against ALL AVs, because each AV has its signature at different offsets.
Sad_Dreamer Posted August 12, 2006
Anyway, if these things are public, the programmers at the antivirus companies surely have them too, and naturally they have found a patch :) Maybe the server no longer works and that is why it is not detected as a trojan.
0x90 Posted August 12, 2006
If you modify it properly the server will work 100%.
Sad_Dreamer Posted August 12, 2006
If... but with how much you struggle to learn and to modify in hex, it is easier to make your own trojan.
Cristtyan Posted August 12, 2006
This method has been public for a veeeeeeery long time and a patch for something like this does not exist, but for most trojans the AV uses vital parts of it as the signature, which, once modified, make the executable unable to run. The best method is to create your own trojan... which is a bit more complicated.
...or you can use your favourite DETECTABLE trojan in the following way: take the "Telnet Trojan" program from the "Programe H4ck" section, give it to the victim to run, connect to them via telnet, disable the AV, then run a trojan server on their system and BINGO!! You have infected the victim with a detectable trojan!!!