Full Version: Hexing Your Malware!
Eyeless
You must use Hex Workshop or some of this won't make sense!

1. Cut the code in half by selecting some code from the middle of the dump (i.e. cut at Offset: 96068) to the BOTTOM and right-click. Select "Fill" and fill the code with "00". Make sure to make note of where you cut it!!!! Now SAVE AS "TOPCODE.exe".

2. Next, open your original server and cut the code in half by selecting some code from the middle of the dump (i.e. cut at Offset: 96040, the next line above the offset you cut at in no. 1) to NEAR the top. I would give it 15-25 lines from the top and right-click. Select "Fill" and fill the code with "00". Now SAVE AS "BottomCODE.exe".

3. Now scan both EXEs you created (i.e. TOPCODE.exe & BOTTOMCODE.exe). At this point I know that I have isolated BOTH signatures; this is because BOTH halves are detected. If one isn't detected, then both sigs are in the half that is detected. Sooo we repeat the operation of splitting the code into two executables using the half that is detected (you only want to split the part that actually has code, not the part you filled!). Soo just repeat number 1! With some files the amount of signatures that the AV uses to detect it will vary. For the most part there are 2 signatures for EACH AV that detects your malware; however, sometimes there is only one and sometimes there are 3 (I have never seen more than 3). You will have to use your brain to figure out how to find these signatures.

4. OK, now you have two detected halves! (hopefully) Now we must isolate the detected code. To do this, I go down the code 10 lines at a time. Select 10 lines of code, then right-click and select "Fill" again. Fill it with "00" and save the file.

5. So open "TOPCODE.exe" and, after those first 15 lines I told you NOT to "Fill", start filling code 10 lines at a time. After every ten lines you fill, save the changes by clicking File>Save as and save it as "editTOPCODE.exe".

6. Now scan the file with whatever AV you are trying to bypass. If the file is detected, then the signature was NOT inside the 10 lines of code we "Filled". OK, now some of you are saying, "but it isn't detected anymore!" Then make note of the offsets that are at the beginning and at the end of the 10 lines of code that you last filled and jump down to 1A. If not, OPEN "editTOPCODE.exe" and just keep filling 10 lines at a time till it isn't detected. Just follow 5 using "editTOPCODE.exe".




User: "Wee hehe haha hoho hehe haha, thank you eyeless I have found the 10 lines of code that my AV detects!"
Eyeless: "OK, calm down sunny... There is MORE!"
User: "MORE!"
Eyeless: "Untwist the panties, you're almost there!"


OK, enough senseless rambling, on to business!

1A. OK, you don't need "editTOPCODE.exe" anymore, so, so we don't complicate things, just delete this file.

2A. OK, so you got the 10 lines of code! Your first half isn't detected; you've almost isolated the AV signature. Now, what we do is open up "TOPCODE.exe".

3A. Now go to the offset that your 10 lines start at. Select the first 5 lines, and again "Fill" the code with "00" and SAVE AS "AVTOPCODE.exe" and scan with your AV. Detected? Move to 3B! Not detected by AV? Move to 1C!

3B. OK, the signature wasn't in the first five of the 10 lines.... But that's OK! 'Cause it IS in the last five! So now what you want to do is open up the file you saved, "AVTOPCODE.exe", select the line after the first 5 you filled and fill this line. Now save. Detected? Move to then continue to do this line by line for the rest of the ten lines; IT WILL BE ONE OF THEM! Once not detected by AV, move to 1D "The Grand Finnaly (Is that how you spell it?)"! (Make sure to make note of what offset the line is on!)




1C. OK, the AV sig WAS inside the first 5 lines, so open up your "TOPCODE.exe" and find the offset where the 10 lines begin. Next, starting with the first line, fill it line by line. Do this by selecting a line and right-clicking>Fill. After the first line is "Filled" you must SAVE AS "AVTOPCODE.exe". Scan this file with your AV. Is it detected? Then this isn't the line with the signature, so repeat on the next line and so on.... Till it isn't detected, then make note of what offset the line was on!!



The Grand Finnaly (Is that how you spell it?)

OK, you're a soldier; that you made it this far means you can make it the rest of the way. Cut off that green toe, and muck up, man!


1D. Open up "TOPCODE.exe" in your editor. Delete "AVTOPCODE.EXE"; it is not needed anymore!

2D. OK, YOU HAVE THE LINE THE CODE IS ON! You are very close to finding the signature. Now you will notice that when you select ONE offset such as 96068 (you may have this offset or not depending on how big your malware is) it highlights TWO numbers or letters in the HEX view (view of numbers and letters on the left). Go to the line you came up with from 3B or 1C. Select ONE offset and "Fill" with "00". Now save as "UNDETECTTOP.exe". Scan it! Still detected? Go to the next offset and "FILL", then save etc... Do this until when you scan it it isn't detected, then move to 3D. If you fill the whole line and it is detected, you (filtered) up. Start over.

3D. USER: "Wholly shit I deleted this one offset and now it isn't detected!"
OK, that last offset you deleted before it became undetected is the AV signature (or part of it; this will be explained in "TROUBLESHOOTING"). Sooo make note of this offset!

4D. OK, open up the "TOPCODE.exe" and find the offset and modify it! A good rule to follow here is, if the offset was a "G" make it a "H" or little "g", and now scan with AV. It isn't detected, is it?!?!? Hoorrrra!



Finishing it up!

1E. OK, so repeat everything on the second half of the server; remember "SECONDHALF.EXE" we made? I am not typing it over again modifying everything to "***SECONDHALF.EXE".




MAKE YOUR EXE'S BACK TO ONE!

1F. Now, this is easy; remember how I said make note of where you split the file in 1.? Open "BOTTOMCODE.exe" and select the code from the offset you originally split at and right-click>Copy.

2F. Now open "TOPCODE.exe" and find where you split the code and select all the code you "filled". Now right-click on the code and select "Paste". Now click File>Save As and save it as UNDETECTED******.exe, making ***** the name of your malware!


3F. THATS ALL FOLKS!




TROUBLE SHOOTING!


OK, so you did it all right and now your malware doesn't work right. It won't open, does nothing, gives errors etc... Here are some tips to try.

1. Try modifying the values directly to the side of the offset; sometimes a signature is 5 offsets long and modifying ANY of them will make it undetected. Modifying one of them might cause the server to crash, while modifying the one next to it may allow it to slip by AV and still work perfectly.

2. Try modifying the value of the offset to something else in hex; there is 00 to FF; try all of them!




Who loves ya baby!

OK, I want you to tell me what you think, but if I get any emails, PMs, ICQ messages etc. I will remove the post. If you can't follow this you are too stupid.

Edit: Unless of course it's "I wanna pay you to hex my malware!"
jase_uk
Wow
this is one amazing tut.

You know I've waited for something like this for ages.
It's about time someone has posted something this good, I'm sure it will be helpful to a lot of people.

I haven't tried it myself yet, but I will soon
I will let you know how it goes
Thanks for the tut

< Jase >
jase_uk
Is there an easier way than holding down the mouse for about 4 years to highlight the hex
thesource
QUOTE(jase_uk @ May 4 2005, 07:08 PM)
Is there an easier way than holding down the mouse for about 4 years to highlight the hex



Don't know what program you're using, but wouldn't "shift+pagedown" work?
hottzo
1. 99% u'll corrupt ur .exe file if it's packed, if unpacked u might have a chance for this to work.

2. maybe an AV offset finder would be better? & then hex the file.

3. i feel like pissing in the wind when trying to find AV offsets by splitting/adding in hex mode..u need 2pages max hex code for this to work, or for more than 2pages, u have to be gastone{very lucky} for this to work.

4. that's just my opinion

thx for your tut eyeless
thesource
QUOTE(hottzo @ May 4 2005, 08:43 PM)
1. 99% u'll corrupt ur .exe file if it's packed, if unpacked u might have a chance for this to work.

2. maybe an AV offset finder would be better? & then hex the file.

3. i feel like pissing in the wind when trying to find AV offsets by splitting/adding in hex mode..u need 2pages max hex code for this to work, or for more than 2pages, u have to be gastone for this to work.

4. that's just my opinion

thx for your tut eyeless



Gastone?
jase_uk
QUOTE
Don't know what program you're using, but wouldn't "shift+pagedown" work?


I was using Hex Workshop :P
I don't know if it works but I will try it later. The tut says you should highlight half of the hex (please tell me this doesn't mean hold down the mouse for a year while trying to highlight all of it; anyone who uses Hex Workshop should know what I mean)

Is there a way around this or could I just use a file splitter?

QUOTE
1. 99% u'll corrupt ur .exe file if it's packed, if unpacked u might have a chance for this to work.


No, you unpack it first (upx) before you start messing about with it; most of the population of this forum should know that :P
riotz
QUOTE(hottzo @ May 4 2005, 09:43 PM)
1. 99% u'll corrupt ur .exe file if it's packed, if unpacked u might have a chance for this to work.

2. maybe an AV offset finder would be better? & then hex the file.

3. i feel like pissing in the wind when trying to find AV offsets by splitting/adding in hex mode..u need 2pages max hex code for this to work, or for more than 2pages, u have to be gastone{very lucky} for this to work.

4. that's just my opinion

thx for your tut eyeless



lol w0rd!
jase_uk
sorted the problem now thanks to thesource :)
belgther
what about heuristic analyzing? I think it won't work there...
saetji
You'll find that if you do this, after the first split, some clever AVs won't recognise either half as a virus :)
jase_uk
true
and I tried this method, and my server stopped working
LittleHacker
nice
it's a numerical method to find the answer of math equations in a range
F(x)=0 | (x1,x2)

I didn't think it would be useful in such a case
LoL

Thanks thousands

Eyeless
1. highlight first line you want selected, then go to last line and press shift+click on end of last line.

2. YES, it MUST be unpacked for this 2 werk... I guess this isn't for the complete n00b ;lol
jase_uk
I tried this, I filled the signature with 00s and now it doesn't work
Sr_Sombrero
QUOTE
I tried this, I filled the signature with 00s and now it doesn't work


Try changing just one byte of the signature. Add one number to the byte (ie. 10 ---> 11).
METAHUMAN
Best bet - use PEiD+reloc. Of course the EXE has to be unpacked, as in all cases.
jase_uk
Could you explain this method a little more? :o
bah
I think what he means is download PE Explorer from heaventools. When u open the *UNPACKED* exe, in the main screen u will see the address of the entry point; by changing the last few nos u can alter the entry point. However, just doing this won't make the thing undetectable; I have tried.

However, as mentioned by others here, if u follow the method of splitting the file to find the AV signature and altering it by 1 or so bytes u can make your malware undetectable. Unlike the main post I tend to work my way from the bottom of my file upwards, splitting small sections off and then scanning the remaining part of the file to check if the signature is still present. When I get to the point where the remaining exe is clean, I add back parts of the file until I find the exact location of the virus tag, then I try and alter it by changing 0 to 1 or 1 to 0; this tends to be an innocuous change, making the thing still work but altering the virus signature so it becomes undetectable.

As has been said, there are cases where there is more than one virus signature. However, the process for finding this remains the same. Start from the bottom of the exe with a hex editor. Delete chunks of code, scan with AV; when u find it clean, do ctrl undo in the hex editor and delete smaller pieces till u find the exact string. Note the location, go back to the orig exe, make some small change at that location (1 0), save it, test it, then scan it. Also change the remaining code with the same change and scan that; if it's clean then u know the change makes it undetected. If the main exe still works after this change then u know the change doesn't break the exe. If after scanning the exe again after the change it's detected, then u know there's another virus signature in the exe. Repeat the process with the new modified exe, deleting chunks from the bottom till u find the second signature.

The process is tedious but it works; as for heuristic scanning, yes, it works for this. I set all options for example in mceef and did this process for servu and was able to identify two string codes that identified it as malware. Changing these in the orig exe makes it undetectable.

asimzameer
hello

Compile this code with Visual C++ 6.0; it's an EXE INTO HEX converter. U can convert an exe file into hex and then hex into exe.

But my problem is I want to change something in this code.
I'm not a C++ coder so I have a little difficulty

like
I try to change the code in this line
CODE
fputs(":00000001FF", outptr);

into
CODE
fputs("Echo e 00000001FF", outptr);  

It works fine after compile.

Now I want to change this but dunno where the problem is
CODE
hexline[0] = ':';

into
CODE
hexline[0] = 'echo e';


If u r a C++ programmer then plz figure out what's the problem in it


CODE
/*\
* INTEL hex <-> binary file Converter.
*
* T.Bohning
* 11851 NW 37 Place
* Sunrise, FL 33323
*
* Compiler: Microsoft C 5.1
* 2/20/89
*
* Compuserve User ID: [71036,1066]
* GEnie address: T.BOHNING
*
INTEL hex description:
8 bit codes are split into two nibbles, and each nibble stored as
a hex ascii digit '0' through 'F'.
Each line of the intel hex file is a record, with the following format:

 :NNAAAATTD1D2D3D4....DnCC

The colon means start of record, NN is the number of data bytes in the
record given as two hex digits.  AAAA is the starting load address of
the record.  
*
TT is a record type, 00 for data records.  D1,D2...Dn are the hex ASCII
representations of the data bytes.  CC is a hex ASCII checksum, chosen
such that the sum of all preceding byte values in the record
(not just the data bytes) modulo 256 = 0.
*
The end of the hex file is marked by a record with a data length of 0
and a record type of 1.
*
* This description is for "old" INTEL hex, which could only support
* 64K loads.  "Extended" INTEL hex was developed when the 8086 came
* along.
\*/

#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <stdlib.h>

enum bool { FALSE, TRUE };

/*\
* function prototypes
\*/
void genbin( FILE *inptr, FILE *outptr);
void genhex( FILE *inptr, FILE *outptr);
int getyn( char *msg );
char get_hexbyte( char *cptr );
int hexext( char *filename );
void  main( int argc, char *argv[] );
char * put_hexbyte( char *cptr, char val );
void read_exit( void );
void  usexit( void );
void  write_exit( void );

/* file i/o buffer size (2 allocated)
*/
#define FILE_BUFSIZE 0x6000

void
main( argc, argv)
int argc;
char *argv[]; {
FILE *inptr, *outptr;
int tohex;  /* TRUE -> binary to HEX */
char *inbuf, *outbuf; /* file I/O buffers */

/*\
  * Check args.
\*/
if (argc != 3) {
 usexit();
}

/*\
 * Open files, check for .HEX extension, establish
 * conversion direction.
\*/
/* usexit() returns void, so it cannot be an operand of ?: */
if ( hexext(argv[2]) ) {
 tohex = TRUE;
} else if ( hexext(argv[1]) ) {
 tohex = FALSE;
} else {
 usexit();
}

/*\
 * Open the files.
\*/
if ( (inptr = fopen( argv[1], tohex ? "rb" : "rt" )) == NULL ) {
 printf("can't open %s for reading", argv[1]);
 exit(1); /* do not carry on with a NULL stream */
}

/*\
 * Test for output file existence first.
\*/
if ( (outptr = fopen( argv[2], "rb" )) != NULL ) {

 if ( getyn("Output file exists, overwrite (Y/N)? ") == 'N' ) {
  usexit();
 } else {
  fclose( outptr );
 }
}
if ( (outptr = fopen( argv[2], tohex ? "wt" : "wb" )) == NULL ) {
 printf("can't open %s for writing", argv[2]);
 exit(1); /* do not carry on with a NULL stream */
}

/*\
 * Allocate and set up file I/O buffers
\*/
if (  ( (inbuf = malloc( FILE_BUFSIZE)) == NULL)
 ||
 ( (outbuf = malloc( FILE_BUFSIZE)) == NULL)  ) {

 puts("Can't allocate file I/O buffers");
 exit(1);
}
if ( setvbuf( inptr, inbuf, _IOFBF, FILE_BUFSIZE )
 ||
 setvbuf( outptr, outbuf, _IOFBF, FILE_BUFSIZE ) ) {

 puts("Error setting file buffers");
 exit(1);
}

 printf("Converting: %s -> %s\n", argv[1], argv[2] );
if (tohex) {
 genhex(inptr, outptr);
} else {
 genbin(inptr, outptr);
}
}
/*\
* Print msg, Get y or n from user.  
* Return upper case variant.
\*/
int
getyn( msg )
char *msg; {
int c;

puts( msg );

while( 1) {
 c = getche();
 puts("");

 if ( (c == 'y') || (c == 'Y') ) {
  return( 'Y' );
 }
 if ( (c == 'n') || (c == 'N') ) {
  return( 'N' );
 }
}
}
/*\
* Get a byte from hex ascii string, return the value.
\*/
char
get_hexbyte( cptr )
char *cptr; {
char retval;
char nbl;
int shift;

retval = 0;

for( shift = 4; shift >= 0; shift -= 4 ) {

 if ((*cptr >= '0') && (*cptr <= '9')) {
  nbl = *cptr - '0';
 } else {
  if ((*cptr >= 'A') && (*cptr <= 'F')) {
   nbl = *cptr - 'A' + 10;  
  } else {
   puts("Hex file contains invalid character");
   exit(1);
  }
 }
 ++cptr;
 
 retval |= (nbl << shift);
}
return( retval );
}
/*\
*   Convert INTEL hex at infile to binary at outfile.
\*/
void
genbin( inptr, outptr)
FILE *inptr, *outptr; {
char linebuf[600]; /* input buffer: a 255-byte record needs 521 characters */
char c;

char *bufptr;
int numbytes;
char chksum;

int i;

int linenum = 1;

printf("Processing hex file line number: %5d", linenum );

/*\
 * process input file 1 line at a time.
\*/
while( fgets( linebuf, sizeof(linebuf)-1, inptr) != NULL ) {

 chksum = 0;

 bufptr = linebuf;

 if ( *bufptr++ != ':' ) {
  printf("Intel hex format error in line %d\n", linenum);
  exit(1);
 }  

 /*\
  * Get number of data bytes and add into checksum.
 \*/
 /* cast: a plain char return would sign-extend counts above 0x7F */
 numbytes = (unsigned char)get_hexbyte( bufptr );
 chksum += (char)numbytes;
 bufptr += 2;

 /*\
  * Add load address and record type into checksum.
 \*/
 for( i = 0; i < 3; ++i ) {
  chksum += get_hexbyte( bufptr );
  bufptr += 2;
 }
 
 /*\
  * Write the binary data.
 \*/
 for( i = 0; i < numbytes; ++i ) {
  c = get_hexbyte(bufptr);
  bufptr += 2;

  putc( c, outptr);
  chksum += c;
 }

 if ( ferror( outptr ) ) {
  write_exit();
 }

 /*\
  * Sum in checksum byte and check the sum.
 \*/
 chksum += get_hexbyte(bufptr);
 if (chksum != 0) {
  printf("Checksum error in line %d\n", linenum);
  exit(1);
 }

 if( numbytes == 0 ) {
  puts("");
  exit(0); /* end of hex file */
 }        

 ++linenum;
 if ( (linenum & 0x3F) == 0 ) {
  printf("\b\b\b\b\b%5d", linenum);
 }
}  

if (ferror(inptr)) {
 read_exit();
}

puts("\nWarning: Terminator record not found, hex file probably truncated.");
exit(1);
}
/*\
*   Convert infile to INTEL hex at outfile.
\*/
void
genhex( inptr, outptr)
FILE *inptr, *outptr; {

#define DATA_BYTES 0x10 /* data bytes per record */

/* hex file line buffer, one space for a NULL,
* one space for \n
*
          :  len addr 00 cks \n null */
char  hexline[ DATA_BYTES*2 + 1 + 2 + 4 + 2 + 2 + 1 + 1 ];
char  data_buf[ DATA_BYTES ];

unsigned int load_addr = 0;
int numbytes, i;

unsigned char chksum;
unsigned char *bufptr;

unsigned int linenum = 1;

hexline[0] = ':'; /* colon always starts a record */
hexline[7] = '0'; /* type for data records is */
hexline[8] = '0'; /* ... 00 */

printf("Processing hex file line number: %5d", linenum );

/*\
 * Build a line
\*/
while(
   (numbytes = fread( data_buf, sizeof(char), DATA_BYTES, inptr)) != 0
     )  {
 
 /*\
 *  Write out all the bytes as hex,
 *   updating chechksum as we go.
 \*/
 bufptr = &hexline[1]; /* skip the colon */

 chksum = (char)numbytes;
 bufptr = put_hexbyte( bufptr, (char)numbytes );

 chksum += (char)(load_addr >> 8);
 chksum += (char)load_addr;

 bufptr = put_hexbyte( bufptr, (char)(load_addr >> 8) );
 bufptr = put_hexbyte( bufptr, (char)load_addr );

 bufptr += 2; /* skip over data record type */

 /*\
  * Write out actual data bytes.
 \*/
 for(i = 0; i < numbytes; i++) {
  chksum += data_buf[i];
  bufptr = put_hexbyte( bufptr, data_buf[i] );
     }

 chksum = ~chksum+1;
 bufptr = put_hexbyte( bufptr, chksum );

 *bufptr++ = '\n';
 *bufptr = '\0'; /* string terminator, not the NULL pointer constant */

 /*\
  * write this line of the hex file
 \*/
 fputs( hexline, outptr );

 if ( ferror(outptr) ) {
  write_exit();
 }

 load_addr += numbytes;

 ++linenum;
 if ( (linenum & 0x3F) == 0 ) {
  printf("\b\b\b\b\b%5d", linenum);
 }
}
puts("");

if ( ferror(inptr) ) {
 read_exit();
}

fputs(":00000001FF", outptr);   /* Standard termination record */
}
/*\
*  Try to find .HEX extension on a filename.
\*/
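int
hexext( cptr )
char *cptr; {
size_t len = strlen(cptr);

/* names shorter than ".hex" cannot match; avoids pointing before the string */
return( (len >= 4) && !strcmpi( cptr + len - 4, ".hex") );
}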
/*\
* Put a byte as hex ascii, return pointer to next location.
\*/
char *
put_hexbyte(cptr, val)
char *cptr;
char val; {
static char hextbl[16] = {
 '0', '1', '2', '3', '4', '5', '6', '7',
 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
};

*cptr++ = hextbl[ ((val >> 4) & 0x0F) ];

*cptr++ = hextbl[ val & 0x0F ];

return(cptr);
}
/*\
* read error on input file
\*/
void
read_exit() {
puts("Error on input file read");
exit(1);
}
/*\
* Show usage and die.
\*/
void
usexit() {
puts("\nINTEL hex <-> binary file converter");
puts("\nUsage: HEXBIN infile outfile" );
puts("\nEither infile or outfile must have .HEX extension");

puts("\nIf infile  has .HEX extension, HEX to binary conversion is performed");
puts("If outfile has .HEX extension, binary to HEX conversion is performed");

exit(1);
}
/*\
* write error on output file
\*/
void
write_exit() {
puts("Error on output file write");
exit(1);
}
/************************ EOF *************************/
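
The record layout described in the header comment of the converter posted above (:NNAAAATTD1...DnCC, all bytes summing to 0 modulo 256), as an added example that is not part of the original post or of T. Bohning's code: a strict parser for a single record that treats NN as unsigned, accepts lowercase digits, and rejects a line whose length disagrees with its count field. The type and function names are hypothetical and the sample records are constructed.

```c
/* Added example: strict parser for one "old" Intel HEX record. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum ihex_status { IHEX_OK, IHEX_NO_COLON, IHEX_BAD_DIGIT,
                   IHEX_BAD_LENGTH, IHEX_BAD_CHECKSUM };

struct ihex_record {
    unsigned char count;      /* NN: number of data bytes, 0..255 */
    unsigned int  address;    /* AAAA: 16-bit load address */
    unsigned char type;       /* TT: 00 data, 01 end of file */
    unsigned char data[255];
};

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;                /* also rejects '\0', so we never run past the end */
}

/* Decode two hex digits into *out. Returns 0 on success, -1 on a bad digit. */
static int hex_byte(const char *p, unsigned char *out)
{
    int hi = hex_nibble(p[0]);
    int lo = (hi < 0) ? -1 : hex_nibble(p[1]);
    if (lo < 0) return -1;
    *out = (unsigned char)((hi << 4) | lo);
    return 0;
}

enum ihex_status ihex_parse_record(const char *line, struct ihex_record *rec)
{
    size_t i, len = strcspn(line, "\r\n");  /* length without the line ending */
    unsigned char hdr[4], cks, sum = 0;

    if (len == 0 || line[0] != ':') return IHEX_NO_COLON;
    if (len < 11) return IHEX_BAD_LENGTH;   /* ':' NN AAAA TT CC at minimum */
    for (i = 0; i < 4; i++) {
        if (hex_byte(line + 1 + 2 * i, &hdr[i])) return IHEX_BAD_DIGIT;
        sum = (unsigned char)(sum + hdr[i]);
    }
    /* The declared count must match the text exactly before any data is read. */
    if (len != 11 + 2 * (size_t)hdr[0]) return IHEX_BAD_LENGTH;
    rec->count = hdr[0];
    rec->address = ((unsigned int)hdr[1] << 8) | hdr[2];
    rec->type = hdr[3];
    for (i = 0; i < rec->count; i++) {
        if (hex_byte(line + 9 + 2 * i, &rec->data[i])) return IHEX_BAD_DIGIT;
        sum = (unsigned char)(sum + rec->data[i]);
    }
    if (hex_byte(line + 9 + 2 * (size_t)rec->count, &cks)) return IHEX_BAD_DIGIT;
    return (unsigned char)(sum + cks) == 0 ? IHEX_OK : IHEX_BAD_CHECKSUM;
}

/* Constructed 128-byte record of zeros: NN = 0x80 must not be read as a
 * negative signed char. Returns the parsed count, or -1 on error. */
int ihex_long_record_count(void)
{
    char line[1 + 8 + 256 + 2 + 1];
    struct ihex_record rec;
    memcpy(line, ":80000000", 9);
    memset(line + 9, '0', 256);
    memcpy(line + 265, "80", 3);            /* checksum 0x80 plus terminator */
    return ihex_parse_record(line, &rec) == IHEX_OK ? rec.count : -1;
}

int main(void)
{
    struct ihex_record rec;
    /* Constructed sample: 4 data bytes "ABCD" at address 0x0010. */
    printf("%d %d\n", (int)ihex_parse_record(":0400100041424344E2\n", &rec),
           ihex_long_record_count());
    return 0;
}
```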
n.n.p
Two questions (keep in mind that reading this tutorial was the first thing I ever read about doing this)

1) Why do you skip the first 15-25 lines?

and

2) When you say unpack do you mean disassemble, and how would I normally go about this? (I would google but I'm kinda busy with something else at the moment :) )

Thanks,
NNP
SecureD
I tried this nice tutorial out on the virus/trojan called "rxBot v0.7.7 Sass". When I split the file into two parts, both parts are not detected. When I chop off the 1000 lines at the end of the file, it's still detected. So I go on... line by line. Finally I found one dec which makes it detectable. So I changed this dec from 5D to 5E or 55 or 00... but it's still detected.

Am I missing something???

QUOTE
.............

2) When you say unpack do you mean disassemble, and how would I normally go about this? (I would google but I'm kinda busy with something else at the moment :) )

.............


A packer is a program which packs your .exe so the packed program looks different than the original. Changing one small part of the packed program will 99.9% sure crash the program. Before hexing your program you need to unpack it so you can change it. So this has nothing to do with a normal program unless you have packed it your own. (Please kick me if I'm wrong ;) )
