You must use Hex workshop or some of this wont make sense!
This was written by eyeless and eddited by carlo:
-------------------------------------------------------------------
*.Cut Code in half by selecting some code from the middle of the dump (ie. Cut at Offset: *6068) to the BOTTOM and right-click. Select "Fill" and fill code with "00" Make sure to make note of where you cut it!!!!Now SAVE AS "TOPCODE.exe"
2.Next, Open your original server and cut code in half by selecting some code from the middle of the dump (ie. Cut at Offset: *6040 next line above offset you cut at in no.*) to NEAR the top.. I would give it *5-25 lines from top and right-click. Select "Fill" and fill
code with "00". Now SAVE AS "BottomCODE.exe"
*.Now scan both EXE's you created (ie. TOPCODE.exe & BOTTOMCODE.exe) At this point I know that I have Isolated BOTH signatures, this is because BOTH halfs are detected.If one isnt
detected, then both sigs are in the half that is detected.Sooo we repeat the operation of
splitting the code into two executables using the half that is detected.(you only want to
split the part that actually has code, not the part you filled!)! Soo just repeat number *!
With some files there will vary the amount of signatures that AV uses to detect it. For the
most part there are 2 signatures for EACH AV that detects your malware, however sometimes
there is only one and sometime there are * (I have never seen more than *) you will have to
use your brain to figure out how to find these signatures.
4.OK, now you have two detected halfs! (hopefully) Now we must isolate the detected code. To
do this, I go down the code *0 lines at a time. Select *0 lines of code, then right-click
and select "Fill" again. Fill it with "00" and saveing the file.
5.So open "TOPCODE.exe" and after those first *5 lines I told you NOT to "Fill" start
filling code *0 lines at a time. After every ten lines you fill, save the changes by
clicking File>Save as and save it as "editTOPCODE.exe"
6. Now Scan the file with whatever AV you are trying to bypass. If the file is detected,
then the signature was NOT inside the *0 lines of code we "Filled". OK now some of you are
saying, but it isnt detected anymore!Then make note of the offsets that is at the beging and
at the end of the *0 lines of code that you last filled and Jump Down too *A. if not OPEN
"editTOPCODE.exe" and just keep filling *0 lines at a time till it isnt detected. Just
follow 5 using "editTOPCODE.exe"
User: "Wee hehe haha hoho hehe haha, thank you eyeless I have found the *0 lines of code
that my AV Detects!"
Eyeless: "OK, calm down sunny... There is MORE!"
User: "MORE!"
Eyeless: "Untwist the panties, You're almost there!"
OK, enuf senseless rambling, on to buisness!
*A OK, you dont need "editTOPCODE.exe" anymore, so we dont complicate things, just delete
this file.
2A. OK, so you got the *0 lines of code! Your first half isnt detected, you've almost
isolated the AV signature. Now, what we do is open up "TOPCODE.exe"
*A. Now go to the offset that your *0 lines starts at. Select the first 5 lines, and again
"Fill" the code with "00" and SAVE AS "AVTOPCODE.exe" and scan with youre AV. Detected? Move
to *B! Not detected by AV? Move to *C!
*B. OK, the signature wasnt in the first five of the *0 lines.... But thats ok! Cause it IS
in the last five! So now what you want to do is open up the file you saved "AVTOPCODE.exe"
select the line after the first 5 you filled and Fill this line. Now save, Detected? Move to
then continue to do this line by line for the rest of the ten lines; IT WILL BE ONE OF THEM!
Once not detected by AV, Move to *D "The Grand Finnaly (Is that how you spell it?)"! (Make
sure to make note of what offset the line is on!)
*C. OK, The AV sig WAS inside the first 5 lines, so open up your "TOPCODE.exe" and find the
offset where the *0 lines Begins.Next, Starting with the first line, fill it line by line.
Do this by slecting a line and righ-clicking>Fill. After the first line is "Filled" you must
SAVE AS "AVTOPCODE.exe". Scan this file with you're AV.. Is it detected, then this isnt the
line with the signature, so repeat on the next line and so on.... Till it isnt detectd, then
make note of what offet the line was on!!
The Grand Finnaly (Is that how you spell it?)
OK, Your a solider, you made it this far means you can make it the rest of the way.Cut off
that green toe, and muck up man!
*D.Open up "TOPCODE.exe" in your editor. Delete "AVTOPCODE.EXE" it is not needed anymore!
2D. OK, YOU HAVE THE LINE THE CODE IS ON! You are very close to finding the signature.
now you will notice that when you select ONE offset such as *6068 ( you may have this offset
or not depending on how bigyour malware is.) it highlights TWO numbers or letters in the HEX
view. (View of numbers and letters on the left).Go to the line your came up with from *B or
*C Select ONE offset and "Fill" with "00". Now save as "UNDETECTTOP.exe" Scan it! Still
detected? Go to the next offset and "FILL" then save etc... Do this in'till when you scan it
and it isnt detected then move to *D. If you fill the whole line and it is detected. You
(filtered) up. Start over.
*D. USER: "Wholly shit I deleted this one offset and now it isnt detected!"
OK That last offset you delted before it became undetectd is the AV signature (or part of
it, this will be explined in "TROUBLESHOTING") Sooo Make note of this Offset!
4D. OK open up the "TOPCODE.exe" and find the Offset! and modify it! A good rule to follow
here is, if the offset was a "G" make it a "H" or little "g". and now scan with AV. It isnt detected is it?!?!? Hoorrrra!
Finishing it up!
*E. OK so reapet everything on the second half of the server, remember "SECONDHALF.EXE" we made? I am not typing it over again modifying everything to "***SECONDHALF.EXE".
MAKE YOUR EXE'S BACK TO ONE!
*F. Now, this is easy, remember how I said make note of where you split the file in *.?
While open "BOTTOMCODE.exe" and select the code from the offset you originally split and right-click>copy.
2F. Now open "TOPCODE.exe" and find where you split the code and select all the code you "filled". Now right click on the code a select "Paste". Now click File>Save AS and save it as UNDETECTED******.exe making ***** the name of your malware!
*F. THATS ALL FOLKS!
TROUBLE SHOOTING!
OK, so you did it all right and now your malware doesnt work right. It wont open, does nothing, gives errors etc... Here are some tips to try.
* Try modifying the values directly to the side of the offset, some times a signature is 5 offsets long and modifying the ANY of them will make it undetected. Modifying one of them might cause the server to crash, while modifying the one next to it may allow it to slip by av and still work perfectly.
2 Try modifying the value of the offset to something else in hex, there is 00 to FF; try all f them
Reply With Quote
eXe-Stub.G ~ *00% UD (+2* Av's Guarantee)
