Eyeless
Hi all, I found this; I didn't write it but it described my exact method. For all of you that keep crying no one will tell you how, well you should learn to use Google; but I've done it for you. This is an example; if you follow it exactly it WILL work. Just follow the directions, maybe even download YAB and try it on that one first to get the hang of it.

QUOTE

How to make Yab v2.01 undetectable to anti-viruses as of 11-9-02.

Unzip the zip file to My Documents, or anywhere you like. Uncompress Yab.exe with UPX (if you can not do this please stop now, email Bill Gates and tell him he owns you). Next copy avpoffset.exe to C:\Program Files\Common Files\KAV Shared Files\Bases\. Now start a command prompt, again (if you can not do this please stop now, email Bill Gates and tell him he owns you), go to the directory C:\Program Files\Common Files\KAV Shared Files\Bases\ and type avpoffset Yab.exe.

You will have to wait a while, but you should get these results:

Yab.exe infected: TrojanDropper.Win32.Yabi

Signature 1 found:
Offset: 340276 ( 53134h)
Length: 7 ( 7h)
Checksum: (DFAA3D83h)

Signature 2 found:
Offset: 340351 ( 5317Fh)
Length: 255 ( FFh)
Checksum: (75593A94h)

Now before we move on let's look at this. A digital signature is a string in a program that is very unique, basically a certain number of values in a certain order. So we know yab.exe has 2 of these. One is 7 characters long and the other is 255! Next we get to "hexing".

Now we need to install Hex Workshop. Once installed, go to yab.exe in C:\Program Files\Common Files\KAV Shared Files\Bases\, right click it and hit "Edit in Hex Workshop". Now we are thinking holy shit, look at all this crap. Don't worry, it's easy once you do it a couple of times. Hold down the control key and press g; this will bring up the goto box. Make sure Dec is selected and put in our first signature, 340276. Now hit go. This takes us to the offset value 00340276. We look at where our cursor is, _B. But we remember this signature is 7 characters long so the signature is really "Bound %".
Now we change this; let's just change it to "BoNnd %" (refer to figure1.jpg for help). (If you add or subtract an extra character the program will not run!!!)

Now to signature 2. We must do the same thing: hold down the control key and press g; this will bring up the goto box. Make sure Dec is selected and put in our first signature, 340351. This shows us the signature starting at ".E.." etc. But we know this one is 255 characters long. So this signature is really ".E....R...N..|IF3..E.P.E..E..E...M....E..8.W..E..E..E...U........>E..<7...U..E......CNu..E.P.E..E..E...E.......E..E...T[E..E..E...X[E..E..E...U........>E...6...E..........N..~#......E..D.......P.E..3...Z.T..CNu..E...........E...-..;....3.ZYYd..h.>E..E....". Well, we decided to replace IF3 with an ID3 (after some testing, because I have no clue which ones will work and won't work, so you must do trial and error). Refer to figure 1. Save this as Yab1.exe.

After a quick scan with KAV we notice yab1.exe is no longer detected! YAY! Or is it? So we make a file and notice the bound file is detected. Son of a bitch! Well, back to good old avpoffset (thank you Senna Spy). So we scan yab1.exe. Lo and behold, 2 more (filtered) signatures. You should get:

Yab1.exe infected: TrojanDropper.Win32.Yabi

Signature 1 found:
Offset: 461310 ( 709FEh)
Length: 7 ( 7h)
Checksum: (1C0F7B3Dh)

Signature 2 found:
Offset: 474658 ( 73E22h)
Length: 255 ( FFh)
Checksum: (BF333759h)

Son of a bitch!! Well, I guess we need to hex these too. Go to the directory C:\Program Files\Common Files\KAV Shared Files\Bases\, right click Yab1.exe and click "Edit in Hex Workshop". Now hold down the control key and press g; this will bring up the goto box. Make sure Dec is selected and put in our first signature, 461310. Now hit go. This takes us to the offset value 00461310. So we know by now the signature here is "del "%s", so we change this to "Del "%s" (refer to figure2.jpg).
Time to go to the second offset, so we hold down the control key and press g; this will bring up the goto box. Make sure Dec is selected and put in our first signature, 474658. Now hit go. This takes us to the offset value 00474658. We should know by now the signature here is

"j.j.......E.1....j.j.S.C..... Sj.j..E.P.*.........uH.U...B...@@..B..1.....u....3P.l.....3...C...v..E..t)@.......................E.P........e.[^_..U.....WVS.]...u.......q...j.j................j.j.S....... Sj.j.V...........u01...t&.......3P.......3...C...v."

Soooo we change this to

"j.j.......E.1....j.j.S.c..... Sj.j..E.P.*.........uH.U...B...@@..B..1.....u....3P.l.....3...C...v..E..t)@.......................E.P........e.[^_..U.....WVS.]...u.......q...j.j................j.j.S....... Sj.j.V...........u01...t&.......3P.......3...C...v." (Changed the first C to c, refer to figure3.jpg)

Now we save this as yab2.exe. Whew, I think we're done. So we make a file and scan it… Voilà!! The author of this tutorial would like to thank all the members at trojanforge for posting all their information on this subject.
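The whole procedure above works because the scanner being discussed matched short, fixed byte strings, so a same-length edit of one byte inside the string is enough to lose the match. From the detection side the useful lesson is how to write a rule that a single such edit does not break. The Python below is an added example, not code from the thread, from avpoffset or from any AV product. The byte buffers are constructed stand-ins for a binary (the two quoted strings are the ones the post identifies; the third is an arbitrary API name added for the example), the `??` wildcard syntax follows YARA's hex-string notation, and the "2 of 3" condition is the usual N-of-them rule.

```python
"""Toy byte-signature matcher: fixed strings versus masked patterns with an
N-of-M condition.  Added example, not code from the thread or any AV product.
All buffers below are constructed, not real files."""

# Constructed stand-in for a binary: filler plus three distinctive strings.
ORIGINAL = (
    b"\x00" * 32 + b"Bound %"            # offset 32, 7 bytes
    + b"\x00" * 16 + b'del "%s"'         # offset 55, 8 bytes
    + b"\x00" * 16 + b"OpenProcess"      # offset 79, 11 bytes (arbitrary API name)
    + b"\x00" * 8
)
# The same buffer after same-length, one-character edits like the post's.
MUTATED = (ORIGINAL.replace(b"Bound %", b"BoNnd %")
                   .replace(b'del "%s"', b'Del "%s"'))


def find_exact(data: bytes, sig: bytes) -> int:
    """Offset of the first exact occurrence of sig in data, or -1."""
    return data.find(sig)


def parse_hex_pattern(pattern: str) -> list:
    """Parse a YARA-style hex string ('42 6F ?? 6E') into byte values,
    with None standing for a wildcard position."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def find_masked(data: bytes, pattern: list) -> int:
    """Offset of the first match of a masked pattern in data, or -1."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + k] == p for k, p in enumerate(pattern)):
            return i
    return -1


# Three weak indicators; the letters most likely to be case-flipped are wildcarded.
RULE = {
    "bound_str": "42 6F ?? 6E 64 20 25",                # "Bo?nd %"
    "del_cmd":   "?? 65 6C 20 22 25 73 22",             # '?el "%s"'
    "api_name":  "4F 70 65 6E 50 72 6F 63 65 73 73",    # "OpenProcess"
}


def rule_hits(data: bytes, rule: dict = RULE) -> dict:
    """Offset of each indicator in data (-1 when absent)."""
    return {name: find_masked(data, parse_hex_pattern(p)) for name, p in rule.items()}


def rule_matches(data: bytes, rule: dict = RULE, threshold: int = 2) -> bool:
    """YARA-like '<threshold> of them' condition over the indicators."""
    return sum(1 for off in rule_hits(data, rule).values() if off >= 0) >= threshold


def single_byte_edits(data: bytes, offset: int, length: int):
    """Yield copies of data with exactly one byte in [offset, offset+length)
    changed; XOR 0x20 flips ASCII letter case, the kind of edit the post makes."""
    for i in range(offset, offset + length):
        yield data[:i] + bytes([data[i] ^ 0x20]) + data[i + 1:]


def survival_count(matcher, data: bytes, offset: int, length: int) -> int:
    """How many of the single-byte edits inside the span are still detected."""
    return sum(1 for v in single_byte_edits(data, offset, length) if matcher(v))


if __name__ == "__main__":
    span = (32, 7)  # the 7-byte "Bound %" span in ORIGINAL
    print("exact 'Bound %' in ORIGINAL:", find_exact(ORIGINAL, b"Bound %"))
    print("exact 'Bound %' in MUTATED :", find_exact(MUTATED, b"Bound %"))
    print("masked rule hits in MUTATED:", rule_hits(MUTATED))
    print("exact sig survives", survival_count(
        lambda d: find_exact(d, b"Bound %") >= 0, ORIGINAL, *span), "of 7 edits")
    print("masked bound_str survives", survival_count(
        lambda d: find_masked(d, parse_hex_pattern(RULE["bound_str"])) >= 0,
        ORIGINAL, *span), "of 7 edits")
    print("2-of-3 rule survives", survival_count(rule_matches, ORIGINAL, *span), "of 7 edits")
```

Run it and the three survival counts are 0, 1 and 7: the exact string dies on any edit, a wildcard only protects the one position it covers, and only the rule built from several independent indicators with a threshold below their total number survives every single-byte edit in the span. That is the property to check when writing a rule for a family whose samples are known to be hand-patched.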


Pyrator
Zekk
kinda cool example, always wanted to know how to change the sigs, thanks :).
onlinepass
QUOTE
The author of this tutorial would like to thank all the members at trojanforge for posting all their information on this subject.



It's good to see some compliments... well, I was one amongst the many who have posted this technique on TrojanForge.....

BuzzDee
thx a lot!

actually a gr8 tutorial
nexXx
yeah thx a lot,

this is a useful tutorial.
Silent Bob
yeah, very nice... this should come in handy
THoRaX
yes indeed, very handy
will try to use this. thank you for this tutorial
neoragexxx
thanks m8, very handy indeed ..
Trojan^kid
nice
but there is one thing
avpoffset.exe
hasn't worked for a long time now
Find your way without it
cheers
Eyeless
LOL, you're not up to date either; use AVP clone 2.0 if you can get it.
DJohn84
nice tut, congrats on your hard work in writing all that down (writing tuts can be a bish)

Eyeless
@neoragexxx Nice to be compared, but I'm not m8
D3ADLiN3
some good ideas, thanks
zero-maitimax
seen that before on TrojanForge, we had a big discussion about it.. but in the end it didn't work as well as it was supposed to. The problem was that the trojan inside didn't work anymore..
so it became useless for me..
Trojan^kid
ksv
Yap 2.01 Signature
7595 (00001DAB)
have fun
white
thanks for this tutorial
cross
It is still useful even if it does not work. Learning how things used to work will give you an idea of how future things will work. Most new technologies are based on older ones. Great tut, thx for posting it!
roger_girardin
you can use an undetected generator


lol

download

---------------------------------------------------
av tester v1.22 By roger girardin

init : 2004-1-18 end : 2004-2-28
---------------------------------------------------
This script is for advanced users only

General requirements:

a) software:
· windows os - apache - php - antivirus

b) hardware:
· CPU : 1500 MHz - RAM : 512 Mo - Free HD : 20 Go

What this tool is for

This tool generates malware that anti-virus does not detect

The first step is the anti virus offset detection.
Take a malware, put it in the exes directory, open the home page and click on the clone gen button, then choose the default rule file.
Then click the clone button.
For each bit, the script will create a clone, change the char at the loop position to hex (00) and name the clone by the loop number.

Then you run an anti virus scan on the result directory, deleting the files detected as malware.

Then you click the offsets + hex edit button.
It will show you the anti virus offsets.
Then you can hex edit the file you want by clicking on the offset char.

How to use it

1) clone gen button
this part allows you to choose a file and clone it
options
· rule file: it contains a char table
· ini clone (bit): you can start the cloning process from a selected bit
· end clone (bit): you can end the cloning process at a selected bit

2) offsets + hex edit button
this part allows you to hex edit a cloned file by the bit modified
options
· offset hex string ==> click to hex edit: then you can hex edit the file you want by clicking on the offset char
· ascii offset string ==> click to download: the offsets as ascii chars
· file changed bit position ==> filename: the offset char's file position
· CRC32: the file's resulting CRC32
· MD5: the file's resulting MD5

3) offset + adv gen button
by clicking on any offset char, you will generate another cloning (255 files)
it will take the offset char position and change it to every ascii char (255)
the destination cloning directory is "advanced_clone" by default

4) hex editor button
you can choose any file to hex edit and modify it

5) rule table
you can create a rule table or edit and modify an existing one

6) cleaner
you can delete files and directories

Disclaimer
Malware can damage your computer and your computer's data.
I don't code any malware and take NO responsibility for the way you use the av detector. If you do not agree to these terms, delete this software NOW!

---------------------------------------------------
Any interesting comment to : roger.girardin@caramail.com
Venom
Can someone please post avpoffset.exe for download?
I have an avpoffset.exe but it crashes when I use it with a trojan (uncompressed troj).

Is it the avpoffset.exe that I have, or is it that avpoffset.exe works fine only with the old sigs?

thx
relax
Nice tut

Got past KAV fine... But didn't fool Sophos, will just pack to get it past that... unless there is a method to get the sigs for other AVs?

anyway, here's that avpoffset.exe tool that was a pain to find

https://vx.helith.net/~sennaspy/avpoffset.zip

sizza
hi, I'm using avpoffset.exe and the latest KAV definitions, but avpoffset is just crashing after loading the definition files. Does it not work any more, and is there any way to get around this?