Hexing for Beginners

Discussion in 'Forum for discussion of ANTICHAT' started by bxN5, 31 Jan 2009.

  1. bxN5

    bxN5 Elder - Старейшина

    8 Jan 2006
    Likes Received:
    Hexing for Beginners

    This Tutorial is For Making ur Trojans or Rats into AV Undetectable

    Hexing for n00bs
    I Warpboy do NOT take responsibility for what you do with the Information given during this tutorial.

    Goal: To learn how to hex edit "trojans" or anything else making them UD to AV programs.


    UD: Undetected
    AV: Anti-Virus
    FW: FireWall

    *Make sure the program which you are reading this in has WORD WRAP *ON*
    *And the word *Click* in the tutorial is written that way so you can easily scim through the tutorial if you would like.

    To begin, HexEditing is a difficult and partially effective method used to make "trojans" UD. In some cases this method will not work because the AV has tagged a vital part of the code. There are a few necessities you will need:

    Hex Workshop or another HexProgram (Hex Workshop is used in this tutorial)

    : Download Link
    :Your Server is needed (this is what you are hexing)

    :A little time and a good attitude (alwayz good) : )

    Ok lets begin...

    1) First open up "Hex Workshop" and *Click* File:Open: Find your server or whatever you are hexing and *Click* it and then *Click* open.

    2) In you workfield all the HexValues should pop-up. Get familiar with the file look at certain bytes this will help you understand more.

    3) Scroll down to about the middle and *Click* the first offsett on the left side. Grab it and drag down as you drag down do NOT let go or you will have to return and do it again. Keep holding it down until your at the bottom of the file Offsett 1.

    4) Seeing half the file highlighted. Right *Click* and *Click* Fill. A new window should open, in the textbox instead of 0 put 00. Then *Click* Ok.

    5) What you have just done is cut the file in half. The 00 byte has no values at all, another common used byte used in hexing is 90 it is the no-operation byte.

    6) Ok now you have half the file filled with 00's right? Good... Point your arrow to the left hand corner. *Click* File: Save As. Save the file 1.exe. Be sure to remember the offsett you cut the file at.

    7) Go to the directory you saved 1.exe in, and right *Click* it and find a tab called Scan It For Viruses with your AV logo beside it. Once its done scanning if it is detected that means the detected string is not in that half which you filled with 00's.

    _How an AV detects Malware_

    An AV program is very powerfull it stops about 98% of common malware from infecting your PC. Our goal like said earlier is to be apart of that 2%. An AV when it scans a file looks for a string it could be anywhere in the file. Most likely it is in the most vulnerable spot, via if you arn't carefull you could corrupt your server. The detected string is a digital string that is in the database of the AV. Have you ever seen your AV connect to the internet and look for updates? This is your AV downloading new strings that it will later use to defend your computer against malware. That is how a common AV works!

    Cool Ok lets move on once again, right now you should have your original server, and the detected half of your server (1.exe). Now in HexWorkshop open up your Original Server. Why we are doing this is, because the AV when it detected (1.exe) it deleted all the bytes. So now find the offsett in the middle which you started at, and pull it down or up again, but this time do not go all they way (cutting it in half). Bring it down or up about 5-10,000 offsetts from the middle point. Fill the highlighted area with 00's. Then save the file as Scan.exe, also save it as scanbackup.exe.

    FootNote: The names are examples you may name them whatever you like just remember them. Also me personally i record all the offsetts i stop and start at in notepad.

    9) Now in the directory you saved Scan.exe right click it and Scan it for viruses once more. If it is still detected then you have not found the offsett yet.

    How you know when you find it?
    You know that you have found the offsett when your AV no longer detects the file. Be sure to remember that if your AV detects the file you scanned it will delete the whole file. This is why you should always keep a backup.

    10) Ok by now you should get the jist of how to find the detected string. Most AV's detect 2-3 strings sometimes though it could be as little as 2 bytes or as large as 10 strings. Continue until you find the detected strings.....

    11) Ahh yes you have found them. Congratulations!!! Now your not through quite yet, just a little more to go. You have located the detected strings now you must edit them ever so slightly to make the file UD and the server to still work. Change the numbers around using the fill option explained earlier to do this. If you do it just right and things aren't to different you will have successfully HexEdited.

    #1 bxN5, 31 Jan 2009
    Last edited: 31 Jan 2009
    1 person likes this.
  2. 12usver12

    12usver12 Elder - Старейшина

    12 Dec 2007
    Likes Received:
    it is a big pain in the butt, without any warranties that it would help to hide vir and remain .exe working
    #2 12usver12, 1 Feb 2009
    Last edited by a moderator: 2 Feb 2009
Similar Threads - Hexing Beginners
  1. bxN5