30 May 2011

[Tut hack] How to FUD your trojan with a HEX editor



How to FUD your trojan/server with a HEX editor.

With pictures??
OMG you're F***ing awesome



Our FUDDING tool requirements and download links:

First, of course, an AV. What I am going to be using is Avast, the free edition.


A file splitter, to split our server so we can find out where the virus signature is and modify it.

The best hex editor I have found, and it's free of charge.



Now let's begin.

Now go grab the server you want to edit; mine is going to be a Spyrex keylogger server.

Before we begin, turn your AV off.
Your results may vary depending on the AV you're using.

Now place your server in a folder; I recommend naming it A, trust me on this. My server's name is test.exe.

Okay, now once you have placed the server in the folder, let's scan it.
And.......
OMG, it got caught.

 

OK, now where to start: open The File Splitter and Calc.exe to split the file.
In the file splitter, browse to the server you want to split and choose Custom size. It tells me that this server is exactly 53,495 bytes, and I want to split it into 4 pieces, so I go to Calc and divide it by 4. Now take the number you got after dividing and put it in the splitter's custom size box like I have at the bottom. Then click on Split.




Now you should get the files in the same directory like I have below.




Now scan each of them to figure out which file we have to split again.
Once you have figured it out, make a new folder named after the part number that was detected. I got part 3, so I'm going to make a new folder named 3.





Now I hope you didn't close the file splitter; if so, reopen it, browse to test.exe.3 to split it, and change the output folder to 3 like I have in the picture below. We are also going to split this file into 4 pieces again, so open up Calc and divide by 4.
I made a drawing of this if you're confused.



Now you should have this inside folder named 3.



Now scan each file again to figure out which file we need to split, but also be aware of how small the files are getting. Once you figure out which file needs splitting, make a new folder with the part's name. I got part test.exe.3.3, so I am going to make a new folder and name it 3.




Now once you have made the new folder named 3, open up the file splitter, browse to the file that got detected (mine was test.exe.3.3) and set the output directory to the folder we just made, which was the folder named 3.





Now browse to the new folder and scan the new files we split. As you can see, test.exe.3.3.4 was detected, so I'm going to make a new folder and name it 4.





Now in the file splitter, pick the file that got detected, which was test.exe.3.3.4, and choose the new folder we made named 4.




Now let's scan the new files and see which got detected. Once we find it, open it up with the HEX editor and see if it's still too big to figure out what we need to change.




OK, so it's test.3.3.4.1 that we need to edit, so open it up with your favorite hex editor or use the one I provided earlier. Once you open it, it will look something like this.




Now the virus signature is in here. Don't get scared, it's not that hard. My method of figuring it out is looking for something that stands out, or guessing. All you really have to do is change a letter from a capital to a lower case one; what worked for me was changing the D to lower case in the word DLLHOOKSTRUCT.
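To make the detection point concrete, here is an added example (not code from the original post) of a toy signature scanner: a byte-exact rule for DLLHOOKSTRUCT misses the sample once the D is lower-cased, while a case-insensitive rule (the equivalent of YARA's `nocase` modifier) still fires on it. The sample bytes are constructed stand-ins, not the server from the post.

```python
"""Toy signature scanner, added as an example and not part of the original post.

It contrasts a byte-exact signature, which a single case change defeats, with a
case-insensitive signature that still matches the modified sample.
"""
import re

SIGNATURE = b"DLLHOOKSTRUCT"  # the string the post identifies as detected

# Constructed sample fragment: unrelated filler bytes around the signature.
ORIGINAL = b"\x00\x00MZ\x90" + SIGNATURE + b"\x00\x00.text\x00"
# The edit described in the post: flip the leading 'D' to lower case only.
MODIFIED = ORIGINAL.replace(SIGNATURE, b"d" + SIGNATURE[1:])


def exact_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Byte-exact signature: the kind of check a one-byte case edit evades."""
    return sig in data


def nocase_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Case-insensitive signature; re.IGNORECASE folds ASCII case on bytes."""
    return re.search(re.escape(sig), data, re.IGNORECASE) is not None


def verdicts(data: bytes) -> dict:
    """Run both rules over one sample and report which ones fire."""
    return {"exact": exact_match(data), "nocase": nocase_match(data)}


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, verdicts(sample))
```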





Now save it, exit and scan it; it should be undetectable.



Congratz, now it's FUD. All you need to do now is compile it, scan it one more time, and run it to test.

Now for compiling, I will show you one example and you can figure out the rest on your own.

Now you see the splitter icon inside your folder; click on it and it will recompile the file.




Now once you have made that file, copy it, go back one directory and paste it; it will ask you to replace, click yes, and keep doing this till you get back to the first directory. And you're done.


I really hope you learned something; this took me like 3 hours.

Source: http://enc0de.blogspot.com/
