You have to have a photo in ur folder for example:sample.jpg.
After that,just open notepad and write:
Save it as "desktop.ini"
THIS IS WHERE YOU CAN LEARN REAL HACKING...
Sunday 29 January 2012
Make Your Pirated Windows XP Genuine
Windows Genuine Ballon Hack The fix works a treat.
1. C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data
inside you will find a file called Data.dat open that file with notepad and
delete all the stuff in it… now save the file and set it as read only and restart pc but in SAFE mode ** Yes, this step is required ** ** Will NOT immediately solve problem until rest of steps completed **
Now go to c:\windows\system32 folder: MUST be in safemode
wgalogon.dll ** You CANNOT delete this file. RENAME it to wgalogon.bbb ***
spmgs.dll ** This is a spelling error. File is actually spmsg.dll. RENAME it to spmsg.aaa **
wgatray.exe *** DELETE this file ***
Now go to C:\WINDOWS\Software\Distribution\Download and DELETE the following folder
6c4788c9549d437e76e1773a7639582a
REBOOT & all should be resolved
End the process wgatray.exe in Windows TaskManager and restart Windows XP in safe mode. Now delete the following files:
Delete WgaTray.exe from c:\windows\system32
Delete WgaTray.exe from c:\windows\system32\dllcache
Start Windows Registry editor and delete the folder "WGALOGON" located in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\WinlogonNotify. Delete all references in your registry to WgaTray.exe
Another alternative suggest that three files are installed Windows XP System Folder:
\WINDOWS\system32\WgaLogon.dll
\WINDOWS\system32\WgaTray.exe
\WINDOWS\system32\LegitCheckControl.dll
The wgatray.exe process makes the check for genuine windows software. You can disable WGA by removing the execute bit on WgaLogon.dll. That way, winlogon can't call it as a notification package at boot, and since WgaLogon is responsible for running and maintaining WgaTray.exe, no more tray popups either.
To change the execute bit of WgaLogon.dll, first turn off Simple File Sharing. Now right click the file in Windows Explorer and open the Security Tab. Hit the Advanced button, uncheck the Inherit box at the bottom, hit the Copy button, then hit OK. Go through each listed user/group and remove the "Read & Execute" permission for that file, leaving the "Read" permission as-is.
Hit OK to apply the permission changes and close the file properties dialog. Restart the machine. You can now turn "Use simple file sharing" back on, if you want.
A third alternative posted on the internet suggest that users clear the content of file data.dat located in the following directory:
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data
1. C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data
inside you will find a file called Data.dat open that file with notepad and
delete all the stuff in it… now save the file and set it as read only and restart pc but in SAFE mode ** Yes, this step is required ** ** Will NOT immediately solve problem until rest of steps completed **
Now go to c:\windows\system32 folder: MUST be in safemode
wgalogon.dll ** You CANNOT delete this file. RENAME it to wgalogon.bbb ***
spmgs.dll ** This is a spelling error. File is actually spmsg.dll. RENAME it to spmsg.aaa **
wgatray.exe *** DELETE this file ***
Now go to C:\WINDOWS\Software\Distribution\Download and DELETE the following folder
6c4788c9549d437e76e1773a7639582a
REBOOT & all should be resolved
End the process wgatray.exe in Windows TaskManager and restart Windows XP in safe mode. Now delete the following files:
Delete WgaTray.exe from c:\windows\system32
Delete WgaTray.exe from c:\windows\system32\dllcache
Start Windows Registry editor and delete the folder "WGALOGON" located in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\WinlogonNotify. Delete all references in your registry to WgaTray.exe
Another alternative suggest that three files are installed Windows XP System Folder:
\WINDOWS\system32\WgaLogon.dll
\WINDOWS\system32\WgaTray.exe
\WINDOWS\system32\LegitCheckControl.dll
The wgatray.exe process makes the check for genuine windows software. You can disable WGA by removing the execute bit on WgaLogon.dll. That way, winlogon can't call it as a notification package at boot, and since WgaLogon is responsible for running and maintaining WgaTray.exe, no more tray popups either.
To change the execute bit of WgaLogon.dll, first turn off Simple File Sharing. Now right click the file in Windows Explorer and open the Security Tab. Hit the Advanced button, uncheck the Inherit box at the bottom, hit the Copy button, then hit OK. Go through each listed user/group and remove the "Read & Execute" permission for that file, leaving the "Read" permission as-is.
Hit OK to apply the permission changes and close the file properties dialog. Restart the machine. You can now turn "Use simple file sharing" back on, if you want.
A third alternative posted on the internet suggest that users clear the content of file data.dat located in the following directory:
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data
Hide Or Lock Your Drive(s)
Open Registry (go to run command, type "regedit" and press enter)
Then go to this key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Now right click in right side pane and create DWORD Value (blue color)
Rename it as "NoViewOnDrive" (for locking drive)
or
Rename it as "NoDrives" (for Hiding drive)
Double click on it and put some numbers to lock ur desired Drive and click ok.
Finally restart or log-off the computer to take effect.
Keep in mind that "0" is Default Value to Disable or remove this setting..
After locking the drive when u try to open it, u will see a msgbox like this
"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"
Then go to this key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Now right click in right side pane and create DWORD Value (blue color)
Rename it as "NoViewOnDrive" (for locking drive)
or
Rename it as "NoDrives" (for Hiding drive)
Double click on it and put some numbers to lock ur desired Drive and click ok.
DRIVE NOS.
FOR A : 1
FOR C : 4
FOR D : 8
FOR E : 16
FOR F : 32
FOR G : 64
FOR H : 128
Finally restart or log-off the computer to take effect.
Keep in mind that "0" is Default Value to Disable or remove this setting..
After locking the drive when u try to open it, u will see a msgbox like this
"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"
Hide Your User Account In Windows XP
If your parents have recently locked you out of their computer, then
there is a way to make your account invisible, so they wont know that
your account exists, and you can still log in.
You have to edit your registry for this, so if you dont want to take the risk, then dont do it.
First off, you have to create your account.
1) Turn on computer and keep hitting F8 untill you are at the safe mode screen selection.
2) Log in the administrator account, it shouldnt require a password, if it does, that means that your parents locked that account and you cant create you account.
3) If you are in, then go to control panel and create your account.
4) Restart your computer, and logg in your account. After everything is loaded, go to Start > Run > Regedit. The registry will popup.
Ok, now follow this root to make your account invisible.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Now right click, and go to New > DWord Value and name it YOUR EXACT USER NAME, like if your use name is JunglePrince then make it JunglePrince, if its jUNGLEpRINCE, then name it jUNGLEpRINCE.
Now the value should be zero, if it isnt, the right click the value you just made and go to Modify, and make sure Value data is 0.
Now restart, and at the log in screen, you want see your username, now hit CTRL+DEL+ALT twice, and it will switch to a diffrent loggin screen. Once it happens, logg in with your name, and TADA!.
You have to edit your registry for this, so if you dont want to take the risk, then dont do it.
First off, you have to create your account.
1) Turn on computer and keep hitting F8 untill you are at the safe mode screen selection.
2) Log in the administrator account, it shouldnt require a password, if it does, that means that your parents locked that account and you cant create you account.
3) If you are in, then go to control panel and create your account.
4) Restart your computer, and logg in your account. After everything is loaded, go to Start > Run > Regedit. The registry will popup.
Ok, now follow this root to make your account invisible.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Now right click, and go to New > DWord Value and name it YOUR EXACT USER NAME, like if your use name is JunglePrince then make it JunglePrince, if its jUNGLEpRINCE, then name it jUNGLEpRINCE.
Now the value should be zero, if it isnt, the right click the value you just made and go to Modify, and make sure Value data is 0.
Now restart, and at the log in screen, you want see your username, now hit CTRL+DEL+ALT twice, and it will switch to a diffrent loggin screen. Once it happens, logg in with your name, and TADA!.
Send Anonymous Emails
Have you ever think about sending emails to someone from any address? It is called email spoofing.
What is the aim of sending anonymous mails? You can:
How to?
1) Visit HERE and fill in the form.
2) Done! You had sent the email with the address you choose.
What is the aim of sending anonymous mails? You can:
- Catch a cheating spouse husband or wife.
- Find out if your friend is are real friend
- Give warnings to people
- Inform the police about illegal activities
- Inform the tax office about tax cheaters
- Confess your love to somebody
- Play an email joke with your friends
- When your own email service doesn’t work
- If your private email is banned by the recipient
- Report fraud to your boss or institution
- And many more reasons…
How to?
1) Visit HERE and fill in the form.
2) Done! You had sent the email with the address you choose.
Internet Download Manager 5.12 FULL CRACKED
Internet Download Manager
(IDM) is a tool to increase download speeds by up to 5 times, resume and schedule downloads. Comprehensive error recovery and resume capability will restart broken or interrupted downloads due to lost connections, network problems, computer shutdowns, or unexpected power outages. Simple graphic user interface makes IDM user friendly and easy to use.Internet Download Manager has a smart download logic accelerator that features intelligent dynamic file segmentation and safe multipart downloading technology to accelerate your downloads. Unlike other download managers and accelerators Internet Download Manager segments downloaded files dynamically during download process and reuses available connections without additional connect and login stages to achieve best acceleration performance.
Internet Download Manager supports proxy servers, ftp and http protocols, firewalls, redirects, cookies, authorization, MP3 audio and MPEG video content processing. IDM integrates seamlessly into Microsoft Internet Explorer, Netscape, MSN Explorer, AOL, Opera, Mozilla, Mozilla Firefox, Mozilla Firebird, Avant Browser, MyIE2, and all other popular browsers to automatically handle your downloads. You can also drag and drop files, or use Internet Download Manager from command line. Internet Download Manager can dial your modem at the set time, download the files you want, then hang up or even shut down your computer when it's done.
Other features include multilingual support, zip preview, download categories, scheduler pro, sounds on different events, HTTPS support, queue processor, html help and tutorial, enhanced virus protection on download completion, progressive downloading with quotas (useful for connections that use some kind of fair access policy or FAP like Direcway, Direct PC, Hughes, etc.), built-in download accelerator, and many others.
Internet Download Manager supports proxy servers, ftp and http protocols, firewalls, redirects, cookies, authorization, MP3 audio and MPEG video content processing. IDM integrates seamlessly into Microsoft Internet Explorer, Netscape, MSN Explorer, AOL, Opera, Mozilla, Mozilla Firefox, Mozilla Firebird, Avant Browser, MyIE2, and all other popular browsers to automatically handle your downloads. You can also drag and drop files, or use Internet Download Manager from command line. Internet Download Manager can dial your modem at the set time, download the files you want, then hang up or even shut down your computer when it's done.
Other features include multilingual support, zip preview, download categories, scheduler pro, sounds on different events, HTTPS support, queue processor, html help and tutorial, enhanced virus protection on download completion, progressive downloading with quotas (useful for connections that use some kind of fair access policy or FAP like Direcway, Direct PC, Hughes, etc.), built-in download accelerator, and many others.
Version 6.07 adds IDM download panel for web-players that can be used to download flash videos from sites like YouTube, MySpaceTV, and Google Videos. It also features
complete Windows 7 and Vista support, YouTube grabber, redeveloped scheduler, and MMS protocol support.
The new version also adds improved integration for IE and IE based browsers, redesigned and enhanced download engine, the unique advanced integration into all latest browsers, improved toolbar, and a wealth of other improvements and new features.
Download FULL CRACKED Version
Cracked by, ANON.h3
Cracked by, ANON.h3
View Blocked Youtube Videos! Working 2012
How to view any blocked, copyrighted, or 18 rated videos on youtube! This post is updated and works on 2012. I tried it today.
If the video is blocked or requires you to login before viewing the video, then you will probably need to read this post.
1- View the URL of the video:
2- Edit the URL:
*Remove /watch
*Change ? to / and = to /
http://www.youtube.com/v/ayJ_HvFwa0M
3- Then go to the address and try.
If the video is blocked or requires you to login before viewing the video, then you will probably need to read this post.
1- View the URL of the video:
2- Edit the URL:
*Remove /watch
*Change ? to / and = to /
http://www.youtube.com/v/ayJ_HvFwa0M
Useful Javascript Codes For Browser
How to use these codes? Copy and paste it the the address bar, press enter and get the effect.
Make your browser move it self -- Click here to see the effect
Edit any part in the webpage -- Click here to see the effect
Make your browser move it self -- Click here to see the effect
Edit any part in the webpage -- Click here to see the effect
Send A DDOS Attack Using CMD
DoS Attack With Your Home Pc To Any WebSite U Want To Be Killed!!
------------------------
DoS Attack Stands For Denial of Service Attack
------------------------
What Is DoS?
A: Denial of Service (DoS) attackes are aggressive attacks on an individual Computer or WebSite with intent to deny services to intended users.
DoS attackes can target end-user systems, servers, routers and Network links(websites)
Requirments:
1- Command Prompt (CMD or DOS) Which is usually integrated in all Windows.
2- Ip-Address of Targeted Site.
How TO GET IP OF ANY SITE??"
No problem.. here is the solution..
open ur CMD (command prompt).. and type
--------------------------------------------------
nslookup Site-Name
--------------------------------------------------
(e.g nslookup www.google.com)
It will show u ip of the site.
ohk now write this command in CMD For Attack on Any Site/ Server..
---------------------------------------------------
ping SITE-IP -l 65500 -n 10000000 -w 0.00001
---------------------------------------------------
-n 10000000= the number of DoS attemps.. u can change the value "10000000" with ur desired value u want to attempt attack.
SITE-IP= Replace the text with the ip address of the site u want to be attacked..
-w 0.00001 = It is the waiting time after one ping attack.
NOTE: Dont Change or Remove -l, -n and -w in this command.. otherwise u will not able to attack
------------------------
DoS Attack Stands For Denial of Service Attack
------------------------
What Is DoS?
A: Denial of Service (DoS) attackes are aggressive attacks on an individual Computer or WebSite with intent to deny services to intended users.
DoS attackes can target end-user systems, servers, routers and Network links(websites)
Requirments:
1- Command Prompt (CMD or DOS) Which is usually integrated in all Windows.
2- Ip-Address of Targeted Site.
How TO GET IP OF ANY SITE??"
No problem.. here is the solution..
open ur CMD (command prompt).. and type
--------------------------------------------------
nslookup Site-Name
--------------------------------------------------
(e.g nslookup www.google.com)
It will show u ip of the site.
ohk now write this command in CMD For Attack on Any Site/ Server..
---------------------------------------------------
ping SITE-IP -l 65500 -n 10000000 -w 0.00001
---------------------------------------------------
-n 10000000= the number of DoS attemps.. u can change the value "10000000" with ur desired value u want to attempt attack.
SITE-IP= Replace the text with the ip address of the site u want to be attacked..
-w 0.00001 = It is the waiting time after one ping attack.
NOTE: Dont Change or Remove -l, -n and -w in this command.. otherwise u will not able to attack
How To Find IP Address From A Sender
When you receive an email, you receive more than
just the message. The email comes with headers that carry important
information that can tell where the email was sent from and possibly
who sent it. For that, you would need to find the IP address of the
sender. The tutorial below can help you find the IP address of the
sender. Note that this will not work if the sender uses anonymous proxy
servers.
Finding I.P Address In Gmail
1. Log into your Gmail account with your username and password.
2. Open the mail.
3. To display the headers,
* Click on More options corresponding to that thread. You should get a bunch of links.
* Click on Show original
4. You should get headers like this:
Gmail headers : name
Look for Received: from followed by a few hostnames and an IP address between square brackets. In this case, it is
65.119.112.245.
That is be the IP address of the sender!
5. Track the IP address of the sender
Finding I.P Address In Yahoo Mail
1. Log into your Yahoo! mail with your username and password.
2. Click on Inbox or whichever folder you have stored your mail.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,
* Click on Options on the top-right corner
* In the Mail Options page, click on General Preferences
* Scroll down to Messages where you have the Headers option
* Make sure that Show all headers on incoming messages is selected
* Click on the Save button
* Go back to the mails and open that mail
5. You should see similar headers like this:
Yahoo! headers : name
Look for Received: from followed by the IP address between square brackets [ ]. Here, it is 202.65.138.109.
That is be the IP address of the sender!
6. Track the IP address of the sender
Finding I.P Address In Hotmail
1. Log into your Hotmail account with your username and password.
2. Click on the Mail tab on the top.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,
* Click on Options on the top-right corner
* In the Mail Options page, click on Mail Display Settings
* In Message Headers, make sure Advanced option is checked
* Click on Ok button
* Go back to the mails and open that mail
5. If you find a header with X-Originating-IP: followed by an IP address, that is the sender's IP address
Hotmail headers : name ,In this case the IP address of the sender is [68.34.60.59]. Jump to step 9.
6. If you find a header with Received: from followed by a Gmail proxy like this
Hotmail headers : name
Look for Received: from followed by IP address within square brackets[].
In this case, the IP address of the sender is [69.140.7.58]. Jump to step 9.
7. Or else if you have headers like this
Hotmail headers : name
Look for Received: from followed by IP address within square brackets[].
In this case, the IP address of the sender is [61.83.145.129] (Spam mail). Jump to step 9.
8. * If you have multiple Received: from headers, eliminate the ones that have proxy.anyknownserver.com.
9. Track the IP address of the sender
Finding I.P Address In Gmail
1. Log into your Gmail account with your username and password.
2. Open the mail.
3. To display the headers,
* Click on More options corresponding to that thread. You should get a bunch of links.
* Click on Show original
4. You should get headers like this:
Gmail headers : name
Look for Received: from followed by a few hostnames and an IP address between square brackets. In this case, it is
65.119.112.245.
That is be the IP address of the sender!
5. Track the IP address of the sender
Finding I.P Address In Yahoo Mail
1. Log into your Yahoo! mail with your username and password.
2. Click on Inbox or whichever folder you have stored your mail.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,
* Click on Options on the top-right corner
* In the Mail Options page, click on General Preferences
* Scroll down to Messages where you have the Headers option
* Make sure that Show all headers on incoming messages is selected
* Click on the Save button
* Go back to the mails and open that mail
5. You should see similar headers like this:
Yahoo! headers : name
Look for Received: from followed by the IP address between square brackets [ ]. Here, it is 202.65.138.109.
That is be the IP address of the sender!
6. Track the IP address of the sender
Finding I.P Address In Hotmail
1. Log into your Hotmail account with your username and password.
2. Click on the Mail tab on the top.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,
* Click on Options on the top-right corner
* In the Mail Options page, click on Mail Display Settings
* In Message Headers, make sure Advanced option is checked
* Click on Ok button
* Go back to the mails and open that mail
5. If you find a header with X-Originating-IP: followed by an IP address, that is the sender's IP address
Hotmail headers : name ,In this case the IP address of the sender is [68.34.60.59]. Jump to step 9.
6. If you find a header with Received: from followed by a Gmail proxy like this
Hotmail headers : name
Look for Received: from followed by IP address within square brackets[].
In this case, the IP address of the sender is [69.140.7.58]. Jump to step 9.
7. Or else if you have headers like this
Hotmail headers : name
Look for Received: from followed by IP address within square brackets[].
In this case, the IP address of the sender is [61.83.145.129] (Spam mail). Jump to step 9.
8. * If you have multiple Received: from headers, eliminate the ones that have proxy.anyknownserver.com.
9. Track the IP address of the sender
Making Your Remote Keylogger Or server.exe Undetectable
Hello people. Since I had many people asking me how to hexedit, I decided to write
this little tutorial. I will try to explain how to hexedit your favourite Trojan in order to
make it undetected by certain antivirus programs. I will try to put this as simple as
possible so everyone understands it.
Content:
1. General info about hexediting .
2. What tools you need to get started.
3. How to hex.
-step 1
-step 2
__________________________________________________ ___________________
1. General info about hexediting?
If you want to make your server undetectable, you need to know how AVs work and
how they detect your files, right? There are a few ways that AVs use to detect your
server heuristics, sandboxing, etc., and one of them is using so called "definition files"
that carry information about strings inside your server. Well, that�s the way we�re
going again in this tutorial because hexing is pretty much useless for other methods of
detection. So when AVs scan your files it searches for specific stings on specific parts
in your server, and if strings match with strings in the AV database, your file is
detected.
Let�s say that detected strings are "XX" so we need to change that string to something
else (e.g. "XY","YY") that isn�t in the AV definition database so the file can�t be
matched with any of the AV definitions and that way the file will be undetectable.
There are going to be a few tagged strings in your server - not only one, depending on
what trojan you�re using and how popular is. Less popular trojans tend to have less
tagged parts, and with that they are easier to make it undetectable.
First of all, hexing is not the best method for undetecting files because AVs can
change old tagged parts, and once your AV is updated, new definition files are
downloaded and your once undetected server might become detected again. Also not
all AVs use the same tagged parts - this way you need to hex your server against more
AVs to make it fully undetected. This can be annoying because you need to download
wanted AVs then hex it your server, then download another etc., etc. Sometimes AVs
tag critical parts of the server, and if that part is altered will corrupt the server. Also,
heavily edited servers can become unstable, some functions might not work, or even
you can corrupt your server and make it useless.
That�s why you need to check your server if it�s still working after every single
change you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server in half adding 00�s to
one half and scanning it until you find the detected string (which is slow and time
consuming); use file splitters like UKSplitter that are going to split your server into
bytes, and after that scan all split files and find out what byte is detected then alter it
in original exe, or you can use an offset finder like AV Devil.
2. What tools we need.
- Unpacked trojan server.
(your favorite trojan server)
- Hex editor.
(I will use Hex WorkShop, you can find it at www.hexworkshop.com)
- Offset finder
(AVDevil, you can find it at www.trojanfrance.com)
3. How to hex:
-Step 1.
Turn your AV real-time protection �OFF� . Make your Trojan server and
make sure that is not packed.
Open AV Devil and select your server. After selecting, the server msg will pop up
click OK, and the next msg will popup asking you to turn your AV real-time
protection back �ON�. After you do that just click "OK" and lets AV Devil
search for detected offsets.
During the search your AV will pop up a couple of times. Just click on "Skip" and let
AV Devil finish.
After its done you will see something like this:
As you can see this Trojan server has only two detected offsets.
That means that first detected offset begins at 53F7 and ends at 5476.
Also you can see where the second offset starts and ends. That�s the part that the AV
is checking in this definition database. If the part in the server matches with part in
AV database your server is detected. You can hex beginning and ending offset or in
between.
Step 2.
Now when we have detected offsets, we open our server in Hex WorkShop. Type
"Ctrl+G" and this will come up:
Type the first offset in, select from �Beginning of File,� and make sure that you
selected "hex," because offsets in AV Devil are displayed in that manner. Unless you
save via AV Devil, then they are converted into a decimal. Click �Go� and you will
be sent to that offset location. Now we need to change that �31� to something else, so
we will change it to �32�.
Select �31� right click to it and select fill.
You will see the window below. In �Fill with the following hex byte� we are going to
fill in �32� and hit OK.
After clicking �OK,� the changed hex byte going to be shown in red.
__________________________________________________ __________________
Now repeat this for every offset that you found in AV Devil.
__________________________________________________ ___________________
Going to change it �FE� to �EE� and so on for all other detected offsets.
Once you�ve completed editing all offsets, save your server and scan if it�s UD, and
then you�re done. If the AV still detecting it, repeat steps 1 and 2.
Here�s a little tip on how to change detected bytes: Try to make minor changes like
32 =>31, 22, 42, 33, 34, or FE =>EE ,FF etc., etc. Basically, one character up/down
for each - that�s the best way and will minimize chances to corrupt your server. If that
doesn�t work for some reason, you can try and change it to something completely
different, but always check your server after editing bytes. That way you can see if the
server works or if it�s corrupted (you can keep track of what change caused the
corruption and you can try and edit that byte with some other character).
Another thing in some Trojans servers is that AV Devil can�t find the beginning of the
first offset and will mark it with �0.� Let�s say you�ve hexed all other found offsets
but your server is still detected. Split the file into half and run AV Devil on the first
half. That way you will be able to find the first offset that is missing and finish your
hexing. If some tagged part is a letter, e.g. �Y� change it to �y� or just PlAy wItH
ThE CaPs.
Ex:
So there you have it! Now you know how to hex your server and make it undetected
from wanted AVs.
Note: AV=Anti-Virus
this little tutorial. I will try to explain how to hexedit your favourite Trojan in order to
make it undetected by certain antivirus programs. I will try to put this as simple as
possible so everyone understands it.
Content:
1. General info about hexediting .
2. What tools you need to get started.
3. How to hex.
-step 1
-step 2
__________________________________________________ ___________________
1. General info about hexediting?
If you want to make your server undetectable, you need to know how AVs work and
how they detect your files, right? There are a few ways that AVs use to detect your
server heuristics, sandboxing, etc., and one of them is using so called "definition files"
that carry information about strings inside your server. Well, that�s the way we�re
going again in this tutorial because hexing is pretty much useless for other methods of
detection. So when AVs scan your files it searches for specific stings on specific parts
in your server, and if strings match with strings in the AV database, your file is
detected.
Let�s say that detected strings are "XX" so we need to change that string to something
else (e.g. "XY","YY") that isn�t in the AV definition database so the file can�t be
matched with any of the AV definitions and that way the file will be undetectable.
There are going to be a few tagged strings in your server - not only one, depending on
what trojan you�re using and how popular is. Less popular trojans tend to have less
tagged parts, and with that they are easier to make it undetectable.
First of all, hexing is not the best method for undetecting files because AVs can
change old tagged parts, and once your AV is updated, new definition files are
downloaded and your once undetected server might become detected again. Also not
all AVs use the same tagged parts - this way you need to hex your server against more
AVs to make it fully undetected. This can be annoying because you need to download
wanted AVs then hex it your server, then download another etc., etc. Sometimes AVs
tag critical parts of the server, and if that part is altered will corrupt the server. Also,
heavily edited servers can become unstable, some functions might not work, or even
you can corrupt your server and make it useless.
That�s why you need to check your server if it�s still working after every single
change you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server in half adding 00�s to
one half and scanning it until you find the detected string (which is slow and time
consuming); use file splitters like UKSplitter that are going to split your server into
bytes, and after that scan all split files and find out what byte is detected then alter it
in original exe, or you can use an offset finder like AV Devil.
2. What tools we need.
- Unpacked trojan server.
(your favorite trojan server)
- Hex editor.
(I will use Hex WorkShop, you can find it at www.hexworkshop.com)
(AVDevil, you can find it at www.trojanfrance.com)
3. How to hex:
-Step 1.
Turn your AV real-time protection �OFF� . Make your Trojan server and
make sure that is not packed.
Open AV Devil and select your server. After selecting, the server msg will pop up
click OK, and the next msg will popup asking you to turn your AV real-time
protection back �ON�. After you do that just click "OK" and lets AV Devil
search for detected offsets.
During the search your AV will pop up a couple of times. Just click on "Skip" and let
AV Devil finish.
After its done you will see something like this:
As you can see this Trojan server has only two detected offsets.
That means that first detected offset begins at 53F7 and ends at 5476.
Also you can see where the second offset starts and ends. That�s the part that the AV
is checking in this definition database. If the part in the server matches with part in
AV database your server is detected. You can hex beginning and ending offset or in
between.
Step 2.
Now when we have detected offsets, we open our server in Hex WorkShop. Type
"Ctrl+G" and this will come up:
Type the first offset in, select from �Beginning of File,� and make sure that you
selected "hex," because offsets in AV Devil are displayed in that manner. Unless you
save via AV Devil, then they are converted into a decimal. Click �Go� and you will
be sent to that offset location. Now we need to change that �31� to something else, so
we will change it to �32�.
Select �31� right click to it and select fill.
You will see the window below. In �Fill with the following hex byte� we are going to
fill in �32� and hit OK.
After clicking �OK,� the changed hex byte going to be shown in red.
__________________________________________________ __________________
Now repeat this for every offset that you found in AV Devil.
__________________________________________________ ___________________
Going to change it �FE� to �EE� and so on for all other detected offsets.
Once you�ve completed editing all offsets, save your server and scan if it�s UD, and
then you�re done. If the AV still detecting it, repeat steps 1 and 2.
Here�s a little tip on how to change detected bytes: Try to make minor changes like
32 =>31, 22, 42, 33, 34, or FE =>EE ,FF etc., etc. Basically, one character up/down
for each - that�s the best way and will minimize chances to corrupt your server. If that
doesn�t work for some reason, you can try and change it to something completely
different, but always check your server after editing bytes. That way you can see if the
server works or if it�s corrupted (you can keep track of what change caused the
corruption and you can try and edit that byte with some other character).
Another thing in some Trojans servers is that AV Devil can�t find the beginning of the
first offset and will mark it with �0.� Let�s say you�ve hexed all other found offsets
but your server is still detected. Split the file into half and run AV Devil on the first
half. That way you will be able to find the first offset that is missing and finish your
hexing. If some tagged part is a letter, e.g. �Y� change it to �y� or just PlAy wItH
ThE CaPs.
Ex:
So there you have it! Now you know how to hex your server and make it undetected
from wanted AVs.
Note: AV=Anti-Virus
Standard Anti-Virus Test
Make a test for your anti-virus and see if it is a working antivirus.
Open a notepad and paste this:
Save it as:
Your anti-virus will not let you save it or automatically delete it after you save. Then your anti-virus is working greatly.
Dont worry, this is not a virus. This is a test for anti-virus and see if it is working.This is a test manufactured by European Institute for Computer Anti-virus Research
(EICAR). So it is totally harmless.
Open a notepad and paste this:
Save it as:
Your anti-virus will not let you save it or automatically delete it after you save. Then your anti-virus is working greatly.
Dont worry, this is not a virus. This is a test for anti-virus and see if it is working.This is a test manufactured by European Institute for Computer Anti-virus Research
(EICAR). So it is totally harmless.
Subscribe to:
Posts (Atom)