1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

HEXing for PPI

Discussion in 'Black Hat SEO Tools' started by trakout, Mar 28, 2008.

  1. trakout

    trakout Newbie

    Dec 16, 2007
    Likes Received:
    I trakout do NOT take responsibility for what you do with the Information given during this tutorial.

    NOTE: this is not my tutorial. All credit goes to warpboy of DataStronghold.com.

    Goal: To learn how to hex edit "questionable files" or anything else making them UD to AV programs. Extremely reliable for Pay-per Install


    UD: Undetected
    AV: Anti-Virus
    FW: FireWall

    To begin, HexEditing is a difficult and partially effective method used to make "questionable files" UD. In some cases this method will not work because the AV has tagged a vital part of the code. There are a few necessities you will need:

    Hex Workshop or another HexProgram (Hex Workshop is used in this tutorial)

    : Download Link for Hex Workshop

    :Your file is needed (this is what you are hexing)

    :A little time and a good attitude (alwayz good) : )

    Ok lets begin...

    1) First open up "Hex Workshop" and *Click* File:Open: Find your file or whatever you are hexing and *Click* it and then *Click* open.

    2) In your workfield all the HexValues should pop-up. Get familiar with the file look at certain bytes this will help you understand more.

    3) Scroll down to about the middle and *Click* the first offsett on the left side. Grab it and drag down as you drag down do NOT let go or you will have to return and do it again. Keep holding it down until your at the bottom of the file Offsett 1.

    4) Seeing half the file highlighted. Right *Click* and *Click* Fill. A new window should open, in the textbox instead of 0 put 00. Then *Click* Ok.

    5) What you have just done is cut the file in half. The 00 byte has no values at all, another common used byte used in hexing is 90 it is the no-operation byte.

    6) Ok now you have half the file filled with 00's right? Good... Point your arrow to the left hand corner. *Click* File: Save As. Save the file 1.exe. Be sure to remember the offsett you cut the file at.

    7) Go to the directory you saved 1.exe in, and right *Click* it and find a tab called Scan It For Viruses with your AV logo beside it. Once its done scanning if it is detected that means the detected string is not in that half which you filled with 00's.

    _How an AV detects Malware_

    An AV program is very powerfull as it stops about 98% of common malware from infecting your PC. Our goal is to be apart of that 2%. An AV when it scans a file looks for a string it could be anywhere in the file. Most likely it is in the most vulnerable spot, via if you arn't carefull you could corrupt your server. The detected string is a digital string that is in the database of the AV. Have you ever seen your AV connect to the internet and look for updates? This is your AV downloading new strings that it will later use to defend your computer against malware. That is how a common AV works!

    Cool Ok lets move on once again, right now you should have your original server, and the detected half of your server (1.exe). Now in HexWorkshop open up your Original Server. Why we are doing this is, because the AV when it detected (1.exe) it deleted all the bytes. So now find the offsett in the middle which you started at, and pull it down or up again, but this time do not go all they way (cutting it in half). Bring it down or up about 5-10,000 offsetts from the middle point. Fill the highlighted area with 00's. Then save the file as Scan.exe, also save it as scanbackup.exe.

    Note: The names are examples you may name them whatever you like just remember them. Also me personally i record all the offsetts i stop and start at in notepad.

    9) Now in the directory you saved Scan.exe right click it and Scan it for viruses once more. If it is still detected then you have not found the offsett yet.

    How you know when you find it?
    You know that you have found the offsett when your AV no longer detects the file. Be sure to remember that if your AV detects the file you scanned it will delete the whole file. This is why you should always keep a backup.

    10) Ok by now you should get the jist of how to find the detected string. Most AV's detect 2-3 strings sometimes though it could be as little as 2 bytes or as large as 10 strings. Continue until you find the detected strings.....

    11) Ahh yes you have found them. Congratulations!!! Now your not through quite yet, just a little more to go. You have located the detected strings now you must edit them ever so slightly to make the file UD and the server to still work. Change the numbers around using the fill option explained earlier to do this. If you do it just right and things aren't to different you will have successfully HexEdited.

    Well, hope this was useful for you guys, there's several variations of this theme, such as using different HEX editors and such. Find one you like and stick with it!

    • Thanks Thanks x 2
  2. Therookie

    Therookie BANNED BANNED

    Mar 17, 2008
    Likes Received:
    Many thanks.
  3. blackrain010

    blackrain010 Junior Member

    Dec 13, 2007
    Likes Received:
    Good info. Have to improve my hexing skills.
  4. BadHacker

    BadHacker Newbie

    Sep 23, 2007
    Likes Received:
    use AV Devil to get the signature offsets its much quicker ;)