dEEpEst
☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
- Joined
- Mar 29, 2018
- Messages
- 13,861
- Solutions
- 4
- Reputation
- 32
- Reaction score
- 45,552
- Points
- 1,813
- Credits
- 55,350
7 Years of Service
56%
The antivirus software uses two methods to protect our PC: 1 - Analyze the files comparing them with the database of malicious software (Signatures) would be like a police reconnaissance wheel or when trying to identify a criminal with a photo: The antivirus compares each file on the hard drive with a "dictionary" of known viruses. If any piece of code (signatures) in a file on the hard drive matches the virus known in the dictionary, the antivirus software comes into play and 2 the constant monitoring of the behavior of files that may be infected.
For example
Seeing it from Binary, let's suppose that for Avast this code is a virus signature "12 55 40 05" when analyzing the binary and find this:
Automatically Skip as a virus
Av Fucker Method
With this method we will look for the signature and we will change its code so that Avast or any antivirus does not recognize it anymore
Code detected as virus
Modified code indented
It's simple right? the issue is that when we modify one of those numbers (offset) it has to be functional
Let's see it Step by step
Step 1 tools
Undetectable offset locator 2.6 (is that I use but can be any locator)
Hex Workshop
This Crypter: LVL23 Crypter
I used this little ball: LVL23 Ball
Step 2
We grab the crypter and encrypt a small ball
Step 3
We open in offset locator and in "file" we choose the ball and in "directory" the folder where we will create the offsets (Create a new folder and call it offsets) in initial bytes we put "100" and fill in the number "90"
It would have to stay more or less ASi
We start and wait for it to finish creating the offset ... When finished we scan the offset folder with Avast and delete the detected ones
Step 4
Let's show offset
and we double click on the range that appears 2370 - 2410
now the locator will stay like this
For example
Seeing it from Binary, let's suppose that for Avast this code is a virus signature "12 55 40 05" when analyzing the binary and find this:
Automatically Skip as a virus
Av Fucker Method
With this method we will look for the signature and we will change its code so that Avast or any antivirus does not recognize it anymore
Code detected as virus
Modified code indented
It's simple right? the issue is that when we modify one of those numbers (offset) it has to be functional
Let's see it Step by step
Step 1 tools
Undetectable offset locator 2.6 (is that I use but can be any locator)
Hex Workshop
This Crypter: LVL23 Crypter
I used this little ball: LVL23 Ball
Step 2
We grab the crypter and encrypt a small ball
Step 3
We open in offset locator and in "file" we choose the ball and in "directory" the folder where we will create the offsets (Create a new folder and call it offsets) in initial bytes we put "100" and fill in the number "90"
It would have to stay more or less ASi
We start and wait for it to finish creating the offset ... When finished we scan the offset folder with Avast and delete the detected ones
Step 4
Let's show offset
and we double click on the range that appears 2370 - 2410
now the locator will stay like this
