
Wednesday, April 20, 2011

HOW TO MAKE A VIRUS/TROJAN UNDETECTABLE BY ANTIVIRUS....


Before we start, let me tell you one thing straight. This document is purely intended for educational purposes. I do not want anyone to use this information (or any information on this blog) to actually hack into computers or do other illegal things. So I cannot be held responsible for the acts of other people who take parts of this document and use it for illegal purposes. If you don't agree, then you are not allowed to continue to access this website, so leave this website immediately. Always remember one thing:


"HACK TO LEARN, DON'T LEARN TO HACK"...


I am writing this article to show you how hexing is actually done using Dsplit. Dsplit is a program used to locate a virus signature within a file. Hexing is very important for us to evade antivirus detection. If you learn how to bypass antivirus by hexing, you don't have to search for FUD keyloggers and Trojans; you can hex files yourself to make them FUD.

I will be using Dsplit as the virus signature detector and Ice Gold Freezer as the virus here. You can use any other virus-containing file you want.
Download these two files:
1. Avira antivirus (because I've used it in this tutorial).

2. Ice Gold Freezer and the Dsplit.exe program (used for detecting the virus signature).

First of all, let me tell you one thing: Ice Gold Freezer is detected as the "SPR/Tool.Freezer.8" virus (actually classified as malware by Avira.com) by the Avira antivirus I use on my computer. So, I will be telling you how to bypass Avira's detection for Ice Gold Freezer. Let's start.

STEP 1: Download Avira antivirus, Dsplit and Ice Gold Freezer from the links provided above. Extract the Dsplit folder to the desktop.

STEP 2: Scan the Ice Gold Freezer.exe file you have downloaded with the antivirus. My Avira says it is "SPR/Tool.Freezer.8" malware. So, let's work on it.



STEP 3: Copy Ice Gold Freezer.exe to the Dsplit folder.

STEP 4: Now open Command Prompt and change directory to the Dsplit folder.

STEP 5: Now, type this command:
dsplit.exe 0 max 1000 IceGoldFreezer.exe
What does this command mean? Simple: Dsplit is a command-line program and this is how it has to be invoked. The arguments are:
Dsplit.exe startbyte endbyte numberofbytesinbetween target


STEP 6: Now, Dsplit.exe will create around 234 files in the current directory. Scan all these 234 files with Avira antivirus. Avira will detect all files from 8000.exe to 233472.exe as virus. So, 7000.exe lacks something (the virus signature) and hence is not detected by Avira, while 8000.exe has the virus signature. Delete all files except 7000.exe, 8000.exe, dsplit.exe and the original IceGoldFreezer.exe.

STEP 7: Move on to the command prompt and type this:
dsplit.exe 7000 8000 100 IceGoldFreezer.exe

And you will get 10 files created in the current directory. Scan all these 10 created files with Avira antivirus. Avira will detect all files except 7000.exe and 7100.exe as virus. So, again we can say that there is something (actually the virus signature) in 7200.exe which is not present in 7100.exe. Delete all files except 7100.exe, 7200.exe, Dsplit.exe and IceGoldFreezer.exe.

STEP 8: Now, type in the command prompt:
Dsplit.exe 7100 7200 10 IceGoldFreezer.exe

And you will get 10 new files created in the current directory. Scan all 10 files with Avira, and Avira will flag every file except 7100.exe as virus. So, 7100.exe contains the virus signature which 7200.exe doesn't have.

STEP 9: Now, type in the command prompt:
Dsplit.exe 7100 7200 10 IceGoldFreezer.exe

And you will get 10 new files created. Scan them with Avira antivirus, and Avira will detect 7108.exe, 7109.exe and 7110.exe as virus. So, 7108.exe contains the virus signature which 7107.exe lacks. Since these two files differ by just 1 byte, this one differing byte is actually the virus signature which is detected by Avira.

So, we have to change this one byte contained in 7108.exe to make it UD from Avira. We can change it using a hex editor. If you have any problem using Dsplit to locate the virus signature, please mention it in the comments section.
