
Hacker Forum


      dEEpEst

      Tutorial On modding Level 0 For beginners


      Staff

      Antivirus software uses two methods to protect our PC: 1 - Analyzing files by comparing them with a database of malicious software (signatures). It is like a police lineup, or trying to identify a criminal from a photo: the antivirus compares each file on the hard drive with a "dictionary" of known viruses. If any piece of code (signature) in a file on the hard drive matches a virus known in the dictionary, the antivirus software comes into play. 2 - Constant monitoring of the behavior of files that may be infected.


      For example, looking at it in binary: let's suppose that for Avast this code is a virus signature, "12 55 40 05". When it analyzes the binary and finds this:

      Hidden Content



      it automatically detects it as a virus.


      Av Fucker Method 

      With this method we will look for the signature and change its code so that Avast, or any other antivirus, no longer recognizes it.


      Code detected as virus 

      Hidden Content




      Modified code, undetected

      Hidden Content




      It's simple, right? The issue is that when we modify one of those numbers (an offset), the file has to remain functional.


      Let's see it step by step.


      Step 1: tools

      Undetectable Offset Locator 2.6 (it's the one I use, but any locator will do)
      Hex Workshop
      This crypter: LVL23 Crypter
      I used this little ball: LVL23 Ball

      Step 2 

      We take the crypter and encrypt a small ball.

      Step 3 


      We open the offset locator. In "file" we choose the ball, and in "directory" the folder where the offsets will be created (create a new folder and call it offsets). In "initial bytes" we put "100", and in "fill in" the number "90".

      Hidden Content



      It should look more or less like this:

      Hidden Content



      We press Start and wait for it to finish creating the offsets... When it finishes, we scan the offsets folder with Avast and delete the detected ones.

      Step 4 

      We click "Show offsets"

      Hidden Content



      and we double-click on the range that appears: 2370 - 2410.

      Now the locator will look like this:

      Hidden Content



       

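As an added example (not code from the post, nor from any of the tools it names), here is a minimal signature scanner in Python that implements the "dictionary" method described in the first paragraph: a table of byte patterns, optional wildcard bytes (`??`, as real signature formats commonly allow), and the offsets at which each pattern matches in a file. The signature names, the patterns and the three sample buffers are all constructed for illustration; nothing here comes from a real antivirus database.

```python
"""Added example: a toy signature-based scanner illustrating the "dictionary"
method of antivirus detection.  Signature names, byte patterns and the sample
"files" are constructed for this example only."""

# Constructed signature dictionary: name -> hex byte pattern, "??" = any byte.
SIGNATURES = {
    "Example.Sig.A": "12 55 40 05",
    "Example.Sig.B": "4D 5A ?? ?? 50 45",
}


def parse_signature(text):
    """Turn "12 55 ?? 05" into a list of ints, with None for wildcard bytes."""
    pattern = []
    for token in text.split():
        pattern.append(None if token == "??" else int(token, 16))
    return pattern


def find_pattern(data, pattern):
    """Return every offset at which `pattern` (ints / None) occurs in `data`."""
    hits = []
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + k] == p for k, p in enumerate(pattern)):
            hits.append(i)
    return hits


def scan(data, signatures=SIGNATURES):
    """Scan a byte string against the dictionary.

    Returns {signature_name: [offsets]} containing only the signatures that
    matched, so an empty dict means "clean" under this dictionary."""
    results = {}
    for name, text in signatures.items():
        offsets = find_pattern(data, parse_signature(text))
        if offsets:
            results[name] = offsets
    return results


# Constructed sample "files" (not real binaries).
CLEAN = bytes(range(0x00, 0x40))                     # sequential bytes, no signature
INFECTED = b"\x00" * 16 + bytes.fromhex("12554005") + b"\x90" * 8   # Sig.A at offset 16
PE_LIKE = bytes.fromhex("4D5A90005045") + b"\x00" * 10              # Sig.B at offset 0

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("infected", INFECTED), ("pe_like", PE_LIKE)]:
        print(f"{label:9s} -> {scan(blob)}")
```

`scan` reports the exact offsets a pattern matches at, which is the same information a signature-based engine acts on. The scanner is deliberately only the first of the two methods the post lists; real engines combine such patterns with the second method (monitoring what the file does when it runs) because a byte-pattern dictionary on its own only recognizes what it has already seen.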
      Staff

      We delete all the files in the offsets folder and press Start again, then we scan the offsets folder with Avast, delete the detected ones, and we would have these offsets:

      Hidden Content





      We click "Show offsets" again


      Hidden Content




      and we choose the range 2370 - 2410.

      The locator will look like this:

      Hidden Content



      We delete the files in the offsets folder and press Start again... scan with Avast... delete the detected ones...

      and we have these offsets:

      Hidden Content



      When we are down to 1 byte,

      we must try which one works...

      We open the first one, 2380.

      And... perfect, it works.

      Hidden Content



      How do we know if it works? The little ball that we encrypted has to open...

      Step 5 

      We open Hex Workshop
      We open the stub
      Right-click
      Goto
      Offset
      and we enter the one that was functional: 2380

      Hidden Content




      We change the number that appears at that offset to the number we put in "fill in".

      Hidden Content



      Hidden Content



      And we save: File > Save as...

      Stub modifica.exe

      We scan the stub and....


      Hidden Content




      Well, this is the most basic. If you have questions, ask... in a few days we move on...
