Need help with Hexeditor to bypass Antivirus

12 replies to this topic

#1 undertaker333 (Newbie)
  • Members
  • 6 posts
Hi,

I'm using HxD. I want to bypass the code MZP (ANSI code) 4D 5A 50 from the antivirus (it's the first three characters at the first offset). I need to put something between MZ so that it bypasses the antivirus and does not corrupt the file.

I tried MzP, which changed the icon of the exe file, but it was bypassed by the antivirus.

Is there some ANSI or hex code (byte) that I can insert which means nothing, so that it does not corrupt the exe file?

OR is there something else you would like to suggest that I can do to bypass the exe file from antiviruses? I have no money for this; I'm a learner.
Sorry for my English. Thank you.

#2 WingedPanther (A spammer's worst nightmare)
  • Moderators
  • 16,831 posts
  • Location: Upstate, South Carolina
  • Programming Language: C, C++, PL/SQL, Delphi/Object Pascal, Pascal, Transact-SQL, Others
  • Learning: Java, C#, PHP, JavaScript, Lisp, Fortran, Haskell, Others
Why on earth do you want to do this? It sounds suspiciously like you want to maliciously disable someone else's antivirus, which only makes sense if you want to create a virus that will slip past the AV.
Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

#3 undertaker333
Not someone else's, but a virtual machine installed on my machine. I want to bypass that AV, and that's how I can learn things... Can you help me with it?

#4 WingedPanther
Why not just uninstall it if it's a problem?

#5 undertaker333
As I mentioned before, I'm doing this to learn things... waiting for help :confused:

#6 Alexander (It's Science!)
  • Moderators
  • 4,118 posts
  • Location: Vancouver, Eh!
  • Cleverness: 200
MZ/MZP are simply headers that indicate that the file is a portable executable (PE) or new executable format (NE); changing them from one to the other does not make much sense.

In fact, it tells the antivirus nothing about it being a malware and you will have to reevaluate your path of choice.

Provided you explain what you need to do (i.e. transport the executable only if testing, or a false positive), we can suggest other options.

Alexander.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#7 undertaker333

> MZ/MZP are simply headers that indicate that the file is a portable executable (PE) or new executable format (NE); changing them from one to the other does not make much sense.

Thank you so much, Alexander, for sharing useful knowledge with me.

> In fact, it tells the antivirus nothing about it being a malware and you will have to reevaluate your path of choice.

Yes, you are right. I found out that the antivirus is detecting the .....PE..L offset. (Don't know what to do with it.)

Maybe it's a stupid question, but I just want to know: is there something (a byte or bytes which mean nothing) that I can insert anywhere (between bytes, at any offset) that does not corrupt my exe file?

#8 Alexander
0x90 (or just 90 in the editor) is a NOP, or "no operation / no operation performed", instruction for the x86 instruction set. You could try this; however, the operating system requires a binary file to have a specific layout to load it as a portable executable, and an executable without a header will likely be seen as a plain binary file.

If you ask me, an antivirus that could be defeated by this (if the executable runs successfully after) would not be very good at its job.

Alexander.

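Alexander's point in posts #6 and #8 is that the loader does not care about the letters as such; it follows a fixed DOS-to-PE header chain. The Python parser below is an added example, not code from this thread, and walks that chain on a constructed sample built from the 16 header bytes quoted in post #11 (the three trailing COFF fields are assumed values). It shows what a loader, or a triage script checking for header tampering, actually reads, and why the MzP edit from post #1 fails at the very first check.

```python
import struct

# Constructed sample (not a real file): a 64-byte DOS header whose e_lfanew
# field (offset 0x3C) points straight at a 24-byte PE/COFF header. The
# first 16 COFF bytes are the ones quoted in post #11 of this thread;
# NumberOfSymbols, SizeOfOptionalHeader and Characteristics are assumed.
DOS_HEADER = b"MZP" + b"\x00" * 57 + struct.pack("<I", 0x40)
COFF_HEADER = (bytes.fromhex("50450000 4C01 0800 195E422A 00000000")
               + struct.pack("<IHH", 0, 0xE0, 0x010F))
SAMPLE = DOS_HEADER + COFF_HEADER

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def parse_pe_headers(data: bytes) -> dict:
    """Walk the DOS -> PE header chain the way the loader does.
    Only e_magic ("MZ") and e_lfanew are consulted in the DOS header; the
    bytes between them are DOS-stub data. Returns the COFF fields, or the
    first structural check that failed."""
    if len(data) < 64:
        return {"ok": False, "error": "shorter than a DOS header"}
    if data[:2] != b"MZ":
        return {"ok": False, "error": "missing MZ magic"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return {"ok": False, "error": "e_lfanew points outside the file"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"ok": False, "error": "missing PE\\0\\0 signature"}
    (machine, sections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "ok": True,
        "e_lfanew": e_lfanew,
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "sections": sections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "characteristics": chars,
    }


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy of data with one byte overwritten, hex-editor style."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


if __name__ == "__main__":
    print(parse_pe_headers(SAMPLE))
    # "Mz" instead of "MZ" (the edit from post #1) fails the very first check.
    print(parse_pe_headers(patch_byte(SAMPLE, 1, ord("z"))))
```

On the sample the parser reports Machine 0x014C (i386), 8 sections and TimeDateStamp 0x2A425E19, which is exactly what the bytes quoted in post #11 encode.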

#9 undertaker333
Thank you, sir, for your guidance. Could you please tell me what the hex value of 0x90 (NOP) is, and does P or p (changing the ANSI code from P to p) make any changes behind the scenes?

#10 Alexander
1) 0x90 is the hexadecimal number for NOP; I am not sure what you are asking there (unless you are asking what it is, in which case you will have to look up an opcode reference).

2) P and p are differently encoded in ANSI/ASCII, so they will be two different hexadecimal code points.

#11 undertaker333
There are a lot of (0000) hex values, but I did not find any NULL value (0x00) which I can replace with NOP (0x90) to bypass the AV. It's a Turkojan server exe. I am using the HxD hex editor. What am I doing wrong??

I need to change in (PE..L....^B*....) (50 45 00 00 4C 01 08 00 19 5E 42 2A 00 00 00 00) :/

Edited by undertaker333, 27 September 2011 - 08:55 AM.


#12 Alexander
Each of those bytes may not be correlated: 0x0000 may be 0x00 + 0x00. You may try to replace them; however, you have no clue whether it is an opcode or data.

I would recommend you try to disassemble the executable (many disassemblers are available) and then add the NOP yourself so the assembler/compiler can construct a proper executable.
