首页
社区
课程
招聘
[原创]GandCrab4.0勒索软件解密工具
发表于: 2020-9-21 20:13 4582

[原创]GandCrab4.0勒索软件解密工具

2020-9-21 20:13
4582

GandCrab是由一个十分猖狂的团队研发的勒索软件病毒,2018年开始活跃,一年内勒索了将近20亿美元。2019年可谓臭名远扬的勒索软件之王:GandCrab背后的运营团队在俄语论坛中发表官方声明称,GandCrab勒索病毒将停止更新。

为什么停止更新了呢?答案竟是,钱赚够了。然而这么猖狂的犯罪团伙,至今都没有被找到幕后团伙是谁。这就是GandCrab勒索软件的神奇传说。

今天分享去年写的一个解密工具,没有遍历文件,只是一次解密一个文件而已。
代码有些变量和数量不太优雅,还望见谅。

FBI公布GandCrabv4.0原始公钥链接:(需访问国外网站)
https://www.bleepingcomputer.com/news/security/fbi-releases-master-decryption-keys-for-gandcrab-ransomware/

\ProgramData\
\IETldCache\
\Boot\
\Program Files\
\Tor Browser\
\All Users\
\Local Settings\
\Windows\

desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
KRAB-DECRYPT.html
KRAB-DECRYPT.txt
CRAB-DECRYPT.txt
ntldr
NTDETECT.COM
Bootfont.bin

所有被加密文件的后缀都会被改为.KRAB。

定义RSA2048非对称加密算法的私钥和salsa20流加密算法的Key和iv(key和iv在不同主机并不固定,这里定义固定是针对一个测试用例),其中RSA2048的私钥FBI已经公开,salsa20的key和iv在被感染主机的HKEY_CURRENT_USER\Software\keys_data\data注册表中。

勒索病毒一定有解密的后门和配置,这些需要事先进行病毒分析深入了解病毒行为。首先读取隐藏在注册表中的key。

核心的解密逻辑,具体解密过程的实现一定要完全看懂解密流程图再分析。注释比较多,这里不再多说。

基于Crypto库实现的RSA2048解密函数。

基于Crypto库实现的salsa20流加密算法的解密函数。

https://www.fortinet.com/blog/threat-research/gandcrab-v4-0-analysis--new-shell--same-old-menace.html

 
 
BYTE privatekey[] = {             //FBI公布的BLOB格式RSA2048私钥
    0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x32, 0x00, 0x08, 0x00, 0x00
    , 0x01, 0x00, 0x01, 0x00, 0xBB, 0xEF, 0x02, 0x46, 0x0B, 0x5E, 0x8C, 0x72, 0x8E, 0xA0, 0xA0, 0x31
    , 0xAE, 0x95, 0x33, 0x82, 0xD6, 0x67, 0x89, 0x32, 0xB2, 0xED, 0x92, 0xA8, 0x16, 0x0A, 0xBC, 0x28
    , 0xC1, 0x4D, 0x3E, 0x00, 0xA3, 0xDC, 0x48, 0x47, 0x3D, 0xE9, 0x9A, 0xC1, 0x31, 0xAE, 0x41, 0xC5
    , 0xE8, 0x22, 0x70, 0x6A, 0x7F, 0x75, 0x98, 0x8F, 0xC6, 0xEB, 0xEE, 0x65, 0x9B, 0x1B, 0x96, 0xD3
    , 0x4D, 0xAA, 0x3F, 0x75, 0x0B, 0xA5, 0x75, 0xE7, 0x71, 0xCD, 0x88, 0xA0, 0x77, 0xE0, 0xCB, 0x2F
    , 0x33, 0xA2, 0x0D, 0xAB, 0xE4, 0xE3, 0x40, 0x82, 0x3F, 0xD9, 0x95, 0x50, 0xA4, 0x92, 0x56, 0xAA
    , 0x77, 0x61, 0x05, 0x75, 0xF2, 0x25, 0x81, 0xDA, 0xA1, 0xBE, 0x30, 0xA7, 0xCB, 0xDA, 0x2B, 0xA3
    , 0x9E, 0x85, 0xAB, 0x03, 0x8D, 0xBB, 0xD3, 0xF0, 0xBB, 0x9C, 0x71, 0x9A, 0xD4, 0x98, 0xCF, 0xC6
    , 0xC2, 0xA8, 0x62, 0x84, 0x32, 0x85, 0x4C, 0x1B, 0x2C, 0xFF, 0xE4, 0xD8, 0xD9, 0xE5, 0x2A, 0xBB
    , 0x18, 0x06, 0x08, 0x6A, 0xF4, 0xD8, 0xD1, 0x8D, 0x00, 0xE3, 0x41, 0xFC, 0xE7, 0xC5, 0x20, 0x25
    , 0xD2, 0xDD, 0x47, 0xFF, 0x27, 0x09, 0x1F, 0x6D, 0x34, 0x6C, 0x8A, 0x0A, 0xEB, 0xAB, 0x13, 0x48
    , 0x09, 0xF6, 0x24, 0x24, 0x98, 0x84, 0x22, 0xDD, 0xC1, 0xA1, 0x1C, 0x60, 0x63, 0x06, 0x71, 0xEE
    , 0x00, 0x4A, 0x21, 0xBA, 0x1F, 0xAF, 0x4C, 0x03, 0xD2, 0xC7, 0x3F, 0xBA, 0x64, 0x39, 0x35, 0xB4
    , 0x44, 0x0B, 0x17, 0x5F, 0xB5, 0x2C, 0x8C, 0x4E, 0xB2, 0xE6, 0x61, 0xB2, 0x23, 0x21, 0x4D, 0xAD
    , 0xFB, 0xD4, 0x1D, 0x96, 0x4B, 0xA1, 0xFC, 0x7F, 0xBF, 0x98, 0x78, 0xBB, 0xD3, 0x72, 0xF1, 0xE3
    , 0x46, 0x1F, 0x03, 0x4C, 0x05, 0x18, 0x96, 0xC1, 0x47, 0xC0, 0xA0, 0x6F, 0x17, 0x07, 0x11, 0x10
    , 0x2B, 0x2D, 0xD4, 0xC8, 0x79, 0xBF, 0xB4, 0x83, 0x75, 0x3D, 0x68, 0x60, 0x33, 0xBB, 0xA4, 0x7A
    , 0xC8, 0x52, 0x66, 0x2E, 0xE6, 0xFA, 0x44, 0x32, 0x4A, 0xAE, 0x06, 0xAB, 0x5A, 0x9F, 0xBE, 0x29
    , 0x1D, 0x3D, 0xB8, 0xA6, 0xC0, 0xCA, 0x0B, 0x10, 0x38, 0xA4, 0x52, 0x27, 0xBA, 0x61, 0xAC, 0x0A
    , 0x3B, 0x0E, 0x86, 0x8F, 0x7A, 0xAF, 0xBA, 0x89, 0x9D, 0x4A, 0x52, 0x33, 0x81, 0x74, 0x6B, 0xDE
    , 0x61, 0x26, 0xA5, 0xB4, 0x53, 0xA5, 0x48, 0x47, 0x8E, 0xA8, 0xD7, 0x01, 0x08, 0xA5, 0xDF, 0xF2
    , 0x06, 0xDD, 0xD5, 0x45, 0xDC, 0xF3, 0xE0, 0xAD, 0xCB, 0xFD, 0x1E, 0x55, 0x2C, 0x08, 0x63, 0xE2
    , 0xF0, 0x5B, 0x39, 0x81, 0x75, 0x50, 0xFB, 0x5C, 0x7E, 0x36, 0x2C, 0x13, 0xBD, 0x8F, 0x6F, 0xE2
    , 0xAE, 0xBC, 0xA3, 0x1D, 0x0D, 0x96, 0x2D, 0x91, 0x88, 0xE4, 0x8F, 0x39, 0xE0, 0x99, 0x71, 0x09
    , 0xE0, 0xE3, 0x80, 0xEE, 0xD3, 0x57, 0xEF, 0x91, 0x53, 0x3C, 0x5D, 0x00, 0x30, 0x7C, 0x7B, 0x00
    , 0x0D, 0x66, 0x28, 0x7E, 0xC9, 0xEA, 0x67, 0x18, 0xAE, 0xD2, 0xC2, 0xB6, 0x25, 0xDD, 0xA4, 0xB7
    , 0x1D, 0x92, 0x7A, 0x53, 0xA1, 0xBB, 0xD3, 0xA2, 0x31, 0xF8, 0x2E, 0x49, 0x50, 0x6E, 0xF8, 0x8E
    , 0x07, 0x86, 0x16, 0x01, 0x15, 0x47, 0x05, 0x2F, 0x89, 0xBA, 0xD5, 0xE4, 0x8C, 0x29, 0x61, 0xEB
    , 0x6E, 0x72, 0x62, 0x47, 0x56, 0xF3, 0x96, 0x70, 0x5C, 0x70, 0xA3, 0x2E, 0x7F, 0x9F, 0x52, 0x66
    , 0x54, 0xDD, 0xB2, 0xD0, 0x6A, 0xA8, 0xE0, 0x70, 0xE0, 0xF6, 0xE9, 0xEC, 0x8A, 0xAF, 0x67, 0x10
    , 0x9B, 0x7F, 0xBA, 0x32, 0x4D, 0x33, 0xCA, 0xB3, 0xC4, 0x9B, 0xB6, 0x66, 0xDE, 0x62, 0x17, 0x21
    , 0x20, 0x90, 0x0C, 0x37, 0x16, 0x50, 0x77, 0x98, 0xDA, 0x50, 0xE0, 0xF7, 0xB5, 0x84, 0xAB, 0x1C
    , 0xFB, 0xC0, 0x8F, 0xD7, 0xF1, 0x11, 0x84, 0xE0, 0x8C, 0x1D, 0x57, 0xB0, 0x6D, 0x6E, 0x82, 0x96
    , 0x1E, 0xCC, 0x78, 0xBD, 0x3B, 0xA9, 0xC3, 0x83, 0x7C, 0xD5, 0x3F, 0x8F, 0x93, 0xAD, 0xB7, 0x8A
    , 0x45, 0x96, 0x21, 0xA6, 0xD5, 0x1D, 0x5D, 0xDC, 0x50, 0x3C, 0x39, 0x71, 0x53, 0xC1, 0x71, 0xE3
    , 0x60, 0x42, 0x11, 0x07, 0x06, 0xC1, 0x01, 0xEE, 0x56, 0x5D, 0xED, 0xCA, 0x78, 0xD2, 0x4C, 0xC4
    , 0xBE, 0x40, 0x35, 0x9B, 0x54, 0x27, 0x3E, 0x82, 0xE7, 0x48, 0x37, 0xCD, 0x72, 0x3A, 0x95, 0xF9
    , 0x8E, 0x25, 0x70, 0x62, 0x98, 0x59, 0xD2, 0x9D, 0x71, 0x06, 0x74, 0xE3, 0x32, 0xA8, 0x1E, 0xB6
    , 0xB6, 0x91, 0x64, 0xCD, 0xDC, 0x35, 0x42, 0x1C, 0xDA, 0x57, 0xCB, 0x1F, 0x12, 0x23, 0x21, 0x53
    , 0xF4, 0xC6, 0xD5, 0x10, 0x13, 0x24, 0x6C, 0x82, 0x11, 0x63, 0x15, 0xB1, 0x78, 0x61, 0x4E, 0x6D
    , 0x87, 0x69, 0xEA, 0x4D, 0xAB, 0xED, 0xF4, 0x2A, 0xB3, 0xB6, 0xE0, 0x6D, 0xDF, 0x20, 0x1F, 0x04
    , 0xF4, 0x56, 0xCC, 0xC8, 0xD9, 0x4B, 0x32, 0x3F, 0x9E, 0x10, 0x54, 0xA4, 0xA5, 0xFF, 0xC5, 0x01
    , 0x8E, 0xF3, 0x3C, 0x9F, 0xB1, 0x8B, 0x4D, 0xAE, 0x25, 0x94, 0x87, 0x80, 0x70, 0x18, 0xFA, 0xA8
    , 0x45, 0xA4, 0x0D, 0xC5, 0xF2, 0xE3, 0x67, 0x08, 0xF8, 0x54, 0x30, 0xF6, 0x9E, 0x3A, 0x05, 0x39
    , 0xE4, 0xE8, 0x72, 0x51, 0x47, 0x2F, 0x81, 0x41, 0xF2, 0xE3, 0xE9, 0xEE, 0x9F, 0x76, 0xA3, 0xBC
    , 0x94, 0x08, 0xB5, 0x46, 0x11, 0x12, 0x13, 0xBA, 0x53, 0xB0, 0xB6, 0x67, 0xF0, 0xE5, 0x2E, 0x0A
    , 0xCA, 0xB2, 0x57, 0x26, 0x2C, 0xCC, 0x2E, 0x19, 0x50, 0xDA, 0xD2, 0x4A, 0xBD, 0xDA, 0x69, 0xEC
    , 0xA7, 0x01, 0xD7, 0x95, 0x98, 0x92, 0x49, 0xB4, 0xD6, 0x41, 0x09, 0x1A, 0x39, 0x04, 0x89, 0xD6
    , 0xDA, 0xC2, 0x49, 0xB9, 0xDE, 0x98, 0xDB, 0x43, 0x51, 0x66, 0x80, 0x85, 0x6E, 0xA3, 0x11, 0x05
    , 0x5B, 0x9F, 0xC3, 0x55, 0x77, 0x7B, 0xC9, 0xE0, 0x52, 0x9E, 0xCE, 0x0A, 0x08, 0xBC, 0x05, 0xE1
    , 0xC0, 0xA7, 0x29, 0x3D, 0xB5, 0x2F, 0x8E, 0x3D, 0x84, 0xB8, 0xBD, 0xDF, 0x38, 0x49, 0x65, 0xB4
    , 0x1F, 0xB0, 0xC2, 0xEE, 0x7B, 0x57, 0xFE, 0x39, 0x8D, 0x93, 0x12, 0x1E, 0xFB, 0x16, 0x7E, 0x2F
    , 0xAF, 0x07, 0x60, 0x78, 0xD9, 0x72, 0x22, 0x53, 0x4C, 0xB4, 0x96, 0xB6, 0xFC, 0xA0, 0x51, 0x45
    , 0x2C, 0x1C, 0x81, 0x34, 0x26, 0xE2, 0xA9, 0xF9, 0xA4, 0x20, 0x3F, 0x6B, 0x9B, 0xA4, 0xD8, 0x33
    , 0x8C, 0xDC, 0x7F, 0x9D, 0x62, 0xCD, 0x0A, 0xFE, 0x17, 0x6C, 0xC4, 0xCB, 0x7D, 0x46, 0xD9, 0x68
    , 0x29, 0x71, 0x9A, 0x7C, 0x8C, 0x3B, 0xCA, 0xCA, 0xA3, 0x62, 0x85, 0x95, 0x6F, 0x7D, 0xE8, 0xAC
    , 0xEC, 0x71, 0x6D, 0xE2, 0x61, 0xBA, 0x75, 0x74, 0xCB, 0xE6, 0xBD, 0x80, 0x4D, 0x54, 0x6B, 0x32
    , 0xC6, 0x89, 0x24, 0x49, 0x3B, 0xB2, 0xF2, 0x6F, 0xE4, 0xCF, 0x34, 0xDA, 0x19, 0x45, 0xBE, 0x0E
    , 0x65, 0x10, 0x0A, 0x4A, 0x0D, 0xD2, 0xFA, 0x51, 0x1B, 0x9B, 0x1D, 0xCE, 0xE2, 0xA9, 0xC8, 0xC0
    , 0xFF, 0xFC, 0x63, 0x8D, 0xDE, 0x9E, 0x08, 0xF4, 0xAB, 0x10, 0xCB, 0x30, 0x3C, 0xFE, 0x93, 0x37
    , 0x68, 0xFD, 0x08, 0x10, 0x2F, 0x5B, 0x84, 0x28, 0xEB, 0x8F, 0xDC, 0xFB, 0xD8, 0xEC, 0xDB, 0x63
    , 0xD5, 0xEF, 0xCB, 0xAC, 0x84, 0xEA, 0x30, 0x92, 0x86, 0xF8, 0xC0, 0x2A, 0x7D, 0xD2, 0x42, 0xB2
    , 0x66, 0xC1, 0x0B, 0xB1, 0x88, 0xCF, 0xD7, 0x9A, 0x02, 0x60, 0xC9, 0x05, 0x04, 0x4F, 0x25, 0xB1
    , 0x70, 0xBA, 0x8B, 0x96, 0xCE, 0xFF, 0xB0, 0x52, 0x19, 0x70, 0xCD, 0x6E, 0xF5, 0x73, 0xE2, 0x45
    , 0x7F, 0x84, 0x23, 0x81, 0xDD, 0x8B, 0x2A, 0xC1, 0x4D, 0x88, 0x17, 0x8F, 0xCC, 0x13, 0x71, 0x11
    , 0x0E, 0x13, 0x3A, 0xDB, 0x3A, 0xCD, 0x65, 0xE0, 0x32, 0x51, 0xFE, 0xBA, 0x04, 0x2E, 0x8B, 0x1A
    , 0x2C, 0xF1, 0xC7, 0xF8, 0x31, 0x9B, 0xDA, 0x12, 0x9F, 0x60, 0x37, 0x17, 0x6E, 0x0B, 0x51, 0xCD
    , 0x68, 0x1F, 0x0A, 0xE9, 0x5B, 0xC1, 0x4B, 0x23, 0x1D, 0xCB, 0x53, 0x4B, 0xC1, 0xB0, 0x7D, 0x7B
    , 0xDC, 0x6A, 0x5F, 0x3B, 0xED, 0xD6, 0x48, 0xA8, 0xDB, 0xAB, 0xD9, 0xD4, 0x5D, 0x1F, 0x9C, 0xCA
    , 0x6E, 0x83, 0x06, 0x5B, 0xAD, 0xB2, 0xBB, 0x5A, 0x7E, 0xB7, 0xF5, 0x48, 0xAE, 0xB9, 0x76, 0x06
    , 0x79, 0xE5, 0x62, 0x07, 0xC7, 0x7E, 0x09, 0xC2, 0x1E, 0x45, 0x12, 0x35, 0xDA, 0x13, 0xC8, 0x77
    , 0x7F, 0xE6, 0xFC, 0x1C, 0x4A, 0x24, 0xE6, 0x5C, 0x0A, 0xA0, 0xEF, 0x1C, 0x53, 0xA3, 0xBE, 0xDD
    , 0xE7, 0x1D, 0xB1, 0xA3 };
 
BYTE mykey[] = { 0x3E, 0xEF, 0x1E, 0x4E, 0x0B, 0xC9, 0xD3, 0x92, 0xFA, 0xE3, 0xA7, 0xEF, 0xF5, 0xAF, 0x4F, 0xD4,
0x07, 0x4F, 0x61, 0x02, 0x5A, 0x96, 0xE8, 0x8D, 0xD9, 0xCC, 0x23, 0x80, 0xB2, 0xCF, 0x75, 0xBF };//
BYTE myiv[] = { 0xCB, 0x72, 0x42, 0x60, 0x86, 0x25, 0x0B, 0x91 };//
BYTE privatekey[] = {             //FBI公布的BLOB格式RSA2048私钥
    0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x32, 0x00, 0x08, 0x00, 0x00
    , 0x01, 0x00, 0x01, 0x00, 0xBB, 0xEF, 0x02, 0x46, 0x0B, 0x5E, 0x8C, 0x72, 0x8E, 0xA0, 0xA0, 0x31
    , 0xAE, 0x95, 0x33, 0x82, 0xD6, 0x67, 0x89, 0x32, 0xB2, 0xED, 0x92, 0xA8, 0x16, 0x0A, 0xBC, 0x28
    , 0xC1, 0x4D, 0x3E, 0x00, 0xA3, 0xDC, 0x48, 0x47, 0x3D, 0xE9, 0x9A, 0xC1, 0x31, 0xAE, 0x41, 0xC5
    , 0xE8, 0x22, 0x70, 0x6A, 0x7F, 0x75, 0x98, 0x8F, 0xC6, 0xEB, 0xEE, 0x65, 0x9B, 0x1B, 0x96, 0xD3
    , 0x4D, 0xAA, 0x3F, 0x75, 0x0B, 0xA5, 0x75, 0xE7, 0x71, 0xCD, 0x88, 0xA0, 0x77, 0xE0, 0xCB, 0x2F
    , 0x33, 0xA2, 0x0D, 0xAB, 0xE4, 0xE3, 0x40, 0x82, 0x3F, 0xD9, 0x95, 0x50, 0xA4, 0x92, 0x56, 0xAA
    , 0x77, 0x61, 0x05, 0x75, 0xF2, 0x25, 0x81, 0xDA, 0xA1, 0xBE, 0x30, 0xA7, 0xCB, 0xDA, 0x2B, 0xA3
    , 0x9E, 0x85, 0xAB, 0x03, 0x8D, 0xBB, 0xD3, 0xF0, 0xBB, 0x9C, 0x71, 0x9A, 0xD4, 0x98, 0xCF, 0xC6
    , 0xC2, 0xA8, 0x62, 0x84, 0x32, 0x85, 0x4C, 0x1B, 0x2C, 0xFF, 0xE4, 0xD8, 0xD9, 0xE5, 0x2A, 0xBB
    , 0x18, 0x06, 0x08, 0x6A, 0xF4, 0xD8, 0xD1, 0x8D, 0x00, 0xE3, 0x41, 0xFC, 0xE7, 0xC5, 0x20, 0x25
    , 0xD2, 0xDD, 0x47, 0xFF, 0x27, 0x09, 0x1F, 0x6D, 0x34, 0x6C, 0x8A, 0x0A, 0xEB, 0xAB, 0x13, 0x48
    , 0x09, 0xF6, 0x24, 0x24, 0x98, 0x84, 0x22, 0xDD, 0xC1, 0xA1, 0x1C, 0x60, 0x63, 0x06, 0x71, 0xEE
    , 0x00, 0x4A, 0x21, 0xBA, 0x1F, 0xAF, 0x4C, 0x03, 0xD2, 0xC7, 0x3F, 0xBA, 0x64, 0x39, 0x35, 0xB4
    , 0x44, 0x0B, 0x17, 0x5F, 0xB5, 0x2C, 0x8C, 0x4E, 0xB2, 0xE6, 0x61, 0xB2, 0x23, 0x21, 0x4D, 0xAD
    , 0xFB, 0xD4, 0x1D, 0x96, 0x4B, 0xA1, 0xFC, 0x7F, 0xBF, 0x98, 0x78, 0xBB, 0xD3, 0x72, 0xF1, 0xE3
    , 0x46, 0x1F, 0x03, 0x4C, 0x05, 0x18, 0x96, 0xC1, 0x47, 0xC0, 0xA0, 0x6F, 0x17, 0x07, 0x11, 0x10
    , 0x2B, 0x2D, 0xD4, 0xC8, 0x79, 0xBF, 0xB4, 0x83, 0x75, 0x3D, 0x68, 0x60, 0x33, 0xBB, 0xA4, 0x7A
    , 0xC8, 0x52, 0x66, 0x2E, 0xE6, 0xFA, 0x44, 0x32, 0x4A, 0xAE, 0x06, 0xAB, 0x5A, 0x9F, 0xBE, 0x29
    , 0x1D, 0x3D, 0xB8, 0xA6, 0xC0, 0xCA, 0x0B, 0x10, 0x38, 0xA4, 0x52, 0x27, 0xBA, 0x61, 0xAC, 0x0A
    , 0x3B, 0x0E, 0x86, 0x8F, 0x7A, 0xAF, 0xBA, 0x89, 0x9D, 0x4A, 0x52, 0x33, 0x81, 0x74, 0x6B, 0xDE
    , 0x61, 0x26, 0xA5, 0xB4, 0x53, 0xA5, 0x48, 0x47, 0x8E, 0xA8, 0xD7, 0x01, 0x08, 0xA5, 0xDF, 0xF2
    , 0x06, 0xDD, 0xD5, 0x45, 0xDC, 0xF3, 0xE0, 0xAD, 0xCB, 0xFD, 0x1E, 0x55, 0x2C, 0x08, 0x63, 0xE2
    , 0xF0, 0x5B, 0x39, 0x81, 0x75, 0x50, 0xFB, 0x5C, 0x7E, 0x36, 0x2C, 0x13, 0xBD, 0x8F, 0x6F, 0xE2
    , 0xAE, 0xBC, 0xA3, 0x1D, 0x0D, 0x96, 0x2D, 0x91, 0x88, 0xE4, 0x8F, 0x39, 0xE0, 0x99, 0x71, 0x09
    , 0xE0, 0xE3, 0x80, 0xEE, 0xD3, 0x57, 0xEF, 0x91, 0x53, 0x3C, 0x5D, 0x00, 0x30, 0x7C, 0x7B, 0x00
    , 0x0D, 0x66, 0x28, 0x7E, 0xC9, 0xEA, 0x67, 0x18, 0xAE, 0xD2, 0xC2, 0xB6, 0x25, 0xDD, 0xA4, 0xB7
    , 0x1D, 0x92, 0x7A, 0x53, 0xA1, 0xBB, 0xD3, 0xA2, 0x31, 0xF8, 0x2E, 0x49, 0x50, 0x6E, 0xF8, 0x8E
    , 0x07, 0x86, 0x16, 0x01, 0x15, 0x47, 0x05, 0x2F, 0x89, 0xBA, 0xD5, 0xE4, 0x8C, 0x29, 0x61, 0xEB
    , 0x6E, 0x72, 0x62, 0x47, 0x56, 0xF3, 0x96, 0x70, 0x5C, 0x70, 0xA3, 0x2E, 0x7F, 0x9F, 0x52, 0x66
    , 0x54, 0xDD, 0xB2, 0xD0, 0x6A, 0xA8, 0xE0, 0x70, 0xE0, 0xF6, 0xE9, 0xEC, 0x8A, 0xAF, 0x67, 0x10
    , 0x9B, 0x7F, 0xBA, 0x32, 0x4D, 0x33, 0xCA, 0xB3, 0xC4, 0x9B, 0xB6, 0x66, 0xDE, 0x62, 0x17, 0x21
    , 0x20, 0x90, 0x0C, 0x37, 0x16, 0x50, 0x77, 0x98, 0xDA, 0x50, 0xE0, 0xF7, 0xB5, 0x84, 0xAB, 0x1C
    , 0xFB, 0xC0, 0x8F, 0xD7, 0xF1, 0x11, 0x84, 0xE0, 0x8C, 0x1D, 0x57, 0xB0, 0x6D, 0x6E, 0x82, 0x96
    , 0x1E, 0xCC, 0x78, 0xBD, 0x3B, 0xA9, 0xC3, 0x83, 0x7C, 0xD5, 0x3F, 0x8F, 0x93, 0xAD, 0xB7, 0x8A
    , 0x45, 0x96, 0x21, 0xA6, 0xD5, 0x1D, 0x5D, 0xDC, 0x50, 0x3C, 0x39, 0x71, 0x53, 0xC1, 0x71, 0xE3
    , 0x60, 0x42, 0x11, 0x07, 0x06, 0xC1, 0x01, 0xEE, 0x56, 0x5D, 0xED, 0xCA, 0x78, 0xD2, 0x4C, 0xC4
    , 0xBE, 0x40, 0x35, 0x9B, 0x54, 0x27, 0x3E, 0x82, 0xE7, 0x48, 0x37, 0xCD, 0x72, 0x3A, 0x95, 0xF9
    , 0x8E, 0x25, 0x70, 0x62, 0x98, 0x59, 0xD2, 0x9D, 0x71, 0x06, 0x74, 0xE3, 0x32, 0xA8, 0x1E, 0xB6
    , 0xB6, 0x91, 0x64, 0xCD, 0xDC, 0x35, 0x42, 0x1C, 0xDA, 0x57, 0xCB, 0x1F, 0x12, 0x23, 0x21, 0x53
    , 0xF4, 0xC6, 0xD5, 0x10, 0x13, 0x24, 0x6C, 0x82, 0x11, 0x63, 0x15, 0xB1, 0x78, 0x61, 0x4E, 0x6D
    , 0x87, 0x69, 0xEA, 0x4D, 0xAB, 0xED, 0xF4, 0x2A, 0xB3, 0xB6, 0xE0, 0x6D, 0xDF, 0x20, 0x1F, 0x04
    , 0xF4, 0x56, 0xCC, 0xC8, 0xD9, 0x4B, 0x32, 0x3F, 0x9E, 0x10, 0x54, 0xA4, 0xA5, 0xFF, 0xC5, 0x01
    , 0x8E, 0xF3, 0x3C, 0x9F, 0xB1, 0x8B, 0x4D, 0xAE, 0x25, 0x94, 0x87, 0x80, 0x70, 0x18, 0xFA, 0xA8
    , 0x45, 0xA4, 0x0D, 0xC5, 0xF2, 0xE3, 0x67, 0x08, 0xF8, 0x54, 0x30, 0xF6, 0x9E, 0x3A, 0x05, 0x39
    , 0xE4, 0xE8, 0x72, 0x51, 0x47, 0x2F, 0x81, 0x41, 0xF2, 0xE3, 0xE9, 0xEE, 0x9F, 0x76, 0xA3, 0xBC
    , 0x94, 0x08, 0xB5, 0x46, 0x11, 0x12, 0x13, 0xBA, 0x53, 0xB0, 0xB6, 0x67, 0xF0, 0xE5, 0x2E, 0x0A
    , 0xCA, 0xB2, 0x57, 0x26, 0x2C, 0xCC, 0x2E, 0x19, 0x50, 0xDA, 0xD2, 0x4A, 0xBD, 0xDA, 0x69, 0xEC
    , 0xA7, 0x01, 0xD7, 0x95, 0x98, 0x92, 0x49, 0xB4, 0xD6, 0x41, 0x09, 0x1A, 0x39, 0x04, 0x89, 0xD6
    , 0xDA, 0xC2, 0x49, 0xB9, 0xDE, 0x98, 0xDB, 0x43, 0x51, 0x66, 0x80, 0x85, 0x6E, 0xA3, 0x11, 0x05
    , 0x5B, 0x9F, 0xC3, 0x55, 0x77, 0x7B, 0xC9, 0xE0, 0x52, 0x9E, 0xCE, 0x0A, 0x08, 0xBC, 0x05, 0xE1
    , 0xC0, 0xA7, 0x29, 0x3D, 0xB5, 0x2F, 0x8E, 0x3D, 0x84, 0xB8, 0xBD, 0xDF, 0x38, 0x49, 0x65, 0xB4
    , 0x1F, 0xB0, 0xC2, 0xEE, 0x7B, 0x57, 0xFE, 0x39, 0x8D, 0x93, 0x12, 0x1E, 0xFB, 0x16, 0x7E, 0x2F
    , 0xAF, 0x07, 0x60, 0x78, 0xD9, 0x72, 0x22, 0x53, 0x4C, 0xB4, 0x96, 0xB6, 0xFC, 0xA0, 0x51, 0x45
    , 0x2C, 0x1C, 0x81, 0x34, 0x26, 0xE2, 0xA9, 0xF9, 0xA4, 0x20, 0x3F, 0x6B, 0x9B, 0xA4, 0xD8, 0x33
    , 0x8C, 0xDC, 0x7F, 0x9D, 0x62, 0xCD, 0x0A, 0xFE, 0x17, 0x6C, 0xC4, 0xCB, 0x7D, 0x46, 0xD9, 0x68
    , 0x29, 0x71, 0x9A, 0x7C, 0x8C, 0x3B, 0xCA, 0xCA, 0xA3, 0x62, 0x85, 0x95, 0x6F, 0x7D, 0xE8, 0xAC
    , 0xEC, 0x71, 0x6D, 0xE2, 0x61, 0xBA, 0x75, 0x74, 0xCB, 0xE6, 0xBD, 0x80, 0x4D, 0x54, 0x6B, 0x32
    , 0xC6, 0x89, 0x24, 0x49, 0x3B, 0xB2, 0xF2, 0x6F, 0xE4, 0xCF, 0x34, 0xDA, 0x19, 0x45, 0xBE, 0x0E
    , 0x65, 0x10, 0x0A, 0x4A, 0x0D, 0xD2, 0xFA, 0x51, 0x1B, 0x9B, 0x1D, 0xCE, 0xE2, 0xA9, 0xC8, 0xC0
    , 0xFF, 0xFC, 0x63, 0x8D, 0xDE, 0x9E, 0x08, 0xF4, 0xAB, 0x10, 0xCB, 0x30, 0x3C, 0xFE, 0x93, 0x37
    , 0x68, 0xFD, 0x08, 0x10, 0x2F, 0x5B, 0x84, 0x28, 0xEB, 0x8F, 0xDC, 0xFB, 0xD8, 0xEC, 0xDB, 0x63
    , 0xD5, 0xEF, 0xCB, 0xAC, 0x84, 0xEA, 0x30, 0x92, 0x86, 0xF8, 0xC0, 0x2A, 0x7D, 0xD2, 0x42, 0xB2
    , 0x66, 0xC1, 0x0B, 0xB1, 0x88, 0xCF, 0xD7, 0x9A, 0x02, 0x60, 0xC9, 0x05, 0x04, 0x4F, 0x25, 0xB1
    , 0x70, 0xBA, 0x8B, 0x96, 0xCE, 0xFF, 0xB0, 0x52, 0x19, 0x70, 0xCD, 0x6E, 0xF5, 0x73, 0xE2, 0x45
    , 0x7F, 0x84, 0x23, 0x81, 0xDD, 0x8B, 0x2A, 0xC1, 0x4D, 0x88, 0x17, 0x8F, 0xCC, 0x13, 0x71, 0x11
    , 0x0E, 0x13, 0x3A, 0xDB, 0x3A, 0xCD, 0x65, 0xE0, 0x32, 0x51, 0xFE, 0xBA, 0x04, 0x2E, 0x8B, 0x1A
    , 0x2C, 0xF1, 0xC7, 0xF8, 0x31, 0x9B, 0xDA, 0x12, 0x9F, 0x60, 0x37, 0x17, 0x6E, 0x0B, 0x51, 0xCD
    , 0x68, 0x1F, 0x0A, 0xE9, 0x5B, 0xC1, 0x4B, 0x23, 0x1D, 0xCB, 0x53, 0x4B, 0xC1, 0xB0, 0x7D, 0x7B
    , 0xDC, 0x6A, 0x5F, 0x3B, 0xED, 0xD6, 0x48, 0xA8, 0xDB, 0xAB, 0xD9, 0xD4, 0x5D, 0x1F, 0x9C, 0xCA
    , 0x6E, 0x83, 0x06, 0x5B, 0xAD, 0xB2, 0xBB, 0x5A, 0x7E, 0xB7, 0xF5, 0x48, 0xAE, 0xB9, 0x76, 0x06
    , 0x79, 0xE5, 0x62, 0x07, 0xC7, 0x7E, 0x09, 0xC2, 0x1E, 0x45, 0x12, 0x35, 0xDA, 0x13, 0xC8, 0x77
    , 0x7F, 0xE6, 0xFC, 0x1C, 0x4A, 0x24, 0xE6, 0x5C, 0x0A, 0xA0, 0xEF, 0x1C, 0x53, 0xA3, 0xBE, 0xDD
    , 0xE7, 0x1D, 0xB1, 0xA3 };
 
BYTE mykey[] = { 0x3E, 0xEF, 0x1E, 0x4E, 0x0B, 0xC9, 0xD3, 0x92, 0xFA, 0xE3, 0xA7, 0xEF, 0xF5, 0xAF, 0x4F, 0xD4,
0x07, 0x4F, 0x61, 0x02, 0x5A, 0x96, 0xE8, 0x8D, 0xD9, 0xCC, 0x23, 0x80, 0xB2, 0xCF, 0x75, 0xBF };//
BYTE myiv[] = { 0xCB, 0x72, 0x42, 0x60, 0x86, 0x25, 0x0B, 0x91 };//
//1.读取注册表 HKEY_CURRENT_USER\Software\keys_data\data内容
QueryRegister(QUERYDATA);
printf("被rsa2048加密的salsa20key:\n");
for (i = 4; i < 260; i++)               //4h104h100字节内容
{
    printf("%x", QUERYDATA[i]);
    SALSA20KEY[i-4] = QUERYDATA[i];
}
printf("\n被rsa2048加密的salsa20iv:\n");
for (i = 260; i < 516; i++)            //104h204h100字节内容
{
    printf("%x", QUERYDATA[i]);
    SALSA20IV[i - 260] = QUERYDATA[i];
}
printf("\n被salsa20加密的randomrsa2048privatekey:\n");
for (i = 516; i < 1688; i++)            //取剩余字节内容为RSA私钥
{
    printf("%x", QUERYDATA[i]);
    RSA2048PRIVATE[i - 516] = QUERYDATA[i];
}
//1.读取注册表 HKEY_CURRENT_USER\Software\keys_data\data内容
QueryRegister(QUERYDATA);
printf("被rsa2048加密的salsa20key:\n");
for (i = 4; i < 260; i++)               //4h104h100字节内容
{
    printf("%x", QUERYDATA[i]);
    SALSA20KEY[i-4] = QUERYDATA[i];
}
printf("\n被rsa2048加密的salsa20iv:\n");
for (i = 260; i < 516; i++)            //104h204h100字节内容
{
    printf("%x", QUERYDATA[i]);
    SALSA20IV[i - 260] = QUERYDATA[i];
}
printf("\n被salsa20加密的randomrsa2048privatekey:\n");
for (i = 516; i < 1688; i++)            //取剩余字节内容为RSA私钥
{
    printf("%x", QUERYDATA[i]);
    RSA2048PRIVATE[i - 516] = QUERYDATA[i];
}
//2.利用RSA公钥解密salsa20的密钥
DWORD dwDataLength = MAX_PATH;                //其实本来有108字节,但是iv生成时有前8字节被iv覆盖掉,所以总共是208字节。但这样并不影响解密
DWORD privatesize = sizeof(privatekey);
HCRYPTPROV hCryptProv1, hCryptProv2;
hCryptProv1 = RsaDecrypt1(privatekey, privatesize, SALSA20KEY, dwDataLength);
printf("\n解密出slasa20key:\n");
for (i = 0; i < 32; i++)                     //存储20字节key
{
    printf("%x", SALSA20KEY[i]);
    SALSA20KEY2[i] = SALSA20KEY[i];           //从这里取出salsa20key。。。。。。。。。。。。。。。。。。。。。。。。。。
}
DWORD dwDataLength2 = MAX_PATH;             
 
hCryptProv2=RsaDecrypt1(privatekey, privatesize, SALSA20IV, dwDataLength2);
printf("\n解密出slasa20IV:\n");
for (i = 0; i < 8; i++)                      //存储8字节iv
{
    printf("%x", SALSA20IV[i]);
    SALSA20IV2[i] = SALSA20IV[i];            //从这里取出salsa20iv。。。。。。。。。。。。。。。。。。。。。。。。。。。。
}
//2.利用RSA公钥解密salsa20的密钥
DWORD dwDataLength = MAX_PATH;                //其实本来有108字节,但是iv生成时有前8字节被iv覆盖掉,所以总共是208字节。但这样并不影响解密
DWORD privatesize = sizeof(privatekey);
HCRYPTPROV hCryptProv1, hCryptProv2;
hCryptProv1 = RsaDecrypt1(privatekey, privatesize, SALSA20KEY, dwDataLength);
printf("\n解密出slasa20key:\n");
for (i = 0; i < 32; i++)                     //存储20字节key
{
    printf("%x", SALSA20KEY[i]);
    SALSA20KEY2[i] = SALSA20KEY[i];           //从这里取出salsa20key。。。。。。。。。。。。。。。。。。。。。。。。。。
}
DWORD dwDataLength2 = MAX_PATH;             
 
hCryptProv2=RsaDecrypt1(privatekey, privatesize, SALSA20IV, dwDataLength2);
printf("\n解密出slasa20IV:\n");
for (i = 0; i < 8; i++)                      //存储8字节iv
{
    printf("%x", SALSA20IV[i]);
    SALSA20IV2[i] = SALSA20IV[i];            //从这里取出salsa20iv。。。。。。。。。。。。。。。。。。。。。。。。。。。。
}
    //3.利用salsa20的密钥解密出随机申请的RSA私钥
    string cipher;
    BYTE *KEY;
    KEY = salsa20A(cipher);
    BYTE RANDOMRSAKEY[sizeof(RSA2048PRIVATE)] = { 0 };
    printf("\n解密出的随机生成的RSA公钥:\n");
    for (i = 0; i < sizeof(RSA2048PRIVATE); i++)                      //存储8字节iv
    {
        printf("%x", *(KEY+i));
        RANDOMRSAKEY[i] = *(KEY + i);
    }
    //4.全盘文件遍历,判断文件后缀是否为.KARB,这是文件感染的标志
    //封装处,下面5.6步均需写入到文件遍历判断成功后
    //5.读取每个文件末尾处后200字节内容,解密出加密每个文件用的不同salsa20密钥,删除同目录下的txt文件
    BYTE bufferreadkey[256] = { 0 };            //读取末尾208字节,其中前100字节可以解密出SALSA20KEY
    BYTE bufferreadiv[264] = { 0 };             //108字节可以解密出SALSA20IV
    DWORD NumberOfBytesRead = 0x80;
    HANDLE hfile = CreateFile(L"C:\\example.KRAB", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    DWORD  FileSizeHigh;
 
    SetFilePointer(hfile, -264, 0, FILE_END);
    ReadFile(hfile, bufferreadiv, sizeof(bufferreadiv), &NumberOfBytesRead, 0);
    SetFilePointer(hfile, -520, 0, FILE_END);
    ReadFile(hfile, bufferreadkey, sizeof(bufferreadkey), &NumberOfBytesRead, 0);
    dwDataLength = MAX_PATH;
    RsaDecrypt2(hCryptProv1,RANDOMRSAKEY, sizeof(RANDOMRSAKEY), bufferreadkey, dwDataLength);
    printf("\n解密出slasa20key:\n");
    for (i = 0; i < 32; i++)                     //存储20字节key
    {
        printf("%x", bufferreadkey[i]);
        SALSA20KEYFINAL[i] = bufferreadkey[i];          
    }
    dwDataLength = MAX_PATH;  //必须重定义
    RsaDecrypt2(hCryptProv2,RANDOMRSAKEY, sizeof(RANDOMRSAKEY), bufferreadiv, dwDataLength);
    printf("\n解密出slasa20iv:\n");
    for (i = 0; i < 8; i++)                     //存储20字节key
    {
        printf("%x", bufferreadiv[i]);
        SALSA20IVFINAL[i] = bufferreadiv[i];         
    }   
    //6.用salsa20密钥解密出原文件内容,删除文件的KRAB后缀,删除后面208个字节
    DWORD  FileSize;
    FileSize = GetFileSize(hfile, &FileSizeHigh);
    DWORD RealFileSize = FileSize - 520;
 
    BYTE * filebuffer = new BYTE[FileSize];
 
    HANDLE hFile = CreateFile(L"C:\\Gandcrab4.clean", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
//    while (TOTALDECRYPT < FileSize)//不能循环解密,不是从头开始的解密结果都是错的,第二次调用就是错的
//    {
        SetFilePointer(hfile, 0, 0, FILE_BEGIN);
        ReadFile(hfile, filebuffer, RealFileSize, &NumberOfBytesRead, 0);//这个时候读取的全部文件的buffer
 
        string cipher2;
        BYTE *KEY2 = NULL;
        KEY2 = salsa20B(cipher2, filebuffer, RealFileSize,hFile);
 
//    };
    //3.利用salsa20的密钥解密出随机申请的RSA私钥
    string cipher;

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2020-9-21 20:17 被绝望的皮卡丘编辑 ,原因: 删除注释
上传的附件:
收藏
免费 1
支持
分享
最新回复 (1)
雪    币: 7065
活跃值: (3106)
能力值: ( LV4,RANK:52 )
在线值:
发帖
回帖
粉丝
2
应该是读取后缀名拼上 -DECRYPT.txt,然后读取这个txt里面的key,base64decode后通过上面的方法进行解密,估计是各大厂家为了避免重装系统注册表丢失吧
2020-9-22 10:53
0
游客
登录 | 注册 方可回帖
返回
//