-
-
[原创]GandCrab4.0勒索软件解密工具
-
发表于: 2020-9-21 20:13
-
GandCrab是由一个十分猖狂的团队研发的勒索软件病毒,2018年开始活跃,一年内勒索了将近20亿美元。2019年可谓臭名远扬的勒索软件之王:GandCrab背后的运营团队在俄语论坛中发表官方声明称,GandCrab勒索病毒将停止更新。
为什么停止更新了呢?答案竟是,钱赚够了。然而这么猖狂的犯罪团伙,至今都没有被找到幕后团伙是谁。这就是GandCrab勒索软件的神奇传说。
今天分享去年写的一个解密工具,没有遍历文件,只是一次解密一个文件而已。
代码有些变量和数量不太优雅,还望见谅。
FBI公布GandCrabv4.0原始公钥链接:(需访问国外网站)
https://www.bleepingcomputer.com/news/security/fbi-releases-master-decryption-keys-for-gandcrab-ransomware/
\ProgramData\
\IETldCache\
\Boot\
\Program Files\
\Tor Browser\
\All Users\
\Local Settings\
\Windows\
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
KRAB-DECRYPT.html
KRAB-DECRYPT.txt
CRAB-DECRYPT.txt
ntldr
NTDETECT.COM
Bootfont.bin
所有被加密文件的后缀都会被改为.KRAB。
定义RSA2048非对称加密算法的私钥和salsa20流加密算法的Key和iv(key和iv在不同主机并不固定,这里定义固定是针对一个测试用例),其中RSA2048的私钥FBI已经公开,salsa20的key和iv在被感染主机的HKEY_CURRENT_USER\Software\keys_data\data注册表中。
勒索病毒一定有解密的后门和配置,这些需要事先进行病毒分析深入了解病毒行为。首先读取隐藏在注册表中的key。
核心的解密逻辑,具体解密过程的实现一定要完全看懂解密流程图再分析。注释比较多,这里不再多说。
基于Crypto库实现的RSA2048解密函数。
基于Crypto库实现的salsa20流加密算法的解密函数。
https://www.fortinet.com/blog/threat-research/gandcrab-v4-0-analysis--new-shell--same-old-menace.html
BYTE privatekey[] = { //FBI公布的BLOB格式RSA2048私钥
0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x32, 0x00, 0x08, 0x00, 0x00
, 0x01, 0x00, 0x01, 0x00, 0xBB, 0xEF, 0x02, 0x46, 0x0B, 0x5E, 0x8C, 0x72, 0x8E, 0xA0, 0xA0, 0x31
, 0xAE, 0x95, 0x33, 0x82, 0xD6, 0x67, 0x89, 0x32, 0xB2, 0xED, 0x92, 0xA8, 0x16, 0x0A, 0xBC, 0x28
, 0xC1, 0x4D, 0x3E, 0x00, 0xA3, 0xDC, 0x48, 0x47, 0x3D, 0xE9, 0x9A, 0xC1, 0x31, 0xAE, 0x41, 0xC5
, 0xE8, 0x22, 0x70, 0x6A, 0x7F, 0x75, 0x98, 0x8F, 0xC6, 0xEB, 0xEE, 0x65, 0x9B, 0x1B, 0x96, 0xD3
, 0x4D, 0xAA, 0x3F, 0x75, 0x0B, 0xA5, 0x75, 0xE7, 0x71, 0xCD, 0x88, 0xA0, 0x77, 0xE0, 0xCB, 0x2F
, 0x33, 0xA2, 0x0D, 0xAB, 0xE4, 0xE3, 0x40, 0x82, 0x3F, 0xD9, 0x95, 0x50, 0xA4, 0x92, 0x56, 0xAA
, 0x77, 0x61, 0x05, 0x75, 0xF2, 0x25, 0x81, 0xDA, 0xA1, 0xBE, 0x30, 0xA7, 0xCB, 0xDA, 0x2B, 0xA3
, 0x9E, 0x85, 0xAB, 0x03, 0x8D, 0xBB, 0xD3, 0xF0, 0xBB, 0x9C, 0x71, 0x9A, 0xD4, 0x98, 0xCF, 0xC6
, 0xC2, 0xA8, 0x62, 0x84, 0x32, 0x85, 0x4C, 0x1B, 0x2C, 0xFF, 0xE4, 0xD8, 0xD9, 0xE5, 0x2A, 0xBB
, 0x18, 0x06, 0x08, 0x6A, 0xF4, 0xD8, 0xD1, 0x8D, 0x00, 0xE3, 0x41, 0xFC, 0xE7, 0xC5, 0x20, 0x25
, 0xD2, 0xDD, 0x47, 0xFF, 0x27, 0x09, 0x1F, 0x6D, 0x34, 0x6C, 0x8A, 0x0A, 0xEB, 0xAB, 0x13, 0x48
, 0x09, 0xF6, 0x24, 0x24, 0x98, 0x84, 0x22, 0xDD, 0xC1, 0xA1, 0x1C, 0x60, 0x63, 0x06, 0x71, 0xEE
, 0x00, 0x4A, 0x21, 0xBA, 0x1F, 0xAF, 0x4C, 0x03, 0xD2, 0xC7, 0x3F, 0xBA, 0x64, 0x39, 0x35, 0xB4
, 0x44, 0x0B, 0x17, 0x5F, 0xB5, 0x2C, 0x8C, 0x4E, 0xB2, 0xE6, 0x61, 0xB2, 0x23, 0x21, 0x4D, 0xAD
, 0xFB, 0xD4, 0x1D, 0x96, 0x4B, 0xA1, 0xFC, 0x7F, 0xBF, 0x98, 0x78, 0xBB, 0xD3, 0x72, 0xF1, 0xE3
, 0x46, 0x1F, 0x03, 0x4C, 0x05, 0x18, 0x96, 0xC1, 0x47, 0xC0, 0xA0, 0x6F, 0x17, 0x07, 0x11, 0x10
, 0x2B, 0x2D, 0xD4, 0xC8, 0x79, 0xBF, 0xB4, 0x83, 0x75, 0x3D, 0x68, 0x60, 0x33, 0xBB, 0xA4, 0x7A
, 0xC8, 0x52, 0x66, 0x2E, 0xE6, 0xFA, 0x44, 0x32, 0x4A, 0xAE, 0x06, 0xAB, 0x5A, 0x9F, 0xBE, 0x29
, 0x1D, 0x3D, 0xB8, 0xA6, 0xC0, 0xCA, 0x0B, 0x10, 0x38, 0xA4, 0x52, 0x27, 0xBA, 0x61, 0xAC, 0x0A
, 0x3B, 0x0E, 0x86, 0x8F, 0x7A, 0xAF, 0xBA, 0x89, 0x9D, 0x4A, 0x52, 0x33, 0x81, 0x74, 0x6B, 0xDE
, 0x61, 0x26, 0xA5, 0xB4, 0x53, 0xA5, 0x48, 0x47, 0x8E, 0xA8, 0xD7, 0x01, 0x08, 0xA5, 0xDF, 0xF2
, 0x06, 0xDD, 0xD5, 0x45, 0xDC, 0xF3, 0xE0, 0xAD, 0xCB, 0xFD, 0x1E, 0x55, 0x2C, 0x08, 0x63, 0xE2
, 0xF0, 0x5B, 0x39, 0x81, 0x75, 0x50, 0xFB, 0x5C, 0x7E, 0x36, 0x2C, 0x13, 0xBD, 0x8F, 0x6F, 0xE2
, 0xAE, 0xBC, 0xA3, 0x1D, 0x0D, 0x96, 0x2D, 0x91, 0x88, 0xE4, 0x8F, 0x39, 0xE0, 0x99, 0x71, 0x09
, 0xE0, 0xE3, 0x80, 0xEE, 0xD3, 0x57, 0xEF, 0x91, 0x53, 0x3C, 0x5D, 0x00, 0x30, 0x7C, 0x7B, 0x00
, 0x0D, 0x66, 0x28, 0x7E, 0xC9, 0xEA, 0x67, 0x18, 0xAE, 0xD2, 0xC2, 0xB6, 0x25, 0xDD, 0xA4, 0xB7
, 0x1D, 0x92, 0x7A, 0x53, 0xA1, 0xBB, 0xD3, 0xA2, 0x31, 0xF8, 0x2E, 0x49, 0x50, 0x6E, 0xF8, 0x8E
, 0x07, 0x86, 0x16, 0x01, 0x15, 0x47, 0x05, 0x2F, 0x89, 0xBA, 0xD5, 0xE4, 0x8C, 0x29, 0x61, 0xEB
, 0x6E, 0x72, 0x62, 0x47, 0x56, 0xF3, 0x96, 0x70, 0x5C, 0x70, 0xA3, 0x2E, 0x7F, 0x9F, 0x52, 0x66
, 0x54, 0xDD, 0xB2, 0xD0, 0x6A, 0xA8, 0xE0, 0x70, 0xE0, 0xF6, 0xE9, 0xEC, 0x8A, 0xAF, 0x67, 0x10
, 0x9B, 0x7F, 0xBA, 0x32, 0x4D, 0x33, 0xCA, 0xB3, 0xC4, 0x9B, 0xB6, 0x66, 0xDE, 0x62, 0x17, 0x21
, 0x20, 0x90, 0x0C, 0x37, 0x16, 0x50, 0x77, 0x98, 0xDA, 0x50, 0xE0, 0xF7, 0xB5, 0x84, 0xAB, 0x1C
, 0xFB, 0xC0, 0x8F, 0xD7, 0xF1, 0x11, 0x84, 0xE0, 0x8C, 0x1D, 0x57, 0xB0, 0x6D, 0x6E, 0x82, 0x96
, 0x1E, 0xCC, 0x78, 0xBD, 0x3B, 0xA9, 0xC3, 0x83, 0x7C, 0xD5, 0x3F, 0x8F, 0x93, 0xAD, 0xB7, 0x8A
, 0x45, 0x96, 0x21, 0xA6, 0xD5, 0x1D, 0x5D, 0xDC, 0x50, 0x3C, 0x39, 0x71, 0x53, 0xC1, 0x71, 0xE3
, 0x60, 0x42, 0x11, 0x07, 0x06, 0xC1, 0x01, 0xEE, 0x56, 0x5D, 0xED, 0xCA, 0x78, 0xD2, 0x4C, 0xC4
, 0xBE, 0x40, 0x35, 0x9B, 0x54, 0x27, 0x3E, 0x82, 0xE7, 0x48, 0x37, 0xCD, 0x72, 0x3A, 0x95, 0xF9
, 0x8E, 0x25, 0x70, 0x62, 0x98, 0x59, 0xD2, 0x9D, 0x71, 0x06, 0x74, 0xE3, 0x32, 0xA8, 0x1E, 0xB6
, 0xB6, 0x91, 0x64, 0xCD, 0xDC, 0x35, 0x42, 0x1C, 0xDA, 0x57, 0xCB, 0x1F, 0x12, 0x23, 0x21, 0x53
, 0xF4, 0xC6, 0xD5, 0x10, 0x13, 0x24, 0x6C, 0x82, 0x11, 0x63, 0x15, 0xB1, 0x78, 0x61, 0x4E, 0x6D
, 0x87, 0x69, 0xEA, 0x4D, 0xAB, 0xED, 0xF4, 0x2A, 0xB3, 0xB6, 0xE0, 0x6D, 0xDF, 0x20, 0x1F, 0x04
, 0xF4, 0x56, 0xCC, 0xC8, 0xD9, 0x4B, 0x32, 0x3F, 0x9E, 0x10, 0x54, 0xA4, 0xA5, 0xFF, 0xC5, 0x01
, 0x8E, 0xF3, 0x3C, 0x9F, 0xB1, 0x8B, 0x4D, 0xAE, 0x25, 0x94, 0x87, 0x80, 0x70, 0x18, 0xFA, 0xA8
, 0x45, 0xA4, 0x0D, 0xC5, 0xF2, 0xE3, 0x67, 0x08, 0xF8, 0x54, 0x30, 0xF6, 0x9E, 0x3A, 0x05, 0x39
, 0xE4, 0xE8, 0x72, 0x51, 0x47, 0x2F, 0x81, 0x41, 0xF2, 0xE3, 0xE9, 0xEE, 0x9F, 0x76, 0xA3, 0xBC
, 0x94, 0x08, 0xB5, 0x46, 0x11, 0x12, 0x13, 0xBA, 0x53, 0xB0, 0xB6, 0x67, 0xF0, 0xE5, 0x2E, 0x0A
, 0xCA, 0xB2, 0x57, 0x26, 0x2C, 0xCC, 0x2E, 0x19, 0x50, 0xDA, 0xD2, 0x4A, 0xBD, 0xDA, 0x69, 0xEC
, 0xA7, 0x01, 0xD7, 0x95, 0x98, 0x92, 0x49, 0xB4, 0xD6, 0x41, 0x09, 0x1A, 0x39, 0x04, 0x89, 0xD6
, 0xDA, 0xC2, 0x49, 0xB9, 0xDE, 0x98, 0xDB, 0x43, 0x51, 0x66, 0x80, 0x85, 0x6E, 0xA3, 0x11, 0x05
, 0x5B, 0x9F, 0xC3, 0x55, 0x77, 0x7B, 0xC9, 0xE0, 0x52, 0x9E, 0xCE, 0x0A, 0x08, 0xBC, 0x05, 0xE1
, 0xC0, 0xA7, 0x29, 0x3D, 0xB5, 0x2F, 0x8E, 0x3D, 0x84, 0xB8, 0xBD, 0xDF, 0x38, 0x49, 0x65, 0xB4
, 0x1F, 0xB0, 0xC2, 0xEE, 0x7B, 0x57, 0xFE, 0x39, 0x8D, 0x93, 0x12, 0x1E, 0xFB, 0x16, 0x7E, 0x2F
, 0xAF, 0x07, 0x60, 0x78, 0xD9, 0x72, 0x22, 0x53, 0x4C, 0xB4, 0x96, 0xB6, 0xFC, 0xA0, 0x51, 0x45
, 0x2C, 0x1C, 0x81, 0x34, 0x26, 0xE2, 0xA9, 0xF9, 0xA4, 0x20, 0x3F, 0x6B, 0x9B, 0xA4, 0xD8, 0x33
, 0x8C, 0xDC, 0x7F, 0x9D, 0x62, 0xCD, 0x0A, 0xFE, 0x17, 0x6C, 0xC4, 0xCB, 0x7D, 0x46, 0xD9, 0x68
, 0x29, 0x71, 0x9A, 0x7C, 0x8C, 0x3B, 0xCA, 0xCA, 0xA3, 0x62, 0x85, 0x95, 0x6F, 0x7D, 0xE8, 0xAC
, 0xEC, 0x71, 0x6D, 0xE2, 0x61, 0xBA, 0x75, 0x74, 0xCB, 0xE6, 0xBD, 0x80, 0x4D, 0x54, 0x6B, 0x32
, 0xC6, 0x89, 0x24, 0x49, 0x3B, 0xB2, 0xF2, 0x6F, 0xE4, 0xCF, 0x34, 0xDA, 0x19, 0x45, 0xBE, 0x0E
, 0x65, 0x10, 0x0A, 0x4A, 0x0D, 0xD2, 0xFA, 0x51, 0x1B, 0x9B, 0x1D, 0xCE, 0xE2, 0xA9, 0xC8, 0xC0
, 0xFF, 0xFC, 0x63, 0x8D, 0xDE, 0x9E, 0x08, 0xF4, 0xAB, 0x10, 0xCB, 0x30, 0x3C, 0xFE, 0x93, 0x37
, 0x68, 0xFD, 0x08, 0x10, 0x2F, 0x5B, 0x84, 0x28, 0xEB, 0x8F, 0xDC, 0xFB, 0xD8, 0xEC, 0xDB, 0x63
, 0xD5, 0xEF, 0xCB, 0xAC, 0x84, 0xEA, 0x30, 0x92, 0x86, 0xF8, 0xC0, 0x2A, 0x7D, 0xD2, 0x42, 0xB2
, 0x66, 0xC1, 0x0B, 0xB1, 0x88, 0xCF, 0xD7, 0x9A, 0x02, 0x60, 0xC9, 0x05, 0x04, 0x4F, 0x25, 0xB1
, 0x70, 0xBA, 0x8B, 0x96, 0xCE, 0xFF, 0xB0, 0x52, 0x19, 0x70, 0xCD, 0x6E, 0xF5, 0x73, 0xE2, 0x45
, 0x7F, 0x84, 0x23, 0x81, 0xDD, 0x8B, 0x2A, 0xC1, 0x4D, 0x88, 0x17, 0x8F, 0xCC, 0x13, 0x71, 0x11
, 0x0E, 0x13, 0x3A, 0xDB, 0x3A, 0xCD, 0x65, 0xE0, 0x32, 0x51, 0xFE, 0xBA, 0x04, 0x2E, 0x8B, 0x1A
, 0x2C, 0xF1, 0xC7, 0xF8, 0x31, 0x9B, 0xDA, 0x12, 0x9F, 0x60, 0x37, 0x17, 0x6E, 0x0B, 0x51, 0xCD
, 0x68, 0x1F, 0x0A, 0xE9, 0x5B, 0xC1, 0x4B, 0x23, 0x1D, 0xCB, 0x53, 0x4B, 0xC1, 0xB0, 0x7D, 0x7B
, 0xDC, 0x6A, 0x5F, 0x3B, 0xED, 0xD6, 0x48, 0xA8, 0xDB, 0xAB, 0xD9, 0xD4, 0x5D, 0x1F, 0x9C, 0xCA
, 0x6E, 0x83, 0x06, 0x5B, 0xAD, 0xB2, 0xBB, 0x5A, 0x7E, 0xB7, 0xF5, 0x48, 0xAE, 0xB9, 0x76, 0x06
, 0x79, 0xE5, 0x62, 0x07, 0xC7, 0x7E, 0x09, 0xC2, 0x1E, 0x45, 0x12, 0x35, 0xDA, 0x13, 0xC8, 0x77
, 0x7F, 0xE6, 0xFC, 0x1C, 0x4A, 0x24, 0xE6, 0x5C, 0x0A, 0xA0, 0xEF, 0x1C, 0x53, 0xA3, 0xBE, 0xDD
, 0xE7, 0x1D, 0xB1, 0xA3 };
BYTE mykey[] = { 0x3E, 0xEF, 0x1E, 0x4E, 0x0B, 0xC9, 0xD3, 0x92, 0xFA, 0xE3, 0xA7, 0xEF, 0xF5, 0xAF, 0x4F, 0xD4,
0x07, 0x4F, 0x61, 0x02, 0x5A, 0x96, 0xE8, 0x8D, 0xD9, 0xCC, 0x23, 0x80, 0xB2, 0xCF, 0x75, 0xBF };//
BYTE myiv[] = { 0xCB, 0x72, 0x42, 0x60, 0x86, 0x25, 0x0B, 0x91 };//
BYTE privatekey[] = { //FBI公布的BLOB格式RSA2048私钥
0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x32, 0x00, 0x08, 0x00, 0x00
, 0x01, 0x00, 0x01, 0x00, 0xBB, 0xEF, 0x02, 0x46, 0x0B, 0x5E, 0x8C, 0x72, 0x8E, 0xA0, 0xA0, 0x31
, 0xAE, 0x95, 0x33, 0x82, 0xD6, 0x67, 0x89, 0x32, 0xB2, 0xED, 0x92, 0xA8, 0x16, 0x0A, 0xBC, 0x28
, 0xC1, 0x4D, 0x3E, 0x00, 0xA3, 0xDC, 0x48, 0x47, 0x3D, 0xE9, 0x9A, 0xC1, 0x31, 0xAE, 0x41, 0xC5
, 0xE8, 0x22, 0x70, 0x6A, 0x7F, 0x75, 0x98, 0x8F, 0xC6, 0xEB, 0xEE, 0x65, 0x9B, 0x1B, 0x96, 0xD3
, 0x4D, 0xAA, 0x3F, 0x75, 0x0B, 0xA5, 0x75, 0xE7, 0x71, 0xCD, 0x88, 0xA0, 0x77, 0xE0, 0xCB, 0x2F
, 0x33, 0xA2, 0x0D, 0xAB, 0xE4, 0xE3, 0x40, 0x82, 0x3F, 0xD9, 0x95, 0x50, 0xA4, 0x92, 0x56, 0xAA
, 0x77, 0x61, 0x05, 0x75, 0xF2, 0x25, 0x81, 0xDA, 0xA1, 0xBE, 0x30, 0xA7, 0xCB, 0xDA, 0x2B, 0xA3
, 0x9E, 0x85, 0xAB, 0x03, 0x8D, 0xBB, 0xD3, 0xF0, 0xBB, 0x9C, 0x71, 0x9A, 0xD4, 0x98, 0xCF, 0xC6
, 0xC2, 0xA8, 0x62, 0x84, 0x32, 0x85, 0x4C, 0x1B, 0x2C, 0xFF, 0xE4, 0xD8, 0xD9, 0xE5, 0x2A, 0xBB
, 0x18, 0x06, 0x08, 0x6A, 0xF4, 0xD8, 0xD1, 0x8D, 0x00, 0xE3, 0x41, 0xFC, 0xE7, 0xC5, 0x20, 0x25
, 0xD2, 0xDD, 0x47, 0xFF, 0x27, 0x09, 0x1F, 0x6D, 0x34, 0x6C, 0x8A, 0x0A, 0xEB, 0xAB, 0x13, 0x48
, 0x09, 0xF6, 0x24, 0x24, 0x98, 0x84, 0x22, 0xDD, 0xC1, 0xA1, 0x1C, 0x60, 0x63, 0x06, 0x71, 0xEE
, 0x00, 0x4A, 0x21, 0xBA, 0x1F, 0xAF, 0x4C, 0x03, 0xD2, 0xC7, 0x3F, 0xBA, 0x64, 0x39, 0x35, 0xB4
, 0x44, 0x0B, 0x17, 0x5F, 0xB5, 0x2C, 0x8C, 0x4E, 0xB2, 0xE6, 0x61, 0xB2, 0x23, 0x21, 0x4D, 0xAD
, 0xFB, 0xD4, 0x1D, 0x96, 0x4B, 0xA1, 0xFC, 0x7F, 0xBF, 0x98, 0x78, 0xBB, 0xD3, 0x72, 0xF1, 0xE3
, 0x46, 0x1F, 0x03, 0x4C, 0x05, 0x18, 0x96, 0xC1, 0x47, 0xC0, 0xA0, 0x6F, 0x17, 0x07, 0x11, 0x10
, 0x2B, 0x2D, 0xD4, 0xC8, 0x79, 0xBF, 0xB4, 0x83, 0x75, 0x3D, 0x68, 0x60, 0x33, 0xBB, 0xA4, 0x7A
, 0xC8, 0x52, 0x66, 0x2E, 0xE6, 0xFA, 0x44, 0x32, 0x4A, 0xAE, 0x06, 0xAB, 0x5A, 0x9F, 0xBE, 0x29
, 0x1D, 0x3D, 0xB8, 0xA6, 0xC0, 0xCA, 0x0B, 0x10, 0x38, 0xA4, 0x52, 0x27, 0xBA, 0x61, 0xAC, 0x0A
, 0x3B, 0x0E, 0x86, 0x8F, 0x7A, 0xAF, 0xBA, 0x89, 0x9D, 0x4A, 0x52, 0x33, 0x81, 0x74, 0x6B, 0xDE
, 0x61, 0x26, 0xA5, 0xB4, 0x53, 0xA5, 0x48, 0x47, 0x8E, 0xA8, 0xD7, 0x01, 0x08, 0xA5, 0xDF, 0xF2
, 0x06, 0xDD, 0xD5, 0x45, 0xDC, 0xF3, 0xE0, 0xAD, 0xCB, 0xFD, 0x1E, 0x55, 0x2C, 0x08, 0x63, 0xE2
, 0xF0, 0x5B, 0x39, 0x81, 0x75, 0x50, 0xFB, 0x5C, 0x7E, 0x36, 0x2C, 0x13, 0xBD, 0x8F, 0x6F, 0xE2
, 0xAE, 0xBC, 0xA3, 0x1D, 0x0D, 0x96, 0x2D, 0x91, 0x88, 0xE4, 0x8F, 0x39, 0xE0, 0x99, 0x71, 0x09
, 0xE0, 0xE3, 0x80, 0xEE, 0xD3, 0x57, 0xEF, 0x91, 0x53, 0x3C, 0x5D, 0x00, 0x30, 0x7C, 0x7B, 0x00
, 0x0D, 0x66, 0x28, 0x7E, 0xC9, 0xEA, 0x67, 0x18, 0xAE, 0xD2, 0xC2, 0xB6, 0x25, 0xDD, 0xA4, 0xB7
, 0x1D, 0x92, 0x7A, 0x53, 0xA1, 0xBB, 0xD3, 0xA2, 0x31, 0xF8, 0x2E, 0x49, 0x50, 0x6E, 0xF8, 0x8E
, 0x07, 0x86, 0x16, 0x01, 0x15, 0x47, 0x05, 0x2F, 0x89, 0xBA, 0xD5, 0xE4, 0x8C, 0x29, 0x61, 0xEB
, 0x6E, 0x72, 0x62, 0x47, 0x56, 0xF3, 0x96, 0x70, 0x5C, 0x70, 0xA3, 0x2E, 0x7F, 0x9F, 0x52, 0x66
, 0x54, 0xDD, 0xB2, 0xD0, 0x6A, 0xA8, 0xE0, 0x70, 0xE0, 0xF6, 0xE9, 0xEC, 0x8A, 0xAF, 0x67, 0x10
, 0x9B, 0x7F, 0xBA, 0x32, 0x4D, 0x33, 0xCA, 0xB3, 0xC4, 0x9B, 0xB6, 0x66, 0xDE, 0x62, 0x17, 0x21
, 0x20, 0x90, 0x0C, 0x37, 0x16, 0x50, 0x77, 0x98, 0xDA, 0x50, 0xE0, 0xF7, 0xB5, 0x84, 0xAB, 0x1C
, 0xFB, 0xC0, 0x8F, 0xD7, 0xF1, 0x11, 0x84, 0xE0, 0x8C, 0x1D, 0x57, 0xB0, 0x6D, 0x6E, 0x82, 0x96
, 0x1E, 0xCC, 0x78, 0xBD, 0x3B, 0xA9, 0xC3, 0x83, 0x7C, 0xD5, 0x3F, 0x8F, 0x93, 0xAD, 0xB7, 0x8A
, 0x45, 0x96, 0x21, 0xA6, 0xD5, 0x1D, 0x5D, 0xDC, 0x50, 0x3C, 0x39, 0x71, 0x53, 0xC1, 0x71, 0xE3
, 0x60, 0x42, 0x11, 0x07, 0x06, 0xC1, 0x01, 0xEE, 0x56, 0x5D, 0xED, 0xCA, 0x78, 0xD2, 0x4C, 0xC4
, 0xBE, 0x40, 0x35, 0x9B, 0x54, 0x27, 0x3E, 0x82, 0xE7, 0x48, 0x37, 0xCD, 0x72, 0x3A, 0x95, 0xF9
, 0x8E, 0x25, 0x70, 0x62, 0x98, 0x59, 0xD2, 0x9D, 0x71, 0x06, 0x74, 0xE3, 0x32, 0xA8, 0x1E, 0xB6
, 0xB6, 0x91, 0x64, 0xCD, 0xDC, 0x35, 0x42, 0x1C, 0xDA, 0x57, 0xCB, 0x1F, 0x12, 0x23, 0x21, 0x53
, 0xF4, 0xC6, 0xD5, 0x10, 0x13, 0x24, 0x6C, 0x82, 0x11, 0x63, 0x15, 0xB1, 0x78, 0x61, 0x4E, 0x6D
, 0x87, 0x69, 0xEA, 0x4D, 0xAB, 0xED, 0xF4, 0x2A, 0xB3, 0xB6, 0xE0, 0x6D, 0xDF, 0x20, 0x1F, 0x04
, 0xF4, 0x56, 0xCC, 0xC8, 0xD9, 0x4B, 0x32, 0x3F, 0x9E, 0x10, 0x54, 0xA4, 0xA5, 0xFF, 0xC5, 0x01
, 0x8E, 0xF3, 0x3C, 0x9F, 0xB1, 0x8B, 0x4D, 0xAE, 0x25, 0x94, 0x87, 0x80, 0x70, 0x18, 0xFA, 0xA8
, 0x45, 0xA4, 0x0D, 0xC5, 0xF2, 0xE3, 0x67, 0x08, 0xF8, 0x54, 0x30, 0xF6, 0x9E, 0x3A, 0x05, 0x39
, 0xE4, 0xE8, 0x72, 0x51, 0x47, 0x2F, 0x81, 0x41, 0xF2, 0xE3, 0xE9, 0xEE, 0x9F, 0x76, 0xA3, 0xBC
, 0x94, 0x08, 0xB5, 0x46, 0x11, 0x12, 0x13, 0xBA, 0x53, 0xB0, 0xB6, 0x67, 0xF0, 0xE5, 0x2E, 0x0A
, 0xCA, 0xB2, 0x57, 0x26, 0x2C, 0xCC, 0x2E, 0x19, 0x50, 0xDA, 0xD2, 0x4A, 0xBD, 0xDA, 0x69, 0xEC
, 0xA7, 0x01, 0xD7, 0x95, 0x98, 0x92, 0x49, 0xB4, 0xD6, 0x41, 0x09, 0x1A, 0x39, 0x04, 0x89, 0xD6
, 0xDA, 0xC2, 0x49, 0xB9, 0xDE, 0x98, 0xDB, 0x43, 0x51, 0x66, 0x80, 0x85, 0x6E, 0xA3, 0x11, 0x05
, 0x5B, 0x9F, 0xC3, 0x55, 0x77, 0x7B, 0xC9, 0xE0, 0x52, 0x9E, 0xCE, 0x0A, 0x08, 0xBC, 0x05, 0xE1
, 0xC0, 0xA7, 0x29, 0x3D, 0xB5, 0x2F, 0x8E, 0x3D, 0x84, 0xB8, 0xBD, 0xDF, 0x38, 0x49, 0x65, 0xB4
, 0x1F, 0xB0, 0xC2, 0xEE, 0x7B, 0x57, 0xFE, 0x39, 0x8D, 0x93, 0x12, 0x1E, 0xFB, 0x16, 0x7E, 0x2F
, 0xAF, 0x07, 0x60, 0x78, 0xD9, 0x72, 0x22, 0x53, 0x4C, 0xB4, 0x96, 0xB6, 0xFC, 0xA0, 0x51, 0x45
, 0x2C, 0x1C, 0x81, 0x34, 0x26, 0xE2, 0xA9, 0xF9, 0xA4, 0x20, 0x3F, 0x6B, 0x9B, 0xA4, 0xD8, 0x33
, 0x8C, 0xDC, 0x7F, 0x9D, 0x62, 0xCD, 0x0A, 0xFE, 0x17, 0x6C, 0xC4, 0xCB, 0x7D, 0x46, 0xD9, 0x68
, 0x29, 0x71, 0x9A, 0x7C, 0x8C, 0x3B, 0xCA, 0xCA, 0xA3, 0x62, 0x85, 0x95, 0x6F, 0x7D, 0xE8, 0xAC
, 0xEC, 0x71, 0x6D, 0xE2, 0x61, 0xBA, 0x75, 0x74, 0xCB, 0xE6, 0xBD, 0x80, 0x4D, 0x54, 0x6B, 0x32
, 0xC6, 0x89, 0x24, 0x49, 0x3B, 0xB2, 0xF2, 0x6F, 0xE4, 0xCF, 0x34, 0xDA, 0x19, 0x45, 0xBE, 0x0E
, 0x65, 0x10, 0x0A, 0x4A, 0x0D, 0xD2, 0xFA, 0x51, 0x1B, 0x9B, 0x1D, 0xCE, 0xE2, 0xA9, 0xC8, 0xC0
, 0xFF, 0xFC, 0x63, 0x8D, 0xDE, 0x9E, 0x08, 0xF4, 0xAB, 0x10, 0xCB, 0x30, 0x3C, 0xFE, 0x93, 0x37
, 0x68, 0xFD, 0x08, 0x10, 0x2F, 0x5B, 0x84, 0x28, 0xEB, 0x8F, 0xDC, 0xFB, 0xD8, 0xEC, 0xDB, 0x63
, 0xD5, 0xEF, 0xCB, 0xAC, 0x84, 0xEA, 0x30, 0x92, 0x86, 0xF8, 0xC0, 0x2A, 0x7D, 0xD2, 0x42, 0xB2
, 0x66, 0xC1, 0x0B, 0xB1, 0x88, 0xCF, 0xD7, 0x9A, 0x02, 0x60, 0xC9, 0x05, 0x04, 0x4F, 0x25, 0xB1
, 0x70, 0xBA, 0x8B, 0x96, 0xCE, 0xFF, 0xB0, 0x52, 0x19, 0x70, 0xCD, 0x6E, 0xF5, 0x73, 0xE2, 0x45
, 0x7F, 0x84, 0x23, 0x81, 0xDD, 0x8B, 0x2A, 0xC1, 0x4D, 0x88, 0x17, 0x8F, 0xCC, 0x13, 0x71, 0x11
, 0x0E, 0x13, 0x3A, 0xDB, 0x3A, 0xCD, 0x65, 0xE0, 0x32, 0x51, 0xFE, 0xBA, 0x04, 0x2E, 0x8B, 0x1A
, 0x2C, 0xF1, 0xC7, 0xF8, 0x31, 0x9B, 0xDA, 0x12, 0x9F, 0x60, 0x37, 0x17, 0x6E, 0x0B, 0x51, 0xCD
, 0x68, 0x1F, 0x0A, 0xE9, 0x5B, 0xC1, 0x4B, 0x23, 0x1D, 0xCB, 0x53, 0x4B, 0xC1, 0xB0, 0x7D, 0x7B
, 0xDC, 0x6A, 0x5F, 0x3B, 0xED, 0xD6, 0x48, 0xA8, 0xDB, 0xAB, 0xD9, 0xD4, 0x5D, 0x1F, 0x9C, 0xCA
, 0x6E, 0x83, 0x06, 0x5B, 0xAD, 0xB2, 0xBB, 0x5A, 0x7E, 0xB7, 0xF5, 0x48, 0xAE, 0xB9, 0x76, 0x06
, 0x79, 0xE5, 0x62, 0x07, 0xC7, 0x7E, 0x09, 0xC2, 0x1E, 0x45, 0x12, 0x35, 0xDA, 0x13, 0xC8, 0x77
, 0x7F, 0xE6, 0xFC, 0x1C, 0x4A, 0x24, 0xE6, 0x5C, 0x0A, 0xA0, 0xEF, 0x1C, 0x53, 0xA3, 0xBE, 0xDD
, 0xE7, 0x1D, 0xB1, 0xA3 };
BYTE mykey[] = { 0x3E, 0xEF, 0x1E, 0x4E, 0x0B, 0xC9, 0xD3, 0x92, 0xFA, 0xE3, 0xA7, 0xEF, 0xF5, 0xAF, 0x4F, 0xD4,
0x07, 0x4F, 0x61, 0x02, 0x5A, 0x96, 0xE8, 0x8D, 0xD9, 0xCC, 0x23, 0x80, 0xB2, 0xCF, 0x75, 0xBF };//
BYTE myiv[] = { 0xCB, 0x72, 0x42, 0x60, 0x86, 0x25, 0x0B, 0x91 };//
//1.读取注册表 HKEY_CURRENT_USER\Software\keys_data\data内容
QueryRegister(QUERYDATA);printf("被rsa2048加密的salsa20key:\n");
for (i = 4; i < 260; i++) //取4h到104h共100字节内容
{ printf("%x", QUERYDATA[i]);
SALSA20KEY[i-4] = QUERYDATA[i];
}printf("\n被rsa2048加密的salsa20iv:\n");
for (i = 260; i < 516; i++) //取104h到204h共100字节内容
{ printf("%x", QUERYDATA[i]);
SALSA20IV[i - 260] = QUERYDATA[i];
}printf("\n被salsa20加密的randomrsa2048privatekey:\n");
for (i = 516; i < 1688; i++) //取剩余字节内容为RSA私钥
{ printf("%x", QUERYDATA[i]);
RSA2048PRIVATE[i - 516] = QUERYDATA[i];
}//1.读取注册表 HKEY_CURRENT_USER\Software\keys_data\data内容
QueryRegister(QUERYDATA);printf("被rsa2048加密的salsa20key:\n");
for (i = 4; i < 260; i++) //取4h到104h共100字节内容
{ printf("%x", QUERYDATA[i]);
SALSA20KEY[i-4] = QUERYDATA[i];
}printf("\n被rsa2048加密的salsa20iv:\n");
for (i = 260; i < 516; i++) //取104h到204h共100字节内容
{ printf("%x", QUERYDATA[i]);
SALSA20IV[i - 260] = QUERYDATA[i];
}printf("\n被salsa20加密的randomrsa2048privatekey:\n");
for (i = 516; i < 1688; i++) //取剩余字节内容为RSA私钥
{ printf("%x", QUERYDATA[i]);
RSA2048PRIVATE[i - 516] = QUERYDATA[i];
}//2.利用RSA公钥解密salsa20的密钥
DWORD dwDataLength = MAX_PATH; //其实本来有108字节,但是iv生成时有前8字节被iv覆盖掉,所以总共是208字节。但这样并不影响解密
DWORD privatesize = sizeof(privatekey);
HCRYPTPROV hCryptProv1, hCryptProv2;hCryptProv1 = RsaDecrypt1(privatekey, privatesize, SALSA20KEY, dwDataLength);
printf("\n解密出slasa20key:\n");
for (i = 0; i < 32; i++) //存储20字节key
{ printf("%x", SALSA20KEY[i]);
SALSA20KEY2[i] = SALSA20KEY[i]; //从这里取出salsa20key。。。。。。。。。。。。。。。。。。。。。。。。。。
}DWORD dwDataLength2 = MAX_PATH;
hCryptProv2=RsaDecrypt1(privatekey, privatesize, SALSA20IV, dwDataLength2);
printf("\n解密出slasa20IV:\n");
for (i = 0; i < 8; i++) //存储8字节iv
{ printf("%x", SALSA20IV[i]);
SALSA20IV2[i] = SALSA20IV[i]; //从这里取出salsa20iv。。。。。。。。。。。。。。。。。。。。。。。。。。。。
}//2.利用RSA公钥解密salsa20的密钥
DWORD dwDataLength = MAX_PATH; //其实本来有108字节,但是iv生成时有前8字节被iv覆盖掉,所以总共是208字节。但这样并不影响解密
DWORD privatesize = sizeof(privatekey);
HCRYPTPROV hCryptProv1, hCryptProv2;hCryptProv1 = RsaDecrypt1(privatekey, privatesize, SALSA20KEY, dwDataLength);
printf("\n解密出slasa20key:\n");
for (i = 0; i < 32; i++) //存储20字节key
{ printf("%x", SALSA20KEY[i]);
SALSA20KEY2[i] = SALSA20KEY[i]; //从这里取出salsa20key。。。。。。。。。。。。。。。。。。。。。。。。。。
}DWORD dwDataLength2 = MAX_PATH;
hCryptProv2=RsaDecrypt1(privatekey, privatesize, SALSA20IV, dwDataLength2);
printf("\n解密出slasa20IV:\n");
for (i = 0; i < 8; i++) //存储8字节iv
{ printf("%x", SALSA20IV[i]);
SALSA20IV2[i] = SALSA20IV[i]; //从这里取出salsa20iv。。。。。。。。。。。。。。。。。。。。。。。。。。。。
} //3.利用salsa20的密钥解密出随机申请的RSA私钥
string cipher;
BYTE *KEY;
KEY = salsa20A(cipher);
BYTE RANDOMRSAKEY[sizeof(RSA2048PRIVATE)] = { 0 };
printf("\n解密出的随机生成的RSA公钥:\n");
for (i = 0; i < sizeof(RSA2048PRIVATE); i++) //存储8字节iv
{
printf("%x", *(KEY+i));
RANDOMRSAKEY[i] = *(KEY + i);
}
//4.全盘文件遍历,判断文件后缀是否为.KARB,这是文件感染的标志
//封装处,下面5.6步均需写入到文件遍历判断成功后
//5.读取每个文件末尾处后200字节内容,解密出加密每个文件用的不同salsa20密钥,删除同目录下的txt文件
BYTE bufferreadkey[256] = { 0 }; //读取末尾208字节,其中前100字节可以解密出SALSA20KEY
BYTE bufferreadiv[264] = { 0 }; //后108字节可以解密出SALSA20IV
DWORD NumberOfBytesRead = 0x80;
HANDLE hfile = CreateFile(L"C:\\example.KRAB", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
DWORD FileSizeHigh;
SetFilePointer(hfile, -264, 0, FILE_END);
ReadFile(hfile, bufferreadiv, sizeof(bufferreadiv), &NumberOfBytesRead, 0);
SetFilePointer(hfile, -520, 0, FILE_END);
ReadFile(hfile, bufferreadkey, sizeof(bufferreadkey), &NumberOfBytesRead, 0);
dwDataLength = MAX_PATH;
RsaDecrypt2(hCryptProv1,RANDOMRSAKEY, sizeof(RANDOMRSAKEY), bufferreadkey, dwDataLength);
printf("\n解密出slasa20key:\n");
for (i = 0; i < 32; i++) //存储20字节key
{
printf("%x", bufferreadkey[i]);
SALSA20KEYFINAL[i] = bufferreadkey[i];
}
dwDataLength = MAX_PATH; //必须重定义
RsaDecrypt2(hCryptProv2,RANDOMRSAKEY, sizeof(RANDOMRSAKEY), bufferreadiv, dwDataLength);
printf("\n解密出slasa20iv:\n");
for (i = 0; i < 8; i++) //存储20字节key
{
printf("%x", bufferreadiv[i]);
SALSA20IVFINAL[i] = bufferreadiv[i];
}
//6.用salsa20密钥解密出原文件内容,删除文件的KRAB后缀,删除后面208个字节
DWORD FileSize;
FileSize = GetFileSize(hfile, &FileSizeHigh);
DWORD RealFileSize = FileSize - 520;
BYTE * filebuffer = new BYTE[FileSize];
HANDLE hFile = CreateFile(L"C:\\Gandcrab4.clean", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
// while (TOTALDECRYPT < FileSize)//不能循环解密,不是从头开始的解密结果都是错的,第二次调用就是错的
// {
SetFilePointer(hfile, 0, 0, FILE_BEGIN);
ReadFile(hfile, filebuffer, RealFileSize, &NumberOfBytesRead, 0);//这个时候读取的全部文件的buffer
string cipher2;
BYTE *KEY2 = NULL;
KEY2 = salsa20B(cipher2, filebuffer, RealFileSize,hFile);
// };
//3.利用salsa20的密钥解密出随机申请的RSA私钥
string cipher;
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2020-9-21 20:17
被绝望的皮卡丘编辑
,原因: 删除注释
