Reversing WannaCry Part 2 - Diving into the malware with #Ghidra

This is a content that surely is not expected to go viral on YT, but is a treat to watch for people with some coding knowledge and curious minds, thanks for creating this!

With this guy's ability it wouldn't surprise me that part 3 ends with the malware creator tied to a chair and asking forgiveness. He's going serious with this. Absolutely awesome.

Just got the first part recommended. These two videos taught me a lot about how to use Ghidra so keep up the great work.
I also really like the flow diagrams you're drawing as they give a great overview.
You got a new subscriber and I hope you'll upload more regularly now.

plot twist: he created the virus and now he's just playing with us

Awesome! I remember doing same with IdaPRO in terminal. But back in my time the viruses has much simpler code :)Thanks !

Love it! It's amazing how it's possible to turn compiled code back into regular uncompiled code.

Finally some good reverse engineering videos, I understood everything


Waiting for part 3 now

So glad you showed your research into this! Thank you for your time figuring out this puzzle. :)

Thank you for creating this series, very helpful in learning to RE and everything is explained clearly.

Part 3 should be very interesting!

Hell yeah! Been waiting for this since part 1

I hope you keep putting out content and that you ll find the time to do videos more frequently. Great Video!

Love your work.Please keep it going

Again: absolutely incredible work on your side.



How great would it be if Ghidra/Cutter/Hopper could have all those repeated tasks automated or at least suggested, either through a pattern matching or an AI which is feed by all the reverse engineers around the world. Candidates are: The OOAnalyzer, function renaming, multiple sequential char arrays, byte cleanup, no-return hinting, struct imports for pointer constructs in decompilation, etc. I would definitely fund such a project!

Great video! Very insightful! Post more like this!

Can you recommend any good books you read personally on the subject? I know it's a vast topic and I have a hard time to go deeper than reversing some entry level crackmes and making patches.

You just gained a like, as sub, and a bell notification user. I'm amazed how much you can understand from so few words on each line. Really good work bro :D

After 2 rewind I'm still half-understood. But man this is really good for sleep when listening at night.

Can't wait for part 3 :)

Imagine to be the creator of WannaCry and watching it

This video is so interesting. I look forward to the next part. All the best

looking forward to part III

You are insane, keep them coming

That's really nice and deep
Looking forward for more series of videos ..

Can't wait for open source malware!

Waiting for part 3!

You have to admit, the inventor who made wannacry is an intelligent human being

Question: So far in Part 1 and Part 2 I don't think we've actually seen any "exploit" right? Just want to make sure I'm following along correctly. It appears its so far just been a bootstrap / setup process so far using Win32 APIs. All of which you'd need administrator privileges to run right?

Great video! Thanks sharing this!

Such a nice video. Liked+subscribed, pls continue doing videos

Waiting for part 3 next week or so

thank god part 2 came out!!

Long have we waited! Glad to have you back :)

Good videos bruh, i hope you keep it up

Very imformative!! Keep it up!!

Heyo, very new to reverse engineering here, though i saw that some things that for example bitcoin adresses are shown while reverse engineering thanks to your video, can any person that's reverse engineering this just change that and then relaunch it? Or do most "hackers" that still use wannacry just launch it without changing anything? But I'm guessing it's not really active anymore and can't be used thanks to the killswitch?

At last, I've been looking forward to this!

I don't know why this is in my recommendation and didn't understood a single word you said. But I'm sure you're doing a great job at whatever you're doing 👍🏻

Nice work and video!

Brilliant stuff!

finally, that's why i subscribed to your channel

Thanks for these videos

3:24: installing Pharos for C++ analysis - by using "docker pull seipharos/pharos"

*One-Winged Angel* starts playing...

top 10 unexpected sequels

0:39 isn't that check redundant since tasksche.exe was run with the /i argument?

finally , I've been waiting for this.

PART 3 PLS

WannaCry dude was not from this planet......... Totally a Legend....!!

Hey man can you tell me the part where actual encryption take place

Yesterday I got attacked by .ghas, from the djvu family and I was wondering if it can also be reverse engineered like that?

Bro this is the best analyses I saw , But please slow down the video little bit so we can follow xD

i hope you never be interested to write a virus
thanks a lot , keep going i enjoy your videos more than netflix <3
i just wrote a printf("hello world"); C app
but couldn't decompile it, cause there was lots of codes there XD

almost forgot about this series

Glad you're back!

was waiting for this video!!

Wannacry 2.0 is on the way :D

When will be the part.3 !!!

I want to make a reverse engineering tool like Ghidra or a tool to view the assembly code of a program can someone help?

cool. thanks 👍👍

When Ghidra doesn't work sometimes you should check if you don't have WannaCry installed... (ik bad joke..)

dude you are so fucking good at this

continue please~1

Maybe you can show how 2 de-compile some djy drone firmware as education purpose or other advanced stuff.It would be interesting to see... :)

Send this video to normal people to scare them 😁

very good！

This means that the leaked keys are all equals?

Nice, I had nothing to watch until this popped up. See you in part 1.

decompile windows for next project

The maker of WannaCry should be wannacry now if they watch this

Man comeon.... Part threeeeeeeeeeee😢

How ? How did you know I want to learn how to analysis malware ? Get off my PC!!

man this is insane

Go to the legit one 🖕 PM he's very good on this.

Dude finally!!

:) This is cool

In your future videos, don't jump around as much please, and thank you.

NSA joined the chat

Finally!!!

what is the main language that Wannacry is written with? is it C or C+ !?

I hope your next project is going to be nmcrypt.

From your explanation i feel you are the founder of wannacry ,,😂

"tasksche.exe" is short for TaskScheduler so "task A dot ex uh" just sounds wrong. :)

<3 enjoyed

Why we don't create "wannalaugh.exe"?

hallelujah part 2 finaly

What's in the deep web [dot]onion links from part 1?

Good to know reverse engineering only takes around a year.

What abt those .onion addresses u got in part 1 ??

Can anyone help me out with installation process of OOAnalyzer please?

Super cool

brain.exe has stopped working

Renaming simulator 2021

simple have important data on pc ? get and external HDD ( they are cheap ) backup offline your data and just format pc if you get this crap !!

FINALLY

holy cats, i will need a life time to learn assembly, you will be my best friend if you teach me how to find games functions with IDA 😘💓

holy shit i want to learn it but you are highest level and i dont umderstand anything.

Mac OS X ! Yay !

do you want to kill wannacry programmers in real life without any weapons ??
just show them this series

Please increase your bitrates

Bruh makes a follow up video after 10 months and doesnt acknowledge the time gap lol

so yeah, part 2 of still not understanding anything
help

you r grt

As far as for this convoluted shit show, it would have been better to code the entire thing cleanly into one monolithic executable and then worry about obfuscation. Kind of begs me to make a better wannacry. The only thing I would add is a message box right in the middle of the decryption process. It will read "This is what happens to people who don't back up. Deep down you and I know you deserve this, at least in part".

YES!

Im not into coding or something like this so i dont know why this is getting recommended to me but in the start he said that WannaCry try to connect to a URL and if it succeed it does nothing, so if a computer is connected to the internet, why is it unable to connect to this URL?

Welcome back! :P

This vid has 666 likes 0_o

fuck you have great content

How to get that CERT menubar in ghidra?

yeaaaa finally

nerding over 9001

Soup scoop

what's next????

You have a nice dialekt, where are u from?

never play Dota 2 please!!

10 months LATER

It takes almost 1 year!?? damn.

Why did it take so long for part 2..

Just FYI. Ghidra was developed by NSA

Yeah...

Ew you use apple products

let's hope this won't get used as a malware tutorial

Come on mate do it on the newest active malware nowdays

This guy uses mac. I wonder if operating system matters...