Good to know WannaCry cleans up its temporary files. There's nothing worse than ransomware that doesn't clean up after itself!
As mostly a regular guy, with a bit of programming knowledge... I don’t know why, but I had assumed that the core of the malware would be far less refined than it is. There are checks for things I wouldn’t have considered. It’s like they wanted to make sure they didn’t actually hurt your data... you know... as long as you paid them, I mean.
You can't display the ransom messages on a machine that doesn't boot anymore.
Well, there are rumors that this ransomware was brought by North Korea, so I guess if it is true, they would want to get some money and "terrorize the western civilization", but they would not want to get a warhead launched at their territory....
@Kudret Spyrou No, I'm sure you're behind it!
Of course, I only say that so that you notice how damn stupid accusations are without evidence. Of course I have nothing against stupid chatter / a good joke. Keep going.
Well it is a business. A fishy business, but it is a business. So they likely have a quality assurance department.
But there is nothing special or any knowledge that otherwise should be good practice in the industry. That a budget gets cut and the code quality suffers from it is an old hat.
The only thing you can learn from malware authors is that you later have a lot of time in prison to deepen your research. In my opinion, the artistic or interesting examples come from game programmers, anti-piracy measures or the elegant solution of mathematical problems on limited hardware.
This series was very interesting. Again, I myself don't have a lot of programming knowledge, but I understand the systematic sequence of events, which is interesting nonetheless. I have the feeling though that a 4th video would be greatly welcomed where he could go into the "unlocking" mechanics, and how the ransomware verified that you paid the bitcoin "ransom" and if there is a way to spoof it. Also, again correct me if I'm wrong, but was it said that one of the 2 128-bit encryption keys is in the header of every encrypted file? I would like to see more details of how the decryption process worked after a verified payment. Honestly I was hoping he would go into that in this video.
@JustWasted3HoursHere Yep! Because the media tells me, it means it's true
I can barely make a basic calculator in Python, but for some reason I watched this whole C++ RE video lol. I always found malware fascinating, and seeing this being taken apart is really cool. Thank you!
Great to know even WannaCry is multi-threaded
Great to see more RE content on YouTube. Keep it up.
Oh hi
Great vid, I'm wondering which program you use to make the orchards and the step-by-step graphs of the malware? I could use something similar for my cases too. Also you are one of the few people I have seen cleanly organise the decompiled code rather than just slapping post-it notes next to it, kudos for that.
You are an inspiration dude. I've always wanted to try software reverse engineering
Can you make a video as a guide to the Ghidra IDE? A comprehensive tour of all its features and how to use them on a code sample. Ghidra has a lot of buttons, bells, and whistles, and I don't know what any of them do. So a tutorial about finding your way around the IDE would be great.
So the reason for including the embedded RSA key is to facilitate the partial decryption while allowing them to use the same encryption method, just by switching the key? Because it looks to me that using it just to obfuscate a bunch of WannaCry files (as seen in one of the previous parts) is a bit of an overkill.
It could literally just be to obfuscate a bunch of wannacry files. Perhaps they considered those files in particular to be the weak point of the program, and put extra care into encrypting them; just to avoid the chances of it being possible to correctly guess the obfuscation method.
Finally made it to the end, after so many months. Thanks a lot for this series!
Would you ever do a part 4 looking at the decryptor and mainly how the C2 protocol works? I've never seen anyone talk about it, only the worm and the encryptor mainly.
Quality content, thank you.
What does it do if the rand() doesn't execute >10 times? Either by not enough files or just by chance?
It also doesn't seem to count to 10. So maybe more than 10 are actually decryptable ^^
That was great. In the final part, you need to write a program that decrypts files :DDD
yes please do write a program to decrypt wannacry encrypted files!!
@Surya Teja K WannaCry uses AES and RSA to encrypt the files, I don't think you will have any hope getting them back
It's most likely not possible unless you read the memory and find the key and use their same algorithm
@:K oh nice! What's it called?
When decrypting the 10 files, how does it differentiate between the embedded-key encryption and the regular encryption? I assume it looks at headers. How would it find those 10 files out of all files? Does it do a search of all drives for those files?
They can do that a few ways. They can simply keep a list around of those files, mark it in the header, or, RSA also has the property where the padding check will fail when decrypted with the wrong key - so you can just blindly try your private key, and if it fails, you have a way of knowing and aborting. I haven't RE'd this ransomware, but just assuming what could be done based on how many other ransomware do it.
Make part 4 please, I've been waiting!
If you set up a Patreon to help subsidize the time spent creating these videos, I would definitely subscribe.
Thank you for posting this. I had all but given up hope.
Why are you not using ENUMs for all of those `filetypes`? The code becomes much more readable..?
How much time do I need to get to this knowledge level
Awesome video, respect!! How about RE of Petya/MEMZ/CEREBO?
So where did the key come from and also what were the .onion websites used for?
Dude you are good, I am trying to get as good as you.
I really love this video and how you reverse this thing. BTW, can you reverse Bonzi Buddy too?
On the set-array-to-all-zero that Ghidra doesn't understand: maybe function inlining?
Would you be able to do something like reverse engineer and patch the Decryptor .exe and make it so that the decrypt button decrypts everything? (without a payment)
8:40, can't we use this knowledge in order to put some very important files inside these folders to protect them against ransomware?
If all ransomware work the same 😅🤷♂️
But I think it would not be a bad approach because the system needs files to run. If you place them between those, the ransomware first needs a logic to decide which are essential and which aren't
@Ivan Heinzer I thought more about it, and I think it would be a nice idea to make your device give off "Virtual Machine" vibes while it's actually not, so malware gets spooked and stops running. (I actually don't know how you can fake being a virtual machine though)
Could you reverse the musallat.exe virus for the next series?
Does anyone know where I can find the WannaCry binary? I would like to play along at home. Yes I know this is really bad software but I have an air-gapped computer with VirtualBox installed on it for just this kind of experimentation.
It’s linked in the description of part 1!
@stacksmashing Oops, sorry, I already found it on my own. Thank you for the quick response and thank you for the video.
No worries, glad you like it!
Can you disassemble the ex4_to_mq4 decompiler :)
OMG I have been waiting for this for sooooooooooooo long!!!!
Great Video! :D
Part 4!!!! I want to see a key decrypt generator
So, is it possible to write code to unencrypt all the files?
Legend has it that some executables can detect that you are decompiling them and at the same time run some defensive script or destruction command. Would you have an example of this? How can we avoid the first trap?
Detecting decompiling is as such not possible, as the binary is never executed. The only way this would work is if the executable contained an exploit for whatever tool you are loading it in.
Thanks for your answer, just two last questions... If someone is logically monitoring us (RAT), they will use a port that we could realize by monitoring the established connections. Is it possible that the attacker could hide that? Same question for a man-in-the-middle attack.
FWIW, there is sometimes anti-debugging code, since the debuggers need to actually run the code.
Yes, I found some information in the book of the Cat (Tamper proof). This led me to read about kernels, compilers, malware analysis. I finally ended up in computer forensics but there isn't much on this. In my country it is a concept born only two years ago. I don't know anyone in the business, I must be one of the few. Thanks for sharing these videos. They are my best school.
How to reverse WannaCry: make CTRL+I!
Nice one!
Reverse engineering is so hard lol
:( I was hoping that this was going somewhere... what happens if the countdown expires? Is there a way to decrypt without paying? Who do the bitcoin addresses belong to?
Place this into playlists as well
Completely forgot, thanks!
Wow just wow.. I'm sure you won't need to pay for any game/software if you decide to spend some time.
Why is decompiled C++ so dirty?
Especially std::string
I decompiled my own simple program and I can't understand C++ types here.
But C is fine for decompiling, everything is understandable
OOP
@مقاطع مترجمة
Yes, I also thought it was OOP
But can we decompile it?
We can directly decompile an exe file with C# code, can't we do this with C++?
@Gameplayer 55055 I think that's because .NET can be decompiled easily to its original function structure (there are tools specifically for that), but C++ I don't know; maybe it uses a different approach to compile to machine code that makes it rely less on the OS. C is a much simpler language since it's very close to assembly in many ways; you may be able to create complex code with C to make it harder to decompile/read.
Yes, you're right.
But after watching decompiled C++ code I want to write in pure C :)
@Gameplayer 55055 Lol same, but after I watched how they decompile C# code, OG
It's not the OOP. If it was the OOP, OOAnalyzer would clean it up and make everything nice
The reason things like std::string are dirty is because they're inlinable. This means that when the compiler is compiling code, it's allowed to copy and paste the contents of std::string's functions directly into your code (which allows more optimizations in some cases, though also leads to more mess). Which means instead of one call to std::string::append(myString, otherString), you now get all the functions std::string::append called pasted straight into your code.
If std::string used OOP, it would be much nicer looking as the compiler would be unable to figure out what std::string::append did, and be unable to copy and paste it into code everywhere
If you're trying to match up the decompiled code to source code, try going into the <string> header, and matching up the decompiled code with the contents of the std::string function you called. You'll probably find that they match very nicely. If you're compiling with clang, add the command `-Xclang -fdump-record-layouts` to your compiler invocation and it'll print the binary layout of classes like std::string for you to copy into Ghidra structure definitions. I do wish there was an automated way to do this though, some clang-Ghidra integration plugin where you could write C++ structs in a header and then import them into Ghidra.
@Tellow Krinkle thanks for the complete answer.
I already noticed that std::string functions are copied everywhere.
The only thing that makes me wanna cry is the light theme
It would be interesting if you allow subtitles (human) for better understanding.
Yea unfortunately that’s a lot of work - have to look into it
@stacksmashing, if you could release the option to add subtitles, it would be very helpful in case any subscribers are interested in doing so.
Ah I didn’t even know that’s possible! :) Let me check that
Finally, a video! Thanks
Can you please do a series on NotPetya please? :D :D
Is WannaCry still available?
Thanks!
So you actually can decrypt your files if you paid them, and this 10-file demo isn't some baiting tactic to make you pay?
Just someone who loves what he's doing.
Yeah. Years ago, one businessman asked me to convert a couple of bucks to BTC. He paid the terrorist and got all his files back.
No, it's just bait (as far as I understand it). These 10 files (possibly more) are encrypted with a known private key, so you can decrypt them. But for all other files, the seed is random and there is no functionality to keep track of these random seeds.
Please correct me if I misunderstood this though!
@Kevin Wydler From my understanding of the previous video, the main encryption key pair is generated uniquely to each machine the first time it runs, and the private key (required to decrypt) is then encrypted with a fixed (public) key embedded by the ransomer. Theoretically, the ransomer could take the encrypted private key, decrypt it with their own key, and supply it back to the victim, thus allowing for the decryption of the files.
Interestingly (again, to my understanding and I’d love to be corrected with precise details!) a bug/exploit in windows’ implementation of the encryption meant that if you didn’t restart your computer after this was done, there was a chance that the (unencrypted) private key was still somewhere in memory, and thus with the right tools, in some cases it was possible to recover this and hence reverse the effects of the malicious encryption without paying the ransomer.
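The key hierarchy this thread describes (a per-machine RSA key pair, with the private half sealed under the operator's embedded public key) and the point made in the earlier reply about RSA padding checks failing under the wrong key, modelled as an added Go example that is not code from the video or from the malware. It assumes RSA-OAEP plus AES-GCM for the hybrid step (WannaCry's actual modes are not asserted here) and reduces the per-file header to just the wrapped AES key; the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// hybridSeal encrypts plaintext under a fresh random 128-bit AES key and wraps that key with
// RSA-OAEP for pub, returning the wrapped key (the per-file "header") and the ciphertext.
// AES-GCM is an assumption chosen for brevity; the model does not claim it is WannaCry's mode.
func hybridSeal(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, ct []byte, err error) {
	key := make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || body || tag
}

// hybridOpen reverses hybridSeal. With the wrong private key it does not return garbage: the OAEP
// padding check fails inside rsa.DecryptOAEP, which is how a decryptor can tell embedded-key
// files from per-victim-key files without any header flag.
func hybridOpen(priv *rsa.PrivateKey, wrappedKey, ct []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed (wrong private key?): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// unwrapVictimPrivateKey is the operator-side step: the per-machine private key, which the malware
// hybrid-sealed under the operator's embedded public key, is recovered so it can be handed back.
func unwrapVictimPrivateKey(operator *rsa.PrivateKey, wrappedKey, blob []byte) (*rsa.PrivateKey, error) {
	der, err := hybridOpen(operator, wrappedKey, blob)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048) // only the public half ships in the binary
	victim, _ := rsa.GenerateKey(rand.Reader, 2048)   // generated per machine on first run
	file := []byte("constructed sample document contents")
	hdr, ct, _ := hybridSeal(&victim.PublicKey, file)
	wk, blob, _ := hybridSeal(&operator.PublicKey, x509.MarshalPKCS1PrivateKey(victim)) // victim key leaves the box only wrapped
	released, _ := unwrapVictimPrivateKey(operator, wk, blob)
	pt, err := hybridOpen(released, hdr, ct)
	_, wrongKeyErr := hybridOpen(operator, hdr, ct) // wrong key: rejected by the OAEP check
	fmt.Println(string(pt) == string(file), err, wrongKeyErr != nil) // true <nil> true
}
```

Nothing on the victim machine can perform unwrapVictimPrivateKey, which is why the main body of files stays locked while files sealed under a key whose private half is shipped in the binary can be opened as a demo.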
Finally!!!!
Part 4?
Where is the private key?
So you hack the hacker and decrypt without paying?
Now, does it mean it is possible to decrypt after you've paid the money or does it mean it isn't?
Dude, I have a question
I have a set-top box and want to get into it.
Currently the channels limited in it are managed at the box. I want to edit it.
Other channels which I have not paid for should be accessible; when I move over the channels, a small piece of the program just flashes
It's great WannaCry won't encrypt my Minecraft folder
Finally!
You are my Netflix
Hello Thomas. Did I read it right?
Greetings from Stuttgart
Fascinating
thx
When is the next videooooooooo
Hell ye
My Ghidra is dead because a virus disabled my JDK and the Oracle servers are actually down. Can someone send me the source code? T_T
The change in your voice from 10:25 -> 10:26 is incredibly unnerving
Yea it was recorded on the next day, had some issues with a cold and had to stop - sorry about that :)
@stacksmashing oh no worries, I figured it was something like that. Great content as always!
Yes
Where is the EternalBlue code???? I came for EternalBlue
I’m sure asking this nicely will help :)
601st view