(gdb) hexdump 0x923770 0x65
88090cda46fd2cde1de8e4458918ae46 |....F.,....E...F|
69643d31443930373645364644383533 |id=1D9076E6FD853|
414236266163743d6765746b65792661 |AB6&act=getkey&a|
666669643d33266c616e673d66722663 |ffid=3&lang=fr&c|
6f72703d3026736572763d30266f733d |orp=0&serv=0&os=|
57696e646f77732b58502673703d3226 |Windows+XP&sp=2&|
7836343d30 |x64=0|
def encode(buff):
    """Re-implementation of the obfuscation applied to *buff* before it leaves the host.

    The MD5 digest of the input is prepended (the 16 bytes preceding
    ``id=...&act=getkey`` in the hexdump above), then every byte is combined
    with a 32-bit rolling key that is re-derived from the byte just consumed
    and its position. ``ror``/``rol`` (32-bit rotates) and ``md5`` are
    expected from the surrounding script.
    """
    plain = md5(buff).digest() + buff
    key = 0xcd43ef19
    pieces = []
    for pos, ch in enumerate(plain):
        value = ord(ch)
        mixed = (ror(key, 5) - rol(pos, 0x0d)) ^ value
        pieces.append(chr(mixed & 0xff))
        # Next key: the input byte rotated by the position, added to the
        # current key, then XORed with a position-derived constant.
        lhs = (rol(value, pos & 0x1f) + ror(key, 1)) & 0xffffffff
        rhs = (ror(pos, 0x17) + 0x53702f68) & 0xffffffff
        key = lhs ^ rhs
    return "".join(pieces)
def decode(buff):
    """Strip the rolling-key obfuscation from *buff* (presumably the getkey reply).

    The key schedule is not the inverse of ``encode``: each output byte is
    recovered by subtracting the position and a rotated key, and the key is
    then advanced from the recovered byte. ``ror``/``rol`` come from the
    surrounding script. Note that the 32-bit mask is applied to the
    increment only, not to the running ``key`` (kept as in the original).
    """
    key = 0xaff49754
    chars = []
    for pos, ch in enumerate(buff):
        recovered = (ord(ch) - pos - rol(key, 3)) & 0xff
        chars.append(chr(recovered))
        key += ((ror(recovered, 0xb) ^ rol(key, 5) ^ pos) + 0xb834f2d1) & 0xffffffff
    return "".join(chars)
00000000:3af6b4e283b164050758854fb971a80a:.....d..X.O.q..00000010:0602000000a400005253413100080000........RSA1....00000020:010001002160326290cb7be69b94d54a....!`2b..{....J00000030:45e0b6c3f6241ec53f287d06c868ca45E....$..?(}..h.E00000040:c374250f9ed991d33bd2b20fb843f9a3.t%.....;....C..00000050:11505af544784e900af91e8966d29860.PZ.DxN.....f..`00000060:4b60a2891a16c25837545be67ae3a75aK`.....X7T[.z..Z00000070:0be407839f1846e480f78195be65078e......F......e..00000080:de6237932fa6ceadd661e7e42b40c92b.b7./....a..+@.+00000090:23c94ab3c3aab5602258849cb9fcb1a7#.J....`"X......000000a0:b03fd9b1e5ee278cbf75040b5f489501.?....'..u.._H..000000b0:80f60cbf2bb404eba4b57e8d30adf4d4....+.....~.0...000000c0:70baf8fbddae72709103d385359a5a91p.....rp....5.Z.000000d0:4995999636203a12168ef1131753d18bI...6:......S..000000e0:fdac1eed25a1fa5c0d546d9cdcbd9cb7....%..\.Tm.....000000f0:4b8e12288b70be132bfdfacef91a8481K..(.p..+.......00000100:dc33185eb1818b0fccbdf89d67d3afa8.3.^........g...00000110:c68017d8010064384ebaa7b704b1d00f......d8N.......00000120:c4fc94ba....
/* CryptGenKey takes the key length in the upper 16 bits of dwFlags, so
 * 0x8000000 is 2048 << 16. CRYPT_EXPORTABLE is required for the
 * CryptExportKey calls below. */
#define RSA2048BIT_KEY 0x8000000

/* NOTE(review): no return value is checked in this fragment. With dwFlags == 0,
 * CryptAcquireContext opens an existing container named "LEXSI" and fails if
 * it does not exist yet (CRYPT_NEWKEYSET is needed on first run), after which
 * every following call fails silently. */
CryptAcquireContext(&hCryptProv, "LEXSI", NULL, PROV_RSA_FULL, 0);
CryptGenKey(hCryptProv, AT_KEYEXCHANGE, RSA2048BIT_KEY | CRYPT_EXPORTABLE, &hKey);

/* Public key: the first export sizes the blob, the second fills it. */
CryptExportKey(hKey, NULL, PUBLICKEYBLOB, 0, NULL, &dwPublicKeyLen);
pbPublicKey = (BYTE *)malloc(dwPublicKeyLen);
CryptExportKey(hKey, NULL, PUBLICKEYBLOB, 0, pbPublicKey, &dwPublicKeyLen);
hPublicKeyFile = CreateFile("public.key", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(hPublicKeyFile, (LPCVOID)pbPublicKey, dwPublicKeyLen, &lpNumberOfBytesWritten, NULL);

/* Private key: same two-step export, written unencrypted to private.key. This
 * is the lab key that later decrypts encrypted.rsa, so the file must stay on
 * the analysis host. NOTE(review): neither file handle is closed and neither
 * buffer is freed here (malloc result also unchecked). */
CryptExportKey(hKey, NULL, PRIVATEKEYBLOB, 0, NULL, &dwPrivateKeyLen);
pbPrivateKey = (BYTE *)malloc(dwPrivateKeyLen);
CryptExportKey(hKey, NULL, PRIVATEKEYBLOB, 0, pbPrivateKey, &dwPrivateKeyLen);
hPrivateKeyFile = CreateFile("private.key", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(hPrivateKeyFile, (LPCVOID)pbPrivateKey, dwPrivateKeyLen, &lpNumberOfBytesWritten, NULL);
(gdb) hexdump 0x009ef8a0 16
9d86d342483a45041acb951c77908f7c
(gdb) hexdump 0x009ef784 0x1c
080200000e660000100000009d86d342483a45041acb951c77908f7c
(gdb) x/w $esp+4
0x9ef830: 0x00000004
(gdb) x/w *(int*)($esp+4+4)
0x9ef858: 0x00000002
(gdb)hexdump0x9ef8a025664ab20757556aef4af207f3881d7d656|d.uuV....8...V|2289926e30e061d224f0a1d62a207f6c|"..n0.a.$...*.l|e010ccab26623366718d934c04618a9a|....&b3fq..L.a..|86e7f47558ae8a68961fa86915aa2fe7|...uX..h...i../.|8bcdca2eb07be1895f3e65614c0b435e|.....{.._>eaL.C^|603b17480ed20880bd4de2385b51c982|`;.H.....M.8[Q..|26bf948a454082621e8842aa352a3e58|&[email protected]*>X|d27d034dcdd4e63b7d44e95fdc4d1c4b|.}.M...;}D._.M.K|27a9390c74ed469760af3a973f893328|'.9.t.F.`.:.?.3(|bf276757f8c54e037245608803e51198|.'gW..N.rE`.....|6f49af927269dbecb7c7519a05f234e0|oI..ri....Q...4.|17e41b7ec597ff3d425dffa569a458f8|...~...=B]..i.X.|3bbd9f846ea5c7814e0eaa5d40ff0601|;...n...N..]@...|e9ee3ce50fb2b480af56c5b825af112e|..<......V..%...|2282c1f19350b2a47698462edb6c76bb|"....P..v.F..lv.|b51e704441e21531f9027d927ae57317|..pDA..1..}.z.s.|
(gdb)hexdump0x009265980x80000000000000000000000000000000000|................|00000000000000000000000000000001|................|00000000000000000000000000000002|................|00000000000000000000000000000003|................|00000000000000000000000000000004|................|00000000000000000000000000000005|................|00000000000000000000000000000006|................|[...]0000000000000000000000000000007a|...............z|0000000000000000000000000000007b|...............{|0000000000000000000000000000007c|...............||0000000000000000000000000000007d|...............}|0000000000000000000000000000007e|...............~|0000000000000000000000000000007f|................|
0x00926598:fcd3bb90ac1e1e6e76880952667671fc0x009265a8:d5e207fda50c0250d0834e9b951c0b600x009265b8:3fc549e5dfb20556bdceebf60d709f620x009265c8:98f1e8b7e28ed8977fa183142bdb82980x009265d8:5b4a94f7fb6081cdbbc7a23360b1c0c70x009265e8:1cc5c740af7cea4be274b032c2375efa0x009265f8:cf40699b8192b8f177798397321975a6[...]0x009267c8:969a1dbd9b03332fd5e7a7fcacfc09c90x009267d8:f6bdc573ce9ecebcfde4ef6f06dd7d150x009267e8:7d95e618788746ba755e582ef8ba5c140x009267f8:3da9f3d3afef0b3900ae0c322bfd37eb0x00926808:3f3a6811b8d1aee728400a2033318f7e0x00926818:c38f552a5fb531260241d7e384c5799b[...]
(gdb) p/x $edx // flux de clé
$3 = 0x90bbd3fc
(gdb)hexdump$edi64//avantXOR2aa11bd46d006f006e00660069006300|*...m.o.n.f.i.c.|68006900650072002e00740078007400|h.i.e.r...t.x.t.|00000000000000000000000000000000|................|00000000000000000000000000000000|................|
(gdb)hexdump$edi64//aprèsXOR1d672a0446d006f006e00660069006300|.r.Dm.o.n.f.i.c.|68006900650072002e00740078007400|h.i.e.r...t.x.t.|00000000000000000000000000000000|................|00000000000000000000000000000000|................|
(gdb) p/x $eax // flux de clé
$4 = 0x6e1e1eac
(gdb)hexdump$edi64//aprèsXOR2d672a044c11e716e6e00660069006300|.r.D..qnn.f.i.c.|68006900650072002e00740078007400|h.i.e.r...t.x.t.|00000000000000000000000000000000|................|00000000000000000000000000000000|................|
(gdb) p/x $edx
$5 = 0xbd1d9a96 // flux de clé à l'offset 0x230 (0x009267c8)
(gdb)hexdump$edi64//avantXOR636563692065737420756e2073656372|ceciestunsecr|65740000000000000000000000000000|et..............|
(gdb)hexdump$edi64//aprèsXOR1f5ff7ed42065737420756e2073656372|..~.estunsecr|65740000000000000000000000000000|et..............|
(gdb)hexdump*(int*)($esp+4+4+4+4)1280x009255e0:000000000000000000000000000000800x009255f0:000000000000000000000000000000810x00925600:00000000000000000000000000000082[...]
(gdb)hexdump*(int*)($esp+4+4+4+4)1280x009255e0:000000000000000000000000000001000x009255f0:000000000000000000000000000001010x00925600:00000000000000000000000000000102[...]
/* Import the RSA private key exported above (hCryptProv is assumed to have
 * been acquired as in the key-generation fragment). NOTE(review): no return
 * value is checked, and dwPrivateKeyLen is passed both as the byte count and
 * as ReadFile's bytes-read out-parameter, so a short read silently shrinks
 * the blob handed to CryptImportKey. */
hPrivateKeyFile = CreateFile("private.key", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
dwPrivateKeyLen = GetFileSize(hPrivateKeyFile, NULL);
pbPrivateKey = (BYTE *)malloc(dwPrivateKeyLen);
ReadFile(hPrivateKeyFile, pbPrivateKey, dwPrivateKeyLen, &dwPrivateKeyLen, NULL);
CryptImportKey(hCryptProv, pbPrivateKey, dwPrivateKeyLen, 0, 0, &hKey);

/* Read the RSA-encrypted buffer (presumably the wrapped AES key lifted from
 * the sample -- confirm against the file layout used by unlocky.py). */
hEncryptedFile = CreateFile("encrypted.rsa", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
dwEncryptedDataLen = GetFileSize(hEncryptedFile, NULL);
pbEncryptedFile = (BYTE *)malloc(dwEncryptedDataLen);
ReadFile(hEncryptedFile, pbEncryptedFile, dwEncryptedDataLen, &dwEncryptedDataLen, NULL);

/* Decrypt the AES key in place (Final == TRUE, so dwEncryptedDataLen is updated
 * to the plaintext length) and dump it to aeskey.raw; the 16 bytes obtained
 * are the key hard-coded in the unlocky script below. NOTE(review): handles
 * and buffers are again not released in this fragment. */
CryptDecrypt(hKey, NULL, TRUE, 0, pbEncryptedFile, &dwEncryptedDataLen);
hClearFile = CreateFile("aeskey.raw", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(hClearFile, (LPCVOID)pbEncryptedFile, dwEncryptedDataLen, &lpNumberOfBytesWritten, NULL);
$ xxd aeskey.raw
9d86d342483a45041acb951c77908f7c
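#!/usr/bin/env python
"""UnLocky - Locky decryption tool, CERT-LEXSI 2016.

Decrypts one .locky file with the AES-128 key recovered above (aeskey.raw).
The layout assumed by the original script is kept:

    [ encrypted content ][ 0x100 bytes ][ 0x14 bytes ][ 0x230 bytes: encrypted filename ]

Filename and content are both XORed with the same AES-CTR keystream: the
filename uses keystream bytes 0..0x22f and the content continues at
keystream offset 0x230 (the "flux de clé à l'offset 0x230" in the gdb
transcript).

The key below is specific to this sample; another victim's file needs the
AES key decrypted from its own RSA-wrapped blob, as done with CryptDecrypt
above. Runs under Python 2 and 3.
"""
import binascii
import struct
import sys

from Crypto.Cipher import AES

# AES key recovered for this sample (see `xxd aeskey.raw`).
KEY_HEX = "9d86d342483a45041acb951c77908f7c"
DEFAULT_FILE = "1D9076E6FD853AB6C931AFE2B33C3AF9.locky"
FILENAME_LEN = 0x230
# presumably the RSA-wrapped AES key (0x100) plus a 0x14-byte field -- TODO confirm
TRAILER_LEN = 0x100 + 0x14
AES_BLOCK = 16


def keystream(key, nbytes):
    """Return at least *nbytes* of keystream for *key*.

    Locky's counter blocks are 16-byte big-endian integers starting at 0
    (the table at 0x00926598 in the transcript, regenerated as 0x80.. and
    0x100.. for later chunks), so the block count is derived from the
    requested length instead of being fixed at 0x80. This lifts the
    original "small files only" (petits fichiers seulement) restriction.
    """
    nblocks = (nbytes + AES_BLOCK - 1) // AES_BLOCK
    counter = b"".join(struct.pack(">QQ", 0, i) for i in range(nblocks))
    return AES.new(key, AES.MODE_ECB).encrypt(counter)


def xor_at(data, stream, offset):
    """XOR *data* with *stream* starting at *offset*; returns bytes.

    bytearray indexing yields ints on both Python 2 and 3, which avoids the
    ord()/chr() per-byte dance of the original.
    """
    d = bytearray(data)
    s = bytearray(stream)
    return bytes(bytearray(d[i] ^ s[offset + i] for i in range(len(d))))


def emit(raw):
    """Write *raw* bytes plus a newline to stdout (binary-safe on 2 and 3)."""
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(raw + b"\n")
    out.flush()


def decrypt_file(path):
    """Decrypt the .locky file at *path* and print its original name and content.

    Exits with a message if the file is too short to hold the trailer.
    """
    key = binascii.unhexlify(KEY_HEX)
    # Binary mode: the original opened in text mode, which would mangle
    # the ciphertext on Windows.
    with open(path, "rb") as fh:
        data = fh.read()
    enc_size = len(data) - FILENAME_LEN - TRAILER_LEN
    if enc_size < 0:
        sys.exit("[-] %s: trop court pour contenir l'en-queue Locky" % path)
    stream = keystream(key, FILENAME_LEN + enc_size)
    enc_filename = data[-FILENAME_LEN:]
    enc_content = data[:enc_size]
    emit(b"[+] Nom du fichier :")
    emit(xor_at(enc_filename, stream, 0))
    emit(b"[+] Contenu :")
    emit(xor_at(enc_content, stream, FILENAME_LEN))


if __name__ == "__main__":
    emit(b"UnLocky - Locky decryption tool, CERT-LEXSI 2016")
    decrypt_file(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_FILE)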
$ ./unlocky.py
UnLocky - Locky decryption tool, CERT-LEXSI 2016
[+] Nom du fichier :
monfichier.txt
[+] Contenu :
ceci est un secret