Created: 17 June 2012 23:09 · #1
I need some help in decompiling/reverse engineering a Delphi executable file. Following some online tutorials and using the indicated tools I was able to identify that the EXE was packed using ASPack 2.12. Following a different tutorial I BELIEVE I was able to unpack it...not 100% sure, but the resulting EXE I dumped was able to open with software like IDA PRO and DeDe and generate most of the files and a semi-readable source code with a lot of assembly instructions.
Why am I doing this, you ask...I will be honest. I very stupidly allowed my computer to be infected by MALWARE that encoded all my pictures and documents into .crypt files. File recovery software restored less than 5% of what I had, and most of my searches on AV forums have produced little or no solution, as the malware seems to use AES256 or something like that and is tagged as Encoder.141...and there seems to be no solution thus far.
I was, however, able to get my hands on one of the programs that the creators of the MALWARE supposedly send people who pay their "ransom money" that is supposed to fix the problem. However, the bastards say each fix file is specific to the infected computer, based on the ID the program informs you of when you are infected. Sadly the file I found differs from mine.
Having said that, the creators of this horrible thing say you must pay them money and inform them of the ID so they can send you the correct file...which made me think that possibly all the fixes they send are very similar in terms of programming and may differ only in the ID file as a simple parameter. (If not, and the coding algorithm is indeed different based on ID, then I am screwed.)
So what I have been attempting to do is to decompile the EXE and see if there is a way to get to the source code and re-compile it with changes so that it can recover my files.
Please I have NO DESIRE to use this decryption algorithm for anything other than recovering my files.
If anyone can help me in any way the FILES are here: http://ifile.it/re1nx3y (559.exe is the original file and _test.exe is the file I think I unpacked correctly).
I hope that this post is not in violation of your forum rules, and if it is, I humbly apologize and will respect whatever actions you feel are necessary. And I thank you in advance for your time and any help you may be willing to offer.
Google translate: I analyzed several kinds of malware from the AES and nothing to cheer; some key input is not as such, but uses a random key; enter in some key words, but again with a random key entry in the registry key and the MD5 hash; if you did not write it yourself or a student Avery something about the data, you can forget to catch the AES, there is nothing.
Created: 18 June 2012 04:18 · #5
TheHorseman, besides "SetSysLog32.exe", try to find "vscdrvt.exe" as well, and look for registry values named "bdgid" and "id" in one of these registry keys: HKEY_USERS\*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
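The registry check suggested in the post above can be done offline against a `reg export HKU hku.reg` dump rather than by clicking through every user hive by hand. The following script is an added example, not code from this thread: it parses the .reg export format and reports any value named "bdgid" or "id" under a per-user Winlogon key. The value names and key path come from the post; the registry contents in `SAMPLE_REG` are constructed for the demonstration, and the `PLACEHOLDER-VICTIM-ID` string is a placeholder, not a real infection ID.

```python
"""Scan a Windows .reg export for the Winlogon values named in the thread.

Added example (not from the thread). Value names "bdgid"/"id" and the
Winlogon key path are taken from the post above; SAMPLE_REG is constructed.
Usage: python scan_winlogon.py [hku.reg]   (no argument scans SAMPLE_REG)
"""
import re
import sys
from typing import Dict, Iterator, List, Tuple

WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
SUSPECT_VALUES = {"bdgid", "id"}  # value names mentioned in the post

# Constructed .reg export: one profile carrying both indicator values, one
# clean profile, and an unrelated key with an "id" value that must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"bdgid"="PLACEHOLDER-VICTIM-ID"
"id"=dword:00000001

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Run]
"id"="not the key we are looking for"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _logical_lines(text: str) -> Iterator[str]:
    """Join .reg continuation lines (a trailing backslash continues hex data)."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def _decode(raw: str):
    """Convert the right-hand side of a .reg value line to a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex"):  # hex:, hex(2):, hex(7): ... comma-separated bytes
        body = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    return raw  # unknown type: keep verbatim


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: value}} for a .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _decode(m.group(2))
    return keys


def find_winlogon_indicators(text: str) -> List[Tuple[str, str, object]]:
    """List (SID, value name, value) for suspect values under HKU\\<SID>\\...\\Winlogon."""
    hits = []
    for path, values in parse_reg(text).items():
        low = path.lower()
        if not (low.startswith("hkey_users\\") and low.endswith(WINLOGON_SUFFIX)):
            continue
        sid = path.split("\\")[1]
        for name, value in values.items():
            if name.lower() in SUSPECT_VALUES:
                hits.append((sid, name, value))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg.exe writes exports as UTF-16LE with a BOM; "utf-16" handles the BOM.
        with open(sys.argv[1], encoding="utf-16") as fh:
            data = fh.read()
    else:
        data = SAMPLE_REG
    hits = find_winlogon_indicators(data)
    for sid, name, value in hits:
        print(f"{sid}: {name} = {value!r}")
    if not hits:
        print("no Winlogon indicator values found")
```

Because the match is on the key path suffix, an "id" value under some other key (the Run key in the sample) is not reported, which keeps the output focused on the location the post names; if the values have already been deleted, as in the next post, the script simply reports nothing and the .reg export itself stays as a record of what was present at export time.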
Created: 19 June 2012 03:27 · #6
_ruzmaz_: unfortunately I can't find either of those files or those registry keys. I probably deleted them when I thought the virus wasn't anything serious and just some silly adware. Now I definitely regret doing that.