 eXeL@B —› WorldWide —› Help with Decompiling/Reverse Engineering Delphi exe

Rank: 0.6 (guest)
Status: Member

Posted: 17 June 2012 23:09
#1

Greetings.

I need some help in decompiling/reverse engineering a Delphi executable file. Following some online tutorials and using the indicated tools I was able to identify that the EXE was packed using ASPack 2.12. Following a different tutorial I BELIEVE I was able to unpack it... not 100% sure, but the resulting EXE I dumped was able to open with software like IDA Pro and DeDe and generate most of the files and semi-readable source code with a lot of assembly instructions.

Why am I doing this, you ask... I will be honest. I very stupidly allowed my computer to be infected by MALWARE that encoded all my pictures and documents into .crypt files. File recovery software restored less than 5% of what I had, and most of my searches on AV forums have produced little or no solution, as the malware seems to use AES256 or something like that and is tagged as Encoder.141... and there seems to be no solution thus far.

I was, however, able to get my hands on one of the programs that the creators of the MALWARE supposedly send people who pay their "ransom money", which is supposed to fix the problem. However, the bastards say each fix file is specific to the infected computer, based on the ID the program informs you of when you are infected. Sadly, the file I found differs from mine.

Having said that, the creators of this horrible thing say you must pay them money and inform them of the ID so they can send you the correct file... which made me think that possibly all the fixes they send are very similar in terms of programming and may differ only in the ID as a simple parameter. (If not, and the coding algorithm is indeed different based on the ID, then I am screwed.)

So what I have been attempting to do is decompile the EXE and see if there is a way to get to the source code and recompile it with changes so that it can recover my files.

Please, I have NO DESIRE to use this decryption algorithm for anything other than recovering my files.

If anyone can help me in any way, the FILES are here: http://ifile.it/re1nx3y (559.exe is the original file and _test.exe is the file I think I unpacked correctly).

I hope that this post is not in violation of your forum rules, and if it is, I humbly apologize and will respect whatever actions you feel are necessary. I thank you in advance for your time and any help you may be willing to offer.


Status: Alien

Posted: 18 June 2012 00:32 · Edited by: F_a_u_s_t
#2

(Google Translate)
I analyzed several kinds of malware with AES, and there is nothing to cheer about: in some there is no key input as such, but a random key is used; in some a key is entered, but again with a random key entry in the registry key and the MD5 hash. If you did not write it yourself, or a student Avery something, you can forget about the data; there is nothing to catch in the AES.


Rank: 147.4 (veteran)
Status: Member

Posted: 18 June 2012 00:41
#3

TheHorseman
The only thing that I've found is something that looks like a decryption password:
0045DB30 mov ecx, 45DD1C ;"RFUUBKqg9"

But, as you already know, this password is not for your computer.
Without the encryptor, recovery of your files is an almost impossible task.

btw. Do you know the CompId of the computer that can be decrypted with this program?

Also, try to find the file "SetSysLog32.exe".
It's the encryptor.
I don't really hope that it didn't delete itself, but it may be so.
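The password above was spotted by reading the disassembly for a `mov ecx, imm32` whose immediate lands on a string constant (Delphi passes the third register argument in ECX, and keeps string literals in the code segment, laid out as refcount -1 at -8, length at -4, then the characters and a NUL). The script below is an added example, not code from the thread or from the 559.exe/_test.exe binaries: it sweeps a code blob for that opcode pattern, validates the target as a Delphi AnsiString, and includes a minimal PE32 section reader so it can be pointed at an unpacked dump. The addresses and the sample blobs in `build_sample()` are constructed for illustration (the string content is the one quoted above, the layout around it is assumed).

```python
"""Find `mov ecx, imm32` instructions whose immediate points at a Delphi
AnsiString constant, the pattern behind `0045DB30 mov ecx, 45DD1C ;"RFUUBKqg9"`.
Added example; assumes a well-formed 32-bit PE and Delphi's string layout."""
import struct
import sys

MOV_ECX_IMM32 = 0xB9  # x86 opcode byte for `mov ecx, imm32`


def delphi_ansistring(data, data_va, target_va):
    """Return the AnsiString whose first character is at target_va, or None if
    the bytes there do not look like one (bad length, no NUL, non-printable)."""
    off = target_va - data_va
    if off < 4 or off >= len(data):
        return None
    (length,) = struct.unpack_from('<i', data, off - 4)   # length lives at -4
    if length <= 0 or off + length >= len(data):
        return None
    if data[off + length] != 0:                           # Delphi strings end in NUL
        return None
    chars = data[off:off + length]
    if not all(0x20 <= b < 0x7F for b in chars):          # keep only printable ASCII
        return None
    return chars.decode('latin-1')


def find_ecx_string_refs(code, code_va, data, data_va):
    """Linear sweep: every B9 byte is tried as an instruction start, so
    misaligned hits are weeded out by requiring a valid string target.
    Returns [(instruction_va, target_va, string), ...]."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != MOV_ECX_IMM32:
            continue
        (imm,) = struct.unpack_from('<I', code, i + 1)
        if not data_va <= imm < data_va + len(data):
            continue
        s = delphi_ansistring(data, data_va, imm)
        if s is not None:
            hits.append((code_va + i, imm, s))
    return hits


def pe_sections(blob):
    """Minimal PE32 section-table reader: list of (name, va, raw bytes).
    Assumption: the input is a valid 32-bit PE (e.g. an unpacked dump)."""
    (e_lfanew,) = struct.unpack_from('<I', blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    (nsec,) = struct.unpack_from('<H', blob, e_lfanew + 6)
    (opt_size,) = struct.unpack_from('<H', blob, e_lfanew + 20)
    (image_base,) = struct.unpack_from('<I', blob, e_lfanew + 24 + 28)
    table = e_lfanew + 24 + opt_size
    out = []
    for n in range(nsec):
        hdr = table + 40 * n
        name = blob[hdr:hdr + 8].rstrip(b'\0').decode('latin-1')
        _vsize, va, rawsize, rawptr = struct.unpack_from('<IIII', blob, hdr + 8)
        out.append((name, image_base + va, blob[rawptr:rawptr + rawsize]))
    return out


def scan_pe(blob):
    """Delphi keeps string constants in the code segment, so each section is
    scanned against itself and every other section."""
    secs = pe_sections(blob)
    hits = []
    for cname, cva, code in secs:
        for _dname, dva, data in secs:
            hits.extend((cname,) + h for h in find_ecx_string_refs(code, cva, data, dva))
    return hits


def build_sample():
    """Constructed sample (not bytes from the real binary): one string constant
    at VA 0x45DD1C, and code at 0x45DB30 that loads it into ECX, followed by a
    decoy `mov ecx, 0x10` whose immediate points outside the data."""
    data_va = 0x45DD00
    text = b'RFUUBKqg9'
    data = b'\x00' * 0x14 + struct.pack('<ii', -1, len(text)) + text + b'\x00'
    code_va = 0x45DB30
    code = (b'\xB9' + struct.pack('<I', 0x45DD1C) +   # mov ecx, 45DD1C
            b'\x90\xB9' + struct.pack('<I', 0x10) +    # nop ; mov ecx, 10
            b'\xC3')                                   # ret
    return find_ecx_string_refs(code, code_va, data, data_va)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            for sec, iva, sva, s in scan_pe(f.read()):
                print(f'{sec}: {iva:08X} mov ecx, {sva:X} ; "{s}"')
    else:
        for iva, sva, s in build_sample():
            print(f'{iva:08X} mov ecx, {sva:X} ; "{s}"')
```

Run it against the unpacked dump (`python find_ecx_strings.py _test.exe`) rather than the ASPack-protected original, since the packed sections hold compressed code and no plaintext constants. A linear sweep has no instruction alignment, so treat each hit as a candidate to confirm in IDA; the string-layout check removes most noise but not all of it.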

Rank: 0.6 (guest)
Status: Member

Posted: 18 June 2012 01:27
#4

First off, thank you for taking the time to address my problem.

From what I saw from the guy who got the file, his ID was 559, to match the name of the EXE.

Can't find the file you said either, AkaBoss.

But if that is the password... then it somehow matches the 559? Some kind of string conversion algorithm?

I will try to find other examples of the decryption file for other IDs, if that helps in any way.

Thank you again, AkaBOSS and F_a_u_s_t.

Rank: 114.8 (veteran)
Status: Member

Posted: 18 June 2012 04:18
#5

TheHorseman
Besides "SetSysLog32.exe", try to find "vscdrvt.exe".
In addition, look for registry values named "bdgid" and "id" in one of these registry keys:
HKEY_USERS\*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
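The artifact hunt described in the two replies above (the dropped files and the per-user Winlogon values) is what one would script rather than do by hand. The following is an added example, not code from the thread: it walks the given roots for the two file names case-insensitively and, on Windows, enumerates every loaded hive under HKEY_USERS for the "bdgid" and "id" values under the Winlogon key. The sample directory tree built in `demo()` is constructed for illustration; the registry part is skipped where the `winreg` module is unavailable.

```python
"""Hunt for the indicators named in the thread: the files SetSysLog32.exe and
vscdrvt.exe, and the values "bdgid" / "id" under
HKEY_USERS\\<SID>\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.
Added example; the registry walk needs Windows, the file walk runs anywhere."""
import os
import sys
import tempfile

try:
    import winreg              # Windows only
except ImportError:            # assumption: elsewhere we just skip the registry
    winreg = None

ARTIFACT_FILES = ('SetSysLog32.exe', 'vscdrvt.exe')
ARTIFACT_VALUES = ('bdgid', 'id')
WINLOGON = r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'


def find_artifact_files(roots, names=ARTIFACT_FILES):
    """Walk each root and return full paths whose file name matches one of
    `names`, case-insensitively; unreadable directories are skipped."""
    wanted = {n.lower() for n in names}
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for fname in files:
                if fname.lower() in wanted:
                    found.append(os.path.join(dirpath, fname))
    return found


def winlogon_ids(value_names=ARTIFACT_VALUES):
    """Return {sid: {name: data}} for every HKEY_USERS hive that carries any of
    `value_names` under its Winlogon key; empty dict without winreg."""
    results = {}
    if winreg is None:
        return results
    i = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, i)   # one subkey per loaded hive
        except OSError:                                 # no more subkeys
            break
        i += 1
        try:
            key = winreg.OpenKey(winreg.HKEY_USERS, sid + '\\' + WINLOGON)
        except OSError:                                 # hive has no Winlogon key
            continue
        with key:
            vals = {}
            for name in value_names:
                try:
                    vals[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:                         # value absent
                    pass
        if vals:
            results[sid] = vals
    return results


def demo():
    """Constructed sample tree (not a real infection): plants one matching
    file, with odd capitalisation, next to a decoy and returns the base names
    that the walk reports."""
    with tempfile.TemporaryDirectory() as root:
        nested = os.path.join(root, 'Windows', 'Temp')
        os.makedirs(nested)
        for name in ('setsyslog32.EXE', 'notes.txt'):
            with open(os.path.join(nested, name), 'w') as f:
                f.write('x')
        hits = find_artifact_files([root])
        return sorted(os.path.basename(h) for h in hits)


if __name__ == '__main__':
    roots = sys.argv[1:] or [os.environ.get('SystemDrive', 'C:') + os.sep]
    for path in find_artifact_files(roots):
        print('file:', path)
    for sid, vals in winlogon_ids().items():
        print('registry:', sid, vals)
```

Run it from an elevated prompt so that every user's hive is readable; HKEY_USERS only lists hives that are currently loaded, so log in as (or `reg load`) each account whose profile might have been touched. If the original poster has already removed the files and values, as the later reply says, the hunt returns nothing and the ID can no longer be recovered from the system.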

Rank: 0.6 (guest)
Status: Member

Posted: 19 June 2012 03:27
#6

_ruzmaz_: unfortunately, I can't find either of those files or those registry keys. I probably deleted them when I thought the virus wasn't anything serious, just some silly adware. Now I definitely regret doing that.


You are on the forum of the site EXELAB.RU