This article first appeared on the i春秋 (ichunqiu) community; unauthorized reprinting is prohibited!
The story began in the C language bar (Baidu Tieba). Being a mere novice myself, I saw this in the bar one day:
So the "great hacker" calling himself Xiaoba was promptly banned.
But given that he had been jumping around in places he shouldn't, simply letting him go was not an option. In light of some recent complaints, I decided to turn over this great hacker's old haunts and let him taste how cruel this can get. So nothing in this post is censored: partly to pillory him, and partly so the great hacker himself can read it and understand.
First, a search of his Baidu account made it easy to see that Xiaoba the great hacker has been in the Easy Language (易语言, "Yi language") business for a long time
This is the post:
First of all: I really don't like Easy Language
Then: I really don't like Easy Language's loyal users
Last but not least, I don't like the Easy Language people who write lock-screen ransomware to extort victims
Further searching showed that this guy was spreading his ransomware everywhere, for example here
This, along with this guy's footprints in various forums
In a post in the Easy Language bar, his ransomware had just scored a victim
Demanding 1K yuan per unlock, no less. In that post this guy also showed up to share his "experience"; he seems very proud of his ransomware
Unfortunately, his ransomware was cracked in five steps by a passing expert as soon as it was released
But clearly this guy wouldn't admit it
Then the great hacker began to trumpet his "heroic deeds"
His old ransomware had obviously been picked clean by the experts over at the Kanxue (看雪) forum, but he still persevered in churning out more "new versions"
Let's get back to the ransomware
That is, the ransomware advertised as "RSA + AES encryption" (it isn't; the great hacker doesn't seem to know what RSA and AES are). Drop it into a virtual machine and load it in OllyDbg. Clearly the only anti-debugging measure the great hacker knows is packing: this ransomware uses a UPX packer, which is useless as protection. A compression packer has to unpack the program into memory before it runs, so the code is completely naked during execution (and UPX can also be removed from the file up front with `upx -d`)
Then press Alt+M to open the memory map and search for the byte sequence 8B 54 24 04 8B 4C 24 08 85 D2 75, the signature of Easy Language's string comparison routine (it decodes to mov edx,[esp+4]; mov ecx,[esp+8]; test edx,edx; jnz: the routine loads its two string-pointer arguments and first checks the first one for null)
Searching for this signature finds two hits in this program; the one that compares the registration code is the second. Jump to that address and set a breakpoint
In the ransomware's window, type anything, click to start recovering files, and the breakpoint hits
On the first hit the ransomware checks whether the entered string is empty; on the second it compares it against the correct key. At that second comparison the correct key is plainly visible (in the stack pane at the lower right)
That alone would do, but let's keep following it to the RETN to see where it returns to. A few steps after the return and it's basically clear what's going on
Cracking it is easy: either overwrite the JE with NOPs, or set EAX to 0 after the call to the comparison function. The most direct way, of course, is to change the code below
into this
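The two mechanical steps above (find the Easy Language string-compare signature, then NOP out the conditional jump that follows the key check) can be scripted against a dump of the unpacked image. The following is an added example of mine, not the post's one-click cracker, whose source exists only in the attachment. It assumes a raw dump of the region shown in OllyDbg's memory map (so address = region base + file offset), and the sample "dump", the base address and the JE offset are constructed for the example. Unlike the post's cracker, which runs on the live process, this works on the dumped file, and it refuses to patch unless the bytes at the chosen offset really encode a JE, so a wrong address cannot silently corrupt other code.

```python
"""Locate the Easy Language string-compare signature in an unpacked dump and
NOP out a JE.  Added example; not the post's cracker and not its source."""

# The byte pattern the post searches for in OllyDbg's memory map:
#   8B 54 24 04   mov edx,[esp+4]   ; first string pointer argument
#   8B 4C 24 08   mov ecx,[esp+8]   ; second string pointer argument
#   85 D2         test edx,edx      ; null check on the first string
#   75 xx         jnz ...
EPL_STRCMP_SIG = bytes.fromhex("8b5424048b4c240885d275")


def find_signature(data: bytes, sig: bytes = EPL_STRCMP_SIG, base: int = 0) -> list:
    """Return every address (base + offset) at which `sig` occurs in `data`.
    The post reports two hits in the ransomware; the second is the key compare."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(base + pos)
        pos = data.find(sig, pos + 1)
    return hits


def nop_out_je(data: bytes, offset: int) -> bytes:
    """Return a copy of `data` with the JE at `offset` replaced by NOPs.
    Both encodings are handled: 74 rel8 (2 bytes) and 0F 84 rel32 (6 bytes).
    Raises ValueError if the bytes there are not a JE, rather than patching blindly."""
    buf = bytearray(data)
    if buf[offset] == 0x74:
        length = 2
    elif buf[offset:offset + 2] == b"\x0f\x84":
        length = 6
    else:
        raise ValueError(
            f"no JE at offset {offset:#x}: found {bytes(buf[offset:offset + 2]).hex()}")
    buf[offset:offset + length] = b"\x90" * length
    return bytes(buf)


# Constructed sample dump (not real ransomware bytes): two signature hits, then
# the "call compare; test eax,eax; je" sequence the post patches.
SAMPLE_DUMP = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp,esp (filler prologue)
    + EPL_STRCMP_SIG + b"\x10"           # first hit: the empty-string check
    + b"\x90" * 8
    + EPL_STRCMP_SIG + b"\x20"           # second hit: the registration-code compare
    + b"\x90" * 8
    + b"\xe8\x00\x00\x00\x00"            # call <compare>
    + b"\x85\xc0"                        # test eax,eax
    + b"\x74\x0a"                        # je +0x0a   <- the jump to NOP out
    + b"\xc3"                            # ret
)
SAMPLE_BASE = 0x401000                   # assumed region base from the memory map
# Offset of the JE: right after the "test eax,eax" that follows the call.
JE_OFFSET = SAMPLE_DUMP.index(b"\x85\xc0\x74") + 2


if __name__ == "__main__":
    for addr in find_signature(SAMPLE_DUMP, base=SAMPLE_BASE):
        print(f"signature hit at {addr:#x}")
    patched = nop_out_je(SAMPLE_DUMP, JE_OFFSET)
    print(f"patched JE at {SAMPLE_BASE + JE_OFFSET:#x}: "
          f"{SAMPLE_DUMP[JE_OFFSET:JE_OFFSET + 2].hex()} -> {patched[JE_OFFSET:JE_OFFSET + 2].hex()}")
```

On a real dump, feed `find_signature` the dumped bytes and the region base from OllyDbg, then pass `nop_out_je` the offset of the JE you located by following the RETN, exactly as the post does by hand.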
And just like that, this rather basic ransomware was disarmed and surrendered
As for his talk of RSA and AES, it's a joke. At his level he has no anti-reverse-engineering or data-encryption capability whatsoever
To rub it in thoroughly, I wrote a one-click cracker based on the above. The code isn't long, so you can copy, paste and compile it directly. The release build and the source code of this tool are in the attachment
Copy the cracker to the infected computer and double-click it; it will report that the crack succeeded
Then enter any password to start decryption
At this point the ransomware is declared defeated, but there's no hurry. Let's play the long game
Copy the ransomware to the virtual machine and use pedoll for behavior analysis
A pedoll tutorial is available on the forum; here we use the malware analysis mode (debugging with network)
Behavior analysis after loading:
Click start analysis. You can see that after executing several CMD commands, the program registers itself to run at startup and then begins frantically searching for and encrypting files
Assembly, C and C# source files, doc/ppt/docx documents... all get hit, and then it drops the wallpaper image
In the end pedoll captured the network traffic. The visits to Baidu are presumably from some Easy Language plugin
Finally, the climax: the software sent some data to port 25
What is port 25? Right: SMTP, the protocol for sending mail. To send mail you need an account and password. It seems that besides extortion, the great hacker is also highly accomplished at telling other people his account and password. Click on the data to inspect the packets on port 25
Better still, the packet after AUTH LOGIN is his account in Base64, and the one sent next is his password in Base64. And of course this software also takes a screenshot of your computer and emails it out
Base64-decode to get the account
And the password
The message sent (host configuration, serial number and unlock key):
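Pulling the credentials out of a capture like the one above is a small parsing job, and it is worth doing properly because AUTH LOGIN may carry the username as an initial response on the AUTH line itself, and AUTH PLAIN packs both fields into one base64 blob (RFC 4616: authzid NUL authcid NUL password). The following is an added example of mine, not part of the original post and not pedoll's output: a parser over a list of (direction, line) pairs as you would transcribe them from the port 25 packets. The session, the account name and the password in it are constructed for the example; it goes beyond the post's case by also handling AUTH PLAIN.

```python
"""Recover SMTP credentials (AUTH LOGIN / AUTH PLAIN) from a captured session.
Added example; the session below is constructed, not the post's capture."""
import base64
import binascii


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def _decode(token: str):
    """Base64-decode one client token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_smtp_credentials(session):
    """session: list of (direction, line) with direction "C" (client) or "S" (server).
    Returns a list of (mechanism, username, password) tuples, one per AUTH exchange."""
    results, i, n = [], 0, len(session)
    while i < n:
        direction, line = session[i]
        parts = line.split()
        if direction != "C" or len(parts) < 2 or parts[0].upper() != "AUTH":
            i += 1
            continue
        mech = parts[1].upper()
        j = i + 1
        if mech == "LOGIN":
            # Username may ride along on the AUTH line as an initial response;
            # otherwise the client answers the server's 334 prompts one field at a time.
            fields = [_decode(parts[2])] if len(parts) >= 3 else []
            while len(fields) < 2 and j < n:
                d, l = session[j]
                if d == "C":
                    fields.append(_decode(l))
                j += 1
            if len(fields) == 2 and None not in fields:
                results.append(("LOGIN", fields[0], fields[1]))
        elif mech == "PLAIN":
            blob = parts[2] if len(parts) >= 3 else None
            while blob is None and j < n:
                if session[j][0] == "C":
                    blob = session[j][1]
                j += 1
            if blob is not None:
                try:
                    raw = base64.b64decode(blob.strip(), validate=True)
                    _authzid, authcid, passwd = raw.split(b"\0", 2)
                    results.append(("PLAIN", authcid.decode(), passwd.decode()))
                except (binascii.Error, ValueError):
                    pass
        i = j
    return results


# Constructed dialog in the shape pedoll showed on port 25 (account and password are made up).
SAMPLE_LOGIN_SESSION = [
    ("S", "220 mail.example.com ESMTP"),
    ("C", "EHLO victim-pc"),
    ("S", "250-mail.example.com"),
    ("S", "250 AUTH LOGIN PLAIN"),
    ("C", "auth login"),
    ("S", "334 " + _b64("Username:")),        # server prompt "Username:" in base64
    ("C", _b64("xiaoba-test@example.com")),   # account, base64-encoded
    ("S", "334 " + _b64("Password:")),        # server prompt "Password:" in base64
    ("C", _b64("hunter2")),                   # password, base64-encoded
    ("S", "235 Authentication successful"),
    ("C", "MAIL FROM:<xiaoba-test@example.com>"),
]

# Same credentials sent with AUTH PLAIN in one blob (constructed).
SAMPLE_PLAIN_SESSION = [
    ("C", "AUTH PLAIN " + base64.b64encode(b"\0xiaoba-test@example.com\0hunter2").decode()),
    ("S", "235 Authentication successful"),
]

if __name__ == "__main__":
    for sess in (SAMPLE_LOGIN_SESSION, SAMPLE_PLAIN_SESSION):
        for mech, user, pw in extract_smtp_credentials(sess):
            print(f"{mech}: user={user!r} password={pw!r}")
```

The defensive point is the same one the post makes in passing: a program that authenticates to a mailbox over plain port 25 hands that mailbox to anyone watching its traffic, which is exactly how the author's inbox was read.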
Code? No need. Just log in and have a look. Open it up in Foxmail and let's see what's there
Besides what we just tested, it seems quite a few people have been locked
And victims writing in to ask for the code. Look how straightforward people are
OK, you're welcome, and I won't be merciful either. Before long I found something interesting
This email is obviously the one the author used for his own testing: he mailed himself the source code of his great work. Fine, since it's here, let's happily open-source it. There's also a screenshot of his desktop, which we'll share as well. All the source code can be downloaded from the attachment
Of course there are other interesting things too
For example, the great hacker's IP was handed to us when he did his testing. And a computer named Xiaoba leaves him nowhere to run
At this point most of the great hacker's base has been raided. I downloaded all of his emails and put them in the attachment. Happy? Think it's over? Of course not. How could we stop here
I used an alt account, pretended to be a victim, and emailed him
To show we were "in a hurry", we sent several more. Oh, and took another screenshot of the virtual machine to show our "sincerity"
Now we wait for him to take the bait and then deal him a mental blow. Unexpectedly, he replied very quickly
Cough, cough
You want money? If I didn't show you something, you wouldn't know how cruel this can get
The great hacker is suddenly confused: why has the mailbox been hacked?
I'm afraid the hacker won't sleep tonight. This article should make it clear to him
End: releasing the package of the great hacker's emails & the one-click cracker & some other bits; reply to view.
Blackmail software cracker + source code:
Source code of Xiaoba software: https://pan.baidu.com/s/1i5tf1yp
Mail package download (open with Foxmail): https://pan.baidu.com/s/1eslbxsa