share your technology and add some temperature for safety

Posted by santillano at 2020-04-07

This article was first published on the i Spring and Autumn community; unauthorized reprinting is prohibited!

The story began on the C language bar (a Baidu Tieba forum). As an incompetent kid, I saw this in the bar one day:

As a result, the "big hacker" named Xiaoba was immediately banned.

However, since he had been jumping around in places he shouldn't have, it wasn't possible to simply let him go. Given some recent complaints, I decided to dig up this big hacker's old base, and then tease him with the cruelty of it. So I am not censoring anything in this chapter: one reason is to hang him on the wall, the other is to let the big hacker have a look and understand.

First of all, searching his Baidu account, it is not hard to find that Xiaoba, the big hacker, has been in the Yi language business for a long time

This is the post:

First of all: I really don't like Yi language

Then: I really don't like Yi language's loyal users

Last but not least, I don't like the Yi language people who make machine-locking blackmail viruses

Further searching found that this guy was spreading his blackmail software everywhere, such as this

This, as well as this guy's footprints on various BBS forums

In a post on the "easy language bar", he happened to win the prize for his extortion software

Not afraid of extorting 1K yuan at a time. In the post, this guy has also come out to show his experience. It seems he is very proud of his extortion software

Unfortunately, this guy's blackmail virus was cracked in five steps by a passing wild god as soon as it was released

But obviously this guy didn't agree

Then the big hacker began to show off his "heroic deeds"

Obviously his old blackmail software had already been picked clean by the big guys at "watching the snow" (the Kanxue forum), but he still persevered in making more "new versions"

Let's go back to the blackmail virus

That is, the blackmail software advertised as "RSA + AES encryption" (in fact, no; the big hacker doesn't seem to know what RSA and AES are). Put it into a virtual machine and attach OllyDbg. Obviously the big hacker only knows packing as an anti-debugging measure. This blackmail software uses the UPX packer, which is simply useless: after all, a compression packer leaves the program completely naked once it is executing

Then Alt+M opens the memory map; search for 8b5424048b4c240885d275, which is the signature of the Easy Language string comparison

Analysing this signature, it occurs in two places in this program, and the one comparing the registration code is the second. Jump to this address and set a breakpoint

In the blackmail software's dialog, enter anything you like, start "recovering the files", and the breakpoint is hit

On the first hit, the blackmail software first checks whether the string is empty; on the second comparison it compares it with the correct key. In the second comparison the correct key is plainly visible (in the stack pane at the lower right)

It doesn't matter. We keep stepping until RETN to find out where it returns. After returning, a few more steps and we basically know what's going on

Cracking it is easy: either fill the JE with NOP, or set EAX to 0 after the call to the comparison function; of course, the most direct way is to change the following code

Into this

Soon, this essentially trivial ransomware was disarmed and surrendered

As for what he said about RSA and AES, it's a joke. With his IQ, he has no anti-reverse-engineering or data-encryption capability at all
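An added example, not the post's own cracker or code from the sample: a Python helper that scans a dump of the unpacked in-memory image for the Easy Language string-compare signature named above and resolves the short jnz that ends it, so the two hits (the second being the key comparison) can be located without stepping through OllyDbg by hand. The image base 0x400000 and the dump contents are constructed assumptions.

```python
# Added example (not the post's cracker): locate the Easy Language string-compare
# prologue the post searches for with Alt+M, in a dump of the unpacked in-memory image.
EL_STRCMP_SIG = bytes.fromhex("8b5424048b4c240885d275")
# Byte by byte, the signature is:
#   8B 54 24 04   mov edx, [esp+4]      ; first text argument
#   8B 4C 24 08   mov ecx, [esp+8]      ; second text argument
#   85 D2         test edx, edx         ; is the first text pointer NULL (empty string)?
#   75 rel8       jnz short <not-empty> ; the rel8 byte follows the signature
SIG_LEN = len(EL_STRCMP_SIG)

def find_signature(image: bytes, base: int = 0x400000) -> list:
    """Return the virtual address of every occurrence of the signature in the dump."""
    hits, pos = [], image.find(EL_STRCMP_SIG)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(EL_STRCMP_SIG, pos + 1)
    return hits

def jnz_target(image: bytes, va: int, base: int = 0x400000) -> int:
    """Resolve the short jnz that closes the prologue: target = next_ip + signed rel8."""
    rel8 = image[va - base + SIG_LEN]
    if rel8 >= 0x80:                      # rel8 is a signed byte
        rel8 -= 0x100
    return va + SIG_LEN + 1 + rel8

def locate_compare_stubs(image: bytes, base: int = 0x400000) -> list:
    """(prologue address, non-empty branch target) for each hit. The post says the
    registration-code check is the second hit, so that is where a breakpoint goes."""
    return [(va, jnz_target(image, va, base)) for va in find_signature(image, base)]

# Constructed stand-in for a memory dump (not the real sample): two prologues among
# filler, mirroring the post's observation that the signature occurs twice.
SAMPLE_DUMP = (b"\x90" * 0x10 + EL_STRCMP_SIG + b"\x0e" + b"\xcc" * 0x20
               + EL_STRCMP_SIG + b"\x10" + b"\xcc" * 8)

if __name__ == "__main__":
    for va, target in locate_compare_stubs(SAMPLE_DUMP):
        print(f"string compare at {va:#010x}, non-empty branch -> {target:#010x}")
```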

To make the face-slapping thorough, based on the above principles I wrote a small one-click cracking program. The code is not long; you can copy, paste and compile it directly. The release build and source code of this program can be found in the attachment


Copy the cracking program to the infected computer, double-click to run it, and it will report that the crack succeeded

Then enter any password to start decryption

At this point the blackmail software is declared fallen, but we're in no hurry. Let's play the long game

Copy the ransomware into the virtual machine and use pedoll for behaviour analysis

A tutorial on pedoll is available on the forum; here we use "malware analysis (debugging with network)"

After attaching, analyse the behaviour

Click "start analysis". You can see that after executing several CMD commands, the program sets itself to run at startup, then begins a frantic search and encrypts files

Assembly, C and C# source files, doc/ppt/docx document files, all fall victim; then it drops the wallpaper image

Finally pedoll captured the network communication packets. They should be some Yi language plug-in visiting Baidu

Then came the climax: the software sent some data to port 25

What is port 25? That's right, SMTP, the protocol for sending mail. To send mail you must have an account and password. It seems that besides his blackmail skills, the big hacker is also very accomplished at telling others his account password. Click the data to inspect the packets on port 25

What's more, the packet after AUTH LOGIN is his account in Base64, and the next one sent is his password in Base64. Of course, the software also takes a screenshot of your computer and sends it out by email

Decode the Base64 to get the account

Message sent (host configuration, serial number and unlock key):
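An added example (not the post's tooling) of what a responder can do with the port 25 capture just described: parse the SMTP transcript, decode the Base64 AUTH LOGIN exchange to show that the sample leaks its mailbox credentials in cleartext, and pull out the DATA body that carries the host configuration, serial number and unlock key, so a victim's key can be recovered from their own network capture. The transcript, mailbox name, password, host and key are constructed placeholders.

```python
import base64
import re

def _b64(text: str):
    """Decode one Base64 token; return None if it is not valid Base64."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def parse_smtp_session(transcript: str) -> dict:
    """Return {'username', 'password', 'body'} recovered from an SMTP transcript."""
    found = {"username": None, "password": None, "body": None}
    state, body = None, []               # state: None | "user" | "pass" | "data"
    for line in transcript.splitlines():
        if state == "data":
            if line == ".":              # end-of-DATA marker
                found["body"], state = "\n".join(body), None
            else:
                body.append(line)
            continue
        if re.match(r"\d{3}[ -]", line):  # server reply
            if line.startswith("334 "):  # AUTH LOGIN challenge, itself Base64
                state = {"Username:": "user", "Password:": "pass"}.get(_b64(line[4:]), state)
            elif line.startswith("354"):
                state = "data"
            continue
        if line.upper().startswith("AUTH LOGIN"):
            rest = line[10:].strip()     # initial-response form: AUTH LOGIN <b64 user>
            if rest:
                found["username"] = _b64(rest)
        elif state == "user":            # client answer to the Username: challenge
            found["username"], state = _b64(line), None
        elif state == "pass":            # client answer to the Password: challenge
            found["password"], state = _b64(line), None
    return found

# Constructed transcript (mailbox, password, host and key are placeholders, not real values).
SAMPLE_SESSION = "\r\n".join([
    "220 mail.example.com ESMTP", "EHLO VICTIM-PC", "250 mail.example.com",
    "AUTH LOGIN", "334 VXNlcm5hbWU6", base64.b64encode(b"ransom-bot@example.com").decode(),
    "334 UGFzc3dvcmQ6", base64.b64encode(b"constructed-secret").decode(),
    "235 Authentication successful", "MAIL FROM:<ransom-bot@example.com>",
    "RCPT TO:<ransom-bot@example.com>", "DATA", "354 End data with <CR><LF>.<CR><LF>",
    "Subject: locked", "", "host: VICTIM-PC", "serial: SERIAL-PLACEHOLDER",
    "key: KEY-PLACEHOLDER", ".", "250 OK", "QUIT",
])
```

The same parser handles the initial-response variant where the client sends the Base64 username on the AUTH LOGIN line itself.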

Code? No need. Log in and play. Open it in Foxmail and let's see what's there

It seems that besides what we just tested, a lot of people have been locked

And victims asking for the code. How straightforward do you think other people are

OK, you're not polite, and I'm not merciful. Soon, I found something interesting

This email, obviously, is the one the author used for his own testing. He sent himself the source code of his great work. OK, since it's here, let's happily open-source it. Of course, there is also a screenshot of his computer desktop; let's share it too. All the source code can be downloaded in the attachment

Of course, there are other interesting things

For example, when the big hacker was testing, his IP was also handed to us. For example, the computer named Xiaoba didn't get away

At this point most of the big hacker's base has been turned over. I downloaded all his emails and put them in the attachment. Happy? Think it's over? Of course not. How could we not continue

I started with an alt account, pretending to be a victim, and emailed him

To show that we were "in a hurry", we sent several more copies. Oh, and the virtual machine takes another screenshot to show our "sincerity"

Now we wait for him to take the bait, then deal him a mental blow. Unexpectedly, he replied quickly

Cough, cough

I want money. If I don't show you something, you won't know how cruel it is

The big hacker is suddenly confused. Why has the mailbox been hacked?

I'm afraid the hacker won't sleep tonight. This article will make you understand

The end: releasing the package of the big hacker's emails & the one-click cracker & some other things; reply to see.

Blackmail software cracker + source code:

Source code of Xiaoba software:

Mail package download (open with Foxmail):