{"id":1717,"date":"2024-03-04T11:44:05","date_gmt":"2024-03-04T02:44:05","guid":{"rendered":"https:\/\/h4ck.kr\/?p=1717"},"modified":"2024-05-20T13:28:24","modified_gmt":"2024-05-20T04:28:24","slug":"ransomware","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=1717","title":{"rendered":"Ransomware"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">readme.txt<\/h2>\n\n\n\n<p>Decrypt File (EXE)<\/p>\n\n\n\n<p>By Pyutic<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Exeinfo PE<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"542\" height=\"257\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-16.png\" alt=\"\" class=\"wp-image-1718\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-16.png 542w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-16-300x142.png 300w\" sizes=\"auto, (max-width: 542px) 100vw, 542px\" \/><\/figure>\n\n\n\n<p>UPX\ub85c \ud328\ud0b9\ub418\uc5b4\uc788\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">C:\\Users\\seo\\Documents\\upx-4.2.2-win64>upx.exe -d C:\\Users\\seo\\Desktop\\ransomware\\run.exe\n                       Ultimate Packer for eXecutables\n                          Copyright (C) 1996 - 2024\nUPX 4.2.2       Markus Oberhumer, Laszlo Molnar &amp; John Reiser    Jan 3rd 2024\n\n        File size         Ratio      Format      Name\n   --------------------   ------   -----------   -----------\n    311296 &lt;-     10240    
3.29%    win32\/pe     run.exe\n\nUnpacked 1 file.<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>\uc815\uc801\ubd84\uc11d\uc744 \uc704\ud574 \uc5b8\ud328\ud0b9\ud574\ubcf4\uc790.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Decompiled-src<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">main<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.text:004135E9                 pusha\n.text:004135EA                 popa\n.text:004135EB                 nop\n.text:004135EC                 push    eax\n.text:004135ED                 pop     eax\n.text:004135EE                 push    ebx\n.text:004135EF                 pop     ebx\n...<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>main \ud568\uc218\uc758 \ud504\ub864\ub85c\uadf8 \ucabd\uc744 \uc0b4\ud3b4\ubcf4\uba74 \uc704\uc640 \uac19\uc740 \uba85\ub839\uc5b4, \uc4f8\ubaa8\uc5c6\ub294 \ub354\ubbf8 \ucf54\ub4dc\uac00 \uacc4\uc18d \ubc18\ubcf5\ub41c\ub2e4.<br>\uc774\ub85c \uc778\ud574 IDA\uc5d0\uc11c Pseudo Code\ub85c \ubcc0\ud658\ud558\ub294\ub370 \uc5b4\ub824\uc6c0\uc774 \uc0dd\uae30\ub294\ub370,  <\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" 
data-enlighter-group=\"\">.text:004135E0                 push    ebp\n.text:004135E1                 mov     ebp, esp\n.text:004135E3                 sub     esp, 24h\n.text:004135E6                 push    ebx\n.text:004135E7                 push    esi\n.text:004135E8                 push    edi\n.text:004135E9                 jmp     loc_44A775<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p><strong>004135E9: 60 61 90 50 58 53 -&gt; E9 87 71 03 00 90 (jmp loc_44A775)<\/strong><\/p>\n\n\n\n<p>004135E9 \uc8fc\uc18c\ub97c \ub354\ubbf8 \ucf54\ub4dc\uac00 \ub05d\ub09c \ub4a4\uc758 \uc9c0\uc810\uc73c\ub85c \uc810\ud504\ud558\ub3c4\ub85d \uba85\ub839\uc5b4\ub97c \ud328\uce58\ud574\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  unsigned int v4; \/\/ [esp+Ch] [ebp-24h]\n  FILE *v5; \/\/ [esp+1Ch] [ebp-14h]\n  unsigned int v6; \/\/ [esp+20h] [ebp-10h]\n  int v7; \/\/ [esp+28h] [ebp-8h]\n  unsigned int i; \/\/ [esp+28h] [ebp-8h]\n  unsigned int j; \/\/ [esp+28h] [ebp-8h]\n  FILE *Stream; \/\/ [esp+2Ch] [ebp-4h]\n\n  printf(\"Key : \");\n  sub_401000();\n  scanf(\"%s\", byte_44D370);\n  v4 = strlen(byte_44D370);\n  sub_401000();\n  v7 = 0;\n  Stream = fopen(\"file\", \"rb\");\n  sub_401000();\n  if ( !Stream )\n  {\n    sub_401000();\n    printf(asc_44C1C4);\n    sub_401000();\n    exit(0);\n  }\n  fseek(Stream, 0, 2);\n  sub_401000();\n  v6 = ftell(Stream);\n  sub_401000();\n  rewind(Stream);\n  sub_401000();\n  while ( !feof(Stream) )\n  {\n    sub_401000();\n    
byte_5415B8[v7] = fgetc(Stream);\n    sub_401000();\n    ++v7;\n    sub_401000();\n  }\n  sub_401000();\n  for ( i = 0; i &lt; v6; ++i )\n  {\n    byte_5415B8[i] ^= byte_44D370[i % v4];\n    sub_401000();\n    byte_5415B8[i] = ~byte_5415B8[i];\n    sub_401000();\n  }\n  fclose(Stream);\n  sub_401000();\n  v5 = fopen(\"file\", \"wb\");\n  sub_401000();\n  sub_401000();\n  for ( j = 0; j &lt; v6; ++j )\n  {\n    fputc(byte_5415B8[j], v5);\n    sub_401000();\n  }\n  printf(asc_44C1E8);\n  sub_401000();\n  return getch();\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>Key \uac12\uc744 \uc785\ub825\ubc1b\uace0 <code>file<\/code>\uc744 fopen\ud558\uc5ec <br>key\uac12\uc758 \ud55c\ubc14\uc774\ud2b8\uc529 \uc21c\ud68c\ud558\uba74\uc11c XOR, 0xff\uc640 \ud55c\ubc88\ub354 XOR \uc5f0\uc0b0\uc744 \ud558\uace0 \uc788\uc5c8\ub2e4.<br>\uadf8\ub807\uac8c \uc5f0\uc0b0\ub41c \ub370\uc774\ud130\ub294 file\ub85c \ub2e4\uc2dc \uc800\uc7a5\ud55c\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">sub_401000<\/h3>\n\n\n\n<p>main \ud568\uc218\uc758 \uc911\uac04\uc911\uac04\uc5d0 sub_401000 \ud568\uc218\uac00 \ud638\ucd9c\ub418\ub294 \uac83\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.text:00401006                 pusha\n.text:00401007                 popa\n.text:00401008                 nop\n.text:00401009                 push    eax\n.text:0040100A                 pop     eax\n.text:0040100B                 push    ebx\n.text:0040100C                 pop     
ebx\n...<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p><br>\ub9c8\ucc2c\uac00\uc9c0\ub85c \ud504\ub864\ub85c\uadf8\uc5d0\ub294 \uc704\uc640 \uac19\uc740 \ub354\ubbf8\ucf54\ub4dc\uac00 \uc788\uc5c8\uace0,<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.text:00401000                 push    ebp\n.text:00401001                 mov     ebp, esp\n.text:00401003                 push    ebx\n.text:00401004                 push    esi\n.text:00401005                 push    edi\n.text:00401006                 jmp     loc_4135CE<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p><strong>00401006: 60 61 90 50 58 -&gt; E9 C3 25 01 00 (jmp loc_4135CE)<\/strong><\/p>\n\n\n\n<p>\uc774\uac83 \uc5ed\uc2dc \ub354\ubbf8 \ucf54\ub4dc\uac00 \ub05d\ub09c \ub4a4\uc758 \uc9c0\uc810\uc73c\ub85c \uc810\ud504\ud558\ub3c4\ub85d \uba85\ub839\uc5b4\ub97c \ud328\uce58\ud574\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void sub_401000()\n{\n  ;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>\ub530\ub77c\uc11c \uc554\ud638\ud654\uc2dc\ud0a4\ub294 \ucf54\ub4dc\ub97c \ud30c\uc774\uc36c3\ub85c \uad6c\ud604\ud558\ub2e4\uba74 \uc544\ub798\uc640 
\uac19\ub2e4. (Key\uc758 \uacbd\uc6b0, \uc784\uc758\ub85c ABCD\ub85c \uc9c0\uc815)<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">with open(\"file\", 'rb') as f:\n    data = f.read()\n\nkey = b\"ABCD\"\nenc = []\n\nfor i in range(len(data)):\n    val = data[i] ^ key[i%len(key)]\n    val = val ^ 0xff\n    print(hex(val), end=' ')\n    enc.append(val)\n\nenc = bytearray(enc)\n\nwith open(\"file_encrypted\", 'wb') as f:\n    f.write(enc)<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">get_key.py<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">exe_header =  b\"\\x4D\\x5A\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\"\nexe_header += b\"\\xB8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\nwith open(\"file\", 'rb') as f:\n    data = f.read()\n\nfor i in range(len(data)):\n    val = data[i] ^ exe_header[i%len(exe_header)]\n    val = val ^ 0xff\n    print(chr(val), end=' ')\n\n    if(i>25):\n        break<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>readme.txt \ud30c\uc77c\uc5d0 
\uc554\ud638\ud654\ub41c \ud30c\uc77c\uc774 exe\ub77c\ub294 \uac83\uc744 \uc54c\ub824\uc8fc\uace0 \uc788\ub2e4.<br>\ub530\ub77c\uc11c exe \uc2dc\uadf8\ub2c8\ucc98\uc640 xor\ud558\uba74 key\uac12\uc744 \uc54c \uc218 \uc788\ub2e4.<br>이는 반복 키 XOR에 대한 알려진 평문 공격(known-plaintext attack)이다. 암호문 = 평문 ^ key[i % len(key)] ^ 0xFF 이므로, 평문을 아는 바이트마다 암호문 ^ 평문 ^ 0xFF 로 키 바이트 하나가 그대로 복구된다. PE 파일의 DOS 헤더 앞 32바이트(MZ 시그니처와 그 뒤의 고정 스텁 필드)는 MSVC 링커로 만든 실행 파일에서 대개 동일하므로 이를 알려진 평문으로 쓸 수 있다. 단, 키 길이가 알려진 평문보다 길면 키의 일부만 복구되므로, 아래 출력처럼 같은 문자열이 반복되는 주기를 보고 키 길이를 확인해야 한다.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">PS C:\\Users\\Seo Hyun-gyu\\Desktop\\reversing_ransomware> python3 .\\get_key.py\nl e t s p l a y c h e s s l e t s p l a y c h e s s l <\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>key\ub294 letsplaychess\uc600\ub2e4. 출력 27바이트에서 13자 주기로 같은 문자열이 두 번 반복되므로 키 길이가 13임도 함께 확인된다.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"999\" height=\"780\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-17.png\" alt=\"\" class=\"wp-image-1719\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-17.png 999w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-17-300x234.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-17-768x600.png 768w\" sizes=\"auto, (max-width: 999px) 100vw, 999px\" \/><\/figure>\n\n\n\n<p>\ubcf5\ud638\ud654\ub41c exe \uc2e4\ud589\ud30c\uc77c\uc744 \uc5bb\uc5c8\ub2e4.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"542\" height=\"257\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-18.png\" alt=\"\" class=\"wp-image-1720\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-18.png 542w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/03\/image-18-300x142.png 300w\" sizes=\"auto, (max-width: 542px) 100vw, 542px\" 
\/><\/figure>\n\n\n\n<p>\ub9c8\ucc2c\uac00\uc9c0\ub85c upx \ud328\ud0b9\uc774 \ub418\uc5b4\uc788\uc5c8\uace0, \ud328\ud0b9\uc744 \ud480\uc5b4\uc11c \uc2e4\ud589 \ud30c\uc77c\uc744 \ud655\uc778\ud574\ubcf4\uc790<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int wmain_0()\n{\n  printf(\"Key -> Colle System\");\n  getch();\n  return 0;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">FLAG<\/h2>\n\n\n\n<p><strong>Colle System<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>readme.txt Decrypt File (EXE) By Pyutic Exeinfo PE UPX\ub85c \ud328\ud0b9\ub418\uc5b4\uc788\ub2e4. \uc815\uc801\ubd84\uc11d\uc744 \uc704\ud574 \uc5b8\ud328\ud0b9\ud574\ubcf4\uc790. 
Decompiled-src main main \ud568\uc218\uc758 \ud504\ub864\ub85c\uadf8 \ucabd\uc744 \uc0b4\ud3b4\ubcf4\uba74 \uc704\uc640 \uac19\uc740 \uba85\ub839\uc5b4, \uc4f8\ubaa8\uc5c6\ub294 \ub354\ubbf8 \ucf54\ub4dc\uac00 \uacc4\uc18d \ubc18\ubcf5\ub41c\ub2e4.\uc774\ub85c \uc778\ud574 IDA\uc5d0\uc11c Pseudo Code\ub85c \ubcc0\ud658\ud558\ub294\ub370 \uc5b4\ub824\uc6c0\uc774 \uc0dd\uae30\ub294\ub370, 004135E9: 60 61 90 50 58 53 -&gt; E9 87 71 03 00 90 (jmp loc_44A775) 004135E9 \uc8fc\uc18c\ub97c \ub354\ubbf8 \ucf54\ub4dc\uac00&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=1717\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">Ransomware<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[16],"tags":[24],"class_list":["post-1717","post","type-post","status-publish","format-standard","hentry","category-reversing-kr","tag-reversing"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1717"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1717\/revisions"}],"predecessor-version":[{"id":1722,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/w
p\/v2\/posts\/1717\/revisions\/1722"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}