Full reverse (disassembly) of an infection decrypter app that uses custom XOR, and cracking of the custom XOR.

Completed. Posted May 23, 2014. Paid on delivery.

There is an infection that encrypts people's files, and when you pay them you get a decrypter that decrypts them. I have disassembled this to the point where I have the function that decrypts in C# now, and have even made a flow diagram of how the encryption works. But I need someone to be able to disassemble it more, to get enough information, and then crack the custom encryption. I know it's crackable, as it is XOR. But they customized it to use it in a CFB kind of way. If you know cryptography and assembly, please contact me.

Also, the decrypter EXE is highly obfuscated with a custom obfuscator, so it does take time to figure out which functions are junk and which are real.

To avoid confusion I would like to explain further:

I have been battling this infection I got, which encrypts my files in 512-byte chunks, together with a friend. We have managed to find what we think is the decryption function in IDA (the code is heavily obfuscated), from a user who paid for the decrypter. Below is the C dump of the encryption function:

=============================================
/* IDA Hex-Rays pseudocode as dumped. LOBYTE() and __ROL__() are IDA's defs.h
   macros: the low byte of an int, and a 32-bit rotate left.
   a1 = buffer, a2 = byte count, a3/a4 = two 32-bit inputs used by the loop. */
int __stdcall sub_40C78E(int a1, int a2, int a3, int a4)
{
  int result;
  char v5;
  int v6;
  int v7;
  int v8;

  v7 = a1;                       /* current byte pointer */
  v6 = a2;                       /* bytes remaining */
  v5 = 0;                        /* byte written in the previous round; 0 for the first byte */
  result = 0;
  if ( a2 )
  {
    v8 = a3;                     /* running 32-bit state, seeded with a3 */
    do
    {
      LOBYTE(v8) = v5 + v8;      /* add the previous output byte into the low byte of the state */
      *(_BYTE *)v7 ^= v8;        /* XOR the buffer byte with the low byte of the state */
      v5 = *(_BYTE *)v7++;       /* remember the byte just written (the output), advance */
      v8 = __ROL__(a4 + v8, 8);  /* state = rol32(state + a4, 8) */
      --v6;
    }
    while ( v6 );
    result = v8;                 /* the final state is handed back to the caller */
  }
  return result;
}
====================================================

What we have found with this infection is that if you XOR the first byte of the ciphertext with the plaintext, you get a key byte you can use to get the first byte of every file back. Which makes sense with this function, because the first time through the loop the key is added to 0, which means it is simply the key. But then this guy used some type of weird CFB-type XOR encryption where it uses the previous XOR'ed byte with the key next.


So basically, let me sum it up here. You will need to know assembly language and C to reverse this thing (probably using IDA and Olly). The decryption function above in C I converted to .NET and removed all the junk, and this is what I would need you to do for the whole EXE. The first step would be reversing the whole EXE into a .NET (your choice of language) solution that I can open up and use to decrypt the test file I have. Once this is done, the second step is to go through the XOR encryption and crack it / make a universal decrypter for it. This should be easy as it is only XOR, with a little trick. The EXE is extremely small (66KB) and has very few functions in it, so other than the obfuscation in the EXE, reversing should be easy for someone who knows assembly.

If you think you know how to make a universal decrypt function from the function above alone, also contact me. We always know the plaintext value of the original file, so an XOR plaintext attack can be used.

Please contact me for more details.

Please know that the major goal in this job is to give me a method to universally reverse the encryption this EXE uses to encrypt files (XOR with a twist?), not really to have the reversed source for the EXE. Though I think you may need to reverse nearly the whole thing to understand it. Good luck.

Added the decrypter file and the encrypted files that it decrypts.

00000002-4C905D61.rar - Decrypter File
00000002-4C905D61-FILES.rar - Encrypted Files

The password to the RARs is "123".

Also I have included some of my custom notes on this encryption. Attached are 2 PDFs: one I used to explain the terminology of the encryption, and the other is a flow diagram of the encryption. I also included my whack at turning the first decryption function I found (above in the post) into C#.

Notes.rar - 2 PDFs and a .CS

The password to the RAR is "123".


Good luck.

.NET Assembly C Programming Cryptography x86/x64 Assembler

Project ID: #5981565

About the project

8 proposals. Remote project. Active May 26, 2014.

Awarded to:

GreenPanda

Hi, my name is Mohamed Shetta. I have experience in reverse code engineering. I do malware research, vulnerability research and reversing for the purpose of decompilation. I have already found vulnerabilities i…

$333 USD in 5 days (0 reviews, 0.0 rating)

8 freelancers are bidding on average $466 for this job

vietitdotinfo

Hi. I have experience in encryption/decryption/reversing. I have done a lot of similar projects. I am ready to do it for you. Thanks!

$1500 USD in 5 days (52 reviews, 6.2 rating)
dragomirvw

Hello, I have experience with debugging similar malware programs. However, I think that this is a very difficult job and that is why my bid is higher than the budget you have specified. Please contact me if you wan…

$750 USD in 30 days (73 reviews, 4.9 rating)
ysc2011

Can I have the full software? If you have it, send me the full package and details please.

$250 USD in 10 days (4 reviews, 3.4 rating)
MuradMurad

Hi, I recently worked on a project identifying an encryption algorithm and can help you with this task. In what language is the virus written?

$277 USD in 7 days (2 reviews, 2.9 rating)
shizong

I have read your requirement. I have 3 years of programming experience. I already have the skills your project needs. If you choose me, I will not let you down. I will wait for your reply.

$400 USD in 5 days (4 reviews, 2.4 rating)
BestDev007

Hi, I can do your project. Please send the app file for analysis; I will change my bid after that (maybe).

$350 USD in 2 days (3 reviews, 2.4 rating)
swifthorse

Hello, sir. I read your job posting with interest. I am very interested in your job. I am an excellent reverse engineer and have rich experience. I can use many debugging tools like IDA Pro and SoftICE. I have mo…

$388 USD in 3 days (2 reviews, 1.5 rating)
zaincheck

Dear, I can do this project for you. I did an MS in Information Security and am an Electronics Engineer. I will disassemble and can fix this bug. I already did this type of project and cracked the M209 machine.

$155 USD in 13 days (0 reviews, 0.0 rating)
waseemaslam85

Dear brother, I can do this for you. I am basically a cryptographer and can crack this algorithm. I work with full dedication and result-oriented effort. If you need further information, let me know.

$111 USD in 7 days (0 reviews, 0.0 rating)