Last active
January 7, 2022 13:24
-
-
Save KSHMK/e378dfeb31a87ea8a76af6262eca75e9 to your computer and use it in GitHub Desktop.
A research on file decryption through memory dumps at ransomware Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| from struct import unpack,pack | |
| from Crypto.Cipher import AES | |
| from Crypto.PublicKey import RSA | |
| from Crypto.Cipher import PKCS1_v1_5 | |
| if __name__ == "__main__": | |
| if len(sys.argv) != 3: | |
| print(f"{sys.argv[0]} Encrypted File decrypt_key.pem") | |
| sys.exit() | |
| # Read encrypted file data | |
| Encrypted_File_Name = sys.argv[1] | |
| Encrypted_File_Data = b'' | |
| with open(Encrypted_File_Name,"rb") as f: | |
| Encrypted_File_Data = f.read() | |
| # Parse encrypted file data | |
| magic, \ | |
| key_len, \ | |
| encrypted_aes_key, \ | |
| file_code, \ | |
| file_length = unpack("<8sI256sIQ",Encrypted_File_Data[0x00:0x118]) | |
| encrypted_data = Encrypted_File_Data[0x118:] | |
| # Read decrypt key pem | |
| decrypt_key_pem = b'' | |
| with open(sys.argv[2],"rb") as f: | |
| decrypt_key_pem = f.read() | |
| # Load private key | |
| rsa_private_key = RSA.import_key(decrypt_key_pem) | |
| cipher = PKCS1_v1_5.new(rsa_private_key) | |
| # Decrypt aes key | |
| decrypted_aes_key = cipher.decrypt(encrypted_aes_key[::-1],b'error') | |
| # Load AES 128 CBC key | |
| crypto = AES.new(decrypted_aes_key, AES.MODE_CBC,b'\x00'*16) | |
| # Decrypt data | |
| decrypted_data = crypto.decrypt(encrypted_data) | |
| Decrypted_File_Name = Encrypted_File_Name.replace(".WNCRY","") | |
| with open(Decrypted_File_Name,"wb") as f: | |
| f.write(decrypted_data[:file_length]) | |
| print(f"Decrypt {Decrypted_File_Name}") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| from struct import unpack,pack | |
| from Crypto.PublicKey import RSA | |
| def egcd(a, b): | |
| x,y, u,v = 0,1, 1,0 | |
| while a != 0: | |
| q, r = b//a, b%a | |
| m, n = x-u*q, y-v*q | |
| b,a, x,y, u,v = a,r, u,v, m,n | |
| gcd = b | |
| return gcd, x, y | |
| if __name__ == "__main__": | |
| if len(sys.argv) != 3: | |
| print(f"{sys.argv[0]} DMP File pky File") | |
| sys.exit() | |
| # Read DMP data | |
| DMP_Data = b'' | |
| with open(sys.argv[1],"rb") as f: | |
| DMP_Data = f.read() | |
| # Read pky data | |
| pky_Data = b'' | |
| with open(sys.argv[2],"rb") as f: | |
| pky_Data = f.read() | |
| # Parse N and E | |
| E = unpack("<I",pky_Data[0x10:0x14])[0] | |
| N = int.from_bytes(pky_Data[0x14:0x114],byteorder='little') | |
| # Find P with Sliding Window algorithm | |
| found_p = False | |
| for i in range(len(DMP_Data)-0x80): | |
| P = int.from_bytes(DMP_Data[i:i+0x80],byteorder='little') | |
| if P == 0 or P == 1: | |
| continue | |
| if N % P == 0: | |
| found_p = True | |
| break | |
| del P | |
| if found_p == False: | |
| print("Failed to Find Prime number!") | |
| sys.exit() | |
| # Calculate Q, D | |
| Q = N // P | |
| phi = (P-1)*(Q-1) | |
| gcd, a, b = egcd(E, phi) | |
| D = a | |
| print("Found P, Q") | |
| print("P:",hex(P)) | |
| print("Q:",hex(Q)) | |
| # Save RSA Private key as PEM | |
| key_params = (N, E, D, P, Q) | |
| RSA_Private_key = RSA.construct(key_params) | |
| RSA_Private_key_PEM = RSA_Private_key.export_key() | |
| with open("decrypt_key.pem","wb") as f: | |
| f.write(RSA_Private_key_PEM) | |
| print("Save Private key at decrypt_key.pem!") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment