Skip navigation.
Home

Decrypting created files?

|

I'm new to reversing malware but i'm chugging along, however this file creates some encrypted text files to send back to the master's website. Do you have any links to share about decrypting or how to find the decryption key/hash for files created in this manner? I hope I'm making sense here lol.

Thanks in advance

Hi. Can you share the

Hi.
Can you share the malware?

well

if you upload the sample and provide us the md5sum I can pull it apart and try to figure out the encryption for you. A good site to read on for reverse engineering is openrce.org. I think i even saw an article on generic decryption there.

It might just be a matter of putting it in a debugger and pausing it before it encrypts, but youll have to figure out when that is by disassemblinig it.

V>

i think you won't come

i think you won't come around to learn reverse engineering. it's hard to say: "what's a generic way for decrypting code (polymorph or even metamorph). there are some generic indicators to detect when an unpacker has finished it's work, like looking for a long jump (unpacker stub --> to OEP) or a typically visual c start (setup of stack frame, installing of SEH, getversion(), getcommandline() ), but in your case you're searching for a decryption routine that decrypts textdata, so maybe looking for mnems like xor, shr, shl, rol, ror, sub, add might be a good idea like this one here:

repeat:
mov esi, eax
shl eax, 7
shr esi, 19h
or esi, eax
movsx eax, cl
mov cl, [edx+1]
xor eax, esi
inc edx
test cl, cl
jnz repeat:

contingently the malware might use well know algorithms for encryption. than the IDA plugin findcrypt v2 will help you to find code that does encryption using blowfish, 3des, aes etc.

but without proper RE knowledge it's hard to have success.

cheers,
frank boldewin

Finally

ok I've been away from my machine for the last 2 weeks or so but I haven't forgotten about you here is the info for the dll
MD5SUM: 8911f4e0b95167972d54bb3501b8dc47
SHA1SUM: 58047d1bedb5277ce77486a45a35a8fb5e7a024c
SHA256SUM: 82f32a8530c2467b20555c42db7d4af1e061cfd39bca9bcd146fb09540a594b3

Quick synopsis, the dll creates some reg keys and attaches itself to svchost.exe and looks for it's masters website. When it finds it it downloads the contents of a webpage. It's obfuscated data on the webpage though so you cant read it. The dll de-obfuscates (is that a real word??) the command and runs them. Then writes some obfuscated crap to a file and sends it back to the masters website. And that's where I'm stuck, I can see whats happening but I just can't find the obfuscation method, even with the FANTASTIC info from Frank. So here you go I'm sure it'll be easy for those with more experience so if you could give me some info on how you could recognize where it was at or how you did it that would be great. Thanks a lot for your patience!!!
BTW: I have the dropper somewhere and I'll post that too when I can find it.

Post a link to the DLL file,

Post a link to the DLL file, put it in a zip or rar archive with a password, then upload it to some free file host site and give us the link. Thanks.

http://www.megaupload.com/?d=

http://www.megaupload.com/?d=AOGUHHZB
password is "malware"