Comments on RE Solver - Malware, ransomware analysis and a lot of fun with reverse engineering: "DE-Cr1pt0r tool - The Cr1pt0r ransomware decompiled decryption routine" (blog author: RESolver; 20 comments, newest first)

Anonymous (Benoit), 2019-07-01 11:09:
Hi, I am not able to get it compiled (Win7 32 bits / Dev-C++).
Could you by any chance give us your compile command?
Thanks in advance,
Benoit

Iluminador, 2019-07-01 00:15:
We are all following it, keep up the awesome work!!!

Anonymous, 2019-05-15 11:04:
Hi. Thank you for your big help. I just need to know the string to write in the command console. Is it just DE-Cr1pt0r.exe, or DE-Cr1pt0r.exe + enc (or enc.tmp)?
Thank you, Resolver

Anonymous, 2019-04-28 13:44:
And I picked up Cr1ptT0r. Ready to thank you for the decryptor.

borekon, 2019-04-02 03:19:
I'm just running it to see if I'm lucky enough to find it in one week. For testing purposes only.
Thanks anyway for your great job.

RESolver, 2019-04-02 03:02:
It's a single-thread application. You should write the appropriate multicore/multithread variant from the source, or better, one with NVIDIA CUDA support.
BTW, the decryptor is not intended to be used like that unless you're willing to let it run for the rest of your life :)

borekon, 2019-04-01 08:06:
I'm using the decryptor just to try before removing everything, but it takes only 12% of CPU. Could it be more powerful?

Anonymous, 2019-03-26 01:47:
Hello,
when I realized that my files were being encrypted I shut down my NAS, so Cr1ptT0r was unable to finish encrypting all my files (I have encrypted and unencrypted files).
By searching the drives of my NAS I found the install folder of Cr1ptT0r, and in this folder I found a directory called "Hidden Service"; in this folder there is a file called "Private_Key".
I can provide it if it can be useful for you to create a decryptor for us!!
Thanks for your job!

Anonymous, 2019-03-25 03:08:
Hello, I've found a file in the ransomware install folders.
The folder is called 'hidden service' and the file is called 'Private_Key'.
It contains the following (I have removed the key):
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

Can it be useful for you?

RESolver, 2019-03-20 13:23:
You can upload the keys and a picture of your NAS label (MAC and serial number). ;)

Neoray, 2019-03-18 16:23:
I have a lot of encrypted and unencrypted files, and the private key used to encrypt, to give if these files can help to resolve this. Small and large files: txt, video and IMG.
Regards

RESolver, 2019-03-13 17:19:
May the force be with us all!

Anonymous, 2019-03-13 08:24:
Gosh!
I'd prefer to pay you rather than the hackers if you find the tool to decrypt my files!!!
May the force be with you!!!

RESolver, 2019-03-13 04:53:
enc files here: https://www.sendspace.com/file/b8m06c

unsigned char recipient_pk[crypto_box_PUBLICKEYBYTES] = {
    0x3D, 0x3F, 0x78, 0x63, 0x3E, 0xA6, 0xA7, 0x99, 0xC4, 0xDC, 0xF2, 0x52, 0x2D, 0x90, 0x21, 0xC5,
    0x10, 0x31, 0xDE, 0x6B, 0xA3, 0xEB, 0xCF, 0x06, 0x1C, 0xC5, 0xCA, 0xF8, 0xF8, 0x43, 0xC5, 0x2F };

unsigned char recipient_sk[crypto_box_SECRETKEYBYTES] = {
    0xDB, 0xA2, 0xD4, 0x74, 0xC0, 0xB7, 0x2B, 0x62, 0x0E, 0xCD, 0xC8, 0x7F, 0x43, 0xEA, 0xAB, 0x2E,
    0x24, 0x65, 0x00, 0x91, 0x74, 0xDC, 0x03, 0xB4, 0x22, 0xC8, 0x48, 0x30, 0x1F, 0x19, 0xDD, 0x78 };

RESolver, 2019-03-13 04:18:
You should remove the last 0x7A bytes, which is the sum of length(_Cr1ptT0r_) + length(pubkey) + length(ciphertext) --> 0x0A + 0x20 + 0x50, starting from the end of the file. See the first picture in this post.
Btw, take a look at https://resolverblog.blogspot.com/2019/03/libsodium-sealed-boxes-multiple-32.html
Starting from the fact that only 32 private keys are allowed and they are practically adjacent to each other does not contribute to reducing the brute-force time significantly; therefore brute force remains a theoretical approach and is not intended as a solution.
You need years of runtime to get the key.

800leaan, 2019-03-11 03:37:
"and strip the last 0x7A"
What do you mean? Do I have to remove the "_Cr1ptT0r_" string from my file before feeding it to your software?

Thank you for your work :)

Vahé Damassian, 2019-03-11 02:11:
Keep up the good work, kind code warrior.

Zauber, 2019-03-08 11:40:
That's great, thanks! I've got it compiled and running now, and I'm working on getting it multi-threaded for speed, but I'm a little worried I might have made a mistake. Any chance you can share your encrypted test file & key, so I can test my work without having to wait for it to run through?

RESolver, 2019-03-08 02:08:
Hi,
link fixed in the post.
I was using the mingw precompiled ones because of the DEV-C++ IDE.
You can choose the right one for you from the libsodium GitHub releases:
https://github.com/jedisct1/libsodium/releases
Bye

Zauber, 2019-03-07 15:08:
Thanks for this! I really appreciate the work you are doing.

I only use Linux, and it looks like this is only for Windows? Do you have a Linux version? I'm trying to build it myself, but I'm not finding it easy :(. Are the include statements supposed to have a space in them? gcc doesn't seem to like that.

The libsodium library link doesn't work. I clicked it and it doesn't go anywhere; where can I get that?
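The 0x7A-byte trailer described in RESolver's 2019-03-13 reply above, as an added example that is not code from the original post or from the DE-Cr1pt0r tool: a small Python script that cuts the trailer off an encrypted file, so the body can be handed to the decryptor, and saves the public key and the sealed-box ciphertext separately for later key work. The trailer length and its three components (10-byte "_Cr1ptT0r_" marker, 32-byte public key, 0x50 bytes of ciphertext) come from the thread; the order of the three fields inside the trailer, the ".stripped"/".trailer" output names and the sample bytes are assumptions made here, and the script refuses to split when the marker is not where the assumed layout puts it.

```python
"""Strip and parse the 0x7A-byte Cr1ptT0r trailer described in the comment thread.

Added example, not part of the original post or the DE-Cr1pt0r tool.
Facts taken from the thread: the trailer is the last 0x7A bytes of an encrypted
file and is the sum of the 10-byte "_Cr1ptT0r_" marker, a 32-byte public key
(crypto_box_PUBLICKEYBYTES) and 0x50 bytes of libsodium sealed-box ciphertext.
ASSUMPTION (not confirmed by the thread): the fields are laid out in that order,
marker first. Check it against the hexdump in the post before relying on it.
"""
import sys

MARKER = b"_Cr1ptT0r_"          # 0x0A bytes, from the thread
PUBKEY_LEN = 0x20               # crypto_box_PUBLICKEYBYTES
CIPHERTEXT_LEN = 0x50           # crypto_box_SEALBYTES (48) + 32-byte payload; payload size is an inference
TRAILER_LEN = len(MARKER) + PUBKEY_LEN + CIPHERTEXT_LEN   # 0x7A, as stated in the thread


def split_trailer(data: bytes) -> tuple[bytes, bytes, bytes]:
    """Split an encrypted file into (body, pubkey, sealed_ciphertext).

    Raises ValueError when the file is too short, carries no marker in its last
    0x7A bytes, or has the marker somewhere other than the assumed offset 0 of
    the trailer (misaligned fields are worse than no fields).
    """
    if len(data) < TRAILER_LEN:
        raise ValueError(f"file is {len(data)} bytes, shorter than the 0x{TRAILER_LEN:X}-byte trailer")
    body, trailer = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    pos = trailer.find(MARKER)
    if pos == -1:
        raise ValueError("no _Cr1ptT0r_ marker in the last 0x7A bytes; not a Cr1ptT0r-encrypted file?")
    if pos != 0:
        raise ValueError(f"marker at trailer offset 0x{pos:X}, not 0; field order differs from the assumed layout")
    off = len(MARKER)
    pubkey = trailer[off:off + PUBKEY_LEN]
    ciphertext = trailer[off + PUBKEY_LEN:]
    return body, pubkey, ciphertext


def strip_file(src: str) -> str:
    """Write <src>.stripped (body only) and <src>.trailer (pubkey + ciphertext).

    Output names are a choice made for this example. Returns the stripped path.
    """
    with open(src, "rb") as f:
        body, pubkey, ciphertext = split_trailer(f.read())
    with open(src + ".stripped", "wb") as f:
        f.write(body)
    with open(src + ".trailer", "wb") as f:
        f.write(pubkey + ciphertext)
    return src + ".stripped"


# Constructed sample, not a real ransomware artifact: arbitrary body bytes plus a fake trailer
# built from the assumed layout (marker, 32-byte key 00..1F, 0x50 bytes of 0xAA).
SAMPLE = b"encrypted payload bytes..." + MARKER + bytes(range(PUBKEY_LEN)) + b"\xAA" * CIPHERTEXT_LEN

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("wrote", strip_file(sys.argv[1]))
    else:
        body, pk, ct = split_trailer(SAMPLE)
        print(f"body={len(body)} bytes, pubkey={pk.hex()}, ciphertext={len(ct)} bytes")
```

Run it as `python3 strip_trailer.py file.enc` to produce `file.enc.stripped` for the decryptor; keep the `.trailer` file, since the 32-byte public key in it is what any later key-recovery attempt has to match against, and never work on the only copy of an encrypted file.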