Apparently a new version of Winlocker Builder was released.
VAN32 (the creator) has also released the full Delphi source code.
A generated sample, to view the result on VirusTotal: http://www.virustotal.com/file-scan/reanalysis.html?id=2fcf56f7fcdbc267848bbca81fdb83001065cd1bfd137ff285cfb44077d04abe-1303744252
http://www.virustotal.com/file-scan/report.html?id=2fcf56f7fcdbc267848bbca81fdb83001065cd1bfd137ff285cfb44077d04abe-1303744185
Result: 4/41 (9.8%). The Dr.Web guys are generally fast to blacklist ransomware threats.
On the generated Winlock, the 1024x768 resolution problem seems not yet fixed!
So here we go, what's new in this version?
A simple homemade XOR on the serial verification.
But one 'lame' thing I've noticed: the XORed unlock code is 'un-XORed' inside and compared in plaintext with the serial entered by the user.
It would make sense (and be more fun to reverse) if the entered serial was XORed and compared to the XORed unlock code stored inside, but it does the opposite.
Unlock:
The source code is public, so I think we will soon see custom variants.
A simple XOR reverse tool, made from the original source code of WinLocker Builder v0.4:
http://xylitol.free.fr/Reverse%20XOR.zip
Archive password: xylibox
May only the challenge guide you, so don't use this tool. :)
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, XPMan;

type
  TForm1 = class(TForm)
    GroupBox1: TGroupBox;
    Edit1: TEdit;
    Edit2: TEdit;
    Label1: TLabel;
    Label2: TLabel;
    Button1: TButton;
    XPManifest1: TXPManifest;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

{ XOR the low nibble of each character of Str with the low nibble of the
  repeating Key; the high nibble of each character is kept as-is.
  Applying the function twice with the same Key returns the original string. }
function XOR1(Str: string; Key: string): string;
var
  X, Y: Integer;
  A: Byte;
begin
  Y := 1;
  for X := 1 to Length(Str) do
  begin
    A := (ord(Str[X]) and $0F) xor (ord(Key[Y]) and $0F);
    Str[X] := char((ord(Str[X]) and $F0) + A);
    Inc(Y);
    { wrap around to the start of the key }
    if Y > length(Key) then Y := 1;
  end;
  Result := Str;
end;

{ Replace the content of Edit1 with its XOR1 transform }
procedure TForm1.Button1Click(Sender: TObject);
begin
  Edit1.Text := XOR1(Edit1.Text, 'asd9sa786ves');
end;

end.
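The serial check discussed above, as an added example: a Python port written for this page, not code from the post or from the builder's source. The key and the nibble formula come from the Delphi unit above; the function names and the sample code "UNLOCK-2011" are constructed for illustration, and single-byte characters are assumed. It shows that XOR1 is its own inverse, so the stored string plus the embedded key yields the unlock code whichever side of the comparison is XORed.

```python
KEY = "asd9sa786ves"  # key string from the Delphi unit on this page


def xor1(text: str, key: str = KEY) -> str:
    """XOR the low nibble of each character with the low nibble of the
    repeating key; the high nibble is left untouched."""
    out = []
    for i, ch in enumerate(text):
        k = ord(key[i % len(key)]) & 0x0F
        out.append(chr((ord(ch) & 0xF0) + ((ord(ch) & 0x0F) ^ k)))
    return "".join(out)


def check_decode_then_compare(stored: str, entered: str) -> bool:
    """Design described in the post: un-XOR the stored code, then compare
    it in plaintext with what the user typed."""
    return xor1(stored) == entered


def check_encode_then_compare(stored: str, entered: str) -> bool:
    """Alternative mentioned in the post: XOR the user input and compare
    it with the stored (XORed) code."""
    return xor1(entered) == stored


def recover_unlock_code(stored: str) -> str:
    """Analyst's view: because xor1(xor1(s)) == s, the stored string and
    the embedded key give the unlock code under either design."""
    return xor1(stored)


if __name__ == "__main__":
    code = "UNLOCK-2011"   # constructed sample, not from any real build
    stored = xor1(code)    # what a generated sample would embed
    print("stored   :", stored)
    print("recovered:", recover_unlock_code(stored))
    for guess in (code, "WRONG-00000"):
        print(guess,
              check_decode_then_compare(stored, guess),
              check_encode_then_compare(stored, guess))
```

Since only the low nibble changes, each stored character stays in the same 16-character block as the original (a digit stays in 0x30-0x3F, an upper-case letter in 0x40-0x4F or 0x50-0x5F), which makes the obfuscated string easy to spot in a sample.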
Thanks Xash for the Delphi, it had been a really long time since I'd touched it ;)
--------
VAN32 Winlocker Builder in the past ~
Trojan.Ransom (Winlocker builder)
WinLocker Builder v0.2/v0.3 - Cracking Generated winlocks
Trojan.Ransom Private_Brute.exe
Encoder Builder [bin + src]
http://forum.xakep.ru/m_2182077/tm.htm
What the hell is in the code where the use Edit2
And if used as a key "asd9sa786ves" then Exit nekak asd9sa786ves not turn and the more 1337BBQ!