Monday 25 April 2011

WinLocker Builder v0.4 - Cracking Generated winlocks



Apparently a new version of Winlocker Builder was released
 VAN32 (the creator) have also released the full Delphi source code.



A generated sample for view the result on VirusTotal: http://www.virustotal.com/file-scan/reanalysis.html?id=2fcf56f7fcdbc267848bbca81fdb83001065cd1bfd137ff285cfb44077d04abe-1303744252

http://www.virustotal.com/file-scan/report.html?id=2fcf56f7fcdbc267848bbca81fdb83001065cd1bfd137ff285cfb44077d04abe-1303744185

Result: 4/41 (9.8%) Dr.Web guys are fast generally for blacklist ransomware threats

On the generated Winlock, the 1024x768 resolution problem seem not yet fixed !

So here we go, what's new on this version ?
A simple homemade XOR on the serial verification.


But one 'lame' thing i've noticed, the xored unlock code is 'unxored' inside and compared in plaintext with the serial entered by the user.
That would have a sens (and more fun to reverse) if the entered serial was xored and compared to the xored unlock code stored inside, but it makes the opposite.


Unlock:


The code source is public, I think we will see soon custom variants.

A simple XOR Reverse done with the original source code of WinLocker Builder v0.4

http://xylitol.free.fr/Reverse%20XOR.zip
Archive password: xylibox

May only the challenge guide you, so don't use this tool. :)

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, XPMan;

type
  TForm1 = class(TForm)
    GroupBox1: TGroupBox;
    Edit1: TEdit;
    Edit2: TEdit;
    Label1: TLabel;
    Label2: TLabel;
    Button1: TButton;
    XPManifest1: TXPManifest;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

function XOR1(Str: string; Key: string): string;
var
  X, Y: Integer;
  A: Byte;
begin
  Y := 1;
  for X := 1 to Length(Str) do
  begin
    A := (ord(Str[X]) and $0F) xor (ord(Key[Y]) and $0F);
    Str[X] := char((ord(Str[X]) and $F0) + A);
    Inc(Y);
    if Y > length(Key) then Y := 1;
  end;
  Result := Str;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  Edit1.Text := XOR1(Edit1.Text, 'asd9sa786ves');
end;

end.

Merci Xash pour le Delphi, ça faisait vraiment longtemps que j'avais pas touché à ça ;)

--------
VAN32 Winlocker Builder on the past ~
Trojan.Ransom (Winlocker builder)
WinLocker Builder v0.2/v0.3 - Cracking Generated winlocks
Trojan.Ransom Private_Brute.exe

2 comments:

  1. Encoder Builder [bin + src]
    http://forum.xakep.ru/m_2182077/tm.htm

    ReplyDelete
  2. What the hell is in the code where the use Edit2
    And if used as a key "asd9sa786ves" then Exit nekak asd9sa786ves not turn and the more 1337BBQ!

    ReplyDelete