40Hex Issue 4                                            December 1991

            A Further Look Into Cracking Encrypted Viruses
            ----------------------------------------------


   In Censor #1, Rabids' Data Disruptor showed a way to decrypt
   encrypted viruses.  The only problem with the method shown is that
   once you decrypt the virus, it cannot be run without modification.
   I wish to take his theory a little further, with a different
   approach.

   There is a really simple way around the problem.  What you will
   need is a debugger.  I prefer Turbo Debugger, by Borland.  However,
   if you are good with the DOS utility Debug, you may be able to follow
   along.

   The routine to unencrypt is simple, really simple.  What you will
   need to do is make a small target file for the virus to infect.  A
   file of 100 bytes or less is preferred.

   Step One
   --------

   Copy the target file to a different filename to make two copies of
   the file.  Example - COPY TARGET.COM DUDE.COM

   Step Two
   --------

   Infect one of the files, in whatever way the virus infects files.
   Remember, just infect one of the files.

   Step Three
   ----------

   Load up your debugger (I'm gonna give Turbo Debugger steps, so people
   with Debug and the Microsoft Debugger will have to improvise) and
   get ready to single step through the virus.

   Step Four
   ---------

   Start single stepping through the virus.  If the virus is encrypted
   you will hit a loop somewhere near the beginning of the code.  In
   most cases this is an XOR loop.  It will look something like this...

   add si, [1234]    ; si -> start of the encrypted body
   mov di, si        ; di = si, so each byte is written back in place
   mov cx, 0123      ; this would be the virus size to unencrypt
*  mov ah, [0105]    ; this is the encryption value's offset or the
                     ; actual encryption value if no brackets are
                     ; around it (kept in ah, since lodsb overwrites al)
   cld               ; clear direction flag: si and di auto increment
   lodsb             ; load byte from si position into al
   xor al, ah        ; xor that byte with the encryption value
   stosb             ; store it at di (same as si)
   loop 0110         ; loop until cx=0 NOTE: 0110 will be the offset
                     ; of the lodsb
   ret               ; return when done

   Where the "*" is will be either the location of the encryption
   value, or the actual encryption value if no brackets are around it.
   If there are no brackets, keep that number in mind.  Otherwise write
   the offset down.

   Step Five
   ---------

   When the encryption procedure is done the virus is then unencrypted.
   If you were to write the virus to disk now, it would not run, because
   as soon as the virus runs it encrypts itself and then jumps into the
   encrypted code.

   Follow the program to the part where the virus is about to write the
   virus to the host program.  It will again call on the encryption
   routine.

 * Here it is again, but this time, before it XORs anything, load the
   encryption value with 0's.  If it is a byte value load it with 00,
   if it is a word value load it with 0000, as in...


   add si, [1234]    ; si -> start of the body to be written out
   mov di, si        ; di = si, so each byte is written back in place
   mov cx, 0123      ; this would be the virus size to unencrypt
 * mov ah, 00        ; change the encryption value to zero, thus the
                     ; encryption will not take place at all.  Instead
                     ; the virus will produce an original strain.
   cld               ; clear direction flag: si and di auto increment
   lodsb             ; load byte from si position into al
   xor al, ah        ; xor with 00 leaves the byte unchanged
   stosb             ; store it at di (same as si)
   loop 0110         ; loop until cx=0 NOTE: 0110 will be the offset
                     ; of the lodsb
   ret               ; return when done

   Now run the program at full speed.  The next file the virus infects
   will be unencrypted, and executable.

   NOTE: This method will work only for the types of viruses that use
   this type of encryption.  Mainly non-resident .COM and .EXE
   infectors.  In other words, don't go thinking this trick will work
   on Whale or anything.
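   As an added example (not part of the original article), here is the
   XOR loop above redone in Python so an analyst can decrypt the body
   from a memory dump taken in the debugger instead of letting the virus
   run.  The 0x100 memory base, the sample bytes and the key location
   0x105 are assumptions made for the example.

```python
# Added example: emulate the decryption loop over a memory image dumped
# from the debugger.  Offsets are memory offsets as the debugger shows
# them; base 0x100 (a .COM load address) is an assumption of this example.

def xor_loop(image, start, count, key, word=False, base=0x100):
    """Emulate si=di=start; cx=count; lodsb / xor al,ah / stosb / loop.
    key is a byte, or a 16-bit value for a lodsw/xor ax/stosw variant.
    Returns a new image; the input is not modified."""
    width = 2 if word else 1
    if not 0 <= key < 256 ** width:
        raise ValueError("key does not fit the loop's operand width")
    lo, hi = start - base, start - base + count * width
    if lo < 0 or hi > len(image):
        raise ValueError("loop would run outside the image")
    out = bytearray(image)
    for off in range(lo, hi, width):          # one lodsb/stosb per pass
        unit = int.from_bytes(out[off:off + width], "little")
        out[off:off + width] = (unit ^ key).to_bytes(width, "little")
    return bytes(out)


def resolve_key(image, operand, bracketed, word=False, base=0x100):
    """The starred instruction's operand is the key itself when it has
    no brackets; with brackets it is the offset the key is read from."""
    if not bracketed:
        return operand
    width = 2 if word else 1
    off = operand - base
    return int.from_bytes(image[off:off + width], "little")


def demo():
    """Constructed sample: 8 bytes stored encrypted at 0x110 with the
    key byte sitting at 0x105, as 'mov ah,[0105]' would fetch it."""
    plain = bytes([0xB4, 0x09, 0xBA, 0x00, 0x01, 0xCD, 0x21, 0xC3])
    key = 0x5A
    mem = bytearray(0x20)                       # memory 0x100..0x11F
    mem[0x105 - 0x100] = key
    mem[0x10:0x18] = bytes(b ^ key for b in plain)
    k = resolve_key(bytes(mem), 0x0105, bracketed=True)
    decrypted = xor_loop(bytes(mem), 0x110, 8, k)[0x10:0x18]
    untouched = xor_loop(bytes(mem), 0x110, 8, 0)   # key 00: no change
    return decrypted == plain, untouched == bytes(mem), k
```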