文章目录
前言
要说火爆全网的勒索,莫过于17年的WannaCry了,当时影响广泛,给用户造成了巨大损失。就在前段时间,蹭WannaCry热度的WannaRen勒索也小火了一把,然而来也匆匆,去也匆匆。
下图为展示勒索信的解密程序
样本为白加黑组合,类似windword加wwlib.dll的白加黑组合在2019年海莲花组织上使用过
本篇博客主要讲的是被Wannaren勒索文件解密,其他的信息就不多赘述
Wannaren解密
Wannaren主要是靠RSA和RC4组合进行加密,RC4生成随机密钥加密文件,RSA公钥加密RC4密钥并写入加密文件头作为标记
正常来说没有RSA私钥是无法解密的,但是作者已经公布了私钥,所以文件便可以进行解密
扫描二维码关注公众号,回复:
12099150 查看本文章
私钥如下
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxTC/Igjuybr1QbQ1RmD9YxpzVnJKIkgvYpBrBzhsczHQ8WeC
7ikmC5jTbum1eCxTFTxvtnONEy2qDbnSS5fbK/lxYExj6aDLKzQxXCOVSdSQCesW
g1i5AAdUC9S246sdS9VKxT0QL24I+SG+ixckBhcB+ww6z47ACegoH0aLDwvRvehZ
Ycc1qFr1lhRXQpHunrlg4WRphH5xBbszOI+dFRDOpprnbN56CHoLb0q1SzzV3ZFA
FF6Df68Pux1wMHwEXbULRHo5AIZJPJq8L9ThWVsj6v42jAjJQ8m8bRh0+Jz4Rohk
WwPgL+VFxDG2AiiCU5/yLNoQX0JM9VWBxy6Z3QIDAQABAoIBADi/KoH06CMNtn7O
CXbTepgGiKKcCVGMTHak8OgHCM6ty19tVnSLSvOTa2VDxIFs4AwAdHWhEzwtq/5/
N1GhxeUFx+balPYq28z3HC1T4CZ7EWiJStVJtxOXCEzPTkJ+f9PO8dGJHRtJIzPu
zhLg+fD2tg81GceZYRJ4yPMXLfWKA5DmGkRv/1Usq5zvMClLdrmw/q2rnCbRLdeE
EAzSAi9kqsnEaZKfCbXb/gby+bUwAgn7mxs+CJ611hzD/r2w9dgXkaUJYuKRRv+B
GlQHBRQ7hXogkIzeaGqmw8M3xko7xzADsytFYxt2Kthuww2YV4E6Q1Hl4bBW0q+g
w+jSolECgYEA0Tnns+LaqMd5KCQiyWlCodQ2DtOMOefhIrJbRhdAkAq6FtVICxkL
nIJL0gmo4T/zDaMr8vsn7Ck+wLjXUsYt1/EulLtVnuH76FU0PkjJqBdre5Gjf23/
YGHW7DJEoH3p/7DIgV4+wXPu6dD+8eECqwm1hLACOxkfZnOFZ1VGxeMCgYEA8UYH
jaA69ILlz0TzDzoRdTmam6RDqjsVO/bwaSChGphV0dicKue25iUUDj87a1yLU5Nq
t0Kt0w1FL/iile1Eu4fe4ryukPGw2jAZh/xq7i2RRSFLXim5an9AbBVQ55478AJa
sTaIOSoODgBspsBLShnXQRKEfwYPv2GthhcJLT8CgYAssRDERQ3uBYXkxCtGGJzq
Enllm1yVtelKTwzeIPNikVgErpRQAo6PZOmrOPMBAnb5j8RAh9OUR48m/ZTJEpoS
SWtoy8dTQ/RaQXECaOviYvZLk+V3v9hQDzYoh+hO2/aS7oE12RrQmeILwd/jbOvz
+wPyDuK7GvexG7YAR5/xfwKBgQCA8p6C0MnxeCv+dKk60BwYfKrm2AnZ5y3YGIgw
h2HS5uum9Y+xVpnnspVfb+f/3zwPdNAqFZb1HziFBOtQGbkMSPeUUqcxjBqq4d4j
UYKMvQnQ2pR/ROl1w4DYwyO0RlteUMPLxotTkehlD1ECZe9XMSxb+NubT9AGxtuI
uLMM3QKBgGl0mYCgCVHi4kJeBIgabGqbS2PuRr1uogAI7O2b/HQh5NAIaNEqJfUa
aTKS5WzQ6lJwhRLpA6Un38RDWHUGVnEmm8/vF50f74igTMgSddjPwpWEf3NPdu0Z
UIfJd1hd77BYLviBVYft1diwIK3ypPLzhRhsBSp7RL2L6w0/Y9rf
-----END RSA PRIVATE KEY-----
大致思路:
1.使用RSA私钥解密被加密的RC4密钥
2.取出中间被加密的数据使用RC4密钥解密
3.解密后的数据去除wannaren标记
解密关键代码
使用RSA私钥解密被加密的RC4密钥
char* decrypt_cr4_key(char* str, const char* prikey_path)
{
char* pDedata;
RSA* pRsa;
FILE* pPrikey;
int nRsalen;
if ((pPrikey = fopen(szFilepath, "r")) == NULL)
{
printf("Open key file fail\n");
return NULL;
}
if ((pRsa = PEM_read_RSAPrivateKey(pPrikey, NULL, NULL, NULL)) == NULL)
{
printf("Read private key fail\n");
return NULL;
}
nRsalen = RSA_size(pRsa);
pDedata = (char*)malloc(nRsalen + 1);
memset(pDedata, 0, nRsalen + 1);
if (RSA_private_decrypt(nRsalen, (unsigned char*)str, (unsigned
char*)pDedata, pRsa, RSA_PKCS1_PADDING) < 0)
{
printf("Decrypt private key fail\n");
return NULL;
}
RSA_free(pRsa);
fclose(pPrikey);
return pDedata;
}
RC4解密数据
char* rc4_decrypt_file(char* file_data, int data_size,
const char* rc4_dencrypt_key, int encrypt_chunk_size = 16)
{
char* out_data_all = NULL;
if ((out_data_all = (char*)malloc(data_size)) == NULL)
{
printf("no enough memory!\n");
return 0;
}
memset(out_data_all, 0, data_size);
char code[64] = {
0 };
int codelen = sizeof(code);
RC4_KEY rc4_key;
RC4_set_key(&rc4_key, strlen(rc4_dencrypt_key), (unsigned char*)rc4_dencrypt_key);
char* in_data = new char[encrypt_chunk_size + 1];
char* out_data = new char[encrypt_chunk_size + 1];
int i = 0;
//循环解密
while (i < data_size)
{
encrypt_chunk_size = (data_size - i) / 16 > 0 ? 16 : data_size % 16;
memcpy(in_data, (file_data + i), encrypt_chunk_size);
RC4(&rc4_key, encrypt_chunk_size, (unsigned char*)in_data, (unsigned char*)out_data);
memcpy(out_data_all + i, out_data, encrypt_chunk_size);
i += encrypt_chunk_size;
};
char* restore_file_data = NULL;
if ((restore_file_data = (char*)malloc(data_size - 0x12)) == NULL)
{
printf("no enough memory!\n");
return 0;
}
memset(restore_file_data, 0, data_size - 0x12);
memcpy(restore_file_data, out_data_all + 0x9, data_size - 0x12);
RELESE_ARRAY(in_data);
RELESE_ARRAY(out_data);
RELESE_ARRAY(out_data_all);
return restore_file_data;
}