I have already described how to manually repair the MBR after an MBR ransomware infection. This time we use dynamic debugging to obtain the decryption password.
In fact, the password is sometimes directly visible when the first sector we copied out is opened in IDA in 16-bit mode. Sometimes we are not so lucky, as in the following case, where the password cannot be seen directly. Static analysis of a 16-bit program in IDA is very hard work, so debugging the MBR remotely with IDA is the fastest way to get the password.
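The static check described above (looking through the copied-out first sector for anything readable) can be scripted before reaching for the debugger. This is an added example, not code from the original post; the sample sector and its prompt string are constructed for illustration.

```python
import re
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # boot code occupies bytes 0..445
BOOT_SIG = b"\x55\xaa"     # bytes 510..511 of a bootable sector

def parse_mbr(sector: bytes) -> dict:
    """Split a copied-out first sector into signature, partitions and strings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            partitions.append({"index": i, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": count})
    # Printable ASCII runs of 4+ bytes inside the boot code, with their offsets.
    # Prompts and, in the lucky case, a plaintext password show up here.
    strings = [(m.start(), m.group().decode("ascii"))
               for m in re.finditer(rb"[\x20-\x7e]{4,}", sector[:PT_OFFSET])]
    return {"signature_ok": sector[510:] == BOOT_SIG,
            "partitions": partitions, "strings": strings}

def build_sample() -> bytes:
    """Constructed sample sector: stub code, one prompt, one NTFS partition."""
    code = bytearray(PT_OFFSET)
    code[0:3] = b"\xfa\x31\xc0"              # cli; xor ax, ax
    msg = b"Enter key: "                      # constructed prompt string
    code[0x60:0x60 + len(msg)] = msg
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return bytes(code) + entry + bytes(48) + BOOT_SIG

if __name__ == "__main__":
    info = parse_mbr(build_sample())
    print("boot signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print("partition", p)
    for off, text in info["strings"]:
        # Offsets are relative to the sector; add 0x7c00 for the load address.
        print(f"0x{0x7c00 + off:04x}: {text!r}")
```

If no candidate string appears, or the partition table no longer parses, the sector has to be examined with the debugger.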
First, configure the environment for remote debugging of the MBR.
Add the following lines to the configuration file of the virtual machine to be debugged:
bios.bootDelay = "3000"
debugStub.listen.guest64 = "TRUE"
debugStub.hideBreakpoints = "TRUE"
monitor.debugOnStartGuest32 = "TRUE"
Open IDA.
Click OK and open the virtual machine at the same time.
Go to address 7c00.
Set the disassembly to 16-bit.
Set a breakpoint (F2) at 7c00.
Then start debugging.
It is easy to get the password through dynamic debugging.