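├── resources.zip
├── ghidra_projects.zip
├── part3
│   └── dll.dec.gzf
├── decrypt_large_chunk.py
├── README.md
└── RSA Decryption.cpp
/resources.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghidraninja/ReversingWannacry/HEAD/resources.zip
--------------------------------------------------------------------------------
/ghidra_projects.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghidraninja/ReversingWannacry/HEAD/ghidra_projects.zip
--------------------------------------------------------------------------------
/part3/dll.dec.gzf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghidraninja/ReversingWannacry/HEAD/part3/dll.dec.gzf
--------------------------------------------------------------------------------
/decrypt_large_chunk.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Decrypt the AES-CBC encrypted payload carved out of t.wnry.

Reads large_chunk.bin (the part of t.wnry after its 280-byte header, see the
README for the dd commands) and writes the raw AES-128-CBC decryption to
large_chunk.dec. Requires PyCryptodome (the ``Crypto`` package).
"""

from Crypto.Cipher import AES

# The 16-byte AES key recovered by RSA-decrypting encrypted_aes_key
# (see "RSA Decryption.cpp").
KEY = bytes.fromhex("bee19b98d2e5b12211ce211eecb13de6")

# No separate IV was found in the sample, so an all-zero IV is tried.
IV = bytes(16)


def decrypt_chunk(src="large_chunk.bin", dst="large_chunk.dec", key=KEY, iv=IV):
    """Decrypt ``src`` with AES-CBC under ``key``/``iv`` and write it to ``dst``.

    Files are opened with ``with`` so both handles are closed (and the output
    flushed) even if decryption raises. No padding is stripped: the output is
    the raw block-cipher result, which is what the loader sees.

    Returns the number of plaintext bytes written. PyCryptodome raises
    ValueError if the input length is not a multiple of the 16-byte block.
    """
    with open(src, "rb") as fin:
        ciphertext = fin.read()

    plaintext = AES.new(key, AES.MODE_CBC, iv=iv).decrypt(ciphertext)

    with open(dst, "wb") as fout:
        fout.write(plaintext)
    return len(plaintext)


if __name__ == "__main__":
    decrypt_chunk()
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ReversingWannacry

These are the scripts and Ghidra projects for my Reversing Wannacry series:

[![](https://img.youtube.com/vi/Q90uZS3taG0/0.jpg)](https://www.youtube.com/watch?v=Q90uZS3taG0)

## Extracting the Ghidra projects 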
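and the resources

Note that the Ghidra project and the files in the resources ZIP file will probably trigger your AV!

The Ghidra projects and the DLL are in an encrypted ZIP, protected by the password "ghidra".

## Extracting the part of t.wnry

Simply run:

```
dd if=t.wnry of=encrypted_aes_key bs=1 skip=12 count=256
dd if=t.wnry of=large_chunk.bin skip=280 bs=1
```

## Importing the Ghidra projects

The Ghidra projects are exported as ZIP files. You can simply drag them into the Ghidra project screen.
--------------------------------------------------------------------------------
/RSA Decryption.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
// NOTE(review): the original had four more #include lines whose header names
// were stripped in this rendering; the code below needs at least these.
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

/*
 * Recovers the per-sample AES key from a WannaCry t.wnry:
 *   1. loads the RSA private key blob from rsa_key.bin and imports it into
 *      the Microsoft Enhanced RSA and AES CSP,
 *   2. RSA-decrypts the 256-byte encrypted_aes_key carved from t.wnry
 *      (see README), in place,
 *   3. hex-dumps the resulting plaintext.
 *
 * Returns 0 on success and -1 on any failure; a message is printed to stdout
 * in both cases. Every file handle and CryptoAPI handle is released on every
 * exit path (the original leaked all of them), and the key material is
 * zeroized before returning.
 */
int main()
{
    int rc = -1;
    HCRYPTPROV hCryptProv = 0;
    HCRYPTKEY decryptKey = 0;
    FILE *keyFile = NULL;
    FILE *encryptedFile = NULL;

    /* 0x494 = 1172 bytes, which is the size of a CryptoAPI PRIVATEKEYBLOB
     * for a 2048-bit RSA key (BLOBHEADER + RSAPUBKEY + modulus, primes,
     * CRT exponents and private exponent). */
    DWORD keyLen = 0x494;
    char keyData[0x494];

    /* RSA-2048 ciphertext is exactly 256 bytes. CryptDecrypt works in place
     * and overwrites dataLen with the plaintext length on success. */
    char fileData[256];
    DWORD dataLen = sizeof fileData;

    keyFile = fopen("rsa_key.bin", "rb");
    if (keyFile == NULL) {
        printf("Failed to open rsa_key.bin.\n");
        goto cleanup;
    }
    if (fread(keyData, keyLen, 1, keyFile) != 1) {
        printf("Failed to read key.\n");
        goto cleanup;
    }

    /* 0x18 in the original is PROV_RSA_AES; 0xF0000000 is CRYPT_VERIFYCONTEXT,
     * i.e. an ephemeral container so nothing is persisted in the key store of
     * the analysis machine. */
    if (!CryptAcquireContext(&hCryptProv, NULL, MS_ENH_RSA_AES_PROV,
                             PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        printf("Failed to acquire crypto context.\n");
        goto cleanup;
    }
    printf("Acquired crypto context.\n");

    if (!CryptImportKey(hCryptProv, (BYTE *)keyData, keyLen, 0, 0, &decryptKey)) {
        printf("Failed to import key.\n");
        goto cleanup;
    }
    printf("Imported key.\n");

    encryptedFile = fopen("encrypted_aes_key", "rb");
    if (encryptedFile == NULL) {
        printf("Failed to open encrypted_aes_key.\n");
        goto cleanup;
    }
    if (fread(fileData, sizeof fileData, 1, encryptedFile) != 1) {
        printf("Failed to read encrypted_aes_key.\n");
        goto cleanup;
    }

    if (!CryptDecrypt(decryptKey, 0, TRUE, 0, (BYTE *)fileData, &dataLen)) {
        printf("Decryption failed.\n");
        goto cleanup;
    }
    printf("Decryption successful.\n");

    /* Dump only the plaintext: bytes past dataLen are leftover ciphertext,
     * which the original's fixed 256-byte loop printed as if they were key. */
    for (DWORD i = 0; i < dataLen; i++) {
        if (i && i % 16 == 0) {
            printf("\n");
        }
        printf("%02x ", fileData[i] & 0xFF);
    }
    printf("\n");
    rc = 0;

cleanup:
    /* Both buffers hold secrets (RSA private key, recovered AES key). */
    SecureZeroMemory(keyData, sizeof keyData);
    SecureZeroMemory(fileData, sizeof fileData);
    if (decryptKey) {
        CryptDestroyKey(decryptKey);
    }
    if (hCryptProv) {
        CryptReleaseContext(hCryptProv, 0);
    }
    if (encryptedFile) {
        fclose(encryptedFile);
    }
    if (keyFile) {
        fclose(keyFile);
    }
    return rc;
}

--------------------------------------------------------------------------------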