Reversing WannaCry Part 2 - Diving into the malware with

Views: 235,466

stacksmashing

4 years ago

In the second video of the "Reversing WannaCry" series we continue to dive into the malware and find some encrypted components and the first traces of the decryption & encryption functionality of the ransomware. We also learn how to use OOAnalyzer to easily reverse engineer C++ code in Ghidra!
Part 1: • Reversing WannaCry Par...
The scripts and Ghidra projects can be found here: github.com/ghidraninja/Revers...
Twitter: / ghidraninja
Links:
- OOAnalyzer: insights.sei.cmu.edu/sei_blog...
- My Ghidra Scripts: github.com/ghidraninja/ghidra...

Comments: 219
@fedemancuello8905 4 years ago
With this guy's ability it wouldn't surprise me if part 3 ends with the malware creator tied to a chair and asking forgiveness. He's going serious with this. Absolutely awesome.
@navjot7397 4 years ago
This is content that surely is not expected to go viral on YT, but is a treat to watch for people with some coding knowledge and curious minds. Thanks for creating this!
@stacksmashing 4 years ago
Thanks a lot!
@navjot7397 4 years ago
@@stacksmashing welcome, eagerly waiting for next part(s)
@mateusmercer2280 4 years ago
The first video has 300k+ views, this one has a lot less (about 70% less). It's funny to see how videos on complex subjects tend to have this pattern. With 3Blue1Brown playlists this happens a lot.
@navjot7397 4 years ago
@@mateusmercer2280 i think ppl just binge watch the first part and very few feel intrigued enough to watch the second
@HarryTicke 4 months ago
@@navjot7397 Shame, though. This part has the candy.
@februalist4686 4 years ago
top 10 unexpected sequels
@stacksmashing 4 years ago
Am I before or after Matrix 4 in that list? :D
@user-sf6sg4sn1l 4 years ago
@@stacksmashing Before Half-Life 3. That's for sure )
@masodiongaming97 4 years ago
plot twist: he created the virus and now he's just playing with us
@asaripatlineto7295 3 years ago
Plot twist 2: you created the virus, and you are playing with us
@ayaan5015 3 years ago
@@asaripatlineto7295 Plot twist 3: you created the virus, and you are playing with us
@Aryan-ji2nk 2 years ago
@@ayaan5015 Plot twist 4: You both created the virus and now you're spamming here
@Stein060 2 years ago
@@Aryan-ji2nk Plot twist 5: You all created the virus and now you're making me wanna cry with all these confusing comments *ba-dum-tss*
@SyutoMC 2 years ago
Plot twist 7: the guy who made it is in prison
@Aliosar22 4 years ago
Just got the first part recommended. These two videos taught me a lot about how to use Ghidra, so keep up the great work. I also really like the flow diagrams you're drawing as they give a great overview. You got a new subscriber and I hope you'll upload more regularly now.
@altro5067 4 years ago
Hell yeah! Been waiting for this since part 1
@aleksanderdzierzon6681 4 years ago
Imagine being the creator of WannaCry and watching it
@alexremy5295 4 years ago
maybe it's you
@QS1597 4 years ago
Alex Rémy maybe it’s you
@phizlip 4 years ago
@@QS1597 maybe it's you
@nisseost1 4 years ago
@@phizlip Maybe it's you
@thedani4 4 years ago
Would it make him WannaCry?
@skillfulfighter23 4 years ago
Love it! It's amazing how it's possible to turn compiled code back into regular uncompiled code.
@nitrogen9975 4 years ago
So glad you showed your research into this! Thank you for your time figuring out this puzzle. :)
@SonicD007 4 years ago
Thank you for creating this series, very helpful in learning to RE, and everything is explained clearly.
@lxhon 4 years ago
Again: absolutely incredible work on your side. How great would it be if Ghidra/Cutter/Hopper could have all those repeated tasks automated or at least suggested, either through pattern matching or an AI which is fed by all the reverse engineers around the world. Candidates are: the OOAnalyzer, function renaming, multiple sequential char arrays, byte cleanup, no-return hinting, struct imports for pointer constructs in decompilation, etc. I would definitely fund such a project!
@Wasabiofip 4 years ago
Fund it with your time - it's open source! ;)
@kirdow 4 years ago
You just gained a like, a sub, and a bell notification user. I'm amazed how much you can understand from so few words on each line. Really good work bro :D
@n3r0z3r0 4 years ago
Awesome! I remember doing the same with IDA Pro in the terminal. But back in my time the viruses had much simpler code :) Thanks!
@vladysmaximov6156 4 years ago
I don't see very much obfuscation in WannaCry lol. I remember a keygenme which was a lot more obfuscated and had some techniques to frustrate reverse engineering analysis; I'm using OllyDbg. I remember some obfuscated strings with a large algorithm in the Stantinko malware.
@andrei-ioan535 4 years ago
This video is so interesting. I look forward to the next part. All the best
@lanceward7048 3 months ago
This deserves a million more views, but so few proves how rare a talent you have for this content
@MinhNguyen-kv2mz 4 years ago
Long have we waited! Glad to have you back :)
@AlmightyGauss 4 years ago
At last, I've been looking forward to this!
@sepehrmohaghegh2855 4 years ago
Part 3 should be very interesting!
@Hacks00145 4 years ago
That's really nice and deep. Looking forward to more videos in the series.
@TU7OV 4 years ago
Glad you're back!
@Backshopgolf 4 years ago
Great video! Very insightful! Post more like this!
@anurag2877 4 years ago
finally, I've been waiting for this.
@mrhidetf2 4 years ago
I hope you keep putting out content and that you'll find the time to do videos more frequently. Great video!
@OskaIvanovichSmirnov 4 years ago
After 2 rewinds I still only half understand. But man, this is really good for sleep when listening at night.
@idiyerbill1968 3 years ago
😂😂😂🤣🤣😂🤣
@IcedDoubleYT 1 month ago
Agree, this puts you to sleep if you have no programming knowledge
@ywanhk9895 4 years ago
Finally some good reverse engineering videos. I understood everything. Waiting for part 3 now
@sdHansy 4 years ago
Nice, I had nothing to watch until this popped up. See you in part 1.
@TheSailingDentist 4 years ago
Love your work. Please keep it going
@pierrevevostudio5271 4 years ago
Can't wait for part 3 :)
@mihaelpanjkrc7870 4 years ago
Dude finally!!
@robmorgan1214 4 years ago
Great video! Thanks for sharing this!
@thecowmilk4857 4 years ago
WannaCry dude was not from this planet......... Totally a legend....!!
@snowcold903 4 years ago
was waiting for this video!!
@AureliusR 4 years ago
thank god part 2 came out!!
@florianvandillen 4 years ago
Brilliant stuff!
4 years ago
finally, that's why i subscribed to your channel
@btarg1 4 years ago
Can't wait for open source malware!
@sinistergeek 4 years ago
Very informative!! Keep it up!!
@Laflamablanca969 4 years ago
You are insane, keep them coming
@anothersplinterinyourmind9043 4 years ago
Good videos bruh, i hope you keep it up
@blade1551431 4 years ago
hallelujah part 2 finally
@RmFrZQ 4 years ago
Can you recommend any good books you read personally on the subject? I know it's a vast topic and I have a hard time going deeper than reversing some entry-level crackmes and making patches.
@thehyperdimentinaltraveller 4 years ago
I don't know why this is in my recommendations and I didn't understand a single word you said. But I'm sure you're doing a great job at whatever you're doing 👍🏻
@christopherleubner6633 2 months ago
You should teach classes on this stuff. You break it down very well. ❤
@royals6413 4 years ago
Thanks for these videos
@budhachandrayumkhaibam6079 4 years ago
looking forward to part III
@xusheng9821 4 years ago
Nice work and video!
@keisarimies 4 years ago
Waiting for part 3!
@respectedmastermind 4 years ago
Welcome back! :P
@szymoniak75 4 years ago
almost forgot about this series
@jeremoisde9928 4 years ago
holy shit i want to learn it but you are highest level and i don't understand anything.
@tenzo4961 2 years ago
You have to admit, the inventor who made WannaCry is an intelligent human being
@AdeeJa 1 year ago
This kind of malware is the work of a team, not a single person.
@ncg8224 1 year ago
@@AdeeJa Inadvertently an intelligent group of people
@TheErixcode 3 years ago
Bro this is the best analysis I saw, but please slow down the video a little bit so we can follow xD
@Alumx 11 months ago
its 5am and i'm watching reverse engineering coding gameplay. Let's fuckin goo 🔥🔥🔥
@pipony8939 4 years ago
*NSA* joined the chat
@syrul6735 11 months ago
hello, i want to ask how you get the CERT plugin in Ghidra? not coming out for mine
@Vollex_ 4 years ago
Finally!!!
@andybrychenko 4 years ago
Super cool
@wdestroier 4 years ago
Waiting for part 3 next week or so
@diynno742 2 years ago
Yesterday I got attacked by .ghas, from the djvu family, and I was wondering if it can also be reverse engineered like that?
@drozcan 4 years ago
yeaaaa finally
@mayuna_ 4 years ago
FINALLY
@androBughunter 2 years ago
cool. thanks 👍👍
@user-lm4wq2po2m 4 years ago
very good!
@begga9682 4 years ago
YES!
@hikaru_hajime941 1 year ago
such a classic
@georgehammond867 3 years ago
what is the main language that WannaCry is written in? is it C or C+ !?
@WikiPeoples 3 years ago
Question: So far in Part 1 and Part 2 I don't think we've actually seen any "exploit", right? Just want to make sure I'm following along correctly. It appears it's so far just been a bootstrap / setup process using Win32 APIs. All of which you'd need administrator privileges to run, right?
@oriyadid 1 year ago
I'm a bit late in answering this, but it might be helpful to someone else wondering the same thing. Yes, this isn't the exploit code, and you do need admin privileges for the code in parts 1 and 2 to work. This is because WannaCry is typically invoked by the exploit, rather than by a user interaction. The actual exploit itself is probably mentioned in part 3, as it talks about how the malware spreads, but a short version is it's a zero-day in Windows found by the NSA, which was leaked to the public by a group known as the "Shadow Brokers". As far as I remember Windows patched the vulnerability before WannaCry was created, but many machines which were not updated were still vulnerable.
@lunatic0x5 4 years ago
Hey man, can you tell me the part where the actual encryption takes place?
@samsepiol6052 1 year ago
I am following along with you, and I just want to know: how did you get OOAnalyzer? Did you just use the docker file?
@stacksmashing 1 year ago
I believe at the time I used the docker image!
@samsepiol6052 1 year ago
@@stacksmashing Thank you for your reply. Does using the docker image automatically make the "CERT" option appear?
@stacksmashing 1 year ago
Ah, for Ghidra you need the plug-in :)
@samsepiol6052 1 year ago
@@stacksmashing Thank you so much! It worked like a charm.
@hasangurbuz3454 5 months ago
This guy is the real antivirus
@amimox1950 3 years ago
nerding over 9001
@luizvaz 4 years ago
This means that the leaked keys are all equal?
@shyonae 4 years ago
dude you are so fucking good at this
@h3xad3cimaldev61 4 years ago
I want to make a reverse engineering tool like Ghidra or a tool to view the assembly code of a program. Can someone help?
@thejswaroop5230 3 years ago
What abt those .onion addresses u got in part 1 ??
@Djmaxofficial 3 years ago
Wannacry 2.0 is on the way :D
@danihidayat4012 4 years ago
man this is insane
@theojohanson 4 years ago
Heyo, very new to reverse engineering here, though I saw that some things, for example bitcoin addresses, are shown while reverse engineering thanks to your video. Can any person that's reverse engineering this just change that and then relaunch it? Or do most "hackers" that still use WannaCry just launch it without changing anything? But I'm guessing it's not really active anymore and can't be used thanks to the killswitch?
@v380riMz 2 years ago
Of course WannaCry can still be used. What's cheaper, paying some hacker 350 USD in BTC or paying a company that charges you a couple of grand just to undo all the stuff? Of course they won't tell you a killswitch is active
@mathyscesaire3045 4 years ago
When will part 3 be out !!!
@nankipoo492 3 years ago
3:24: installing Pharos for C++ analysis - by using "docker pull seipharos/pharos" **One-Winged Angel** starts playing...
@ujurak3899 4 years ago
0:39 isn't that check redundant since tasksche.exe was run with the /i argument?
@stacksmashing 4 years ago
No, because it re-launches itself without the /i argument :)
@Schtevs 4 years ago
Mac OS X ! Yay !
@jnandeepdevsarma2966 4 years ago
you r grt
@TheSailingDentist 4 years ago
Maybe you can show how to decompile some DJI drone firmware for educational purposes or other advanced stuff. It would be interesting to see... :)
@McDonnerbogen 4 years ago
He'd be sued in no time
@estherowo 4 years ago
:) This is cool
@crystalsheep1434 1 year ago
Wow
@saeedmahmoodi7211 4 years ago
i hope you never become interested in writing a virus. thanks a lot, keep going, i enjoy your videos more than netflix
@twobob 3 years ago
@reinko5194 3 years ago
I'm not into coding or something like this, so I don't know why this is getting recommended to me, but at the start he said that WannaCry tries to connect to a URL and if it succeeds it does nothing. So if a computer is connected to the internet, why is it unable to connect to this URL?
@sbapkat8691 3 years ago
The URL was not registered, so if you tried to access it nothing would be returned. It acts as a kill switch because someone can register this URL and make it active to stop the spread
@reinko5194 3 years ago
@@sbapkat8691 Thanks for the response, now it makes sense to me.
@kingroliKR 4 years ago
continue please~1
@lunatic0x5 4 years ago
Man come on.... Part threeeeeeeeeeee😢
@saeedmahmoodi7211 4 years ago
decompile windows for next project
@braaitongs 1 year ago
Now that we know how this works, is there a way to make your PC invulnerable to this malware?
@youtube_bat3811 1 year ago
probably, but it would take a long time
@guap3228 8 months ago
Complete noob here. Were the variables renamed to vague things like “param1” etc. to intentionally mask what the code is doing?
@godfire6498 3 years ago
Why don't we create "wannalaugh.exe"?
@jofx4051 4 years ago
The maker of WannaCry should be wannacry now if they watch this
@bjrnbreivik4030 4 years ago
I hope your next project is going to be nmcrypt.
@Retrenorium 4 years ago
Soup scoop
@doubleeeeeee 4 years ago
PART 3 PLS
@nakul2569 3 years ago
How to get that CERT menubar in Ghidra?
@stacksmashing 3 years ago
it’s part of the OOAnalyzer plugin
@nakul2569 3 years ago
@@stacksmashing I have spent the whole morning installing that plugin using this repo here github.com/cmu-sei/pharos/tree/master/tools/ooanalyzer/ghidra/OOAnalyzerPlugin but nothing works :( Btw your videos are life changing. Please continue to make more Ghidra reverse engineering videos. Cheers!!
@shadorain 2 years ago
@@nakul2569 Were you ever able to get it? If not, now there is no actual ghidra tree in the pharos repo; it is now built into a new tool (sort of a big combined tool) called Kaiju which has a bunch of Ghidra stuff including the OOAnalyzer CERT tab on the menubar