You can't display the ransom messages on a machine that doesn't boot anymore.

Well, there are rumors that this ransomware was brought by the North Korea, so i guess if it is true, they would want to get some money and "terrorize the western civillization", but they would not want to get a warhead launched to their territory....

@@Zekrom569 No, I'm sure you're behind it! Of course, I only say that, so that you notice how damn stupid accusations are without evidence. Of course I have nothing against stupid chatter / a good joke. Keep going. Well it is a business. A fishy business, but it is a business. So they likely have a quality assurance department. But there is nothing special or any knowledge that otherwise should be good practice in the industry. That a budget gets cut and the code quality suffers from it is an old hat. The only thing you can learn from malware authors is that you later have a lot of time in prison to deepen your research. In my opinion, the artistic or interesting examples come from game programmers, anti-piracy measures or the elegant solution of mathematical problems on limited hardware.

@@dieSpinnt www.zdnet.com/article/how-us-authorities-tracked-down-the-north-korean-hacker-behind-wannacry/

@JustWasted3HoursHere There a big possibility that the korean created the virus, because they just wanted 300$, if it was other they would have asked thousands, and if you check the btc addresses it's still receiving btc transactions Also I remember you from the flattards videos, I stopped watching FE videos since beginning of last year and is the best thing

Oh hi

yes please do write a program to decrypt wannacry encrypted files!!

@@SuryaTejaKarra wannacry uses aes and rsa to encrypt the files i dont think you will have any hope getting them back

It's most likely not possible unless you read the memory and find the key and used their same algorithm

@@KeijonAutoVuokra oh nice! What's it called?

It’s not possible to recover. The private key is generated per machine and then encrypted with a public key, so to get the key back you need the attacker’s private key.

They can do that a few ways. They can simply keep a list around of those files, mark it in the header, or, RSA also has the property where the padding check will fail when decrypted with the wrong key - so you can just blindly try your private key, and if it fails, you have a way of knowing and aborting. I haven't RE'd this ransomware, but just assuming what could be done based on how many other ransomware do it.

It could literally just be to obfuscate a bunch of wannacry files. Perhaps they considered those files in particular to be the weak point of the program, and put extra care into encrypting them; just to avoid the chances of it being possible to correctly guess the obfuscation method.

Completely forgot, thanks!

It’s linked in the description of part 1!

@@stacksmashing Oops, sorry, I already found it on my own. Thank you for the quick response and thank you for the video.

No worries, glad you like it!

Just someone who loves what he doing.

Yeah. Years ago, one businessman ask me to convert couple of bucks to BTC. He paid to terrorist, and get all files back.

No, it's just a bait (as far as I understand it). These 10 files (possibly more) are encrypted with a known private key, so you can decrypt them. But for all other files, the seed is random and there is no functionality to keep track of these random seeds. Please correct me if I misunderstood this though!

@@kevinwydler4405 From my understanding of the previous video, the main encryption key pair is generated uniquely to each machine the first time it runs, and the private key (required to decrypt) is then encrypted with a fixed (public) key embedded by the ransomer. Theoretically, the ransomer could take the encrypted private key, decrypt it with their own key, and supply it back to the victim, thus allowing for the decryption of the files.

Interestingly (again, to my understanding and I’d love to be corrected with precise details!) a bug/exploit in windows’ implementation of the encryption meant that if you didn’t restart your computer after this was done, there was a chance that the (unencrypted) private key was still somewhere in memory, and thus with the right tools, in some cases it was possible to recover this and hence reverse the effects of the malicious encryption without paying the ransomer.

If all ransomeware work the same 😅🤷‍♂️ But I think it would not be a bad approch because the system needs files to run. If you place them between those the ransomeware first needs a logic to decide which are essential and which aren't

​@@ivanheinzer6829 I thought more about it, and I think it would be a nice idea to make your device give off "Virtual Machine" vibes while it's actually not, so malwares get spooked and stop running. (I actually don't know how you can fake being a virtual machine though)

Did you attain this knowledge level yet

Yea it was recorded on the next day, had some issues with a cold and had to stop - sorry about that :)

@@stacksmashing oh no worries, I figured it was something like that. Great content as always!

Yea unfortunately that’s a lot of work - have to look into it

@@stacksmashing, If you can release the option to add subtitles, if any subscribers are interested in doing so would be very helpful.

Ah i didn’t even know that’s possible! :) let me check that

OOP

@@user-ir2fu4cx6p Yes, i also thought it was OOP But can we decompile it? We can directly decompile exe file with c# code, cant we do this with c++?

@@Gameplayer55055 I think that because .net IS can be decompiled easy to it original functions structure type (there is tools specified to do that), but C++ I don't know maybe it's uses different approach for compile it to machine code make it relies less on the OS, C are much simpler language since it's very close to assembly in many ways, you maybe able to create complex code with C to make it harder to Decompile/read .

Yes, You're right. but after watching decompiled c++ code i want to write on pure c :)

@@Gameplayer55055 Lol same, but After I watch how they decompile C# codes, OG

Detecting decompiling is as such not possible, as the binary is never executed. The only way this would work is if the executable contained an exploit for whatever tool you are loading it in.

233/5000 Thanks for your answer, just two last questions... If someone is logically monitoring us (Rat), they will use a port that we could realize by monitoring the established connections. Is it possible that the attacker could hide that? Same question for a Man in the middle attack.

FWIW, there is sometimes anti-*debugging* code, since the debuggers need to actually run the code.

Yes, I found some information in the book of the Cat (Tamper proof). This led me to read about kernels, compilers, malware analysis. I finally ended up in computer forensics but there isn't much on this. In my country it is a concept born only two years ago. I don't know anyone in the business, I must be one of the few. Thanks for sharing these videos. They are my best school.

@@stacksmashing There are certain orders of bytes that can crash debuggers, decompilers, and disassemblers. There have even been RCEs on some of them. One CVE that I found to support the fact that such vectors can and have been attacked is CVE-2016-8390.

I’m sure asking this nicely will help :)