40Hex Issue 4 December 1991 A Further Look Into Cracking Encrypted Virues --------------------------------------------- In Censor #1, Rabids' Data Disruptor showed a way to decrypt encrypted viruses. The only problem with the method shown is that once you decrypt the virus, it cannot be run without modification. I wish to take his theory a little farther, with a different approch. There is a really simple way around the problem. What you will need is a debugger. I perfer Turbo Debugger, by Borland. However if you are good at the DOS utility Debug, you may be able to follow along. The routine to unencrypt is simple, really simple. What you will need to do is make a small target file for the virus to infect. A 100 byte of less file is perfered. Step One -------- Copy the target file to a different filename to make two copies of the file. Example - COPY TARGET.COM DUDE.COM Step Two -------- Infect one of the files, however the virus infectes the file. Remember just infect one of the files. Step Three ---------- Load up you dubugger (I'm gonna give Turbo Debugger steps, so people with Debug and the Microsoft Debugger will have to improvise) and get ready to single step through the virus. Step Four --------- Start single stepping through the virus. If the virus is encrypted you will hit a loop somwhere near the beginning of the code. In most cases this is an XOR loop. It will look something like this... add si, [1234] ; mov di, si ; mov cx, 0123 ; this would be the virus size to unencrypt * mov al, [0105] ; this is the encryption value's offset or the ; actual encryption value if no brackets are ; around it cli ; auto increment lodsb ; load byte from si position xor ah, al ; xor byte at si stosb ; store it a di (same as si) loop 0110 ; loop until cx=0 NOTE: 0110 will be an offset ret ; return when done Where the "*" is, will be either the location of the encryption value, or the actual encryption value if no brackets are around it. If there are no brackets, keep that number in mind. Otherwise write the offset down. Step Five --------- When the encryption procedure is done the virus is then unencrypted. If you were to write the virus to disk now, it would not run. Cause as soon as the virus runs it encrypts itself and then jumps into the encrypted code. Follow the program to the part where the virus is about to write the virus to the host program. It will again call on the encryption routine. * Here it is again, but this time, before it XORs anything load the encryption value with 0's. If it is a bytes value load it with 00, if it is a word value load it with 0000 as in... add si, [1234] ; mov di, si ; mov cx, 0123 ; this would be the virus size to unencrypt * mov al, 00 ; change the encryption value to zero, thus the ; encryption will not take place at all. Instead ; the virus will produce an original strain. cli ; auto increment lodsb ; load byte from si position xor ah, al ; xor byte at si stosb ; store it a di (same as si) loop 0110 ; loop until cx=0 NOTE: 0110 will be an offset ret ; return when done Now run the program at full speed. The next file the virus infects will be unencrypted, and executable. NOTE: This method will work only for the types of viruses that use this type of encryption. Mainly non-resident .COM and .EXE infectors. In other words, don't go thinking this trick will work on Whale or anything.