Exemplo n.º 1
0
        //This code handles all of the main duties in decryptCMAuto.
        Program(string file)
        {
            Console.Write("> Loading Cookie Muncher Stub...");
            ModuleDefMD moduleDef = ModuleDefMD.Load(file); //load the stub

            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("OK");
            Console.ForegroundColor = ConsoleColor.Gray;
            if (moduleDef.Resources.FindEmbeddedResource("source") != null) //If "source" exists, then SombraCrypt was used in the stub.
            {
                Console.Write("> Detected SombraCrypt, unpacking...");
                moduleDef = decryptCMSombraUnpack.UnpackSombra(moduleDef); //Unpack SombraCrypt.
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("OK");
                Console.ForegroundColor = ConsoleColor.Gray;
            }
            //Declare variables.
            TypeDef CookieWork   = null;
            TypeDef WhiteList    = null;
            string  HWIDKey      = "";
            string  EncUserEmail = "";
            string  EncCMEmail   = "";
            string  EncCMPass    = "";

            byte[] IV = new byte[decryptCMOffsets.IV_AMOUNT]; //as of right now, the IV is 16 bytes long.
            foreach (TypeDef type in moduleDef.GetTypes())
            {
                //Lazy code, just gets classes that we need.
                if (type.Name == "cookiework")
                {
                    CookieWork = type;
                }
                else if (type.Name == "whitelist")
                {
                    WhiteList = type;
                }
                else if (type.Name == "encryption")
                {
                    CookieMuncherOriginal(moduleDef); //If this class exists, we have a Cookie Muncher Original stub.
                    return;
                }
            }
            Console.Write("> Getting IV's/Keys...");
            if (CookieWork == null || WhiteList == null) //If the classes dont exist, then this isnt a CMR5 stub.
            {
                Console.WriteLine("ERROR: Invalid stub! (failed to find cookiework/whitelist)");
                Console.ReadLine();
                Environment.Exit(0);
            }
            foreach (MethodDef method in CookieWork.Methods)
            {
                if (method.Name == ".ctor")                                                              //NOTE: .ctor internally is used to represent constructors for classes. This also means that the users decKey (their HWID) is also in there!
                {
                    HWIDKey = (string)method.Body.Instructions[decryptCMOffsets.OFFSET_HWIDKEY].Operand; //Get decKey.
                }
                else if (method.Name == "exec")                                                          //Contains the actual encrypted information itself.
                {
                    EncCMEmail   = (string)method.Body.Instructions[decryptCMOffsets.OFFSET_CMEMAIL].Operand;
                    EncCMPass    = (string)method.Body.Instructions[decryptCMOffsets.OFFSET_CMPASS].Operand;
                    EncUserEmail = (string)method.Body.Instructions[decryptCMOffsets.OFFSET_USEREMAIL].Operand;
                }
            }
            if (String.IsNullOrEmpty(HWIDKey) || String.IsNullOrEmpty(EncCMEmail) || String.IsNullOrEmpty(EncCMPass) || String.IsNullOrEmpty(EncUserEmail))
            {
                //We dont have one of the right keys/encrypted things - error out.
                Console.WriteLine("ERROR: Invalid stub! (failed to find HWIDKey/EncKeys)");
                Console.ReadLine();
                Environment.Exit(0);
            }
            foreach (MethodDef method in WhiteList.Methods)
            {
                if (method.Name == "init2") //Used in CMR5 to declare the IV.
                {
                    int counter    = 0;
                    int counterIns = decryptCMOffsets.OFFSET_IVINITAL;
                    while (counter < 16)
                    {
                        /*
                         * This is complicated IL crap, but you should be able to understand.
                         * In this particular malware, each IV byte was ALWAYS 4 instructions away from the last one. Luckily, this means we didnt have to code the offsets indivdually.
                         */
                        IV[counter] =
                            Convert.ToByte(method.Body.Instructions[counterIns + counter * decryptCMOffsets.OFFSET_IVBETWEEN]
                                           .GetLdcI4Value()); //Errors arise if we just use .Operand
                        counter++;
                    }
                }
            }
            //Print out results - we are done!
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("OK\n");
            Console.ForegroundColor = ConsoleColor.Gray;
            decryptCMToolchain chainDec = new decryptCMToolchain(IV, HWIDKey); //Init toolchain decryptor.

            Console.Write("User Email: ");
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine(chainDec.decryptCM_decrypt(EncUserEmail)); //decrypt (user email)
            Console.ForegroundColor = ConsoleColor.Gray;
            Console.Write("Cookie Muncher Email: ");
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine(chainDec.decryptCM_decrypt(EncCMEmail)); //decrypt (cmr5 author email)
            Console.ForegroundColor = ConsoleColor.Gray;
            Console.Write("Cookie Muncher Email (Password): ");
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine(chainDec.decryptCM_decrypt(EncCMPass)); //decrypt (cmr5 author password)
            Console.ForegroundColor = ConsoleColor.Gray;
        }
Exemplo n.º 2
0
        //This handles decryption for ORIGINAL CMR5 stubs.
        void CookieMuncherOriginal(ModuleDefMD moduleDef)
        {
            Console.Write("> Detected Cookie Muncher Original, getting IV/Keys...");
            //Declare variables.
            TypeDef Encryption   = null;
            TypeDef Module1      = null;
            string  HWIDKey      = "";
            string  EncUserEmail = "";
            string  EncCMCombo   = "";

            byte[] IV = new byte[decryptCMOffsets.IV_AMOUNT];
            foreach (TypeDef type in moduleDef.GetTypes())
            {
                //Lazy code, just gets classes that we need.
                if (type.Name == "encryption")
                {
                    Encryption = type;
                }
                else if (type.Name == "Module1")
                {
                    Module1 = type;
                }
            }
            if (Encryption == null || Module1 == null)
            {
                Console.WriteLine("ERROR: Invalid stub! (failed to find encryption/Module1)");
                Console.ReadLine();
                Environment.Exit(0);
            }
            foreach (MethodDef method in Encryption.Methods)
            {
                if (method.Name == ".ctor")  //NOTE: .ctor internally is used to represent constructors for classes. This also means that the users decKey (their HWID) is also in there!
                {
                    HWIDKey = (string)method.Body.Instructions[decryptCMOffsets.COFFSET_HWIDKEY].Operand;
                }
                else if (method.Name == "init") //Used in CMR5 to declare the IV.
                {
                    int counter    = 0;
                    int counterIns = decryptCMOffsets.COFFSET_IVINITAL;
                    while (counter < 16)
                    {
                        /*
                         * This is complicated IL crap, but you should be able to understand.
                         * In this particular malware, each IV byte was ALWAYS 4 instructions away from the last one. Luckily, this means we didnt have to code the offsets indivdually.
                         */
                        IV[counter] =
                            Convert.ToByte(method.Body.Instructions[counterIns + counter * decryptCMOffsets.OFFSET_IVBETWEEN]
                                           .GetLdcI4Value()); //Errors arise if we just use .Operand
                        counter++;
                    }
                }
            }
            if (String.IsNullOrEmpty(HWIDKey)) //If we dont have the HWIDKey yet, then this isnt a CMR5 stub.
            {
                Console.WriteLine("ERROR: Invalid stub! (failed to find HWIDKey)");
                Console.ReadLine();
                Environment.Exit(0);
            }
            foreach (MethodDef method in Module1.Methods)
            {
                if (method.Name == "Main") //Contains the actual encrypted information itself.
                {
                    EncUserEmail = (string)method.Body.Instructions[decryptCMOffsets.COFFSET_USEREMAIL].Operand;
                    EncCMCombo   = (string)method.Body.Instructions[decryptCMOffsets.COFFSET_CMDOUBLE].Operand;
                }
            }
            //Print out results - we are done!
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("OK\n");
            Console.ForegroundColor = ConsoleColor.Gray;
            decryptCMToolchain chainDec = new decryptCMToolchain(IV, HWIDKey); //Init toolchain decryptor.

            Console.Write("User Email: ");
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine(chainDec.decryptCM_decrypt(EncUserEmail)); //decrypt (user email)
            Console.ForegroundColor = ConsoleColor.Gray;
            Console.Write("Cookie Muncher Email: ");
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine(chainDec.decryptCM_decrypt(EncCMCombo)); //decryt (cookie muncher email)
            Console.ForegroundColor = ConsoleColor.Gray;
        }