Full Reverse (Disassembly) of an infection decrypter app that uses custom XOR, and cracking of the custom XOR.

There is an infection that encrypts people's files, and when you pay them you get a decrypter that decrypts them. I have disassembled this to the point where I have the function that decrypts in C# now, and even made a flow diagram of how the encryption works. But I need someone to be able to disassemble it more, to get enough information, and then crack the custom encryption. I know it's crackable, as it is XOR. But they customized it to use it in a CFB kind of way. If you know cryptography and assembly, please contact me.

Also, the decrypter EXE is highly obfuscated with a custom obfuscator, so it does take time to figure out which functions are junk and which are real.

To avoid confusion I would like to explain further:

I have been battling this infection I got, which encrypts my files in 512-byte chunks, together with a friend. We have managed to find what we think is the decryption function in IDA (the code is heavily obfuscated) from a user who paid for the decrypter. Below is the C dump of the decryption function:

int __stdcall sub_40C78E(int a1, int a2, int a3, int a4)
{
  int result;
  char v5;
  int v6;
  int v7;
  int v8;

  v7 = a1;          // pointer to the buffer being processed
  v6 = a2;          // number of bytes
  v5 = 0;           // feedback byte, zero for the first byte
  result = 0;
  if ( a2 )
  {
    v8 = a3;        // initial key state
    do
    {
      LOBYTE(v8) = v5 + v8;      // fold the previous output byte into the low byte of the state
      *(_BYTE *)v7 ^= v8;        // XOR the current byte with the low byte of the state
      v5 = *(_BYTE *)v7++;       // feedback: the byte AFTER the XOR
      v8 = __ROL__(a4 + v8, 8);  // advance the state: add constant, rotate left 8
      --v6;                      // counter decrement (not visible in the pasted dump; needed for the loop to end)
    }
    while ( v6 );
    result = v8;
  }
  return result;
}

What we have found with this infection is that if you XOR the first byte of the ciphertext with the plaintext, you get a key byte you can use to get the first byte of every file back. Which makes sense with this function, because the first time through the loop the key is added to 0, which means it is simply the key. But then this guy used some type of weird CFB-type XOR encryption where it uses the previous XOR'ed byte with the key next.

So basically let me sum it up here. You will need to know assembly language and C to reverse this thing (prob. using IDA and Olly). The decryption function above in C, I converted to .NET and removed all the junk. And this is what I would need you to do for the whole EXE. The first step would be reversing the whole EXE into a .NET (your choice in lang) solution that I can open up, and decrypt the test file I have. Once this is done, the second step is to go through the XOR encryption and crack / make a universal decrypter for it. This should be easy as it is only XOR, with a little trick to . The EXE is extremely small (66KB) and has very few functions in it, so other than the obfuscation in the EXE, reversing should be easy for someone who knows assembly.

If you think you know how to make a universal decrypt function from the function above alone, also contact me. We always know the plaintext value of the original file, so a known-plaintext XOR attack can be used.

Please contact me for more details.

Please know that the major goal in this job is to give me a method to universally reverse the encryption this EXE uses to encrypt files (XOR with a twist?), not really to have the reversed source for the EXE. Though I think you may need to reverse near the whole thing to understand it. Good luck.

Added the decrypter file and the encrypted files that it decrypts.

00000002-4C905D61.rar - Decrypter file
00000002-4C905D61-FILES.rar - Encrypted files

The password to the RARs is "123".

Also I have included some of my custom notes on this encryption. Attached are 2 PDFs: one I used to explain the terminology of the encryption, and the other is a flow diagram of the encryption. I also included my whack at turning the first decryption function I found (above in the post) into C#.

Notes.rar - 2 PDFs and a .CS

The password to the RAR is "123".
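As an added example (my code, not the poster's decompiled routine, their C# port, or anything from the malware), here is the dumped loop rewritten in plain C, together with the encryptor that it inverts and the first-byte known-plaintext observation from the post. It assumes a3 is the per-file initial 32-bit key state and a4 the per-step constant; the encryptor's feedback rule (plaintext byte, i.e. the byte before the XOR on that side) is derived here as the only rule the dumped decryptor can undo, and the sample data and key values are constructed placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit rotate left, as IDA's __ROL__ on a 32-bit operand. */
static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* One keystream step, mirroring the dump: fold the feedback byte fb into the low byte
 * of the state, emit that low byte as the key byte, then advance the state. */
static uint8_t step(uint32_t *state, uint32_t konst, uint8_t fb) {
    *state = (*state & 0xffffff00u) | (uint8_t)(fb + (uint8_t)*state);
    uint8_t key = (uint8_t)*state;
    *state = rol32(konst + *state, 8);
    return key;
}

/* The dumped routine: decrypt in place. Feedback is the byte AFTER the XOR, i.e. the
 * recovered plaintext byte. Returns the final state, as sub_40C78E does. */
uint32_t xor_decrypt(uint8_t *buf, size_t len, uint32_t state, uint32_t konst) {
    uint8_t fb = 0;
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= step(&state, konst, fb);
        fb = buf[i];
    }
    return state;
}
/* Matching encryptor, derived here as the inverse (not recovered from the sample): for
 * the decryptor to undo it, feedback must be the plaintext byte, i.e. the byte BEFORE
 * the XOR on this side. */
uint32_t xor_encrypt(uint8_t *buf, size_t len, uint32_t state, uint32_t konst) {
    uint8_t fb = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t p = buf[i];
        buf[i] ^= step(&state, konst, fb);
        fb = p;
    }
    return state;
}
/* The post's observation: fb is 0 for the first byte, so the first key byte is just the
 * low byte of the initial state (a3), and plain0 ^ cipher0 exposes it for every file. */
uint8_t first_key_byte(uint8_t plain0, uint8_t cipher0) { return plain0 ^ cipher0; }

/* Self-check on constructed data and placeholder key material. Returns 1 on success. */
int roundtrip_demo(void) {
    const uint8_t plain[16] = "known header...";               /* constructed plaintext */
    const uint32_t state = 0x12345678u, konst = 0x9e3779b9u;   /* placeholder a3 and a4 */
    uint8_t buf[16];
    memcpy(buf, plain, sizeof buf);
    xor_encrypt(buf, sizeof buf, state, konst);
    if (first_key_byte(plain[0], buf[0]) != (uint8_t)state) return 0; /* expect 0x78 */
    xor_decrypt(buf, sizeof buf, state, konst);
    return memcmp(buf, plain, sizeof buf) == 0;
}
```

Because the decryptor's keystream depends on the recovered plaintext rather than on the ciphertext, a universal decrypter needs the initial state and constant; the first key byte alone, as the post says, only recovers the first byte of each file.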


Skills: .NET, Assembly, C Programming, Cryptography, x86-x64 Assembler


About the employer:
( 3 reviews ) Coral Springs, United States

Project ID: #5981565

Awarded to:


Hi, my name is Mohamed Shetta. I have experience in reverse code engineering. I do malware research, vulnerability research and reversing for the purpose of decompilation. I have already found vulnerabilities i More

$333 USD in 5 days
(0 reviews)

8 freelancers are bidding on average $466 for this job


Hi. I have experience in encryption/decryption/reversing. I have done a lot of similar projects. I am ready to do it for you. Thanks!

$1500 USD in 5 days
(52 reviews)

Hello, I have experience with debugging similar malware programs. However, I think that this is a very difficult job, and that is why my bid is higher than the budget you have specified. Please contact me if you wan More

$750 USD in 30 days
(73 reviews)

Can I have the full software? If you have it, send me the full package and details please.

$250 USD in 10 days
(4 reviews)

Hi, I recently worked on a project identifying an encryption algorithm and can help you with this task. In what language is the virus written?

$277 USD in 7 days
(2 reviews)

I have read your requirement. I have 3 years of programming experience. I already have the skills your project needs. If you choose me, I will not let you down. I will wait for your reply.

$400 USD in 5 days
(4 reviews)

Hi, I can do your project, please send the app file for analysis... I will change my bid after it (maybe).

$350 USD in 2 days
(3 reviews)

Hello, sir. I read your job posting with interest. I am very interested in your job. I am an excellent reverse engineer and have rich experience. I can use many debugging tools like IDA Pro and SoftICE. I have mo More

$388 USD in 3 days
(2 reviews)

Dear, I can do this project for you. I did an MS in Information Security and am an Electronics Engineer. I will disassemble it and can fix this bug. I already did this type of project and cracked the M209 machine.

$155 USD in 13 days
(0 reviews)

Dear brother, I can do this for you. I am basically a cryptographer and can crack this algorithm. I work with full dedication and result-oriented effort. If you need further information, let me know.

$111 USD in 7 days
(0 reviews)