WannaRen勒索被加密文件解密

文章目录

  • 前言
  • Wannaren解密
  • 解密关键代码

前言

要说火爆全网的勒索,莫过于17年的WannaCry了,当时影响广泛,给用户造成了巨大损失。就在前段时间,蹭WannaCry热度的WannaRen勒索也小火了一把,然而来也匆匆,去也匆匆。

下图为展示勒索信的解密程序

WannaRen勒索被加密文件解密_第1张图片

样本为白加黑组合，类似 winword 加 wwlib.dll 的白加黑组合在 2019 年曾被海莲花组织使用过

在这里插入图片描述

本篇博客主要讲的是被Wannaren勒索文件解密,其他的信息就不多赘述

Wannaren解密

Wannaren 主要靠 RSA 和 RC4 组合进行加密：随机生成 RC4 密钥加密文件内容，再用 RSA 公钥加密该 RC4 密钥并写入加密文件头作为标记

WannaRen勒索被加密文件解密_第2张图片

正常来说没有RSA私钥是无法解密的,但是作者已经公布了私钥,所以文件便可以进行解密

私钥如下

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

大致思路:

1.使用RSA私钥解密被加密的RC4密钥

2.取出中间被加密的数据使用RC4密钥解密

3.解密后的数据去除wannaren标记

解密关键代码

使用RSA私钥解密被加密的RC4密钥

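/**
 * Decrypt the RSA-encrypted RC4 key taken from a WannaRen file header.
 *
 * @param str         Ciphertext of the RC4 key. The whole RSA block is passed to
 *                    RSA_private_decrypt, so @p str must hold at least RSA_size()
 *                    bytes of the key loaded from @p prikey_path.
 * @param prikey_path Path of the PEM-encoded RSA private key (the published one).
 * @return malloc'd, NUL-terminated buffer holding the decrypted RC4 key; the
 *         caller frees it. NULL on any failure (a message is printed).
 *
 * Uses the OpenSSL 1.x RSA_* API like the rest of this listing. All resources
 * (FILE, RSA, output buffer) are released on every failure path.
 */
char* decrypt_cr4_key(char* str, const char* prikey_path)
{
	char* pDedata = NULL;
	char* result = NULL;
	RSA* pRsa = NULL;
	FILE* pPrikey = NULL;
	int nRsalen = 0;

	if (str == NULL || prikey_path == NULL)
	{
		printf("Invalid argument\n");
		return NULL;
	}
	if ((pPrikey = fopen(prikey_path, "r")) == NULL)
	{
		printf("Open key file fail\n");
		return NULL;
	}
	if ((pRsa = PEM_read_RSAPrivateKey(pPrikey, NULL, NULL, NULL)) == NULL)
	{
		printf("Read private key fail\n");
		goto cleanup;
	}
	nRsalen = RSA_size(pRsa);
	/* +1 and zero-fill so the recovered key is always NUL-terminated,
	 * because the RC4 stage measures it with strlen(). */
	pDedata = (char*)malloc(nRsalen + 1);
	if (pDedata == NULL)
	{
		printf("no enough memory!\n");
		goto cleanup;
	}
	memset(pDedata, 0, nRsalen + 1);
	/* RSA_private_decrypt returns the plaintext length, or -1 on error. */
	if (RSA_private_decrypt(nRsalen, (unsigned char*)str, (unsigned char*)pDedata, pRsa, RSA_PKCS1_PADDING) < 0)
	{
		printf("Decrypt private key fail\n");
		goto cleanup;
	}
	/* Success: hand the buffer to the caller and keep cleanup from freeing it. */
	result = pDedata;
	pDedata = NULL;

cleanup:
	free(pDedata);      /* non-NULL only when decryption failed */
	RSA_free(pRsa);     /* RSA_free(NULL) does nothing */
	if (pPrikey != NULL)
	{
		fclose(pPrikey);
	}
	return result;
}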

RC4解密数据

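/**
 * Decrypt a WannaRen-encrypted file body with the recovered RC4 key and strip
 * the WannaRen marker bytes around it.
 *
 * @param file_data          Raw bytes of the encrypted file.
 * @param data_size          Number of bytes in @p file_data; must be >= 0x12.
 * @param rc4_dencrypt_key   RC4 key as a NUL-terminated string (output of
 *                           decrypt_cr4_key). Its length is taken with strlen(),
 *                           so a key containing a 0x00 byte would be truncated.
 *                           NOTE(review): confirm the RC4 key never contains NUL.
 * @param encrypt_chunk_size Kept for source compatibility only. RC4 is a stream
 *                           cipher whose state lives in RC4_KEY, so the plaintext
 *                           is identical for any chunk size; the buffer is now
 *                           processed in a single RC4() call, which also removes
 *                           the old overflow when a caller passed a value < 16.
 * @return malloc'd buffer of (data_size - 0x12) bytes holding the restored file;
 *         the caller frees it. NULL on bad input or allocation failure.
 *         For an input of exactly 0x12 bytes the allocation is zero-sized and
 *         malloc(0) may legitimately return NULL.
 */
char* rc4_decrypt_file(char* file_data, int data_size,
	const char* rc4_dencrypt_key, int encrypt_chunk_size = 16)
{
	/* Marker layout implied by the original copy: 0x9 bytes dropped from the
	 * front, 0x12 bytes dropped in total (so 0x9 trailing bytes as well). */
	enum { MARKER_HEAD = 0x9, MARKER_TOTAL = 0x12 };
	(void)encrypt_chunk_size;

	/* data_size - MARKER_TOTAL below must not go negative. */
	if (file_data == NULL || rc4_dencrypt_key == NULL || data_size < MARKER_TOTAL)
	{
		printf("invalid input!\n");
		return 0;
	}

	char* out_data_all = (char*)malloc(data_size);
	if (out_data_all == NULL)
	{
		printf("no enough memory!\n");
		return 0;
	}
	memset(out_data_all, 0, data_size);

	RC4_KEY rc4_key;
	RC4_set_key(&rc4_key, strlen(rc4_dencrypt_key), (unsigned char*)rc4_dencrypt_key);
	/* One pass over the whole buffer yields the same keystream as the former
	 * 16-byte chunk loop, without the per-chunk scratch buffers. */
	RC4(&rc4_key, data_size, (unsigned char*)file_data, (unsigned char*)out_data_all);

	int restore_size = data_size - MARKER_TOTAL;
	char* restore_file_data = (char*)malloc(restore_size);
	if (restore_file_data == NULL)
	{
		printf("no enough memory!\n");
		free(out_data_all);
		return 0;
	}
	/* memcpy fills the whole result, so no memset is needed first. */
	memcpy(restore_file_data, out_data_all + MARKER_HEAD, restore_size);

	free(out_data_all);
	return restore_file_data;
}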

具体工程见https://github.com/Iam0x17
