Everything posted by matwachich

  1. About JPEG file recovery: I have been able to recover nearly 90% of my pics with the tool I created. <LINK TO UNAUTHORIZED SOFTWARE REMOVED> Other news: the onion resource is no longer available. It is redirected to fgb45ft3pqamyji7.onion and we are able to chat with the bad guys!
  2. I confirm. This is actually what I'm doing with my JPEG recovery tool. I'm working on it now, I think it will be really accurate (release tonight or tomorrow).
  3. Hi! You can try my program for JPEG files (see my former posts). I'm always working on it. For MP4 videos, Google Recover_Mp4, it's a program that was able to recover many of my personal videos. For the rest, you can pray to the gods... (sorry)
  4. https://github.com/matwachich/recover_jpeg Follow the development of the JPEG recovery tool here
  5. Ok, now I think I have a pretty good version of the JPEG recovery script, so I will share it! How to use: create a folder named "__models__" beside ImageSaver.exe and place in it valid JPEG files taken with the same camera(s) as the encrypted ones, with different resolutions, orientations and quality settings; give them clear names because the model name is appended to the recovered file (ex. s7-1080-paysage.jpg). Then, just drag and drop the encrypted files onto the exe. It will try to rebuild the lost pics using what remains valid in them. It's gonna create many files (one for each model), many of them will be invalid. It's up to you then to delete the invalid files and keep the valid ones. It will surely not recover all pics, I'm still working on this... PS: about the padding, try big numbers first (like 4000) then decrease or increase to see the result. ImageSaver.exe
  6. My method actually works for, say, 60-80% of my pictures. I'm currently searching for a means to recover them even if the essential Start Of Scan marker (0xFFDA) is encrypted. It will be partial recovery... I'm developing a small tool to do it. I don't know if I'm gonna release the source because I'm afraid that the hackers will see it and adapt their encryption routines.
  7. Small correction: there are no entirely encrypted files! I thought so because I couldn't find the SOS (0xFFDA) marker in some JPEG pics; this is because the file is so small that the 0xFFDA is within the first 10 encrypted kilobytes. I have to find a way to recover partial JPEG encoded data...
  8. Please, can somebody upload the malware files? I am unable to download them from this forum. (Please use some file sharing websites: Box, Dropbox...)
  9. I was thinking: the ransomware has to generate a key pair (public/private), it must do it (I think) on the victim's computer (using some random data and/or the UUID of the machine), then use the public key to encrypt and transfer the private key to the criminals' master server. What if I re-execute the ransomware on my computer and try to intercept the keys in memory using a debugger? Is it a good idea? (Note: I haven't formatted my computer yet, I just secured my sensitive data.) The problem is that I'm a complete noob in assembly and debugging... What I want to say here is that it is not mandatory to "crack" the encryption keys: if everyone can reverse engineer the malware on their own computer (supposing the key generation doesn't use random data) then this could work (intercept a key that hopefully will be the same)!
  10. The decryptor is doing the following (Win API Monitor): read 10240 encrypted bytes; read the 36 last bytes separately: first 32 bytes, then the last 4 bytes (so they could mean different things...?); write 10240 decrypted bytes and discard the 36 last bytes. I also saw that some files are totally encrypted (always with 36 bytes appended), so perhaps the last 36 bytes have something to do with this (a sort of marker of total/partial encryption?).
  11. Someone needs to reverse engineer the cryptor and the decryptor to see how those keys are generated and what the relation is between them, the ID and the last 36 bytes of the file. I'm pretty good at C system programming, I have some notions of cryptography (what asymmetric and symmetric encryption and hashing are) but assembly and debugging are totally obscure to me. I'm currently trying to learn assembly but it's a very long way. My greatest fear is that the pirates disappear into nature!
  12. I have just discovered a terrible thing!!! Some files are entirely encrypted!!!!!
  13. The c:\windows\dell\svchost.exe is only this. I don't have (yet) the real virus executable. Can anyone provide it?
  14. Yes, it must be another variant... Try this to find out which ransomware it is. By the way, the 36 bytes are all appended at the end of the file. In all my files, it is: [1 random byte][31 null bytes][4 fixed bytes]
  15. I'm currently working on picture recovery. The technique already worked for me. I'm developing a tool to apply it to many files at once. So if you're gonna pay only for pics, wait a moment. PM me if you want more info.
  16. I'm interested! Please upload them and PM me the links. Thanks! Does the Emsisoft team have the exes?
  17. Does anybody have a sample of the virus? We could run it and monitor its memory and API calls to try to catch the key generation, and to analyse its behaviour. Also, I have a bunch of torrent files that were completed; I can provide their encrypted part with the decrypted one (after re-downloading them), will it help? Lastly, since only the first 10kb of each file are encrypted, I think that pictures (JPEG...) could be recovered (partly at least) by a sort of reconstruction of their header to a generic one.
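The header-grafting recovery described in the posts above (a model JPEG from the same camera, the first 10240 bytes encrypted, 36 trailing bytes, a tunable padding), written out as an added example; this is not the poster's ImageSaver/recover_jpeg code, the model and encrypted sample files are constructed inline, and reading the padding as dummy scan bytes inserted in place of the lost data is an assumption.

```python
"""Graft a known-good JPEG header onto the scan data the ransomware left
intact.  Constructed example, not the poster's ImageSaver/recover_jpeg tool."""

SOI, SOS, EOI = b"\xff\xd8", b"\xff\xda", b"\xff\xd9"
ENCRYPTED_PREFIX = 10240  # bytes overwritten at the start of each file (per the posts)
TRAILER = 36              # bytes the ransomware appends to each file (per the posts)


def model_header(model: bytes) -> bytes:
    """Walk the marker segments of a valid JPEG and return everything up to and
    including the Start Of Scan segment (the part lost in the encrypted file).
    Assumes every segment before SOS carries a 2-byte length field (true for
    the APPn/DQT/DHT/SOF segments a camera writes)."""
    if not model.startswith(SOI):
        raise ValueError("model is not a JPEG")
    pos = 2
    while pos + 4 <= len(model):
        if model[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = model[pos + 1]
        pos += 2 + int.from_bytes(model[pos + 2:pos + 4], "big")
        if marker == 0xDA:
            return model[:pos]
    raise ValueError("no SOS marker in model (file too small?)")


def rebuild(encrypted: bytes, model: bytes, padding: int = 0) -> bytes:
    """Return a candidate JPEG: model header + padding + surviving scan data.
    Only the middle of the encrypted file is usable: the first ENCRYPTED_PREFIX
    bytes are ciphertext and the last TRAILER bytes are the ransomware's marker.
    `padding` stands in for the lost scan bytes (assumed meaning of the poster's
    tuning knob; the right amount shifts the surviving rows into place)."""
    if len(encrypted) <= ENCRYPTED_PREFIX + TRAILER:
        raise ValueError("nothing survives outside the encrypted region")
    surviving = encrypted[ENCRYPTED_PREFIX:len(encrypted) - TRAILER]
    out = model_header(model) + b"\x00" * padding + surviving
    return out if out.endswith(EOI) else out + EOI


# Constructed samples: a minimal "model" JPEG (SOI, one DQT-like segment, SOS
# header, 16 scan bytes, EOI) and an "encrypted" file laid out as the posts
# describe: 10240 ciphertext bytes, intact scan data, then the 36-byte trailer
# [1 random byte][31 null bytes][4 fixed bytes].
MODEL = (SOI + b"\xff\xdb\x00\x04\x00\x00"
         + SOS + b"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
         + b"\x5a" * 16 + EOI)
SCAN = bytes(range(1, 200)) * 3
ENCRYPTED = (b"\x42" * ENCRYPTED_PREFIX + SCAN + EOI
             + b"\x07" + b"\x00" * 31 + b"\xde\xad\xbe\xef")
```

Every candidate produced this way still has to be opened and judged by eye, as the poster says, since the grafted header only matches when the model shares the original's resolution, sampling and quantisation tables.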