Everything posted by Win32.DN
My friend became a victim and I reversed the uploaded "unlock.exe" yesterday. The 36 (0x24) bytes variant is actually based on Cry9. I already understand (I hope) how the unlocker decrypts the files. The problem is factoring the AES128 key (and 0x1000+ bytes additional table), which looks to be different per victim. Maybe Fabian knows better about this part (or he is stuck at the same point). I will look more when I have more time, but don't expect good news from me.