Reversing WannaCry Part 1 - Finding the killswitch and unpacking the malware in
ฝัง
- เผยแพร่เมื่อ 26 มี.ค. 2019
- Part 2 is out! • Reversing WannaCry Par...
In this first video of the "Reversing WannaCry" series we will look at the infamous killswitch and the installation and unpacking procedure of WannaCry.
Twitter: / ghidraninja
Links:
- Interview with MalwareTech: / s3-episode-11-wannacry...
- MalwareTech's blogpost about the killswitch: www.malwaretech.com/2017/05/h...
Further reading
- Wikipedia: en.wikipedia.org/wiki/WannaCr...
- LogRhythm Analysis: logrhythm.com/blog/a-technica...
- Secureworks Analysis: www.secureworks.com/research/... - วิทยาศาสตร์และเทคโนโลยี
Reverse engineering enhances the understanding of both programming thought and skills. This video is easy to follow, and the main techniques of reverse engineering are shown clearly, which makes me want to decompile a small interesting program to analyze it.
安笑生 yeah we can learn programming from reverse engineering stuffs
你好同志
lol
@@wanderingpalace 安笑生
@@wanderingpalace i love xi jinping's huge cawk
@@wanderingpalace no you absolutely can't
I'm a vegetable that doesn't understand anything but this was an interesting video
@@tomatonyable
takes one to know one! unless you're a reptilian
read the book Code by Charles Petzold. You will understand how the CPU and assembler works even if you are a total noob. After that you will automatically understand how programming languages work, reverse engineering too and so on.
@Rajath Pai trust me. Petzold is a guru
@@ThisDaveAndThatJohn code by charles petzold?
Ok BOOMER
Looks like Ghidra is a very good renaming tool!
I prefer ollydbg 2.01 or x64dbg for 64 bit, ghidra makes really easy the reverse process, can get a source code... I prefer analyze asm instructions one by one for understand fully process but this isn't the best stategy.. one by one can take you a lot of time i use call stack window for locate specific part i want to analyze!
@@vladysmaximov6156 keep us posted mate
@@vladysmaximov6156 weird flex but ok
@@vladysmaximov6156 I tried out ghidra and improved my performance like 10 times (mainly due to being shit in reading asm fast).
@@vladysmaximov6156 You absolute pleb. Version 1.10 or GTFO.
"Microsoft security center (2.0) sevice" LMAO
Love this! Please create a series of Reverse Engineering Basics!
Yes
Just gotta learn GDB, Radare, OllyDBG for Windows, and assembly. And even then the assembly is the part that while takes the longest isn't too bad once you get used to it.
Oh and IDA / Binary Ninja are good too.
Ghidra ninja:The function is very simple
Me:
Wow that was probably one of the best descriptive reverse engineering videos I've seen to date. Your method of explaining and showcasing each step in each function is fantastic and even explaining how to identify when disassemblers/decompilers mess up and how to fix them.
Bravo. I'm upset that I waited this long to actually start watching these videos.
I didn't understand anything of what you did, but the casualness of explaining something so exoticly complicated drew me in.
Very interesting and complete video, first time I watch a reversing engineering video and I love the way you investigate and explain what you do. It's the first video of your channel I see and I love it. Keep going !
This was SUPER interesting and well made, please continue! You left us on a cliffhanger!
WannaCry: exists
Ghidra: im about to end this mans whole carrer
what the H E C C is a carrer
@@xyphoes345 it's a carrer
@@glowingone1774 isnt it meant to be a *career* tho
@@xyphoes345 no this is much different.
but wannacry isnt a man
Really well done video. I think you should keep this series in this format. Personally I like the pacing of the video, and wouldn't want it slower, or faster.
You know too many things. You explain it too casually like it's food lmao.
This guy be like:
Ok, let me present you my house.
hijacking this to say WE NEED PART 2
Inserts his too powerful(smart) to be kept alive meme*
looks pretty standard to me
Plot twist: he is the hacker who made wanna cry
marv b first 20 minutes is really basic stuff. Its just general reversing and assigning names
I came across your channel shortly after downloading Ghidra. I appreciate how you clearly detail your train of thought in each video. I hope to see more!
I understood everything except for the renaming parts. Meaning i did not understand a thing. Cool vid tho, you've earned a sub!
Using an open source reversing platform like Ghidra, everyone could potentially come closer to the reversing world. Oh what if I could be some years younger..
what do you mean years younger
@@Decentsito I'm too old to start studying in depth reversing, now.
No one is too old to learn.
@@freeweed4all how old are you?
@@UCnPE-cqd00o5SHPn0rHxphg thanks for the support. I made a choice some years ago, leaving netsec to start studying at University a totally different thing: knowing today how this sector is growing, maybe my choice wasn't the right one. Today, with these excellent resources, is far more easy to fill the gap with skilled reversing ppl: some years ago they appear like a part of a niche, like an out of reach status. This effect is an outcome of how much the reversing job offers are growing (US government choice about Ghidra isn't random).
everyone: try not downloading files from entrusted places!!!
Ghidra: let's unpack the malware !
@starshipeleven He could use a VM.
What is an entrusted place?
starshipeleven presumably you download the sample from within the VM, then disable the Ethernet adapter that gives the VM Internet access to prevent worms from going through the connection.
starshipeleven forgot about that option, thanks for reminding me.
Just something that scares me :
They are easy accessible websites to download loads of virus to try antivirus and understanding how they work ?
I hope they tell the user several warnings before sending the file
Fantastic Video, I hope to see more both on wannacry and other things soon. As an embedded SW guy looking to get into RE this was great.
Just wow. Impressive job! I hope you are employed by one of the major tech/AV companies.
Reading the WannaCry warning, the creaters were real lads, providing multiple languages, information about BitCoin and a contact method.
They just sound incredibly kind.
tbh, i think they knew that they would affect millions of devices. humble people
Kind, maybe not, but they were reasonable. Do as we ask and we promise all will be well. And see we have written in clear language what we want you to understand. Give us the money and have a nice day 😊
professionals have *standards*
cant get money from someone who cant understand what they are reading
@@kahlzun Investigations show that this was most likely an attack by the North-Korean Government-Controlled Lazarus hacking group to fund nuclear programs and Fatass Jong Un's Sanction-Bypassing Goldschlager run. Eh, probably not Goldschlager. The fatass is probably going for something more expensive.
Subbed instantly.Cant wait for another episodes.
I don't really know what's going on because Im noob but these videos are cool, this is the best and practical approach I've seen I think, loving it and subbed immadietely, good commentary, step by step. Waiting for more.
I am just happy that there are people out there who understand stuff like this! 😅
Keep up the amazing work you do with your videos!
Very informative and interesting video. Thanks for that amazing upload! I cannot wait to see its continuation.
Looks good want to see the following episode. Reverse engineering seems pretty fun.
Nice tutorials man! Maybe some basics for reverse engineering video's in Ghidra would be great as well! Like explaining how the system works and what each action truly means :). But it's great :) Can't wait for the next one.
first time i watched this about 2 year ago and i was a simple java programer
now i am a c/c++ programming working at a hardware developing company and i just watched this again
that was awesome , i finally understood what was u talking about , i am always checking u tube for part 2 please upload it i am tried :)
Best video i ever seen on reverse engineering, keep it easy to understand! Thank you.
Thanks for the great work! Can't wait for a part 2
First time TH-cam recommended me something amazing. 😀
The thing that blew my mind the most, was the list of language translations you found in the passworded zip. Made me realize how much they really scaled this thing to take on the world. Absolute savage. Who ever did this was well organized. Do you ever wonder if they watched this video?
they make locale translators for batch translating, prob took them about 5 minutes to translate all locales. The least impressive part
@@hiddenaether then why hide it with such levels of encryption? it would be easy to just use english, but instead they have the ambition to take on the world.
I’m trying to learn Ghidra and reverse engineering in general, and this and your other videos are so helpful.
Thanks man! Great content!! Definitely looking forward to more!!
All the best!!
Ghidra looks like an EXCELLENT tool to manage an RE session. Top notch.
Hey, I love watching reverse engineering videos! Thank you for this one. I'm glad that the TH-cam recommendation bots have blessed you.
Interesting and good video. Reverse engineering and programming isn't really my thing and a lot of it is going over my head. But it's an interesting and informative video none the less. Waiting to see part 2!
This was super interesting. Please continue with this series
Wow this is very impressive! Great job & keep going :)
Very nice video, thank you. I would definitely want to see more malware analysis with ghidra videos. :)
Man, I used to debug exe using ollydebug and you are taking it to another level 🤯
Wow... as difficult as all this sounds, I'm a new security enthusiast, so I'm still learning. I was able to understand and somewhat follow what you were doing. kudus.
Your skills are unbelievable. Good job 👏🏼
I didn't understand single bit of information u said but I watched full video..and subscribed.. Thanks for making this video
Ghidra: *does windows reverse engineering in iOS*
Windows: "Am I a joke to you?"
macOS*
@@rohitas2050 woops
more like Reclass: Am I a Joke to you ?
@@Elffi LOL
I'm so happy that TH-cam recommended this video to me. Keep up the good work! Waiting for part 2..
Hopefully tomorrow :) life has been busy
TH-cam algo has done it again. Could understand probably 1% of what was talked about, but it seemed very interesting. Subscribed!
Thanks for your videos, great detail. I hope you carry on with this channel and it's content.
Wow, I learnt so much about decompilation in this video! Thanks, keep it up!
This is some quality work! Congrats...
Impressed by your work. Keep it up! :D
Great work and love what you did to show us how to reengineer a malware program like wanna cry I am in discord and on htb trying everything I can do to learn this so thank you and this is very helpful
Amazing, subscribed..... can't wait for part 2
Dude!! This is an epic walkthrough of reverse engineering - SO INTERESTING!!
I am currently doing my bachelor in Computer Science and didn't know this reverse engineering even existed!
Very cool and very nicely explained. Showing the keyboard output is also a nice addition of you! Thanks :)
RubenCO what language is this in?
@@elijahburnham7882 The left side of Ghidra is x86 Assembly and the right side is C.
@@Slenderman63323you need low level knowledge to be able to do stuff like this since the c code that is outputed is very low level
Would love to see a tutorial on TP-Link router firmware RE or firmware with similar architecture, reverse engineering and rebuild of the firmware. Love your videos so far.
Again your videos are insanely good !!! Love it !
Abra, Kadabra, Alakazam,
You now possess a new subscriber,
Simsalabam.
Thank you for your videos!!
I have no idea what's gong on here, but I'm straining to understand. Great video!
great work....can´t wait for part II
So fast and accurate like a real ninja 😂, nice video , I didn't have to use speed 2 , like I usually do 😂
Very good video. Thanks for this video. That flowchart was helpful too. I have never seen reverse engineering in practice, this was very interesting. Very similar to debugging programs only here we don't have symbol information and have to create our own symbols, but it seems this Ghidhra tool makes things a lot convenient.
Whoever wrote this malware must have very good knowledge of Windows API, maybe even about Windows kernel.
Highly informative! Clearly explained, only understood about half of it but subscribed!!!
subbed, 22 minutes passed like a breeze
Well, I dont really understand well but Im here to understand it better, thanks for the video!
Edit: i actually managed to understand a part of it
That was very insightful! I'm a software developer/architect for 17 years now and I must say that you have a very nice way to tell details and to guide your audience. thank you very much!
for the follow up video I would like to see the "physical" impact of the malware, like show the registry-key or the installation folder to make it more understandable for non-developers.
I have a few questions. I've done vb coding for years, but more as a supplement to my other work loads, I'm not a full blown dev.
First, what was so hard about spotting the kill switch? There must have been a lot of the best devs looking at this code globally for 4 days, the guy who killed it even did that on accident.
Secondly, and I'm not advocating for better viruses, but would a kill switch that the owner had exclusive controle over not be possible? They went to great lengths coding this but left the kill switch free for anyone to use.
I didn't understand anything, but I would have loved to cause it seems like a very useful skill to have and props to you for being so good at it!
Awesome work as always. Keep it up
Amazing video, very good to follow and it helped me a lot with some frustrating 'features' in Ghidra. I found I was using the disassembler window more than the decompilation window because of weird decompilation results - you helped me understand getting better decompilation results by adjusting Ghidra's interpretation of some code.
Thanks!
That's awesome to hear, thank you! Feel free to let me know what else you have trouble with, maybe it's something I can feature in the future
@@stacksmashing I'll be sure to comment it when I find more stuff, but seeing you work already solves a lot of problems!
@@stacksmashing greaat tut, can please explain if possible im chrome devtools save the changes i make in offline? i want change a pwa web worker app that works online and offline but the changes i made nolt save when i restart the app, exist any trick to save?if i not save i only get the cache of pwa app and not possible open and edit i think, thanks
Great video! Looking forward to more of your videos on Ghidra reverse engineering!
Great video. Waiting for the next part
This looks very interesting, great analysis, even for laymen.
you make me realise how little I know about anything. Great video
Awesome video looking fwd to part 2
I hope to be as knowledgeable as you on this topic someday - please make a part 2!
I don't know shit about coding, but you've explained this in a very human-readable way and i appreciate that.
Excellent. Really. You got my respect.
This is fantastic, thank you
Was looking for a video like this, thank you 👍
I'm looking forward to the second part to this series..
this is the video that helped me learn how to reverse engineer, thank you
awesome video! I'd love to see more!
I am looking forward to the next video. (Should you encrypt the copy of Wannacry on your website using the AES key in your previous video? That would protect script kiddies from themselves and create a nice easter egg/crackme challenge?)
I honestly didn't understand a single thing but I still appreciate the video, so thanks for sharing this.
I wonder who was behind the attack. It pisses me off there was nothing I could do to help when it happened to my relatives.
It might be finger pointing, but the US, UK, and Australia claimed that North Korea was behind the attack.
@@fatfr0g570 they formally asserted its origin as North Korea, the only 2 instruction pages not machine translated were english and chinese. more interestingly, the developers computers had Korean font families installed and build stamps indicated their timezone.
hey, thanks dude! Probably speeding up the video was a good idea. I wish I could speed up Ghidra itself in a live session. I tried to open Microsoft's comctl32.dll in it and it took forever, and made it very sluggish afterwards.
Quick question -- how do you load symbols from the Microsoft server into it? (Like we used to do with windbg.)
Keep doing this. Show the world sth more about WannaCry.
man, this was a trip
I used the GNU debugger to reverse engineer some stuff, but with more complex programs it gets harder, this seems make things more agile and clear
Might be just Ghidra making it seem too easy 😃
Wow you do that so fast xD hmm very informative video and i learnt a bit about reverse engineering
A Very Awesome Walk-through . On Point!!! ... Thanks. :D
Nice, nice, nice!
Thanks for the video.
Wow Ghidra really does all the work !
Si entendiera inglés y lo que haces me encantaría seguir lo que haces. Mis ojos se quedaron atrapados cuando vi este video al parecer lo había visto antes y no comenté. .Mis respetos hombre.
Can’t wait for part 2
That was elite. Way to go!
Great Content. I wish I could find and neutralize all the malwares myself instead of depend on a software, but I guess people like you decode all those anti-malware software. Thanks for the work if you are reading this and work for such company!
You ma boy are very stronk in what you're doing. Nice!
This is very important and informative
best I've seen till now