CHIqueen
Now that you extracted the password from the memory, could you decrypt rick's files? vmware-tray.exe에서 pdb정보를 찾아봅니다. $ strings executable.3720.exe | grep pdbC:\Users\Tyler\Desktop\hidden-tear-master\hidden-tear\hidden-tear\obj\Debug\VapeHacksLoader.pdb 경로를 보면 hidden-tear라고 하는 https://github.com/goliate/hidden-tear 랜섬웨어를 찾을 수 있습니다. 다행히도 decrypter도 같이 있습니다. 하지만 무엇을 복호화를 해야될까요? 0x000000007e410890 1..
Rick got to have his files recovered! What is the random password used to encrypt the files? 랜섬웨어에서 password관련 함수들을 찾아보면 CreatePassword()와 SendPassword(), startAction()이 있습니다. public string CreatePassword(int length) { StringBuilder stringBuilder = new StringBuilder(); Random random = new Random(); while (0 < length--) { stringBuilder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1..