Reversing WannaCry Part 1 - Finding the killswitch and unpacking the malware in
Ғылым және технология
Part 2 is out! • Reversing WannaCry Par...
In this first video of the "Reversing WannaCry" series we will look at the infamous killswitch and the installation and unpacking procedure of WannaCry.
Twitter: / ghidraninja
Links:
- Interview with MalwareTech: / s3-episode-11-wannacry...
- MalwareTech's blogpost about the killswitch: www.malwaretech.com/2017/05/h...
Further reading
- Wikipedia: en.wikipedia.org/wiki/WannaCr...
- LogRhythm Analysis: logrhythm.com/blog/a-technica...
- Secureworks Analysis: www.secureworks.com/research/...
Пікірлер: 848
Reverse engineering enhances the understanding of both programming thought and skills. This video is easy to follow, and the main techniques of reverse engineering are shown clearly, which makes me want to decompile a small interesting program to analyze it.
@wanderingpalace
4 жыл бұрын
安笑生 yeah we can learn programming from reverse engineering stuffs 你好同志
@r0x304
3 жыл бұрын
lol
@ADeeSHUPA
Жыл бұрын
@@wanderingpalace 安笑生
@gameacc6079
Жыл бұрын
@@wanderingpalace i love xi jinping's huge cawk
@muth69
7 ай бұрын
@@wanderingpalace no you absolutely can't
I'm a vegetable that doesn't understand anything but this was an interesting video
@GamerTheTurtle
5 жыл бұрын
@@tomatonyable takes one to know one! unless you're a reptilian
@ThisDaveAndThatJohn
5 жыл бұрын
read the book Code by Charles Petzold. You will understand how the CPU and assembler works even if you are a total noob. After that you will automatically understand how programming languages work, reverse engineering too and so on.
@ThisDaveAndThatJohn
5 жыл бұрын
@Rajath Pai trust me. Petzold is a guru
@zxxczczczcz
5 жыл бұрын
@@ThisDaveAndThatJohn code by charles petzold?
@HimanshuPal-li7nj
4 жыл бұрын
Ok BOOMER
Looks like Ghidra is a very good renaming tool!
@vladysmaximov6156
4 жыл бұрын
I prefer ollydbg 2.01 or x64dbg for 64 bit, ghidra makes really easy the reverse process, can get a source code... I prefer analyze asm instructions one by one for understand fully process but this isn't the best stategy.. one by one can take you a lot of time i use call stack window for locate specific part i want to analyze!
@aasquared8191
4 жыл бұрын
@@vladysmaximov6156 keep us posted mate
@Luzum
4 жыл бұрын
@@vladysmaximov6156 weird flex but ok
@madghostek3026
4 жыл бұрын
@@vladysmaximov6156 I tried out ghidra and improved my performance like 10 times (mainly due to being shit in reading asm fast).
@jonarmani8654
4 жыл бұрын
@@vladysmaximov6156 You absolute pleb. Version 1.10 or GTFO.
"Microsoft security center (2.0) sevice" LMAO
Love this! Please create a series of Reverse Engineering Basics!
@oliviasmith4680
5 жыл бұрын
Yes
@MattZelda
5 жыл бұрын
Just gotta learn GDB, Radare, OllyDBG for Windows, and assembly. And even then the assembly is the part that while takes the longest isn't too bad once you get used to it.
@MattZelda
5 жыл бұрын
Oh and IDA / Binary Ninja are good too.
WannaCry: exists Ghidra: im about to end this mans whole carrer
@xyphoes345
5 жыл бұрын
what the H E C C is a carrer
@glowingone1774
5 жыл бұрын
@@xyphoes345 it's a carrer
@xyphoes345
5 жыл бұрын
@@glowingone1774 isnt it meant to be a *career* tho
@glowingone1774
5 жыл бұрын
@@xyphoes345 no this is much different.
@quaintfalopa9724
5 жыл бұрын
but wannacry isnt a man
Ghidra ninja:The function is very simple Me:
This was SUPER interesting and well made, please continue! You left us on a cliffhanger!
Wow that was probably one of the best descriptive reverse engineering videos I've seen to date. Your method of explaining and showcasing each step in each function is fantastic and even explaining how to identify when disassemblers/decompilers mess up and how to fix them. Bravo. I'm upset that I waited this long to actually start watching these videos.
Very interesting and complete video, first time I watch a reversing engineering video and I love the way you investigate and explain what you do. It's the first video of your channel I see and I love it. Keep going !
I didn't understand anything of what you did, but the casualness of explaining something so exoticly complicated drew me in.
Really well done video. I think you should keep this series in this format. Personally I like the pacing of the video, and wouldn't want it slower, or faster.
I came across your channel shortly after downloading Ghidra. I appreciate how you clearly detail your train of thought in each video. I hope to see more!
Fantastic Video, I hope to see more both on wannacry and other things soon. As an embedded SW guy looking to get into RE this was great.
You know too many things. You explain it too casually like it's food lmao. This guy be like: Ok, let me present you my house.
@lionkor98
5 жыл бұрын
hijacking this to say WE NEED PART 2
@User-ko3un
4 жыл бұрын
Inserts his too powerful(smart) to be kept alive meme*
@acc373r4t0r
4 жыл бұрын
looks pretty standard to me
@NanoValorant
4 жыл бұрын
Plot twist: he is the hacker who made wanna cry
@brunph6174
4 жыл бұрын
marv b first 20 minutes is really basic stuff. Its just general reversing and assigning names
everyone: try not downloading files from entrusted places!!! Ghidra: let's unpack the malware !
@naxzed_it
4 жыл бұрын
@starshipeleven He could use a VM.
@brunoeilhart8516
4 жыл бұрын
What is an entrusted place?
@fatfr0g570
4 жыл бұрын
starshipeleven presumably you download the sample from within the VM, then disable the Ethernet adapter that gives the VM Internet access to prevent worms from going through the connection.
@fatfr0g570
4 жыл бұрын
starshipeleven forgot about that option, thanks for reminding me.
@yaelm631
4 жыл бұрын
Just something that scares me : They are easy accessible websites to download loads of virus to try antivirus and understanding how they work ? I hope they tell the user several warnings before sending the file
Subbed instantly.Cant wait for another episodes.
Keep up the amazing work you do with your videos!
Reading the WannaCry warning, the creaters were real lads, providing multiple languages, information about BitCoin and a contact method. They just sound incredibly kind.
@gabe6278
5 жыл бұрын
tbh, i think they knew that they would affect millions of devices. humble people
@SteppingStonevlogs
3 жыл бұрын
Kind, maybe not, but they were reasonable. Do as we ask and we promise all will be well. And see we have written in clear language what we want you to understand. Give us the money and have a nice day 😊
@kahlzun
Жыл бұрын
professionals have *standards*
@hiddenaether
Жыл бұрын
cant get money from someone who cant understand what they are reading
@ryannorthup3148
Жыл бұрын
@@kahlzun Investigations show that this was most likely an attack by the North-Korean Government-Controlled Lazarus hacking group to fund nuclear programs and Fatass Jong Un's Sanction-Bypassing Goldschlager run. Eh, probably not Goldschlager. The fatass is probably going for something more expensive.
This was super interesting. Please continue with this series
Thanks for the great work! Can't wait for a part 2
Very informative and interesting video. Thanks for that amazing upload! I cannot wait to see its continuation.
Just wow. Impressive job! I hope you are employed by one of the major tech/AV companies.
I don't really know what's going on because Im noob but these videos are cool, this is the best and practical approach I've seen I think, loving it and subbed immadietely, good commentary, step by step. Waiting for more.
I am just happy that there are people out there who understand stuff like this! 😅
Looks good want to see the following episode. Reverse engineering seems pretty fun.
Best video i ever seen on reverse engineering, keep it easy to understand! Thank you.
I understood everything except for the renaming parts. Meaning i did not understand a thing. Cool vid tho, you've earned a sub!
first time i watched this about 2 year ago and i was a simple java programer now i am a c/c++ programming working at a hardware developing company and i just watched this again that was awesome , i finally understood what was u talking about , i am always checking u tube for part 2 please upload it i am tried :)
I’m trying to learn Ghidra and reverse engineering in general, and this and your other videos are so helpful.
Thanks for your videos, great detail. I hope you carry on with this channel and it's content.
I'm so happy that KZread recommended this video to me. Keep up the good work! Waiting for part 2..
@stacksmashing
5 жыл бұрын
Hopefully tomorrow :) life has been busy
First time KZread recommended me something amazing. 😀
Thanks man! Great content!! Definitely looking forward to more!! All the best!!
Using an open source reversing platform like Ghidra, everyone could potentially come closer to the reversing world. Oh what if I could be some years younger..
@Decentsito
5 жыл бұрын
what do you mean years younger
@freeweed4all
5 жыл бұрын
@@Decentsito I'm too old to start studying in depth reversing, now.
@VictorNascimentoo
5 жыл бұрын
No one is too old to learn.
@medvfx3370
5 жыл бұрын
@@freeweed4all how old are you?
@freeweed4all
5 жыл бұрын
@@UCnPE-cqd00o5SHPn0rHxphg thanks for the support. I made a choice some years ago, leaving netsec to start studying at University a totally different thing: knowing today how this sector is growing, maybe my choice wasn't the right one. Today, with these excellent resources, is far more easy to fill the gap with skilled reversing ppl: some years ago they appear like a part of a niche, like an out of reach status. This effect is an outcome of how much the reversing job offers are growing (US government choice about Ghidra isn't random).
The thing that blew my mind the most, was the list of language translations you found in the passworded zip. Made me realize how much they really scaled this thing to take on the world. Absolute savage. Who ever did this was well organized. Do you ever wonder if they watched this video?
@hiddenaether
Жыл бұрын
they make locale translators for batch translating, prob took them about 5 minutes to translate all locales. The least impressive part
@traida111
Жыл бұрын
@@hiddenaether then why hide it with such levels of encryption? it would be easy to just use english, but instead they have the ambition to take on the world.
Dude!! This is an epic walkthrough of reverse engineering - SO INTERESTING!!
Nice tutorials man! Maybe some basics for reverse engineering video's in Ghidra would be great as well! Like explaining how the system works and what each action truly means :). But it's great :) Can't wait for the next one.
Again your videos are insanely good !!! Love it !
Wow, I learnt so much about decompilation in this video! Thanks, keep it up!
Wow this is very impressive! Great job & keep going :)
Your skills are unbelievable. Good job 👏🏼
Very nice video, thank you. I would definitely want to see more malware analysis with ghidra videos. :)
Amazing, subscribed..... can't wait for part 2
Hey, I love watching reverse engineering videos! Thank you for this one. I'm glad that the KZread recommendation bots have blessed you.
I didn't understand single bit of information u said but I watched full video..and subscribed.. Thanks for making this video
great work....can´t wait for part II
Ghidra looks like an EXCELLENT tool to manage an RE session. Top notch.
Man, I used to debug exe using ollydebug and you are taking it to another level 🤯
Ghidra: *does windows reverse engineering in iOS* Windows: "Am I a joke to you?"
@rohitas2050
5 жыл бұрын
macOS*
@Elffi
5 жыл бұрын
@@rohitas2050 woops
@Juppie902
4 жыл бұрын
more like Reclass: Am I a Joke to you ?
@smwfreak1647
4 жыл бұрын
@@Elffi LOL
This is some quality work! Congrats...
Great work and love what you did to show us how to reengineer a malware program like wanna cry I am in discord and on htb trying everything I can do to learn this so thank you and this is very helpful
Impressed by your work. Keep it up! :D
Interesting and good video. Reverse engineering and programming isn't really my thing and a lot of it is going over my head. But it's an interesting and informative video none the less. Waiting to see part 2!
KZread algo has done it again. Could understand probably 1% of what was talked about, but it seemed very interesting. Subscribed!
Highly informative! Clearly explained, only understood about half of it but subscribed!!!
Awesome video looking fwd to part 2
I have no idea what's gong on here, but I'm straining to understand. Great video!
Thank you for your videos!!
Wow... as difficult as all this sounds, I'm a new security enthusiast, so I'm still learning. I was able to understand and somewhat follow what you were doing. kudus.
Great video. Waiting for the next part
Was looking for a video like this, thank you 👍
Awesome work as always. Keep it up
Very good video. Thanks for this video. That flowchart was helpful too. I have never seen reverse engineering in practice, this was very interesting. Very similar to debugging programs only here we don't have symbol information and have to create our own symbols, but it seems this Ghidhra tool makes things a lot convenient. Whoever wrote this malware must have very good knowledge of Windows API, maybe even about Windows kernel.
Amazing video, very good to follow and it helped me a lot with some frustrating 'features' in Ghidra. I found I was using the disassembler window more than the decompilation window because of weird decompilation results - you helped me understand getting better decompilation results by adjusting Ghidra's interpretation of some code. Thanks!
@stacksmashing
5 жыл бұрын
That's awesome to hear, thank you! Feel free to let me know what else you have trouble with, maybe it's something I can feature in the future
@BGroothedde
5 жыл бұрын
@@stacksmashing I'll be sure to comment it when I find more stuff, but seeing you work already solves a lot of problems!
@manuellopes1269
5 жыл бұрын
@@stacksmashing greaat tut, can please explain if possible im chrome devtools save the changes i make in offline? i want change a pwa web worker app that works online and offline but the changes i made nolt save when i restart the app, exist any trick to save?if i not save i only get the cache of pwa app and not possible open and edit i think, thanks
I didn't understand anything, but I would have loved to cause it seems like a very useful skill to have and props to you for being so good at it!
So fast and accurate like a real ninja 😂, nice video , I didn't have to use speed 2 , like I usually do 😂
I am currently doing my bachelor in Computer Science and didn't know this reverse engineering even existed! Very cool and very nicely explained. Showing the keyboard output is also a nice addition of you! Thanks :)
@elijahburnham7882
4 жыл бұрын
RubenCO what language is this in?
@Slenderman63323
Жыл бұрын
@@elijahburnham7882 The left side of Ghidra is x86 Assembly and the right side is C.
@hjrgf
4 ай бұрын
@@Slenderman63323you need low level knowledge to be able to do stuff like this since the c code that is outputed is very low level
That was elite. Way to go!
Great video! Looking forward to more of your videos on Ghidra reverse engineering!
awesome video! I'd love to see more!
you make me realise how little I know about anything. Great video
Can’t wait for part 2
Would love to see a tutorial on TP-Link router firmware RE or firmware with similar architecture, reverse engineering and rebuild of the firmware. Love your videos so far.
this is the video that helped me learn how to reverse engineer, thank you
Your videos are excellent. I very much hope that you make more.
This looks very interesting, great analysis, even for laymen.
Excellent. Really. You got my respect.
That was very insightful! I'm a software developer/architect for 17 years now and I must say that you have a very nice way to tell details and to guide your audience. thank you very much! for the follow up video I would like to see the "physical" impact of the malware, like show the registry-key or the installation folder to make it more understandable for non-developers.
@not_glad
3 ай бұрын
I have a few questions. I've done vb coding for years, but more as a supplement to my other work loads, I'm not a full blown dev. First, what was so hard about spotting the kill switch? There must have been a lot of the best devs looking at this code globally for 4 days, the guy who killed it even did that on accident. Secondly, and I'm not advocating for better viruses, but would a kill switch that the owner had exclusive controle over not be possible? They went to great lengths coding this but left the kill switch free for anyone to use.
This is fantastic, thank you
I hope to be as knowledgeable as you on this topic someday - please make a part 2!
A Very Awesome Walk-through . On Point!!! ... Thanks. :D
Keep doing this. Show the world sth more about WannaCry.
I'm looking forward to the second part to this series..
subbed, 22 minutes passed like a breeze
Wow Ghidra really does all the work !
Abra, Kadabra, Alakazam, You now possess a new subscriber, Simsalabam.
You ma boy are very stronk in what you're doing. Nice!
I don't know shit about coding, but you've explained this in a very human-readable way and i appreciate that.
Nice, nice, nice! Thanks for the video.
Si entendiera inglés y lo que haces me encantaría seguir lo que haces. Mis ojos se quedaron atrapados cuando vi este video al parecer lo había visto antes y no comenté. .Mis respetos hombre.
Well, I dont really understand well but Im here to understand it better, thanks for the video! Edit: i actually managed to understand a part of it
i don't know much about what you are doing but you earn a new subscriber here
good stuff, nicely presented; thx for sharing, have fun, godspeed
That’s some proper clever stuff great video x
This is very important and informative
An amazing job at this. Thanks for the invaluable video
Awesome video! I also want to see more :)
Great Content. I wish I could find and neutralize all the malwares myself instead of depend on a software, but I guess people like you decode all those anti-malware software. Thanks for the work if you are reading this and work for such company!
I enjoyed this video. Subscribed!