SLAM.015: Decrypt your encrypted macros with this program

eZine lover (@eZine)

Published in 

Slam

 · 22 Feb 2022

-------------------------------------- 
    Technique to decrypt macro saved 
       with the option IsReadOnly 
	     , 
 By     <****{=============- 
	     ' AuRoDrEpH, the Drow 
--------------------------------------

The material you need :

• a WORD document with a macro virus
• MicroFuck WORD :-) of course
• a good hex editor (UltraEdit, etc....)
• some paper and a pencil
• my little program (decrypt.exe)

Step 1 - Preparation of the document....

• Make a copy of the original file and your original NORMAL.DOT...
• Then open the file with WORD (be careful because you will infect your system with the virus....).
• Delete all the text in the document....
• Check if you don't have the OPTION / SAVE / QUICK SAVE enabled...
• Save the document...

Step 2 - Searching of the vital informations

* find the encryption key....

• Locate the "real" filename of the document within the document,
• A few bytes after the end of the name, there is a "U", the byte immediately following is the ... XOR value to use.
• If your document contain several encrypted macro, you will find a U for each macro...
  
• so you must copy all the encryption keys...

Example of document :

000019B0 0003 0A00 0002 0000 0300 0035 0300 0003 ...........5.... 
000019C0 0026 000B 4172 7468 7572 2044 656E 7417 .&..Arthur Dent. 
000019D0 443A 5C49 4E46 4543 5445 445C 4845 4C50 D:\INFECTED\HELP 
000019E0 4552 412E 444F 43FF 0101 0055 8E02 0000 ERA.DOC....U.... 
000019F0 00FF FF01 0300 0099 0100 0002 0000 006A ...............j 
00001A00 5200 6F00 6F00 7400 2000 4500 6E00 7400 R.o.o.t. .E.n.t. 
00001A10 7200 7900 0000 0000 0000 0000 0000 0000 r.y.............

Here the encryption key is 8e....

* find the address of the beginning and the end of the macro...

• move to the beginning of the document...
• then go down search something like this....( a pack of information without 00 00)
• ( The true beginning of the macro as this form ?? ?? ?? cledec-1 cledec, here is 17F5.. but you can enter another value like 17E9

000017E0 0000 0000 0000 0000 0000 8F8E EA95 E78A ................ 
000017F0 C3CF C7C0 EAE9 100E E28F 8EEA 93E9 840E ................ 
00001800 8BE9 820E 8B88 9CE2 8A8E 9CE2 8C8E 8882 ................ 
00001810 E48C BFBE 90EA DFDC E95F 8EFD EE8E 82E4 ........._...... 
00001820 8AE6 EBE2 FEEA DAEA EAE7 8BFA E1FA EFE2 ................ 
00001830 82E9 390E 8BE2 8E8E 88EA E786 E7E0 E8EB ..9............. 
00001840 EDFA EBEA 82E2 8E8E EAEA 93E7 8BFA E1FA ................ 
00001850 EFE2 81E2 8E8E 90EA DCAD E78B EDF7 EDE2 ................ 
00001860 EB82 E28F 8EAA E78B FAE1 FAEF E2EA E18C ................ 
00001870 93E9 360E 8BE7 8BED F7ED E2EB 9CE2 8E8E ..6............. 
00001880 8882 E487 CFFB FAE1 CDE2 E1FD EB90 EAE1 ................ 
00001890 8CE0 8AE7 86E7 E0E8 EBED FAEB EA82 E28F ................ 
000018A0 8EEA E18C 9493 EADC A8E7 8BED F7ED E2EB ................ 
000018B0 EA94 93EA EAE7 8BE0 EFE3 EBAA 82E9 B50E ................ 
000018C0 8B88 89E4 84B4 CFFB FAE1 CDE2 E1FD EBEA ................ 
000018D0 EA93 E786 E7E0 E8EB EDFA EBEA 83E2 8F8E ................ 
000018E0 90EA DCE9 4C0E E78B E0EF E3EB AA9C E49E ....L........... 
000018F0 C9E2 E1EC EFE2 B4CF FBFA E1CD E2E1 FDEB ................ 
00001900 9CE2 8F8E EAAE EADC E786 E7E0 E8EB EDFA ................ 
00001910 EBEA 82E2 8E8E EA94 93EA EA93 E939 0E8B .............9.. 
00001920 E28F 8E88 83E2 8E8E 90EA E18C E786 E7E0 ................ 
00001930 E8EB EDFA EBEA 82E2 8F8E EA94 93EA EA93 ................ 
00001940 E786 E7E0 E8EB EDFA EBEA 82E2 8E8E 90EA ................ 
00001950 E18C E9DA 8EFD 458E 82E2 8F8E EAE1 8CE9 ......E......... 
00001960 4C0E E49E C9E2 E1EC EFE2 B4CF FBFA E1CD L............... 
00001970 E2E1 FDEB 9CE7 8BE0 EFE3 EBAA EA94 93EA ................ 
00001980 EA94 9500 0000 0035 0000 0003 00FF FFFF .......5........ 
00001990 FF03 00FF FFFF FF01 0004 20FF FF01 0000 .......... ..... 
000019A0 0000 0035 0000 0000 0000 0000 0000 0300 ...5............

The end of the macro block is just before a serie of 00 00 00... Here is 1983

Step 3 - Run the program DECRYPT.EXE

• easy ... with all the information you have find, you will win...
• This operation will create a document DECRYPT.DOC.

Step 4 - Open Word and read the file decrypt.doc

• If you have a error message, when you open the document it's normal.
• Go to the Tools/Macro and select each macro..
  
• Be careful not to double click on the macro, this execute its
• Only one macro can be read it's normal!!!

Step 5 - repeat the step 3 and 4 for each macro...

Then you have the virus decrypted...

Tips : * if your document is > 32 ko, my soft doesn't work, so delete some macros and save the document.. the size will decrease..

If you have some comments or some ideas, please mail me to AURODREPH@defiant.ilf.net

Here is the source. You can modify as you want.. I just want you send me you modification...

/********* 
 Decode macro virus 
	version 1.000.001 beta 
**********/ 

#include "io.h" 
#include "stdlib.h" 
#include "stdio.h" 
#include "conio.h" 
#include "process.h" 
#include "fcntl.h" 
#include "sys\stat.h" 

void main (void) 
 { 
	char Name[13]; 
	char Target[]="decrypt.doc"; 
	int cledec, debmac, finmac, Handler, Handler1; 
	unsigned char *Buffer; 
	unsigned int Offset; 
	unsigned long Length = 0; 

	clrscr(); 
	printf (" ******************************************************************\n"); 
	printf (" *                                                                *\n"); 
	printf (" *               DECRYPT WORD 6.0 MACROS saved                    *\n"); 
	printf (" *                 with the option IsReadOnly                     *\n"); 
	printf (" *                    Version 1.000.001 beta                      *\n"); 
	printf (" *                                                                *\n"); 
	printf (" *           ,                                                    *\n"); 
	printf (" *     <*****}===============-                                    *\n"); 
	printf (" *      (z)  ' AURODREPH Productions 04/1996                      *\n"); 
	printf (" ******************************************************************\n"); 
	printf ("\n"); printf("\n"); 
	printf ("Name of source file      = "); 
	scanf ("%12s",Name); 
	printf ("\n"); 
	printf ("Decrypt Key              = "); 
	scanf ("%x",&cledec); 
	printf("\n"); 
	printf ("Begin of the macros (05EF)= "); 
	scanf ("%x",&debmac); 
	printf("\n"); 
	printf ("End of the macros         = "); 
	scanf ("%x",&finmac); 
	printf("\n"); 

	Handler = open (Name, O_BINARY | O_RDONLY , S_IREAD); 
	if (Handler == -1) 
		{printf ("Source file doesn't exist... \n"); exit(0);} 

	Length= (unsigned long) lseek(Handler, 0, SEEK_END); 
	lseek (Handler,0,SEEK_SET); 
	printf ("length = %lu octets \n", Length); 

	if (Length >(256L*256)) 
		{close (Handler); 
		printf ("File too long (>32 ko)... %lu octets \n", Length); 
		exit (0);} 

	Buffer = (unsigned char *) malloc((unsigned) Length); 

	if (Buffer == NULL) printf ("Memory Allocation....\n"); 

	if (read(Handler, Buffer, (unsigned) Length) != Length) 
		{ /*exit (0);*/} 

/* beginning for the decryption routine */ 
	for (Offset = debmac; Offset < finmac; Offset++) 
	 { Buffer[Offset] ^= cledec; }; 
/* end of the procedure */ 

/* Delete the Word protection */ 
	for (Offset = 0x0000; Offset < Length; Offset++) 
	 { 
	  if ( (Buffer[Offset] == 0x00) && (Buffer[Offset+1] == 0x55) 
	  			&& (Buffer[Offset+2] == cledec)) 
			{Buffer [Offset+2] = 0x00; 
			} 
	 }; 
/* end of the procedure */ 

	_fmode= O_BINARY; 
	Handler1 = creat(Target, S_IREAD | S_IWRITE); 
	write (Handler1, Buffer,(unsigned) Length); 

	close (Handler1); 
	close (Handler); 
	printf("\n"); 
	printf ("done..."); 
}