Thursday, 21 July 2011

MBRLocker Builder v0.1 / MBRLocker Builder v0.2

Yesterday Vazonez released a new winlock generator

This hack tools build MBR lockers, it write the MBR, and request  unlock code.
MBR code is based on an existing ransomware (Trojan.MBRlock.6).

You can configure the message text, password, unlock code, color and icon.
Here, a sample made by MBRLocker Builder v0.1 in action:

 It's simple as usual for find the unlock code.

Edit 25 Jul 2k11: MBRLocker Builder v0.2 released
What's new ? fixed sector bug, Serial is now xored with a random key

IDA Schem of the serial check:

Hiew view:

More 10 sec to unxor the serial maybe.
I've made a VB6 code for retrieve serials of MBRLocker v0.2

'MBRLocker Builder v0.2 Generic serial retriever
'Add just one Textbox with name: Text1
'Then just Drop your infected MBR Dump

Option Explicit
Dim XorKey, strSubstr, buffer, sHold, sText, sFileExtention, TotalChaine, Path, ipos, sOutput As String
Dim iLocationOfString1, iLocationOfString2, iCompareStyle As Long
Dim a, b, i As Integer

Private Sub Form_Load()
Forme.OLEDropMode = 1  'Manual Ole Drop Mode
End Sub

Private Sub Form_OLEDragDrop(Data As DataObject, _
                              Effect As Long, _
                              Button As Integer, _
                              Shift As Integer, _
                              X As Single, _
                              Y As Single)
  With Data
  sText = ""
    If .GetFormat(vbCFFiles) Then
      If .Files.Count = 1 Then
        'Only one filename was dragged.  Retrieve it.
       Path = .Files(1)  'Note numeral 1.
       'Pull text file data into our textbox.
         Open Path For Input As #1
            Do Until EOF(1)
              Line Input #1, sHold
              sText = sText & sHold & vbCrLf
          Close #1
          Text1.Text = sText
      If .Files.Count > 1 Then
      Exit Sub ' Dude, wtf are you doing here ?
     End If
    End If
  End If
End With
ipos = InStr(1, Text1, "EnTeR c0d3:") 'Check 1
If ipos = "0" Then
Text1.Text = "Error: This is not a MBR or it's not infected"
Exit Sub
ipos = InStr(1, Text1, "wExE") 'Check 2
If ipos = "0" Then
Text1.Text = "Error: This is not a MBR or it's not infected"
Exit Sub
TotalChaine = ""
buffer = ""
Text1 = funcParseStringFromString2String(Text1, "EnTeR c0d3:", "wExE") 'Parsing
Text1 = Replace(Text1, " º€¹ ¸ » Í ê8 Š ‹}¬Š €ò", "") 'Remove useless shit (generic)
XorKey = Left$(Text1, 1)      'XOR Key
XorKey = Asc(XorKey) 'Get the Dec
strSubstr = Left$(Text1, 15) 'Hardcoded remove
Text1 = Replace(Text1, strSubstr, "") 'Remove hardcoded
For a = 1 To Len(Text1)           'Let's loop until the end
b = Asc(Mid(Text1, a, 1)) 'Grab one dec char
TotalChaine = XorKey Xor b 'unxor it
buffer = buffer & Chr(TotalChaine) 'make it char and add it to the final serial
Text1 = buffer 'Final result
End If
End If
End Sub

Function funcParseStringFromString2String(sSourceString, sString1 As String, sString2 As String, Optional fCaseCaseInsensitive As Boolean = False) As String
 If fCaseCaseInsensitive Then
iCompareStyle = vbTextCompare
iCompareStyle = vbBinaryCompare
 End If
 sOutput = sSourceString
 iLocationOfString1 = InStr(1, sOutput, sString1, iCompareStyle)
 iLocationOfString2 = InStr(1, sOutput, sString2, iCompareStyle)
 If iLocationOfString1 = 0 And iLocationOfString2 = 0 Then
'nothing found
sOutput = ""
If Len(sString1) = 0 And Len(sString2) = 0 Then
 'do nothing
ElseIf Len(sString1) = 0 Then
 If iLocationOfString2 <> 0 Then
sOutput = Mid(sOutput, 1, iLocationOfString2 - 1)
 End If
ElseIf Len(sString2) = 0 Then
 sOutput = Mid(sOutput, iLocationOfString1 + Len(sString1))
 'cut off begining
If iLocationOfString1 <> 0 Then
sOutput = Mid(sOutput, iLocationOfString1 + Len(sString1))
 End If
 'take off the end part
iLocationOfString2 = InStr(1, sOutput, sString2, iCompareStyle)
 If iLocationOfString2 <> 0 Then
sOutput = Mid(sOutput, 1, iLocationOfString2 - 1)
 End If
End If
 End If
 funcParseStringFromString2String = sOutput
End Function

Related ~
How to debug MBR Ransomware (14 Jul 2k11)
Trojan.MBRlock (xxxvideo.avi.exe) (9 Jul 2k11)
Trojan.MBRlock (xxxvideo.avi.exe) (4 Jul 2k11)
Trojan.MBRlock (output.exe) (25 Apr 2k11)

Already noticed on the past: here (25 Apr 2k11) ~ here (4 Jul 2k11) ~ here (9 Jul 2k11)


  1. It's funny, because i got an MbrLocker, from this toolz i think, same text, same color, and xored serial ( in my case 0xED ) :

    Thanks for the article, i really enjoy your blog.