What is encryption software used by Antti Tikkanen?

Scholar

I watched the Prisma Studio program on TV a couple of days ago, and I would like to know what program Antti Tikkanen used for decryption.

1 ACCEPTED SOLUTION

F-Secure

Re: What is encryption software used by Antti Tikkanen?

Hi!

In your screenshot I'm decrypting an embedded, encrypted program from the original sample. The tool you see is Immunity Debugger (http://immunityinc.com/products-immdbg.shtml). However, it isn't quite as straightforward as taking a malware sample and asking Immunity Debugger to decrypt it. In this case, I analyzed the sample a bit and found the decryption loop, and what you see is me stepping the malware through this loop. So you actually need to understand a bit about how the malware in question works to do this.

The other tool you see in the clip is the HIEW hex editor (http://www.hiew.ru/). I used it to decrypt the URL in the sample. For this to work, I had to reverse engineer the sample to recover the decryption routine. I then implemented the routine in HIEW to decrypt the string.

Hope this helps,

Antti

11 REPLIES 11
Senior Advisor

Re: What is encryption software used by Antti Tikkanen?

Who the hell is Antti Tikkanen?..

Superuser

Re: What is encryption software used by Antti Tikkanen?

This is Antti!

http://fi.linkedin.com/in/tikkanen

Matthias
----------
perComp has been a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntary and to the best of my knowledge, based on working with the products since 1997. For direct contact, customers please check our homepage http://www.percomp.de

Scholar

Re: What is encryption software used by Antti Tikkanen?

It would be nice if I could get the name of the program, so that I could research a computer that is full of viruses.

Superuser

Re: What is encryption software used by Antti Tikkanen?

When was it exactly?

Please check here: http://www.katsomo.fi/?treeId=33001005

Matthias

Scholar

Re: What is encryption software used by Antti Tikkanen?

It doesn't come from MTV3, it came from YLE. View it here: http://areena.yle.fi/video/1320346677150 and go forward to 11.10.

Superuser

Re: What is encryption software used by Antti Tikkanen?

Does not show outside Suomi....

I guess we need to wait for Antti to reply himself...

Matthias

Scholar

Re: What is encryption software used by Antti Tikkanen?

I took a screenshot; YLE has bad quality on internet videos.

Decryption.png

Senior Advisor

Re: What is encryption software used by Antti Tikkanen?

Oh, my bad.

Sorry about what I said about Antti...
