Fixed strings

Cisco-Talos · Jul 21, 2015 · f7b4e6c · f7b4e6c
1 parent bb9aa60
commit f7b4e6c
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 87 deletions.
diff --git a/Cpp/Log.cpp b/Cpp/Log.cpp
@@ -221,8 +221,8 @@ void CLog::Write(LPWSTR dbgStr) {
 	DWORD bytesWritten = 0;
 	CHAR * logStr = NULL;			// String to write in file
 
-	if (!g_hLogFile || g_hLogFile == INVALID_HANDLE_VALUE) {	// If I don't have opened a log file
-		OutputDebugString(dbgStr);				// write to debug output
+	if (!g_hLogFile || g_hLogFile == INVALID_HANDLE_VALUE) {		// If I don't have opened a log file
+		OutputDebugString(dbgStr);									// write to debug output
 	} else {
 		bytesToWrite = (DWORD)wcslen(dbgStr) + 1;
 		logStr = new CHAR[bytesToWrite];
@@ -367,7 +367,7 @@ LPTSTR CVersionInfo::GetCompanyName() {
 
 // Helper function that receive versione information of a specific module (NULL = this executable)
 bool CVersionInfo::GetModuleVersionInfo(HMODULE hMod) {
-	LPTSTR modFileName = NULL;		// Filename of module used to retrieve version information
+	LPTSTR modFileName = NULL;				// Filename of module used to retrieve version information
 	BOOL retVal = FALSE;
 
 	modFileName = new TCHAR[MAX_PATH];
@@ -383,11 +383,11 @@ bool CVersionInfo::GetModuleVersionInfo(HMODULE hMod) {
 }
 
 bool CVersionInfo::GetModuleVersionInfo(LPTSTR modName = NULL) {
-	DWORD dummy = 0;			// Dummy DWORD variable for GetFileVersionInfoSize
-	DWORD verSize = 0;			// Version info size
-	LPBYTE buff = NULL;			// Buffer
+	DWORD dummy = 0;						// Dummy DWORD variable for GetFileVersionInfoSize
+	DWORD verSize = 0;						// Version info size
+	LPBYTE buff = NULL;						// Buffer
 	BOOL retVal = FALSE;
-	LPTSTR langStr = NULL;			// Lang and code page Version string
+	LPTSTR langStr = NULL;					// Lang and code page Version string
 	if (!modName) return false;
 
 	verSize = GetFileVersionInfoSize(modName, &dummy);
@@ -408,8 +408,7 @@ bool CVersionInfo::GetModuleVersionInfo(LPTSTR modName = NULL) {
 		langStr = new TCHAR[0x40];
 		// Read the file description for each language and code page.
 		for(int i = 0; i < (int)(iLangTableLen / sizeof(struct LANGANDCODEPAGE)); i++) 
-			wsprintf(langStr, TEXT("\\StringFileInfo\\%04x%04x\\"), pLangTable[i].wLanguage, 
-										pLangTable[i].wCodePage);
+			wsprintf(langStr, TEXT("\\StringFileInfo\\%04x%04x\\"), pLangTable[i].wLanguage, pLangTable[i].wCodePage);
 		g_LangStr = langStr;
 	}
 
@@ -424,4 +423,4 @@ bool CVersionInfo::GetModuleVersionInfo(LPTSTR modName = NULL) {
 
 // ....
 // One Log to rule them all!
-// ....
+// ....
diff --git a/Cpp/Log.h b/Cpp/Log.h
@@ -48,8 +48,7 @@ class CLog {
 
 	// Get log file name
 	const LPTSTR GetLogFileName() { 
-		return this->g_strLogFile;
-	}
+		return this->g_strLogFile; }
 
 	const bool IsOpened() {
 		return (g_hLogFile && g_hLogFile != INVALID_HANDLE_VALUE);
@@ -90,11 +89,11 @@ class CLog {
 
 private:
 	LPTSTR g_strLogFile;			// This instance log file string
-	HANDLE g_hLogFile;			// Log file handle of this CLog
+	HANDLE g_hLogFile;				// Log file handle of this CLog
 	LPTSTR g_strLogTitle;			// Log title (see LOGTITLE definition)
 	bool g_bIsAutoDeleteLog;		// Set if this log has to delete itself if there are no writing
 	bool g_bAtLeastOneWrite;		// Set if user called at least one Write function
-	bool g_bImCopy;				// True if this instance is a copy of another ones
+	bool g_bImCopy;					// True if this instance is a copy of another ones
 };
 
 #pragma region Version Information Class
@@ -111,7 +110,7 @@ class CVersionInfo {
 	LPTSTR GetCompanyName();
 
 private:
-	// Helper functions that receive version information of a specific module (NULL = this executable)
+	// Helper functions that receive versione information of a specific module (NULL = this executable)
 	bool GetModuleVersionInfo(HMODULE hMod = NULL);
 	bool GetModuleVersionInfo(LPTSTR modName);
 

diff --git a/Cpp/TeslaDecrypter.cpp b/Cpp/TeslaDecrypter.cpp
@@ -20,7 +20,7 @@
  *	Filename: TeslaDecrypter.cpp
  *	Implements the CTeslaDecrypter class, contains code needed to decrypt
  *	all the TeslaCrypt encrypted files
- *	Last revision: 04/17/2015
+ *	Last revision: 07/17/2015
  *
  */
 
@@ -79,7 +79,7 @@ bool CTeslaDecrypter::ReadKeyFile(LPTSTR fileName, BOOLEAN * pbMasterKeyStripped
 	CHAR recKeyHex[0x82] = {0};	// The recovery key in hex
 
 	hFile = CreateFile(fileName, FILE_GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 
-	        	                                    FILE_ATTRIBUTE_NORMAL, NULL);
+		FILE_ATTRIBUTE_NORMAL, NULL);
 	dwLastErr = GetLastError();
 
 	if (hFile == INVALID_HANDLE_VALUE) 
@@ -90,22 +90,6 @@ bool CTeslaDecrypter::ReadKeyFile(LPTSTR fileName, BOOLEAN * pbMasterKeyStripped
 		return false;
 	}
 
-<<<<<<< HEAD
-=======
-	// Compile the offset based on the "key.dat" file size:
-	if (dwFileSize == 0x290) {
-		yearOffset = 0x126;
-		masterKeyOffset = 0x177;
-	} else if (dwFileSize >= 0x2F0) {
-		// Last TeslaCrypt dropper (04/20/2015) ... the time is coming ...
-		yearOffset = 0x18A;
-		masterKeyOffset = 0x1DB;
-	} else if (dwFileSize < 0x1A0) {	// 0x1A0 is the aligned (masterKeyOffset + sizeof(SHA256))
-		// Wrong file size, exit...
-		return false;
-	}
-
->>>>>>> origin/master
 	// Allocate the memory for the file content
 	lpBuff = (LPBYTE)new BYTE[dwFileSize];
 	RtlZeroMemory(lpBuff, dwFileSize);
@@ -188,7 +172,7 @@ bool CTeslaDecrypter::ReadKeyFile(LPTSTR fileName, BOOLEAN * pbMasterKeyStripped
 	BYTE zeroedBuff[32] = {0};
 	if (memcmp(masterKey, zeroedBuff, sizeof(DWORD)) == 0) {
 		g_pLog->WriteLine(L"ReadKeyFile - Warning! The master key inside the \"%s\" file is stripped down. "
-			                L"Unable to import the master key.", fileName);
+			L"Unable to import the master key.", fileName);
 		if (pbMasterKeyStripped) *pbMasterKeyStripped = TRUE;
 		bRetVal = FALSE;
 	} else
@@ -251,7 +235,7 @@ bool CTeslaDecrypter::SetMasterKey(BYTE key[32]) {
 	bool bRetVal = false;
 
 	// Calculate the SHA256 of the key
-	bRetVal = GetSha256(key, 32, sha256);	// BANG! Don't use COUNTOF(key) when an array is passed as argument
+	bRetVal = GetSha256(key, 32, sha256);			// BANG! Don't use COUNTOF(key) when an array is passed as argument
 	if (bRetVal) {
 		// Copy the output SHA256 and the key
 		RtlCopyMemory(g_sha256mKey, sha256, sizeof(g_sha256mKey));
@@ -292,8 +276,7 @@ bool CTeslaDecrypter::DecryptTeslaFile(LPTSTR orgFile, LPTSTR destFile) {
 	dwLastErr = GetLastError();
 
 	if (hOrgFile == INVALID_HANDLE_VALUE) {
-		g_pLog->WriteLine(L"DecryptTeslaFile - Unable to open \"%s\" encrypted file for reading. "
-                                            L"Last Win32 error: %i.", orgFile, (LPVOID)dwLastErr);
+		g_pLog->WriteLine(L"DecryptTeslaFile - Unable to open \"%s\" encrypted file for reading. Last Win32 error: %i.", orgFile, (LPVOID)dwLastErr);
 		return false;
 	}
 
@@ -321,18 +304,15 @@ bool CTeslaDecrypter::DecryptTeslaFile(LPTSTR orgFile, LPTSTR destFile) {
 
 	// Verify the header
 	if (!bRetVal || dwOrgFileSize > dwFileSize) {
-		g_pLog->WriteLine(L"DecryptTeslaFile - The \"%s\" encrypted file format is invalid. "
-                            L"Maybe it is already decrypted or it's not a TeslaCrypt encrypted file. "
-                                            L"(last Win32 error: %i).", orgFile, (LPVOID)dwLastErr);
+		g_pLog->WriteLine(L"DecryptTeslaFile - The \"%s\" encrypted file format is invalid. Maybe it is already decrypted or it's not a TeslaCrypt encrypted file. (last Win32 error: %i).", orgFile, (LPVOID)dwLastErr);
 		CloseHandle(hOrgFile);
 		return false;
 	}
 
 	// Allocate the memory and read the entire file
 	lpFileBuff = (LPBYTE)VirtualAlloc(NULL, dwFileSize, MEM_COMMIT, PAGE_READWRITE);
 	if (!lpFileBuff) {			// I am too lazy ... :-( ... but check the returned buffer 
-		g_pLog->WriteLine(L"DecryptTeslaFile - Unable to open \"%s\" encrypted file for reading. "
-                                            L"The system has not enough free resources.", orgFile);
+		g_pLog->WriteLine(L"DecryptTeslaFile - Unable to open \"%s\" encrypted file for reading. The system has not enough free resources.", orgFile);
 		CloseHandle(hOrgFile);
 		return false;
 	}
@@ -344,8 +324,7 @@ bool CTeslaDecrypter::DecryptTeslaFile(LPTSTR orgFile, LPTSTR destFile) {
 	CloseHandle(hOrgFile);			// Close original file handle
 
 	if (!bRetVal) {
-		g_pLog->WriteLine(L"DecryptTeslaFile - Error, unable to read from \"%s\" file. "
-                                                L"Returned error: %i.", orgFile, (LPVOID)dwLastErr);
+		g_pLog->WriteLine(L"DecryptTeslaFile - Error, unable to read from \"%s\" file. Returned error: %i.", orgFile, (LPVOID)dwLastErr);
 		if (lpFileBuff) VirtualFree(lpFileBuff, 0, MEM_RELEASE);
 		return false;
 	}
@@ -398,8 +377,7 @@ bool CTeslaDecrypter::DecryptTeslaFile(LPTSTR orgFile, LPTSTR destFile) {
 		g_pLog->WriteLine(L"DecryptTeslaFile - Successfully decrypted \"%s\" file.", destFile);
 		return true;
 	} else {		
-		g_pLog->WriteLine(L"DecryptTeslaFile - Unable to write the decrypted file (\"%s\"). "
-                                            L"Returned error: %i.", destFile, (LPVOID)dwLastErr);
+		g_pLog->WriteLine(L"DecryptTeslaFile - Unable to write the decrypted file (\"%s\"). Returned error: %i.", destFile, (LPVOID)dwLastErr);
 		return false;
 	}
 }
@@ -469,7 +447,7 @@ bool CTeslaDecrypter::DecryptDirectory(LPTSTR dirName, LPTSTR pattern, bool bRec
 	HANDLE hSearch = NULL;					// Handle to the file search
 	BOOL bRetVal = FALSE;					// Win32 returned value
 	bool bSomeErrors = false,				// True if I have encountered some errors
-		 bAtLeastOneDecrypted = false;		// True if I have decrypted almost one file
+		bAtLeastOneDecrypted = false;		// True if I have decrypted almost one file
 	WIN32_FIND_DATA findData = {0};			// Win32 find data
 	TCHAR fullSearchPattern[0x200] = {0};	// FULL search pattern
 	DWORD dwStrLen = 0;						// String size in TCHARs
@@ -479,9 +457,8 @@ bool CTeslaDecrypter::DecryptDirectory(LPTSTR dirName, LPTSTR pattern, bool bRec
 	if (!FileExists(dirName)) return false;
 
 	if (!bIsRecursiveCall)
-		g_pLog->WriteLine(L"DecryptDirectory - Processing \"%s\"  directory (Recursive: %s, "
-                          L"Strip file extensions: %s)...", dirName,
-                			(bRecursive ? L"True": L"False"), (bStripExt ? L"True": L"False"));
+		g_pLog->WriteLine(L"DecryptDirectory - Processing \"%s\"  directory (Recursive: %s, Strip file extensions: %s)...", dirName,
+			(bRecursive ? L"True": L"False"), (bStripExt ? L"True": L"False"));
 
 	// Create full search path
 	wcscpy_s(fullSearchPattern, COUNTOF(fullSearchPattern), dirName);
@@ -501,8 +478,8 @@ bool CTeslaDecrypter::DecryptDirectory(LPTSTR dirName, LPTSTR pattern, bool bRec
 
 	while (bRetVal) {
 		// Compose the full file path
-		TCHAR fileFullPath[MAX_PATH] = {0};		// Full original file path
-		LPTSTR lpDestFileName = NULL;			// New file full path (if needed)
+		TCHAR fileFullPath[MAX_PATH] = {0};				// Full original file path
+		LPTSTR lpDestFileName = NULL;					// New file full path (if needed)
 		wcscpy_s(fileFullPath, COUNTOF(fileFullPath), fullSearchPattern);
 		wcscat_s(fileFullPath, COUNTOF(fileFullPath), findData.cFileName);
 
@@ -533,6 +510,8 @@ bool CTeslaDecrypter::DecryptDirectory(LPTSTR dirName, LPTSTR pattern, bool bRec
 			(_wcsicmp(findData.cFileName, L"HELP_RESTORE_FILES.bmp") == 0);
 		bIsGarbageFile |= 
 			(_wcsnicmp(findData.cFileName,L"HELP_RESTORE_FILES_", 19) == 0);
+		bIsGarbageFile |= 
+			(_wcsicmp(findData.cFileName, L"HELP_TO_SAVE_FILES.txt") == 0);
 
 		if (g_bCleanupTeslaFiles && bIsGarbageFile) {
 			bRetVal = DeleteFile(fileFullPath);
@@ -563,17 +542,6 @@ bool CTeslaDecrypter::DecryptDirectory(LPTSTR dirName, LPTSTR pattern, bool bRec
 
 		// Delete the new file name buffer 
 		if (lpDestFileName) {
-<<<<<<< HEAD
-=======
-			if (!g_bKeepOriginalFiles) {
-				bRetVal = DeleteFile(fileFullPath);
-				if (bRetVal)
-					g_pLog->WriteLine(L"DecryptDirectory - Original encrypted file (\"%s\") "
-                                                                    L"deleted.",fileFullPath);
-			} else
-				g_pLog->WriteLine(L"DecryptDirectory - A backup of the original encrypted file "
-                                                    L"was stored in \"%s\".", fileFullPath);
->>>>>>> origin/master
 			delete lpDestFileName;
 			lpDestFileName = NULL;
 		}
@@ -585,7 +553,7 @@ bool CTeslaDecrypter::DecryptDirectory(LPTSTR dirName, LPTSTR pattern, bool bRec
 
 	if (bAtLeastOneDecrypted) return true;
 	if (!bSomeErrors) {
-		// g_pLog->WriteLine(L"DecryptDirectory - Nothing to decrypt here (\"%s\").", dirName);
+		//g_pLog->WriteLine(L"DecryptDirectory - Nothing to decrypt here (\"%s\").", dirName);
 		return true;
 	}
 	return false;
@@ -594,7 +562,7 @@ bool CTeslaDecrypter::DecryptDirectory(LPTSTR dirName, LPTSTR pattern, bool bRec
 // Decrypt the entire Workstation
 bool CTeslaDecrypter::DecryptAllPcFiles(LPTSTR pattern) {
 	bool bAtLeastOneDriveOk = false,
-		 bSomeErrors = false;
+		bSomeErrors = false;
 	BOOL bRetVal = FALSE;
 
 	DWORD drivesMask = GetLogicalDrives();
@@ -615,8 +583,8 @@ bool CTeslaDecrypter::DecryptAllPcFiles(LPTSTR pattern) {
 					fsFlags = 0,					// File system flags	
 					maxPathLen = 0;					// Maximum sizes of the FS paths
 
-				bRetVal = GetVolumeInformation(drvName, volumeName, COUNTOF(volumeName), &volSn, 
-                                        &maxPathLen, &fsFlags, fsName, COUNTOF(fsName));
+				bRetVal = GetVolumeInformation(drvName, volumeName, COUNTOF(volumeName), &volSn, &maxPathLen,
+					&fsFlags, fsName, COUNTOF(fsName));
 
 				if (bRetVal) {
 					// Do the decryption of this volume

diff --git a/Cpp/TeslaDecrypter.h b/Cpp/TeslaDecrypter.h
@@ -19,7 +19,7 @@
  * 
  *	Filename: TeslaDecrypter.h
  *	Defines the CTeslaDecrypter class
- *	Last revision: 04/17/2015
+ *	Last revision: 07/17/2015
  *
  */
 #pragma once
@@ -61,12 +61,7 @@ class CTeslaDecrypter
 	bool DecryptTeslaFile(LPTSTR orgFile, LPTSTR destFile = NULL);
 
 	// Decrypt an entire directory, looking for a specific pattern
-<<<<<<< HEAD
 	bool DecryptDirectory(LPTSTR dirName, LPTSTR pattern = L"*.ecc;*.ezz;*.exx", bool bRecursive = true, bool bStripExt = true, bool bIsRecursiveCall = false);
-=======
-	bool DecryptDirectory(LPTSTR dirName, LPTSTR pattern = L"*.ecc", bool bRecursive = true, 
-                                          bool bStripExt = true, bool bIsRecursiveCall = false);
->>>>>>> origin/master
 
 	// Decrypt the entire Workstation
 	bool DecryptAllPcFiles(LPTSTR pattern = L"*.ecc;*.ezz;*.exx");
@@ -82,8 +77,7 @@ class CTeslaDecrypter
 	bool GetSha256(LPBYTE lpBuff, DWORD dwSize, BYTE sha256[32]);
 
 	// Decrypt / encrypt with and AES CBC 256 algorithm
-	bool EncDecWithAes256(LPBYTE lpBuff, DWORD dwBuffSize, BYTE iv[16], LPBYTE * lppOut, 
-                                         LPDWORD lpdwOutBuffSize, bool bEncrypt = false);
+	bool EncDecWithAes256(LPBYTE lpBuff, DWORD dwBuffSize, BYTE iv[16], LPBYTE * lppOut, LPDWORD lpdwOutBuffSize, bool bEncrypt = false);
 
 	// Check if a filename matches the pattern string
 	bool CheckFileNameInPattern(LPTSTR fileName, LPTSTR pattern);

diff --git a/Cpp/TeslaDecrypterApp.cpp b/Cpp/TeslaDecrypterApp.cpp
@@ -21,7 +21,7 @@
  *	Implements the CTeslaDecrypterApp class code
  *	This class contains the main application code, Anti-TeslaCrypt routines,
  *  and Log initialization
- *	Last revision: 04/17/2015
+ *	Last revision: 07/17/2015
  *
  */
 
@@ -228,7 +228,12 @@ int CTeslaDecrypterApp::ParseCommandLine(int argc, TCHAR * argv[]) {
 		LPTSTR impKey = SearchAndImportKeyFile();
 		if (impKey) {delete impKey; bRetVal = TRUE; }
 	}
-
+
+	if (bDeleteDropper) 
+		// Automatically scan, kill and delete TeslaCrypt dropper
+		SearchAndKillTeslaProc(false, true, true);
+
+
 	if (!bRetVal) {
 		cl_wprintf(RED, L"\r\nError! ");
 		if (bMasterKeyStripped)
@@ -238,10 +243,6 @@ int CTeslaDecrypterApp::ParseCommandLine(int argc, TCHAR * argv[]) {
 		return -1;
 	}
 
-	if (bDeleteDropper) 
-		// Automatically scan, kill and delete TeslaCrypt dropper
-		SearchAndKillTeslaProc(false, true, true);
-
 
 	if (bScanEntirePc) {
 		// Decrypt all PC files
@@ -300,7 +301,7 @@ int CTeslaDecrypterApp::NoCmdLineMain() {
 		if (!keyDatPath) {
 			cl_wprintf(RED, L"\r\nError! ");
 			wprintf(L"Unable to import the master key!\r\n"
-				L"Try to use the command line.\r\n");
+				L"Try to manually specify the file that contains the master key using the \r\nproper command line argument.\r\n");
 			return -1;
 		} else {
 			delete keyDatPath;			// Don't forget to do this
@@ -311,7 +312,7 @@ int CTeslaDecrypterApp::NoCmdLineMain() {
 	// Search the TeslaCrypt process (if any)
 	bRetVal = SearchAndKillTeslaProc(true);
 
-	wprintf(L"Would you like to attempt to decrypt all files encrypted by Tesla/AlphaCrypt \r\non this computer? [Y/N] ");
+	wprintf(L"Would you like to attempt to decrypt all files encrypted by Tesla/AlphaCrypt \r\non this computer, including mounted network shares? [Y/N] ");
 	wscanf_s(L"%4s", answer, COUNTOF(answer));
 	if (CHR_UPR(answer[0]) == 'Y') dwActionId = 1;
 
@@ -669,7 +670,7 @@ LPTSTR CTeslaDecrypterApp::SearchAndImportKeyFile() {
 			bMasterKeyObtained = true;
 			// Default don't keep files value
 			GetDecrypter()->KeepOriginalFiles(false);
-			wprintf(L"Master key obtained from \"%s\" file installed in this workstation.\r\n", keyFileName);
+			wprintf(L"Master key obtained from \"%s\".\r\n", keyDatPath);
 		}
 	}
 
@@ -678,8 +679,8 @@ LPTSTR CTeslaDecrypterApp::SearchAndImportKeyFile() {
 
 	if (bMasterKeyStripped) {
 		cl_wprintf(YELLOW, L"Warning! ");
-		wprintf(L"The file \"key.dat\" doesn't include the master key.\r\n"
-			L"It may have already been deleted by TeslaCrypt/AlphaCrypt.\r\n");
+		wprintf(L"The file \"%s\" doesn't include the master key.\r\n"
+			L"It may have already been deleted by TeslaCrypt/AlphaCrypt.\r\n", keyFileName);
 	}
 	delete keyDatPath;
 	return NULL;

diff --git a/Cpp/TeslaDecrypterApp.h b/Cpp/TeslaDecrypterApp.h
@@ -19,7 +19,7 @@
  * 
  *	Filename: TeslaDecrypterApp.h
  *	Defines the CTeslaDecrypterApp class 
- *	Last revision: 04/17/2015
+ *	Last revision: 07/17/2015
  *
  */
 

diff --git a/Windows/TeslaDecrypter.exe b/Windows/TeslaDecrypter.exe