Exetools forum, General Discussion: Any current Crypto Scanners or tools like KANAL in use? (https://forum.exetools.com/showthread.php?t=19867)

TempoMat 06-03-2021 23:05

Any current Crypto Scanners or tools like KANAL in use?
 
Hi,

Is there or are there any current, scriptable (for signature updates) programs for the detection of cryptographic algorithms in executable files like KANAL for PEiD in use by some members here in this forum?

I have been searching on the web for some time now without success.

I have some old programs, most of which were downloaded as far back as 2001 that I have found now to contain compiled cryptographic algorithms that are not at all or falsely detected by the likes of KANAL, SND_RT Crypto Scanner or several crypto plug-ins for IDA.

Typical examples are some compiled crypto functions in some KingConvert software, with a Golden Ratio like initialization table typical with TEAN, the RCs and so on, but it uses some constants of the DES S-Box. The decryption routine seems symmetric and has similarities to DES, AES, Rijndael, but yet is not any of these, at least not the common ones I know of.

Also it would be great to have the possibility to update the signatures for the detection of protections like OnGuard, TRegware, Matrix Encryption, which I have found in old and current software I have managed to keygen.

In this short intro of the article from 2019 the authors Han Seong Lee and Hyung-Woo Lee write:
Quote:

Executable binary files can be developed using cryptographic modules using open libraries such as OpenSSL and Crypto++ in Windows environments. To determine the embedded encryption algorithms and detect cryptographic modules used in binary files, a high degree of knowledge on internal structure is required in de-assembling and analyzing. And the reverse engineering process on executable binary file is very difficult. Therefore, we developed an automatic detection tool that can automatically detect the cryptographic algorithm to efficiently analyze cryptographic algorithms as a form of IDA plug-in module. This tool can be used to detect and track cryptographic algorithms used in arbitrary executables on Windows OS system.
Unfortunately there was no mention of the name of the plug-in so that it can be sought for.

Regards,
TemPoMat

sh3dow 06-04-2021 00:41

It would be really helpful if you named the several crypto plug-ins for IDA that you used to make it easier for both of us, so we don't give you the same plug-ins you already used and find unhelpful and to prevent wasting time.

TempoMat 06-04-2021 02:14

These are the crypto signatures I have and mostly use:

RESIGSv018PUB.sig
FGint.sig
FGintPackage.sig

ECElGamal.sig
ECDSA.sig
ECGFp.sig
FGIntRSA.sig
FGIntPrimeGeneration.sig
FGIntGOSTDSA.sig
FGintElGamal.sig
FGIntDSA.sig

chants 06-04-2021 09:35

This sounds like a perfect case for FLIRT signatures especially if public libraries or reference implementations are involved.

One thought is also to look for signatures for big integer implementations in commonly used libraries like GNU MP/gmp, Boost's cpp_int, libtommath, TTMath, the BIGNUM of OpenSSL, etc. Granted, this covers mostly public key crypto like RSA or ECDSA. And there are so many libraries with so many versions that it would be time consuming to be thorough. And symmetric ciphers or hash functions which aren't using such arithmetic but mixing, like AES and DES, would rely solely on specific signatures.

Of course with custom implementations, which is not hard to do even for big integers, it becomes nearly impossible and you are stuck with heuristics and common patterns. Even S-Boxes are customizable and it's known to be done, as long as the math behind it correctly preserves the security of the affine transforms.

It would be really nice to have a huge signature database of the common ones though as most developers are not engineering custom solutions.

Also if Windows API is used, it shouldn't be hard to check the DLL imports.

TQN 06-04-2021 10:02

You can try this plugin: https://github.com/HongThatCong/FindCrypt3
This plugin is not done yet.

sh3dow 06-04-2021 16:23

Quote:

Originally Posted by TempoMat (Post 123126)
Unfortunately there was no mention of the name of the plug-in so that it can be

The tool they developed wasn't open source, and this is the problem of academic publishing. So the name of it wouldn't help you at all. Though they mentioned many tools; you can find them here: https://ieeexplore.ieee.org/document/8866910/references#references

I used my university email hoping he will send the code to me and I will share it here.

--


In the meantime, there are:

1- Findcrypt and Findcrypt2 and FindCrypt3

2- Findcrypt-yara (Yara based)

3- idascope
- https://hex-rays.com/contests_details/contest2012/#idascope
- https://pnx-tf.blogspot.com/2012/07/introducing-idascope.html
- https://danielplohmann.github.io/blog/2012/08/15/crypto_identification.html

4- IDAsignsrch, and its original commandline version
- http://www.macromonkey.com/bb/index.php/topic,22.0.html
- https://hex-rays.com/contests_details/contest2012/#IDA_Signsrch

JMP-JECXZ 06-10-2021 14:52

Keygener Assistant can detect crypto too

TempoMat 06-15-2021 05:06

Quote:

Originally Posted by sh3dow (Post 123133)

Thanks for the links.

Sorry for forgetting to mention earlier that I have had and tried the FindCrypt and FindCrypt2 plugins already.
They were mostly useless in detecting cryptos in most of the apps I have tried them on, so I rarely use them.

FindCrypt3 is for v7.x so I can't test it right now.

I downloaded and tried to use the ida-sigsearch plugin without success.
It turned out it was not compatible with IDA 6.1, which was the version I was using until now.
I managed to get a v6.8 (as the author of the plugin had stated that it was tested on v6.5) and was able to invoke it.
However the result wasn’t all that promising.
There was even a false positive for a TEA hit on a modified MD5 Init Table with the TEA key schedule const 0x9E3779B9.

Running the Idascope.py script gives errors on line 41 in idascope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If I am able to resolve the issues to run it successfully, I will report back with my findings.
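
A minimal constant scanner in the spirit of KANAL/FindCrypt, added here as an illustration and not taken from the thread or from any of the tools named in it. It shows why the lone 0x9E3779B9 word that sat next to a modified MD5 init table above should be reported as an ambiguous hit rather than as a definite TEA detection: the signature table, the "ambiguous constants" set and the sample buffer are all constructed for this example.

```python
import struct

# Constructed signature table (sample values, not KANAL's or FindCrypt's database):
# name -> (32-bit constants to look for, how many distinct ones must be present).
SIGNATURES = {
    "MD5 init":       ([0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476], 4),
    "SHA-1 init":     ([0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0], 5),
    "TEA/XTEA delta": ([0x9E3779B9], 1),
    "RC5/RC6 P,Q":    ([0xB7E15163, 0x9E3779B9], 2),
}

# The golden-ratio word turns up in TEA, RC5/RC6, Fibonacci hashing and hand-rolled
# mixers, so a hit resting only on it is reported as weak, not as a definite algorithm.
AMBIGUOUS = {0x9E3779B9}


def scan(data: bytes) -> dict:
    """Return {signature name: {"offset", "endian", "confidence"}} for every matched signature."""
    results = {}
    for name, (consts, need) in SIGNATURES.items():
        for endian in ("<", ">"):          # constants may be stored little- or big-endian
            found = {}
            for c in consts:
                off = data.find(struct.pack(endian + "I", c))
                if off != -1:
                    found[c] = off
            if len(found) < need:
                continue
            weak = all(c in AMBIGUOUS for c in found)
            results[name] = {"offset": min(found.values()), "endian": endian,
                             "confidence": "weak" if weak else "strong"}
            break
    # SHA-1's IV starts with MD5's four words, so the fifth word decides between them.
    if "SHA-1 init" in results and "MD5 init" in results:
        del results["MD5 init"]
    return results


# Constructed sample mimicking the case in the thread: an MD5 init table followed
# a few bytes later by a lone 0x9E3779B9, all little-endian, padded with zeros.
SAMPLE = (bytes(16)
          + b"".join(struct.pack("<I", c) for c in SIGNATURES["MD5 init"][0])
          + bytes(8) + struct.pack("<I", 0x9E3779B9) + bytes(16))

if __name__ == "__main__":
    for name, hit in scan(SAMPLE).items():
        print(f"{name:16s} @ 0x{hit['offset']:04x} ({hit['endian']}) {hit['confidence']}")
```

Real tools add S-box tables and per-algorithm constant lists; the point here is the "weak" grade on a shared constant, which is the difference between a confirmed hit and a KANAL-style false positive.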

TempoMat 06-15-2021 05:17

Quote:

Originally Posted by JMP-JECXZ (Post 123153)
Keygener Assistant can detect crypto too

Thanks for the tip.
I have never used that option until I read your post.
Well, interestingly, it was able to detect TRegware in all the apps I tested it on that use this routine for their serials.
Generally, it gave a lot of false positives for cryptos with most of the apps, but hits on Hashes were mostly accurate.

sh3dow 06-15-2021 19:33

Quote:

Originally Posted by TempoMat (Post 123178)
Thanks for the links.
Running the Idascope.py script gives errors on line 41 in idascope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If I am able to resolve the issues to run it successfully, I will report back with my findings.


Install Requests library.

PHP Code:

python -m pip install requests 


TempoMat 07-10-2021 02:47

Quote:

Originally Posted by sh3dow (Post 123181)
Install Requests library.

PHP Code:

python -m pip install requests 


I have tried to install requests on different Windows versions without success.

In the meantime, I’ve spent some time reading different papers on the strength of Yara and decided to try to write some rules for OnGuard, Matrix Decryption and TRegware for the start.
It was during this time that I realized for the first time that x64Dbg at least up to the snapshot from March, 28 2019 had Yara implemented as dll.
So I decided to test my attempts of the yara rules in it.

It worked most of the time in x64Dbg if I didn't use the “pe” and “math” options in the rules, which I needed in order to limit the scanning to MZ header files only.
Also the version in x64Dbg only scans the file in its currently active CPU, even if you select a different directory to scan, and this I presume could be the reason the "pe" option fails.

So in the end I was able to write, thanks to some code snippets from the net, a wrapper in classic VB to execute and capture the result of the console version of the latest compiled yara32.
Tries were made with single files as well as nested folders, with pretty decent results in timing and hits. For the results I have added rules for the signatures of these three modules to the “crypto_signatures.yara” found, for example, at https://github.com/Yara-Rules/rules/tree/master/crypto

an0rma1 07-20-2021 03:06

Hi, I was going to suggest Crypto Checker, which, as you said, is not new (nothing since 2016), but I've used it with success many times. Anyway, looking for the files online I found this nice listing of programs for analyzing crypto stuff specifically:
https://www.manhunter.ru/underground/954_programmi_dlya_poiska_kriptoalgoritmov_v_ispolnyaemih_faylah.html

For binary packing/modification, I think the best nowadays are ExePeInfo and DIE. I especially like the latter because the database is done via scripting, and for the huge support for DOS stuff.

nathan 08-29-2021 21:37

Any Linux support for crypto checkers?

aliali 09-18-2021 00:53

Quote:

Originally Posted by nathan (Post 123666)
Any Linux support for crypto checkers?

This might help you.

https://github.com/Wind-River/crypto-detector
