Thread: Help identify crypto
View Single Post
  #5  
Old 12-26-2014, 19:30
sh3dow sh3dow is offline
Family
  
Join Date: Oct 2014
Posts: 158
Rept. Given: 113
Rept. Rcvd 79 Times in 24 Posts
Thanks Given: 461
Thanks Rcvd at 202 Times in 75 Posts
sh3dow Reputation: 79
you can use FindCrypt plugin for ida pro http://www.hexblog.com/?p=27



While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.


The idea behind it pretty simple: since almost all crypto algorithms use magic constants, we will just look for these constants in the program body. Here is how we would do it manually:
http://www.sockpuppet.org/tqbf/log/2006/01/two-things.html
This approach will fail if the S-boxes have been altered but in most cases they are untouched (can you admit that you understand all consequences of modifying an S-box, say, in AES?)
The plugin supports virtually all crypto algorithms and hash functions. I also added the zlib library constants to the list just for the user convenience. Here is the full list:

PHP Code:
    Blowfish
    Camellia
    CAST
    CAST256
    CRC32
    DES
    GOST
    HAVAL
    MARS
    MD2
    MD4
    MD5
    PKCS_MD2 (byte sequence used in PKCS envelope)
    PKCS_MD5 (byte sequence used in PKCS envelope)
    PKCS_RIPEMD160 (byte sequence used in PKCS envelope)
    PKCS_SHA256 (byte sequence used in PKCS envelope)
    PKCS_SHA384 (byte sequence used in PKCS envelope)
    PKCS_SHA512 (byte sequence used in PKCS envelope)
    PKCS_Tiger (byte sequence used in PKCS envelope)
    RawDES
    RC2
    RC5
    RC6
    Rijndael
    SAFER
    SHA-1
    SHA-256
    SHA-512
    SHARK
    SKIPJACK
    Square
    Tiger
    Twofish
    WAKE
    Whirlpool
    zlib 
Please note that the list does not contain the IDEA algorithm because it usually builds its tables on the fly. Other algorithms can be added if needed.
The plugin is very easy to use �C just select it from the plugins menu and it will do its job. At the end it will display a message box like this:
http://www.hexblog.com/ida_pro/pix/f...t_finished.gif
It also will rename all found arrays and put them in the marked location list:
http://www.hexblog.com/ida_pro/pix/findcrypt_marks.gif
The same approach can be used to find other magic constants and strings. The plugin can also be automated �C just hook to the ph.newfile processor module event and run the search.
The source code, as usual, comes with the plugin: findcrypt.zip
Have (cryptic) fun!
The Following User Gave Reputation+1 to sh3dow For This Useful Post:
The Old Pirate (12-27-2014)