#1
****************
File for static debug:
****************
https://app.box.com/s/npyh7dgjsvr3cdwm9b0a

Some clues indicate the SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac call may use the RSA algorithm, but I can't find the public key after a long time debugging. Can anyone help?

SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca => call SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac => call rsa_eay.c

**********************
IDA F5 => Pseudo code
**********************
if ( SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca(v14, v17, v18, v13, 1) == -1 )
{
  v15 = 0;
  dword_282C990 = SNPSle_0b7605938c156c1e7171bec194fc1df0();
  snpsFreeFunc(v18);
  snpsFreeFunc(v17);
}
else
{
  v15 = SNPSle_e70385d734271e1f();
  SNPSle_a319640d45ef7860(v15, v18);
  snpsFreeFunc(v18);
  snpsFreeFunc(v17);
}
return v15;

*************************************************
Function SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca
*************************************************
.text:0129A65C mov edx, [esp+24h]
.text:0129A660 mov dword ptr [esp+10h], 1
.text:0129A668 mov [esp+0Ch], esi
.text:0129A66C mov [esp+8], edx
.text:0129A670 mov edx, [esp+20h]
.text:0129A674 mov [esp], eax
.text:0129A677 mov [esp+4], edx
.text:0129A67B call SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca

.text:012FF9C0 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca proc near
.text:012FF9C0 ; CODE XREF: SNPSle_8c043950c9569b2b28b737acdf3db27f+16Bp
.text:012FF9C0 ; SNPSle_5b20c9bca9f2e8472400b8222d99bf873af76a24be776844+6Fp ...
.text:012FF9C0
.text:012FF9C0 var_1C = dword ptr -1Ch
.text:012FF9C0 var_18 = dword ptr -18h
.text:012FF9C0 var_14 = dword ptr -14h
.text:012FF9C0 var_10 = dword ptr -10h
.text:012FF9C0 var_C = dword ptr -0Ch
.text:012FF9C0 arg_0 = dword ptr 4
.text:012FF9C0 arg_4 = dword ptr 8
.text:012FF9C0 arg_8 = dword ptr 0Ch
.text:012FF9C0 arg_C = dword ptr 10h
.text:012FF9C0 arg_10 = dword ptr 14h
.text:012FF9C0
.text:012FF9C0 sub esp, 1Ch
.text:012FF9C3 mov edx, [esp+1Ch+arg_C]
.text:012FF9C7 mov eax, [esp+1Ch+arg_10]
.text:012FF9CB mov ecx, [edx+8]
.text:012FF9CE mov [esp+1Ch+var_C], eax
.text:012FF9D2 mov eax, [esp+1Ch+arg_8]
.text:012FF9D6 mov [esp+1Ch+var_10], edx
.text:012FF9DA mov [esp+1Ch+var_14], eax
.text:012FF9DE mov eax, [esp+1Ch+arg_4]
.text:012FF9E2 mov [esp+1Ch+var_18], eax
.text:012FF9E6 mov eax, [esp+1Ch+arg_0]
.text:012FF9EA mov [esp+1Ch+var_1C], eax
.text:012FF9ED call dword ptr [ecx+8] => call 013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac
.text:012FF9F0 add esp, 1Ch
.text:012FF9F3 retn
.text:012FF9F3 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca endp

*****************************************************************
Function SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac
*****************************************************************
.text:013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac proc near
.text:013BA9F0 ; DATA XREF: .data:02796748o
......
.text:013BAA9F lea eax, (aRsa_eay_c - 26FB44Ch)[ebx] ; "rsa_eay.c"
......
.text:013BAE7D SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac endp
#2
Have you tried applying some of the well-known crypto lib sigs in IDA?
Git
#3
I use findcrypt.plw. Would you help by recommending some other crypto lib sigs that may be helpful? I have little experience with this kind of lib sigs; your guidance will be very much appreciated. Thanks.
#4
The code you posted just moves some arguments around and does nothing which would help to identify anything.
"rsa_eay.c" is part of the OpenSSL package. If OpenSSL is linked to your code, it naturally contains RSA, but also dozens of other crypto algorithms. It doesn't mean the algorithms are actually used for anything. The calling convention looks strange; it seems to be some exotic compiler (maybe Cygwin?). So you might have to recompile OpenSSL yourself to create IDA signature files.
#6
This is an ELF under RHEL. Would you let me know which OpenSSL library file (such as libeay32.lib under Windows) I should use to generate the IDA signature? Thanks.
#7
The IDAscope plugin does a very nice job checking crypto. I did a fix for IDA 6.1 here: http://techbliss.org/threads/idascope-v1-1-yara-scanning-fixed-for-ida-6-1-python-2-7.484/#post-1509
There is also the RSA key finder script: http://kyprizel.net/work/ida_rsakeyfinder.html (Python needed)
#8
Why, when using IDAscope, do I not have the part highlighted in red below? Would you have a look? (Attachment is my view when using IDAscope)

[/] setting up widgets...
[|] loading FunctionInspectionWidget
[|] loading WinApiWidget
[|] loading CryptoIdentificationWidget
[|] loading YaraScannerWidget
[\] this took 0.20 seconds.
Using FLIRT signature: Microsoft VisualC 2-10/net runtime
loading rules from file: C:\yara\apt.yar (72)
loading rules from file: C:\yara\APT_NGO_wuaclt.yar (1)
loading rules from file: C:\yara\APT_NGO_wuaclt_PDF.yar (1)
loading rules from file: C:\yara\avdetect.yar (1)
[!] Could not load yara rules from file: C:\yara\cve.yar
loading rules from file: C:\yara\dbgdetect.yar (3)
loading rules from file: C:\yara\GeorBotBinary.yara (1)
loading rules from file: C:\yara\GeorBotMemory.yara (1)
loading rules from file: C:\yara\hangover.yar (16)
[!] Could not load yara rules from file: C:\yara\index.yar
loading rules from file: C:\yara\sandboxdetect.yar (1)
loading rules from file: C:\yara\vmdetect.yar (1)
loading rules from file: C:\yara\xplug.yar (2)
[!] Performing YARA scan...
#9
the RSA finder script had the wrong link
http://kyprizel.net/work/ida_rsakeyfinder.html
#10
Searching for X.509 Public Key Infrastructure Certificates
Searching for PKCS #8: Private-Key Information Syntax Standard
Key scan complete.

public key for attached demo case: n=80C07AFC9D25404D6555B9ACF3567CF1, e=10001
#11
http://etherhack.co.uk/asymmetric/docs/rsa_key_breakdown.html
It wouldn't find anything in the demo case (source for your file here): http://read.pudn.com/downloads149/sourcecode/crypt/645649/KeyGen/src/RSAKeyGen.c__.htm
It can't find random public keys.
Last edited by Storm Shadow; 08-06-2014 at 23:09. |
#12
I'm inspired by the document you gave, "OpenSSL 1024 bit RSA Private Key Breakdown". I saw the public key before when doing dynamic debugging with edb (as the attached picture shows), but I didn't understand it; after reading the document, I fully understand it. I still don't know how to make the RSA signature files, but with your help I have found and understood the public key, and have verified that my understanding is right with BigCal. Here I should say many thanks to you for your warm help and guidance. I may still have some related questions; I hope you can still give help. Thanks again.
Last edited by bridgeic; 08-07-2014 at 17:42.
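The key extraction discussed in posts #10 and #12 (the rsakeyfinder scan for X.509 / PKCS structures, and the OpenSSL RSA key breakdown), as an added example that is not part of the thread and is not the rsakeyfinder script or anything taken from the target binary: a small scanner that walks a binary or memory dump for DER-encoded RSA key structures and decodes n and e (and, for a private key, d, p and q). It recognises a bare PKCS#1 RSAPublicKey, an X.509 SubjectPublicKeyInfo wrapping one, and a PKCS#1 RSAPrivateKey, and only reports a private key whose components are self-consistent. The sample input is constructed: it wraps the n and e reported in post #10 in a SubjectPublicKeyInfo and adds a toy private key built from two 32-bit primes so the numbers stay readable; the real file's keys are not reproduced.

```python
"""Scan a binary or memory dump for DER-encoded RSA keys and report n, e (and d, p, q).
Added example; not the rsakeyfinder script and not code from the target binary."""
import math
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption

def der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of the first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or i + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes

def der_tlv(buf, i):
    """Decode one tag-length-value at buf[i]; return (tag, content, offset after it)."""
    tag = buf[i]
    length, start = der_len(buf, i + 1)
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:start + length], start + length

def der_ints(body):
    """Decode a SEQUENCE body that must consist only of INTEGERs."""
    i, out = 0, []
    while i < len(body):
        tag, content, i = der_tlv(body, i)
        if tag != 0x02:
            raise ValueError("not an INTEGER")
        out.append(int.from_bytes(content, "big"))
    return out

def parse_rsa_at(buf, i):
    """Try to read an RSA key whose outer SEQUENCE starts at buf[i]; None if there is none."""
    try:
        tag, body, _ = der_tlv(buf, i)
        if tag != 0x30:
            return None
        # X.509 SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
        if body[:1] == b"\x30" and RSA_OID in body[:24]:
            _, _alg, j = der_tlv(body, 0)
            btag, bits, _ = der_tlv(body, j)
            if btag != 0x03 or bits[:1] != b"\x00":
                return None
            key = parse_rsa_at(bits, 1)  # RSAPublicKey follows the unused-bits byte
            if key:
                key["offset"], key["container"] = i, "spki"
            return key
        ints = der_ints(body)
    except (ValueError, IndexError):
        return None
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    if len(ints) == 2 and ints[0].bit_length() >= 64 and ints[1] % 2 == 1:
        return {"type": "public", "offset": i, "container": "pkcs1", "n": ints[0], "e": ints[1]}
    # PKCS#1 RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv }
    if len(ints) == 9 and ints[0] == 0:
        _, n, e, d, p, q = ints[:6]
        if p * q == n and pow(pow(2, e, n), d, n) == 2:  # report only a self-consistent key
            return {"type": "private", "offset": i, "container": "pkcs1",
                    "n": n, "e": e, "d": d, "p": p, "q": q}
    return None

def find_rsa_keys(buf):
    """Try every 0x30 byte as a SEQUENCE start; one report per distinct key."""
    keys, seen = [], set()
    for m in re.finditer(b"\x30", buf):
        key = parse_rsa_at(buf, m.start())
        if key and (key["type"], key["n"]) not in seen:
            seen.add((key["type"], key["n"]))
            keys.append(key)
    return keys

# --- DER encoders, used only to construct the sample input below ---
def der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):  # a leading 0x00 keeps a set high bit from reading as a negative number
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len_enc(len(b)) + b

def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + der_len_enc(len(body)) + body

def build_spki(n, e):
    pk = der_seq(der_int(n), der_int(e))
    return der_seq(der_seq(RSA_OID, b"\x05\x00"), b"\x03" + der_len_enc(len(pk) + 1) + b"\x00" + pk)

def build_private(n, e, d, p, q):  # version-0 RSAPrivateKey, the layout OpenSSL writes
    return der_seq(*(der_int(v) for v in (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))))

# Constructed sample (not the thread's binary): junk, the n/e reported in post #10 as an SPKI,
# a string the real binary contains, and a toy private key from two 32-bit primes.
DEMO_N, DEMO_E = 0x80C07AFC9D25404D6555B9ACF3567CF1, 0x10001
P, Q = 4294967291, 4294967311
D = pow(DEMO_E, -1, (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1))
SAMPLE_BLOB = (b"\x00\x30\x05\x02\x01\x07\x02\x01\x03"  # SEQUENCE of two small INTEGERs: ignored
               + build_spki(DEMO_N, DEMO_E) + b"rsa_eay.c\x00"
               + build_private(P * Q, DEMO_E, D, P, Q) + b"\xff\x30\x82")  # truncated tail: ignored

if __name__ == "__main__":
    for k in find_rsa_keys(SAMPLE_BLOB):
        print(f"{k['type']:7} {k['container']:5} @0x{k['offset']:04x}  n={k['n']:X}  e={k['e']:X}")
```

Point `find_rsa_keys` at the bytes of a mapped module or a memory dump taken at the point where edb shows the key; a key that is only assembled in memory at run time, or stored as raw big-endian limbs rather than DER, will not be found this way, which matches what post #11 notes about random public keys.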
#13
@bridgeic: Use a compiler there to compile OpenSSL in that specific format. Then use the IDA SDK tools (available everywhere) to generate FLIRT signatures. Nobody can really do that for you; just look up a guide on 'compiling openssl in linux' or something.
RHEL is RedHat Enterprise? Greetings
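The FLIRT route described in this post and in post #4, as an added example that is not from the thread: a shell script that builds a static libcrypto with the toolchain of the target box, turns it into a .sig with the IDA FLAIR tools pelf and sigmake, and cleans up the .exc collision file sigmake writes when several functions share one byte pattern. Assumptions: a 32-bit x86 ELF target (the disassembly in post #1 is 32-bit), so OpenSSL 1.0.x's `linux-elf` Configure target with `no-shared`; and the usual .exc layout (a header of `;` comment lines that sigmake refuses to read past, then blank-line-separated groups of `name crc pattern` lines). The `prefer` regex is this example's own convenience for marking, with `+`, which entry of a collision group to keep; groups with no `+` stay excluded, which is the safe default.

```sh
#!/bin/sh
# Build FLIRT signatures for an OpenSSL built like the target (assumed: 32-bit x86 ELF,
# OpenSSL 1.0.x) and resolve sigmake collisions. Added example, not from the thread.
set -eu

# make_openssl_sig <openssl-src-dir> <out-basename> [prefer-regex]
make_openssl_sig() {
    src=$1; out=$2; prefer=${3:-}
    command -v pelf >/dev/null && command -v sigmake >/dev/null || {
        echo "pelf/sigmake (IDA FLAIR tools) not on PATH" >&2; return 1; }
    # Static build with the compiler that produced the target; the .a keeps one object
    # per source file, which is what pelf turns into patterns.
    (cd "$src" && ./Configure linux-elf no-shared && make)
    pelf "$src/libcrypto.a" "$out.pat"
    # sigmake fails and writes $out.exc when several functions share one pattern.
    if ! sigmake -n"OpenSSL libcrypto (target build)" "$out.pat" "$out.sig"; then
        resolve_exc "$out.exc" "$prefer" > "$out.exc.new" && mv "$out.exc.new" "$out.exc"
        sigmake -n"OpenSSL libcrypto (target build)" "$out.pat" "$out.sig"
    fi
    echo "copy $out.sig into IDA's sig/ directory and apply it via File > Load file > FLIRT signature file"
}

# resolve_exc <file.exc> [prefer-regex]: drop the ';' header and put '+' in front of every
# collision entry whose name matches prefer-regex (e.g. '^RSA_'); everything else is kept
# unchanged, so unmarked groups remain excluded from the signature.
resolve_exc() {
    awk -v prefer="${2:-}" '
        /^;/                         { next }
        prefer != "" && $1 ~ prefer  { print "+" $0; next }
                                     { print }
    ' "$1"
}

if [ "${1:-}" = build ]; then
    make_openssl_sig "$2" "$3" "${4:-}"
fi
```

Run it as `sh make_sig.sh build /path/to/openssl-1.0.x libcrypto '^RSA_'` on the RHEL box; a signature built with a different compiler or optimisation level than the target will match almost nothing, which is why post #4 says to recompile rather than reuse a stock signature.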
#14
Yes, it is.
#15
So far still no progress. I can upload all the files needed for dynamic debugging if anyone can kindly give some help or direction (the files are somewhat big, about 500M). Thanks in advance.