#1
Is this RSA algorithm?
****************
File for static debug:
****************
https://app.box.com/s/npyh7dgjsvr3cdwm9b0a

Some clues indicate that the SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac call may use the RSA algorithm, but I can't find the public key after a long time debugging. Can anyone help?

SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca => calls SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac => calls rsa_eay.c

**********************
IDA F5 => Pseudo code
**********************
    if ( SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca(v14, v17, v18, v13, 1) == -1 )
    {
        v15 = 0;
        dword_282C990 = SNPSle_0b7605938c156c1e7171bec194fc1df0();
        snpsFreeFunc(v18);
        snpsFreeFunc(v17);
    }
    else
    {
        v15 = SNPSle_e70385d734271e1f();
        SNPSle_a319640d45ef7860(v15, v18);
        snpsFreeFunc(v18);
        snpsFreeFunc(v17);
    }
    return v15;

*************************************************
Function SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca
*************************************************
Call site:

    .text:0129A65C                 mov     edx, [esp+24h]
    .text:0129A660                 mov     dword ptr [esp+10h], 1
    .text:0129A668                 mov     [esp+0Ch], esi
    .text:0129A66C                 mov     [esp+8], edx
    .text:0129A670                 mov     edx, [esp+20h]
    .text:0129A674                 mov     [esp], eax
    .text:0129A677                 mov     [esp+4], edx
    .text:0129A67B                 call    SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca

Function body:

    .text:012FF9C0 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca proc near
    .text:012FF9C0                                         ; CODE XREF: SNPSle_8c043950c9569b2b28b737acdf3db27f+16Bp
    .text:012FF9C0                                         ; SNPSle_5b20c9bca9f2e8472400b8222d99bf873af76a24be776844+6Fp ...
    .text:012FF9C0
    .text:012FF9C0 var_1C          = dword ptr -1Ch
    .text:012FF9C0 var_18          = dword ptr -18h
    .text:012FF9C0 var_14          = dword ptr -14h
    .text:012FF9C0 var_10          = dword ptr -10h
    .text:012FF9C0 var_C           = dword ptr -0Ch
    .text:012FF9C0 arg_0           = dword ptr  4
    .text:012FF9C0 arg_4           = dword ptr  8
    .text:012FF9C0 arg_8           = dword ptr  0Ch
    .text:012FF9C0 arg_C           = dword ptr  10h
    .text:012FF9C0 arg_10          = dword ptr  14h
    .text:012FF9C0
    .text:012FF9C0                 sub     esp, 1Ch
    .text:012FF9C3                 mov     edx, [esp+1Ch+arg_C]
    .text:012FF9C7                 mov     eax, [esp+1Ch+arg_10]
    .text:012FF9CB                 mov     ecx, [edx+8]
    .text:012FF9CE                 mov     [esp+1Ch+var_C], eax
    .text:012FF9D2                 mov     eax, [esp+1Ch+arg_8]
    .text:012FF9D6                 mov     [esp+1Ch+var_10], edx
    .text:012FF9DA                 mov     [esp+1Ch+var_14], eax
    .text:012FF9DE                 mov     eax, [esp+1Ch+arg_4]
    .text:012FF9E2                 mov     [esp+1Ch+var_18], eax
    .text:012FF9E6                 mov     eax, [esp+1Ch+arg_0]
    .text:012FF9EA                 mov     [esp+1Ch+var_1C], eax
    .text:012FF9ED                 call    dword ptr [ecx+8]   ; => call 013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac
    .text:012FF9F0                 add     esp, 1Ch
    .text:012FF9F3                 retn
    .text:012FF9F3 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca endp

*****************************************************************
Function SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac
*****************************************************************
    .text:013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac proc near
    .text:013BA9F0                                         ; DATA XREF: .data:02796748o
    ......
    .text:013BAA9F                 lea     eax, (aRsa_eay_c - 26FB44Ch)[ebx] ; "rsa_eay.c"
    ......
    .text:013BAE7D SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac endp
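The wrapper in the post above loads a pointer at [edx+8] from its fourth argument and calls through [ecx+8] on that pointer, with a fifth argument of 1 and a -1 return treated as failure. That shape is consistent with OpenSSL's RSA_public_decrypt() on a 32-bit build, which does `return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)` (meth sits at +8 in struct rsa_st, rsa_pub_dec at +8 in RSA_METHOD, and 1 is RSA_PKCS1_PADDING); the default method's rsa_pub_dec lives in rsa_eay.c. Under that reading the public key is not a blob in the file but the n and e BIGNUMs inside the RSA object passed as the fourth argument, so it can be read out of memory at the call. The script below is an added example, not code from the thread: it walks those structures in a flat memory dump. The field offsets are an assumption taken from the OpenSSL 1.0.x headers for a 32-bit build and must be checked against the version actually linked; the dump itself is constructed inline, using the n and e values posted in #8 and the 0x013BA9F0 address from this post.

```python
import struct

# Assumed offsets for a 32-bit OpenSSL 1.0.x build (struct rsa_st, RSA_METHOD in rsa.h;
# BIGNUM in bn.h). This is an assumption about the target, not something the thread
# confirms; verify against the headers of the linked OpenSSL version.
RSA_OFF_METH, RSA_OFF_N, RSA_OFF_E = 0x08, 0x10, 0x14   # int pad; long version; meth; engine; n; e
METH_OFF_NAME, METH_OFF_PUB_DEC = 0x00, 0x08           # name; rsa_pub_enc; rsa_pub_dec
BN_OFF_D, BN_OFF_TOP, BN_OFF_NEG = 0x00, 0x04, 0x0C    # BN_ULONG *d; int top; int dmax; int neg
BN_ULONG_SIZE = 4                                      # 32-bit limbs on a 32-bit build


class Image:
    """A flat little-endian memory dump mapped at a known base address."""

    def __init__(self, base, data):
        self.base, self.data = base, data

    def bytes(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError("read outside the dump: 0x%x+%d" % (addr, size))
        return self.data[off:off + size]

    def u32(self, addr):
        return struct.unpack("<I", self.bytes(addr, 4))[0]

    def cstr(self, addr, limit=64):
        raw = self.bytes(addr, min(limit, len(self.data) - (addr - self.base)))
        return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def read_bignum(img, bn_addr):
    """Rebuild a BIGNUM: `top` limbs at `d`, least-significant limb first."""
    top = img.u32(bn_addr + BN_OFF_TOP)
    if top > 1024:                      # an RSA parameter never needs that many limbs
        raise ValueError("implausible BIGNUM top=%d at 0x%x" % (top, bn_addr))
    limbs = img.bytes(img.u32(bn_addr + BN_OFF_D), top * BN_ULONG_SIZE)
    value = int.from_bytes(limbs, "little")
    return -value if img.u32(bn_addr + BN_OFF_NEG) else value


def read_rsa_public(img, rsa_addr):
    """Follow rsa->meth->rsa_pub_dec and rsa->n / rsa->e from an RSA object."""
    meth = img.u32(rsa_addr + RSA_OFF_METH)
    return {
        "meth_name": img.cstr(img.u32(meth + METH_OFF_NAME)),
        "rsa_pub_dec": img.u32(meth + METH_OFF_PUB_DEC),
        "n": read_bignum(img, img.u32(rsa_addr + RSA_OFF_N)),
        "e": read_bignum(img, img.u32(rsa_addr + RSA_OFF_E)),
    }


# Constructed sample dump. n/e are the demo-case values posted in #8 and 0x013BA9F0 is
# the rsa_eay.c routine address from #1; base address and object placement are invented.
SAMPLE_N = 0x80C07AFC9D25404D6555B9ACF3567CF1
SAMPLE_E = 0x10001
SAMPLE_PUB_DEC = 0x013BA9F0
SAMPLE_METH_NAME = b"Eric Young's PKCS#1 RSA"   # name string of OpenSSL's default RSA_METHOD


def build_sample_image():
    base = 0x0A000000
    buf = bytearray(0x400)

    def put32(off, value):
        struct.pack_into("<I", buf, off, value & 0xFFFFFFFF)

    # RSA object at +0x000, RSA_METHOD at +0x100, name at +0x180,
    # BIGNUM headers at +0x200/+0x220, limb arrays at +0x300/+0x310.
    put32(0x000 + RSA_OFF_METH, base + 0x100)
    put32(0x000 + RSA_OFF_N, base + 0x200)
    put32(0x000 + RSA_OFF_E, base + 0x220)
    put32(0x100 + METH_OFF_NAME, base + 0x180)
    put32(0x100 + METH_OFF_PUB_DEC, SAMPLE_PUB_DEC)
    buf[0x180:0x180 + len(SAMPLE_METH_NAME)] = SAMPLE_METH_NAME
    n_limbs = SAMPLE_N.to_bytes(16, "little")           # 4 x 32-bit limbs
    e_limbs = SAMPLE_E.to_bytes(4, "little")            # 1 limb
    put32(0x200 + BN_OFF_D, base + 0x300)
    put32(0x200 + BN_OFF_TOP, len(n_limbs) // BN_ULONG_SIZE)
    put32(0x220 + BN_OFF_D, base + 0x310)
    put32(0x220 + BN_OFF_TOP, len(e_limbs) // BN_ULONG_SIZE)
    buf[0x300:0x300 + len(n_limbs)] = n_limbs
    buf[0x310:0x310 + len(e_limbs)] = e_limbs
    return Image(base, bytes(buf)), base


if __name__ == "__main__":
    img, rsa = build_sample_image()
    key = read_rsa_public(img, rsa)
    print("method      :", key["meth_name"])
    print("rsa_pub_dec : 0x%08X" % key["rsa_pub_dec"])
    print("n (%d bits) : %X" % (key["n"].bit_length(), key["n"]))
    print("e           : 0x%X" % key["e"])
```

On the real target the dump would come from the debugger at the `call dword ptr [ecx+8]` instruction, with edx (the RSA object) as the address passed to read_rsa_public; if the method name that comes back is not the OpenSSL default, the vendor has installed its own RSA_METHOD and the key may be held elsewhere.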
#2
Have you tried applying some of the well-known crypto lib sigs in IDA?
Git
#3
The code you posted just moves some arguments around and does nothing which would help to identify anything.
"rsa_eay.c" is part of the OpenSSL package. If OpenSSL is linked to your code, it naturally contains RSA, but also dozens of other crypto algorithms. It doesn't mean the algorithms are actually used for anything. The calling convention looks strange; it seems to be some exotic compiler (maybe Cygwin?). So you might have to recompile OpenSSL yourself to create IDA signature files.
#4
Quote:
I use findcrypt.plw; would you recommend some other crypto lib sigs that may be helpful? I have little experience with this kind of lib sig, so your guidance will be very much appreciated, thanks.
#5
Quote:
#6
The IDAscope plugin does a very nice job of checking crypto. I did a fix for IDA 6.1 here: http://techbliss.org/threads/idascope-v1-1-yara-scanning-fixed-for-ida-6-1-python-2-7.484/#post-1509
There is also the RSA key finder script: http://kyprizel.net/work/ida_rsakeyfinder.html (Python needed)
#7
The RSA finder script had the wrong link:
http://kyprizel.net/work/ida_rsakeyfinder.html
#8
Quote:
Searching for X.509 Public Key Infrastructure Certificates
Searching for PKCS #8: Private-Key Information Syntax Standard
Key scan complete.

Public key for the attached demo case: n=80C07AFC9D25404D6555B9ACF3567CF1, e=10001
#9
This is an ELF binary running under RHEL. Would you let me know which OpenSSL library file (such as libeay32.lib under Windows) I should use to generate the IDA signature? Thanks.
#10
@bridgeic: Use a compiler there to compile OpenSSL in that specific format. Then use the IDA SDK tools (available everywhere) to generate FLIRT signatures. Nobody can really do that for you; just look up a guide on 'compiling OpenSSL on Linux' or something.
RHEL is Red Hat Enterprise?
Greetings
#11
Quote:
Yes, it is.
#12
So far still no progress. I can upload all the files needed for dynamic debugging if anyone can kindly give some help or direction (the files are rather big, about 500 MB in total). Thanks in advance.
#13
|
@bridgeic: Just create a list of all files included, I really have no clue, probably you need .a or .elf files...
Greetings |
#14
|
As Kerlingen suggests, you need the correct sig file for the compiler used. If it is an unusual compiler you will have to compile it yourself. Once you have the .lib used to link in the OpenSSL functions, use IDA's FLIRT tools to convert the .lib to a .sig. Put the .sig in the sig directory and proceed to apply that sig to your disassembly. Many OpenSSL functions should now be identified with the correct names.
Git |
#15
|
Quote:
http://etherhack.co.uk/asymmetric/docs/rsa_key_breakdown.html
It wouldn't find anything in the demo case (source for your file here):
http://read.pudn.com/downloads149/sourcecode/crypt/645649/KeyGen/src/RSAKeyGen.c__.htm
It can't find random public keys.

Last edited by Storm Shadow; 08-06-2014 at 23:09.
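The key-finder approach in #6 and #8 and Storm Shadow's caveat in #15 come down to one point: a scanner can only recognise a key that is stored in an encoding it knows, and the script run in #8 looks for X.509 and PKCS#8 DER structures, so a modulus that the program keeps as a bare big-endian (or little-endian limb) buffer is invisible to it. The following added example, not code from the thread or from ida_rsakeyfinder, shows the idea in Python: it scans a blob for a PKCS#1 RSAPublicKey, a DER SEQUENCE of two INTEGERs, which is also the structure embedded inside an X.509 SubjectPublicKeyInfo. The constructed sample blob carries the demo-case n and e from #8 both DER-encoded and as a raw big-endian buffer, so only the DER copy is reported; the DER helpers, the decoy bytes and the blob layout are mine.

```python
# Scanner for PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
# An X.509 SubjectPublicKeyInfo (or a whole certificate) carries the same SEQUENCE inside a
# BIT STRING, byte-aligned after the unused-bits octet, so this scan finds those as well.

def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; returns (length, pos_after) or None."""
    if pos >= len(buf):
        return None
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        return None                     # indefinite or absurd length: not a DER key
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def _read_uint(buf, pos):
    """Decode a non-negative DER INTEGER at buf[pos]; returns (value, pos_after) or None."""
    if pos >= len(buf) or buf[pos] != 0x02:
        return None
    r = _read_len(buf, pos + 1)
    if r is None:
        return None
    length, pos = r
    if length == 0 or pos + length > len(buf) or buf[pos] & 0x80:
        return None                     # empty or negative: never a valid RSA parameter
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def find_rsa_public_keys(buf, min_bits=128):
    """Return [(offset, n, e)] for every well-formed RSAPublicKey SEQUENCE in buf.

    min_bits is low enough for the 128-bit demo key from the thread; raise it to
    1024 on real targets to cut false positives.
    """
    hits = []
    for off in range(len(buf)):
        if buf[off] != 0x30:
            continue
        r = _read_len(buf, off + 1)
        if r is None:
            continue
        seq_len, pos = r
        end = pos + seq_len
        if end > len(buf):
            continue
        rn = _read_uint(buf, pos)
        if rn is None:
            continue
        n, pos = rn
        re_ = _read_uint(buf, pos)
        if re_ is None:
            continue
        e, pos = re_
        # Exactly two INTEGERs filling the SEQUENCE, with values that make sense as an RSA key.
        if pos != end or n.bit_length() < min_bits or n % 2 == 0 or e < 3 or e % 2 == 0 or e >= n:
            continue
        hits.append((off, n, e))
    return hits


# --- constructed sample data (DER encoder is only here to build the sample) ---------------

def _der_len(length):
    if length < 0x80:
        return bytes([length])
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_uint(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body           # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n, e):
    body = _der_uint(n) + _der_uint(e)
    return b"\x30" + _der_len(len(body)) + body


SAMPLE_N = 0x80C07AFC9D25404D6555B9ACF3567CF1   # n and e from the demo case in post #8
SAMPLE_E = 0x10001


def build_sample_blob():
    """Constructed blob: junk, a decoy SEQUENCE, n as a raw big-endian buffer, the DER key."""
    junk = b"\xde\xad\xbe\xef" * 4 + b"\x30\x03\x02\x01\x05"   # decoy: SEQUENCE { INTEGER 5 }
    raw_n = SAMPLE_N.to_bytes(16, "big")                       # a "random" key as it sits in memory
    der = der_rsa_public_key(SAMPLE_N, SAMPLE_E)
    blob = junk + raw_n + der + b"\xcc" * 8
    return blob, len(junk) + len(raw_n)


if __name__ == "__main__":
    blob, der_offset = build_sample_blob()
    for off, n, e in find_rsa_public_keys(blob):
        print("RSAPublicKey at offset %d: n=%X e=%X" % (off, n, e))
    print("raw modulus at offset %d is not reported" % (der_offset - 16))
```

Against a target like the one in this thread, run find_rsa_public_keys over the ELF's data sections and over a memory dump taken at the RSA call; a hit means the key is DER-encoded somewhere, no hit means it is either a bare buffer or built at runtime, and a different approach (following the BIGNUM pointers in the RSA object) is needed.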