Exetools  

#1 - TempoMat (Friend), 06-03-2021, 23:05
Any current Crypto Scanners or tools like KANAL in use?

Hi,

Are there any current, scriptable (for signature updates) programs for the detection of cryptographic algorithms in executable files, like KANAL for PEiD, in use by some members here in this forum?

I have been searching on the web for some time now without success.

I have some old programs, most of which were downloaded as far back as 2001 that I have found now to contain compiled cryptographic algorithms that are not at all or falsely detected by the likes of KANAL, SND_RT Crypto Scanner or several crypto plug-ins for IDA.

Typical examples are some compiled crypto functions in some KingConvert software, with a Golden Ratio-like initialization table typical of TEAN, the RCs and so on, but it uses some constants of the DES S-box. The decryption routine seems symmetric and has similarities to DES, AES, Rijndael, but is not any of these, or at least not any of the common ones I know of.

Also it would be great to have the possibility to update the signatures for the detection of protections like OnGuard, TRegware, Matrix Encryption, which I have found in old and current software I have managed to keygen.

In this short intro of the article from 2019 the authors Han Seong Lee and Hyung-Woo Lee write:
Quote:
Executable binary files can be developed using cryptographic modules using open libraries such as OpenSSL and Crypto++ in Windows environments. To determine the embedded encryption algorithms and detect cryptographic modules used in binary files, a high degree of knowledge on internal structure is required in de-assembling and analyzing. And the reverse engineering process on executable binary file is very difficult. Therefore, we developed an automatic detection tool that can automatically detect the cryptographic algorithm to efficiently analyze cryptographic algorithms as a form of IDA plug-in module. This tool can be used to detect and track cryptographic algorithms used in arbitrary executables on Windows OS system.
Unfortunately there was no mention of the name of the plug-in so that it can be sought for.

Regards,
TemPoMat
#2 - sh3dow (Family), 06-04-2021, 00:41
It would be really helpful if you named the several crypto plug-ins for IDA that you used to make it easier for both of us, so we don't give you the same plug-ins you already used and find unhelpful and to prevent wasting time.
#3 - TempoMat (Friend), 06-04-2021, 02:14
These are the crypto signatures I have and mostly use:

RESIGSv018PUB.sig
FGint.sig
FGintPackage.sig

ECElGamal.sig
ECDSA.sig
ECGFp.sig
FGIntRSA.sig
FGIntPrimeGeneration.sig
FGIntGOSTDSA.sig
FGintElGamal.sig
FGIntDSA.sig
#4 - chants (VIP), 06-04-2021, 09:35
This sounds like a perfect case for FLIRT signatures especially if public libraries or reference implementations are involved.

One thought is also to look for signatures for big integer implementations in commonly used libraries like GNU MP/GMP, or Boost, which has cpp_int, and libtommath, TTMath, BIGINT of OpenSSL, etc. Granted, this covers mostly public key crypto like RSA or ECDSA. And there are so many libraries with so many versions that it would be time consuming to be thorough. And symmetric ciphers or hash functions, which aren't using such arithmetic but mixing, like AES and DES, would rely solely on specific signatures.

Of course with custom implementations, which is not hard to do even for big integers, it becomes nearly impossible and you are stuck with heuristics and common patterns. Even S-boxes are customizable, and it's known to be done as long as the math behind it correctly preserves the security of the affine transforms.

It would be really nice to have a huge signature database of the common ones though as most developers are not engineering custom solutions.

Also, if the Windows API is used, it shouldn't be hard to check the DLL imports.
#5 - TQN (VIP, Vietnam), 06-04-2021, 10:02
You can try this plugin: https://github.com/HongThatCong/FindCrypt3
This plugin is not done yet.
#6 - sh3dow (Family), 06-04-2021, 16:23
Quote:
Originally Posted by TempoMat
Unfortunately there was no mention of the name of the plug-in so that it can be
The tool they developed wasn't open source, and this is the problem with academic publishing, so the name of it wouldn't help you at all. Though they mentioned many tools; you can find them here [https://ieeexplore.ieee.org/document/8866910/references#references]

I used my university email hoping he will send the code to me and I will share it here.

--

In the meantime there:

1- Findcrypt and Findcrypt2 and FindCrypt3

2- Findcrypt-yara (Yara based)

3- idascope
- https://hex-rays.com/contests_details/contest2012/#idascope
- https://pnx-tf.blogspot.com/2012/07/introducing-idascope.html
- https://danielplohmann.github.io/blog/2012/08/15/crypto_identification.html

4- IDAsignsrch, and its original commandline version
- http://www.macromonkey.com/bb/index.php/topic,22.0.html
- https://hex-rays.com/contests_details/contest2012/#IDA_Signsrch

Last edited by sh3dow; 06-04-2021 at 16:35. Reason: Fix Formating
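The constant-matching approach behind FindCrypt and findcrypt-yara (post #6), together with the caveat in post #4 that ciphers and hashes like AES, DES or MD5 are only identifiable by specific signatures and that Windows API use shows up in the imports, as an added, stand-alone example that is not code from any of the tools named in this thread: a small Python scanner that searches a byte blob for well-known published constants in both byte orders, plus a string search for CryptoAPI/CNG import names. The constant values are the published ones (TEA/XTEA delta, AES forward S-box, MD4/MD5/SHA-1 initial state, SHA-256 round constants, CRC-32 reflected polynomial); the sample blob, the signature labels and the `scan_constants` / `scan_api_names` / `build_sample` function names are my own constructions.

```python
"""Constant-based crypto scanner in the spirit of FindCrypt / findcrypt-yara.
Added example; not code from FindCrypt, findcrypt-yara or any tool in the thread."""
import struct
from typing import Dict, List, Tuple

# Published 32-bit constants, listed as word sequences. They are packed in both
# byte orders at scan time because compiled code stores them in native order.
WORD_SIGNATURES: Dict[str, Tuple[int, ...]] = {
    "TEA/XTEA delta (golden ratio)": (0x9E3779B9,),
    # MD4, MD5 and SHA-1 share these four initial state words, so a hit here
    # narrows the candidates but does not pick one on its own.
    "MD4/MD5/SHA-1 initial state": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "SHA-256 round constants (first four)": (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
    "CRC-32 reflected polynomial": (0xEDB88320,),
}

# Byte tables are matched as-is: the first 16 bytes of the AES forward S-box.
BYTE_SIGNATURES: Dict[str, bytes] = {
    "AES S-box (first 16 bytes)": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
}

# Import names a Windows binary resolves when it uses CryptoAPI or CNG.
API_NAMES: Tuple[bytes, ...] = (
    b"CryptAcquireContextA", b"CryptAcquireContextW", b"CryptCreateHash",
    b"CryptHashData", b"CryptEncrypt", b"CryptDecrypt",
    b"BCryptOpenAlgorithmProvider", b"BCryptEncrypt", b"BCryptDecrypt", b"BCryptHashData",
)


def _find_all(haystack: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in haystack."""
    hits, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_constants(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (signature name, offset, encoding) for every hit, ordered by offset."""
    hits: List[Tuple[str, int, str]] = []
    for name, words in WORD_SIGNATURES.items():
        for prefix, label in (("<", "little-endian"), (">", "big-endian")):
            needle = b"".join(struct.pack(prefix + "I", w) for w in words)
            hits.extend((name, off, label) for off in _find_all(blob, needle))
    for name, table in BYTE_SIGNATURES.items():
        hits.extend((name, off, "byte table") for off in _find_all(blob, table))
    return sorted(hits, key=lambda hit: hit[1])


def scan_api_names(blob: bytes) -> List[str]:
    """Crude stand-in for walking the PE import table: look for the import name
    strings themselves. Covers a static import directory; it misses names that
    are only resolved at run time through GetProcAddress."""
    return sorted(name.decode() for name in API_NAMES if name in blob)


def build_sample() -> bytes:
    """Constructed stand-in for a PE section: padding, a TEA delta embedded as
    an x86 immediate (B8 = mov eax, imm32), an AES S-box prefix, the MD5
    initial state as little-endian words, and one import name string."""
    return (
        b"MZ" + b"\x90" * 62                                   # offsets 0..63
        + b"\xb8" + struct.pack("<I", 0x9E3779B9)              # delta at 65..68
        + b"\xcc" * 16                                         # 69..84
        + bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")    # S-box at 85..100
        + bytes.fromhex("ca82c97d") + b"\x00" * 7              # 101..111
        + struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # IV at 112
        + b"\x00ADVAPI32.dll\x00CryptAcquireContextW\x00"
    )


def report(blob: bytes) -> Dict[str, object]:
    """Summary an analyst can act on: constants found and APIs referenced."""
    return {"constants": scan_constants(blob), "apis": scan_api_names(blob)}


if __name__ == "__main__":
    for name, off, enc in scan_constants(build_sample()):
        print(f"{off:#06x}  {enc:14s} {name}")
    print("APIs:", scan_api_names(build_sample()))
```

Two caveats a practitioner should keep in mind when extending the tables: a single-word signature such as the TEA delta or the CRC-32 polynomial will produce false positives in a large binary and is best treated as a hint to be confirmed by looking at the surrounding code, and compiled S-boxes are not always stored in their textbook layout (T-tables, transposed or per-round copies are common), which is exactly why the thread's custom KingConvert routine slips past the existing scanners.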
#7 - JMP-JECXZ (Friend), 06-10-2021, 14:52
Keygener Assistant can detect crypto too.