Exetools

#1 - 06-03-2021, 23:05 - TempoMat (Friend)
Any current Crypto Scanners or tools like KANAL in use?

Hi,

Are there any current, scriptable (for signature updates) programs for detecting cryptographic algorithms in executable files, like KANAL for PEiD, that members of this forum use?

I have been searching on the web for some time now without success.

I have some old programs, most of them downloaded as far back as 2001, which I have now found to contain compiled cryptographic algorithms that are either not detected at all or falsely detected by the likes of KANAL, SND_RT Crypto Scanner or several crypto plug-ins for IDA.

Typical examples are some compiled crypto functions in some KingConvert software, with a Golden Ratio-like initialization table typical of TEAN, the RCs and so on, but which use some constants of the DES S-box. The decryption routine seems symmetric and has similarities to DES, AES, Rijndael, but is not any of these, at least not any of the common ones I know of.

Also, it would be great to have the possibility of updating the signatures for the detection of protections like OnGuard, TRegware and Matrix Encryption, which I have found in old and current software I have managed to keygen.

In this short intro of the article from 2019 the authors Han Seong Lee and Hyung-Woo Lee write:
Quote:
Executable binary files can be developed using cryptographic modules using open libraries such as OpenSSL and Crypto++ in Windows environments. To determine the embedded encryption algorithms and detect cryptographic modules used in binary files, a high degree of knowledge on internal structure is required in de-assembling and analyzing. And the reverse engineering process on executable binary file is very difficult. Therefore, we developed an automatic detection tool that can automatically detect the cryptographic algorithm to efficiently analyze cryptographic algorithms as a form of IDA plug-in module. This tool can be used to detect and track cryptographic algorithms used in arbitrary executables on Windows OS system
Unfortunately there was no mention of the plug-in's name, so it could not be searched for.

Regards,
TemPoMat
#2 - 06-04-2021, 00:41 - sh3dow (Family)
It would be really helpful if you named the several crypto plug-ins for IDA that you have used, to make it easier for both of us, so that we don't give you the same plug-ins you have already used and found unhelpful, and to avoid wasting time.
#3 - 06-04-2021, 02:14 - TempoMat (Friend)
These are the crypto signatures I have and mostly use:

RESIGSv018PUB.sig
FGint.sig
FGintPackage.sig

ECElGamal.sig
ECDSA.sig
ECGFp.sig
FGIntRSA.sig
FGIntPrimeGeneration.sig
FGIntGOSTDSA.sig
FGintElGamal.sig
FGIntDSA.sig
#4 - 06-04-2021, 09:35 - chants (VIP)
This sounds like a perfect case for FLIRT signatures, especially if public libraries or reference implementations are involved.

One thought is also to look for signatures of big-integer implementations in commonly used libraries like GNU MP (GMP), Boost's cpp_int, libtommath, TTMath, the BIGINT of OpenSSL, etc. Granted, this covers mostly public-key crypto like RSA or ECDSA. And there are so many libraries with so many versions that it would be time-consuming to be thorough. Symmetric ciphers or hash functions which aren't using such arithmetic but mixing, like AES and DES, would rely solely on specific signatures.

Of course, with custom implementations, which is not hard to do even for big integers, it becomes nearly impossible and you are stuck with heuristics and common patterns. Even S-boxes are customizable, and it's known to be done as long as the math behind it correctly preserves the security of the affine transforms.

It would be really nice to have a huge signature database of the common ones though as most developers are not engineering custom solutions.

Also if Windows API is used, it shouldn't be hard to check the DLL imports.
#5 - 06-04-2021, 10:02 - TQN (VIP)
You can try this plugin: https://github.com/HongThatCong/FindCrypt3
This plugin is not done yet.
#6 - 06-04-2021, 16:23 - sh3dow (Family)
Quote:
Originally Posted by TempoMat
Unfortunately there was no mention of the name of the plug-in so that it can be
The tool they developed wasn't open source, and this is the problem with academic publishing, so the name of it wouldn't help you at all. Though they mentioned many tools; you can find them here [https://ieeexplore.ieee.org/document/8866910/references#references]

I used my university email hoping he will send the code to me and I will share it here.

--


In the meantime there:

1- Findcrypt and Findcrypt2 and FindCrypt3

2- Findcrypt-yara (Yara based)

3- idascope
- https://hex-rays.com/contests_details/contest2012/#idascope
- https://pnx-tf.blogspot.com/2012/07/introducing-idascope.html
- https://danielplohmann.github.io/blog/2012/08/15/crypto_identification.html

4- IDAsignsrch, and its original commandline version
- http://www.macromonkey.com/bb/index.php/topic,22.0.html
- https://hex-rays.com/contests_details/contest2012/#IDA_Signsrch

#7 - 06-10-2021, 14:52 - JMP-JECXZ (Friend)
Keygener Assistant can detect crypto too
#8 - 06-15-2021, 05:06 - TempoMat (Friend)
Quote:
Originally Posted by sh3dow
Thanks for the links.

Sorry for forgetting to mention earlier that I have had and tried the FindCrypt and FindCrypt2 plugins already.
They were mostly useless in detecting cryptos in most of the apps I have tried them on, so I rarely use them.

FindCrypt3 is for v7.x so I can't test it right now.

I downloaded and tried to use the ida-sigsearch plugin without success.
It turned out it was not compatible with IDA 6.1, which was the version I was using until now.
I managed to get v6.8 (as the author of the plugin had stated that it was tested on v6.5) and was able to invoke it.
However, the result wasn't all that promising.
There was even a false positive for a TEA hit on a modified MD5 init table with the TEA key schedule constant 0x9E3779B9.

Running the Idascope.py script gives errors on line 41 in idascope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If I am able to resolve the issues and run it successfully, I will report back with my findings.
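The thread asks for a scriptable KANAL-style scanner (post #1), suggests checking for Windows crypto API imports (post #4), and reports a TEA false positive raised by a lone 0x9E3779B9 next to a modified MD5 table (post #8). The following is an added example illustrating all three points; it is not code from the thread or from any of the plug-ins named in it. It is plain Python 3 with no third-party packages. The constants are the well-known MD5/SHA-1 initial-state words, the TEA delta and its 32-round decryption start value, and the first rows of the AES S-box and inverse S-box; the signature table layout, the `min_hits` threshold, the function names and the two sample byte buffers are constructed for this illustration and stand in for real binaries.

```python
# Added example: a minimal, scriptable KANAL-style crypto constant scanner.
# Not from the thread; constants are public, sample buffers are constructed.
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    dwords: tuple = ()   # 32-bit constants, matched in both byte orders
    blobs: tuple = ()    # literal byte runs such as S-box rows
    min_hits: int = 1    # distinct constants needed for a confirmed hit


# Small built-in table; extend it by appending entries or loading them from a file.
SIGNATURES = (
    Signature("MD5 initial state",
              (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476), min_hits=4),
    Signature("SHA-1 initial state",
              (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0), min_hits=5),
    # 0x9E3779B9 alone also turns up in hash-mixing code (e.g. hash_combine), so a
    # TEA/XTEA verdict additionally requires the decryption start value 32*delta mod 2^32.
    Signature("TEA/XTEA", (0x9E3779B9, 0xC6EF3720), min_hits=2),
    Signature("AES S-box", blobs=(bytes.fromhex("637c777bf26b6fc5"),)),
    Signature("AES inverse S-box", blobs=(bytes.fromhex("52096ad53036a538"),)),
)

# CryptoAPI/CNG import names usually survive as ASCII in the import name table.
CRYPTO_API_NAMES = (b"CryptAcquireContext", b"CryptEncrypt", b"CryptDecrypt",
                    b"CryptHashData", b"BCryptOpenAlgorithmProvider",
                    b"BCryptEncrypt", b"NCryptSignHash")


def _find_all(haystack: bytes, needle: bytes):
    """Yield every offset at which needle occurs in haystack (overlaps allowed)."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def scan(data: bytes) -> dict:
    """Return {signature name: {"found": {constant: [offsets]}, "confirmed": bool}}."""
    results = {}
    for sig in SIGNATURES:
        found = {}
        for c in sig.dwords:
            offs = []
            for pattern in (struct.pack("<I", c), struct.pack(">I", c)):
                offs.extend(_find_all(data, pattern))
            if offs:
                found[f"0x{c:08X}"] = sorted(offs)
        for blob in sig.blobs:
            offs = list(_find_all(data, blob))
            if offs:
                found[blob.hex()] = offs
        if found:
            results[sig.name] = {"found": found, "confirmed": len(found) >= sig.min_hits}
    return results


def find_crypto_apis(data: bytes) -> list:
    """Cheap import check: which known Windows crypto API names occur as strings."""
    return sorted(n.decode() for n in CRYPTO_API_NAMES if n in data)


def report(data: bytes) -> list:
    """Human-readable lines, one per matched constant plus one per API name."""
    lines = []
    for name, hit in scan(data).items():
        tag = "confirmed" if hit["confirmed"] else "partial"
        for const, offs in hit["found"].items():
            lines.append(f"{name} [{tag}] {const} @ {', '.join(hex(o) for o in offs)}")
    for api in find_crypto_apis(data):
        lines.append(f"import/API string: {api}")
    return lines


# Constructed sample 1: MD5 init table, TEA delta and decrypt sum, an AES S-box row
# and a CryptoAPI import name, padded with filler bytes (not a real binary).
SAMPLE_REAL = (b"\x90" * 16
               + struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
               + b"\xcc" * 8
               + struct.pack("<I", 0x9E3779B9) + struct.pack("<I", 0xC6EF3720)
               + bytes.fromhex("637c777bf26b6fc5")
               + b"\x00CryptAcquireContextA\x00")
# Constructed sample 2, the false-positive case from post #8: a modified MD5 table
# (last word changed) next to a lone 0x9E3779B9 and no 0xC6EF3720 anywhere.
SAMPLE_FP = (b"\x90" * 16
             + struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325477)
             + b"\xcc" * 8
             + struct.pack("<I", 0x9E3779B9))

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_REAL), ("false-positive sample", SAMPLE_FP)):
        print(f"== {label}")
        print("\n".join(report(blob)))
```

To run it against a real file, call `report(open(path, "rb").read())`. Because the TEA delta is also used as a hash multiplier, the table requires the decryption start value as well before confirming TEA, which is why the constructed false-positive buffer is reported only as a partial hit; a partial MD5 hit on three of four words is likewise the honest answer for a modified init table. New signatures go into the table (or a file it is loaded from) without touching the scanner.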
#9 - 06-15-2021, 05:17 - TempoMat (Friend)
Quote:
Originally Posted by JMP-JECXZ
Keygener Assistant can detect crypto too
Thanks for the tip.
I have never used that option until I read your post.
Well, interestingly, it was able to detect TRegware in all the apps I tested it on that use this routine for their serials.
Generally, it gave a lot of false positives for cryptos with most of the apps, but hits on Hashes were mostly accurate.
#10 - 06-15-2021, 19:33 - sh3dow (Family)
Quote:
Originally Posted by TempoMat
Thanks for the links.
Running Idascope.py script gives errors on line 41 in idscope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If am able to resolve the issues to run it successfully, I will report back with my findings.

Install Requests library.

Code:
    python -m pip install requests