Exetools  

  #1  
Old 12-24-2014, 20:04
The Old Pirate
Help identify crypto

Hi all.

How do you identify the cipher based on the assembly code of the encryption algorithm? I tried to use tools such as IDAScope, signsrch, etc., but none of them found any constants (the program is not obfuscated).

I think the cipher in question is a common one, but I am unable to tell which one. From what I see, the ciphertext is a 256-byte block. There is also a static array in the code of which the first 256 bytes are taken (the key?). Then I see both blocks are copied in memory in reverse order, and then the magic is done.

Is anyone able to recognize it based on this description?
  #2  
Old 12-25-2014, 00:52
nikre
try cc or kanal for peid?
  #3  
Old 12-25-2014, 03:12
The Old Pirate
Yes, I tried these too, unfortunately to no avail. Even by looking over the assembly code of the algo I couldn't locate any specific constants (except for 0x8000, 0xFFFD, 0xFFFE, 0xFFFF and 0x10000).

Some additional info: the resulting plaintext message is 256 bytes long as well. From what I see, during the decryption process the encrypted block undergoes many transformations (at some point it even doubles its size).

Any guess?
  #4  
Old 12-25-2014, 03:40
RedBlkJck
Those constants are seen when computing CRC16. I would think the scanner would pick that up, though.
Perhaps it's a compression instead?

  #5  
Old 12-26-2014, 19:30
sh3dow
You can use the FindCrypt plugin for IDA Pro: http://www.hexblog.com/?p=27

While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.

The idea behind it is pretty simple: since almost all crypto algorithms use magic constants, we will just look for these constants in the program body. Here is how we would do it manually:
http://www.sockpuppet.org/tqbf/log/2006/01/two-things.html
This approach will fail if the S-boxes have been altered, but in most cases they are untouched (can you admit that you understand all consequences of modifying an S-box, say, in AES?).
The plugin supports virtually all crypto algorithms and hash functions. I also added the zlib library constants to the list just for the user convenience. Here is the full list:

    Blowfish
    Camellia
    CAST
    CAST256
    CRC32
    DES
    GOST
    HAVAL
    MARS
    MD2
    MD4
    MD5
    PKCS_MD2 (byte sequence used in PKCS envelope)
    PKCS_MD5 (byte sequence used in PKCS envelope)
    PKCS_RIPEMD160 (byte sequence used in PKCS envelope)
    PKCS_SHA256 (byte sequence used in PKCS envelope)
    PKCS_SHA384 (byte sequence used in PKCS envelope)
    PKCS_SHA512 (byte sequence used in PKCS envelope)
    PKCS_Tiger (byte sequence used in PKCS envelope)
    RawDES
    RC2
    RC5
    RC6
    Rijndael
    SAFER
    SHA-1
    SHA-256
    SHA-512
    SHARK
    SKIPJACK
    Square
    Tiger
    Twofish
    WAKE
    Whirlpool
    zlib
Please note that the list does not contain the IDEA algorithm because it usually builds its tables on the fly. Other algorithms can be added if needed.
The plugin is very easy to use: just select it from the plugins menu and it will do its job. At the end it will display a message box like this:
http://www.hexblog.com/ida_pro/pix/f...t_finished.gif
It also will rename all found arrays and put them in the marked location list:
http://www.hexblog.com/ida_pro/pix/findcrypt_marks.gif
The same approach can be used to find other magic constants and strings. The plugin can also be automated: just hook to the ph.newfile processor module event and run the search.
The source code, as usual, comes with the plugin: findcrypt.zip
Have (cryptic) fun!
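A minimal stand-alone version of the constant-matching idea from the quoted FindCrypt post, added here as an example (it is not the plugin's code and not any poster's). The signature table holds only the public MD5, SHA-256 and CRC-32 constants, the "program image" is constructed inline, and the tampered variant reproduces the altered-constant case the post says defeats this approach, which is also the situation the OP reports (no constants found).

```python
import struct

# Tiny table of public magic constants (FindCrypt ships a far larger one).
SIGNATURES = {
    # SHA-256 initial hash values H0..H7
    "SHA-256": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19],
    # Entries 1..4 of the reflected CRC-32 (poly 0xEDB88320) lookup table
    "CRC32": [0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419],
    # MD5 round constants T[1..4] = floor(abs(sin(i)) * 2**32)
    "MD5": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
}


def build_patterns(sigs=SIGNATURES):
    """Serialise each constant list in both byte orders, as a compiler would."""
    pats = []
    for name, words in sigs.items():
        for endian, label in (("<", "little"), (">", "big")):
            pats.append((name, label, struct.pack(f"{endian}{len(words)}I", *words)))
    return pats


def scan(blob: bytes, sigs=SIGNATURES):
    """Return (algorithm, byte order, offset) for every constant run found."""
    hits = []
    for name, label, pat in build_patterns(sigs):
        off = blob.find(pat)
        while off != -1:
            hits.append((name, label, off))
            off = blob.find(pat, off + 1)
    return hits


def build_sample(tamper=False) -> bytes:
    """Constructed stand-in for a program image: 16 filler bytes, the SHA-256 IV
    at offset 16, 32 zero bytes, then the CRC-32 table fragment at offset 80.
    With tamper=True one bit of the first IV word is flipped, which is enough
    to make an exact-match constant scanner miss the whole SHA-256 table."""
    sha = list(SIGNATURES["SHA-256"])
    if tamper:
        sha[0] ^= 0x1
    filler = bytes(range(16))
    return (filler + struct.pack("<8I", *sha) + bytes(32)
            + struct.pack("<4I", *SIGNATURES["CRC32"]) + filler)


if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered" if tamper else "intact", scan(build_sample(tamper)))
```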
  #6  
Old 12-27-2014, 04:15
The Old Pirate
Findcrypt doesn't find anything. I can't find any constants similar to those from the findcrypt source code in the disassembly of the algo. I also don't believe it's a compression, since the output has the same length as the input.