#1
|
|||
|
|||
Help identify crypto
Hi all.
How do you identify the cipher based on the assembly code of the encryption algorithm? I tried to use tools such as IDAScope, signsrch etc but none of them have found any constants (the program is not obfuscated). I think the cipher in question is a common one but I am unable to tell which one. From what I see the ciphertext is a 256-byte block. There is also a static array in the code of which first 256 bytes are taken (the key?). Then I see both blocks are copied in memory in reverse order and then the magic is done. Is anyone able to recognize it based on this description?
__________________
http://youtu.be/H0QfVDebLFg Last edited by The Old Pirate; 12-24-2014 at 20:43. |
#2
|
||||
|
||||
try cc or kanal for peid ?
|
The Following User Gave Reputation+1 to nikre For This Useful Post: | ||
The Old Pirate (12-27-2014) |
#3
|
|||
|
|||
Yes, I tried these too, unfortunately to no avail. Even by looking over the assembly code of the algo I couldn't locate any specific constants (except for 0x8000, 0xFFFD, 0xFFFE, 0xFFFF and 0x10000).
Some additional info: the resulting plaintext message is 256 bytes long as well. From what I see, during the decryption process the encrypted block undergoes many tranformations (at some point even doubles it's size). Any guess?
__________________
http://youtu.be/H0QfVDebLFg Last edited by The Old Pirate; 12-25-2014 at 03:19. |
#4
|
|||
|
|||
Those constants are seen when computing CRC16. I would think the scanner would pick that up tho.
Perhaps its a compression instead? Last edited by RedBlkJck; 12-25-2014 at 03:44. Reason: add on |
The Following User Gave Reputation+1 to RedBlkJck For This Useful Post: | ||
The Old Pirate (12-27-2014) |
#5
|
|||
|
|||
you can use FindCrypt plugin for ida pro http://www.hexblog.com/?p=27
While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions. The idea behind it pretty simple: since almost all crypto algorithms use magic constants, we will just look for these constants in the program body. Here is how we would do it manually: http://www.sockpuppet.org/tqbf/log/2006/01/two-things.html This approach will fail if the S-boxes have been altered but in most cases they are untouched (can you admit that you understand all consequences of modifying an S-box, say, in AES?) The plugin supports virtually all crypto algorithms and hash functions. I also added the zlib library constants to the list just for the user convenience. Here is the full list: PHP Code:
The plugin is very easy to use ¨C just select it from the plugins menu and it will do its job. At the end it will display a message box like this: http://www.hexblog.com/ida_pro/pix/f...t_finished.gif It also will rename all found arrays and put them in the marked location list: http://www.hexblog.com/ida_pro/pix/findcrypt_marks.gif The same approach can be used to find other magic constants and strings. The plugin can also be automated ¨C just hook to the ph.newfile processor module event and run the search. The source code, as usual, comes with the plugin: findcrypt.zip Have (cryptic) fun! |
The Following User Gave Reputation+1 to sh3dow For This Useful Post: | ||
The Old Pirate (12-27-2014) |
#6
|
|||
|
|||
Findcrypt doesn't find anything. I can't find any constants similar to these from findcrypt source code in the disassembly of the algo. I also don't believe it's a compression since the output has the same length as input.
__________________
http://youtu.be/H0QfVDebLFg |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Identify an unknown 64 bit Packer | Kurapica | General Discussion | 1 | 07-06-2021 01:05 |
How to identify the address where the test is done? | byvs | General Discussion | 13 | 10-25-2016 08:40 |
Trying to identify crypto algorithm | SiNTAX | General Discussion | 4 | 06-17-2010 03:23 |