#1 TempoMat (Friend), 06-03-2021, 23:05
Any current Crypto Scanners or tools like KANAL in use?

Hi,

Are there any current, scriptable (for signature updates) programs for the detection of cryptographic algorithms in executable files, like KANAL for PEiD, in use by some members here in this forum?

I have been searching on the web for some time now without success.

I have some old programs, most of which were downloaded as far back as 2001 that I have found now to contain compiled cryptographic algorithms that are not at all or falsely detected by the likes of KANAL, SND_RT Crypto Scanner or several crypto plug-ins for IDA.

Typical examples are some compiled crypto functions in some KingConvert software, with a Golden Ratio-like initialization table typical of TEAN, the RCs and so on, but it uses some constants of the DES S-Box. The decryption routine seems symmetric and has similarities to DES, AES, Rijndael, but yet is not any of these, at least not any of the common ones I know of.

Also it would be great to have the possibility to update the signatures for the detection of protections like OnGuard, TRegware, Matrix Encryption, which I have found in old and current software I have managed to keygen.

In this short intro of the article from 2019 the authors Han Seong Lee and Hyung-Woo Lee write:
Quote:
Executable binary files can be developed using cryptographic modules using open libraries such as OpenSSL and Crypto++ in Windows environments. To determine the embedded encryption algorithms and detect cryptographic modules used in binary files, a high degree of knowledge on internal structure is required in de-assembling and analyzing. And the reverse engineering process on executable binary file is very difficult. Therefore, we developed an automatic detection tool that can automatically detect the cryptographic algorithm to efficiently analyze cryptographic algorithms as a form of IDA plug-in module. This tool can be used to detect and track cryptographic algorithms used in arbitrary executables on Windows OS system.
Unfortunately there was no mention of the name of the plug-in, so that it could be searched for.

Regards,
TemPoMat
#2 sh3dow (Family), 06-04-2021, 00:41
It would be really helpful if you named the several crypto plug-ins for IDA that you used to make it easier for both of us, so we don't give you the same plug-ins you already used and find unhelpful and to prevent wasting time.
#3 TempoMat (Friend), 06-04-2021, 02:14
These are the crypto signatures I have and mostly use:

RESIGSv018PUB.sig
FGint.sig
FGintPackage.sig

ECElGamal.sig
ECDSA.sig
ECGFp.sig
FGIntRSA.sig
FGIntPrimeGeneration.sig
FGIntGOSTDSA.sig
FGintElGamal.sig
FGIntDSA.sig
#4 chants (VIP), 06-04-2021, 09:35
This sounds like a perfect case for FLIRT signatures especially if public libraries or reference implementations are involved.

One thought is also to look for signatures for big integer implementations in commonly used libraries like GNU MP (gmp), Boost's cpp_int, libtommath, TTMath, BIGINT of OpenSSL, etc. Granted, this covers mostly public key crypto like RSA or ECDSA. And there are so many libraries with so many versions that it would be time consuming to be thorough. And symmetric ciphers or hash functions which aren't using such arithmetic but mixing, like with AES and DES, would rely solely on specific signatures.

Of course with custom implementations, which are not hard to do even for big integer, it becomes nearly impossible and you are stuck with heuristics and common patterns. Even S-Boxes are customizable, and it's known to be done as long as the math behind it correctly preserves the security of the affine transforms.

It would be really nice to have a huge signature database of the common ones though as most developers are not engineering custom solutions.

Also if Windows API is used, it shouldn't be hard to check the DLL imports.
#5 TQN (VIP, Vietnam), 06-04-2021, 10:02
You can try this plugin: https://github.com/HongThatCong/FindCrypt3
This plugin is not done yet.
#6 sh3dow (Family), 06-04-2021, 16:23
Quote (Originally Posted by TempoMat):
Unfortunately there was no mention of the name of the plug-in so that it can be
The tool they developed wasn't open source, and this is the problem of academic publishing, so the name of it wouldn't help you at all. Though they mentioned many tools; you find them here: https://ieeexplore.ieee.org/document/8866910/references#references

I used my university email hoping he will send the code to me and I will share it here.

--


In the meantime there:

1- Findcrypt and Findcrypt2 and FindCrypt3

2- Findcrypt-yara (Yara based)

3- idascope
- https://hex-rays.com/contests_details/contest2012/#idascope
- https://pnx-tf.blogspot.com/2012/07/introducing-idascope.html
- https://danielplohmann.github.io/blog/2012/08/15/crypto_identification.html

4- IDAsignsrch, and its original commandline version
- http://www.macromonkey.com/bb/index.php/topic,22.0.html
- https://hex-rays.com/contests_details/contest2012/#IDA_Signsrch

#7 JMP-JECXZ (Friend), 06-10-2021, 14:52
Keygener Assistant can detect crypto too
#8 TempoMat (Friend), 06-15-2021, 05:06
Quote (Originally Posted by sh3dow):
Thanks for the links.

Sorry for forgetting to mention earlier that I have had and tried the FindCrypt and FindCrypt2 plugins already.
They were mostly useless in detecting cryptos in most of the apps I have tried them on, so I rarely use them.

FindCrypt3 is for v7.x so I can't test it right now.

I downloaded and tried to use the ida-sigsearch plugin without success.
It turned out it was not compatible to the IDA 6.1, which was the version I was using until now.
I managed to get a v6.8 (as the author of the plugin had stated that it was tested on v6.5) and was able to invoke it.
However the result wasn’t all that promising.
There was even a false positive for a TEA hit on a modified MD5 Init Table with the TEA key schedule const 0x9E3779B9

Running Idascope.py script gives errors on line 41 in idscope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If I am able to resolve the issues to run it successfully, I will report back with my findings.
#9 TempoMat (Friend), 06-15-2021, 05:17
Quote (Originally Posted by JMP-JECXZ):
Keygener Assistant can detect crypto too
Thanks for the tip.
I have never used that option until I read your post.
Well, interestingly, it was able to detect TRegware in all the apps I tested it on that use this routine for their serials.
Generally, it gave a lot of false positives for cryptos with most of the apps, but hits on Hashes were mostly accurate.
#10 sh3dow (Family), 06-15-2021, 19:33
Quote (Originally Posted by TempoMat):
Thanks for the links.
Running Idascope.py script gives errors on line 41 in idscope.py, and subsequently in WinApiProvider.py (on line 36) and Downloader.py (on line 32).
If I am able to resolve the issues to run it successfully, I will report back with my findings.

Install the Requests library:

    python -m pip install requests
#11 TempoMat (Friend), 07-10-2021, 02:47
Quote (Originally Posted by sh3dow):
Install the Requests library:

    python -m pip install requests
I have tried to install requests on different WinOS without success.

In the meantime, I've spent some time reading different papers on the strength of Yara and decided to try to write some rules for OnGuard, Matrix Decryption and TRegware for a start.
It was during this time that I realized for the first time that x64Dbg, at least up to the snapshot from March 28, 2019, had Yara implemented as a dll.
So I decided to test my attempts at the yara rules in it.

It worked most of the time in x64Dbg if I don't use the "pe" and "math" options in the rules, which I needed to limit the scanning only to MZ header files.
Also the version in x64Dbg only scans the file in its current active CPU, even if you select a different directory to scan, and this I presume could be the reason the "pe" option fails.

So in the end I was able to write - thanks to some code snippets from the net - a wrapper in classic VB to execute and capture the result of the console version of the latest compiled yara32.
Tries were made with single files as well as nested folders, with pretty decent results in timing and hits. In the results I have added rules for the signatures of these three modules to the "crypto_signatures.yara" found, for example, at https://github.com/Yara-Rules/rules/tree/master/crypto
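Three points raised in this thread fit together in one small scanner: chants' remark in #4 that a single constant is weak evidence next to a real signature, the TEA false positive in #8 where 0x9E3779B9 sat next to a modified MD5 init table, and the wish in #11 to restrict scanning to MZ files without relying on the yara "pe" module. The following is an added example written for this thread, not code from any poster or from any of the tools named here. The constants are the public MD5, SHA-1 and TEA values; the MZ/PE check reads the header by hand; the sample buffers are constructed; and the group-based "weak"/"strong" confidence scheme is an assumption of the example, not a rule any of the mentioned tools use.

```python
import struct
from typing import Dict, List, Optional


def le32(*words: int) -> List[bytes]:
    """Encode 32-bit constants little-endian, the byte order x86 code and tables use."""
    return [struct.pack("<I", w) for w in words]


# Public, well-known constants grouped per algorithm. A hit on several independent
# groups is far stronger evidence than a single 32-bit value: 0x9E3779B9 on its own is
# just the golden-ratio constant and turns up in hash-mixing and PRNG code unrelated to TEA.
SIGNATURES: Dict[str, Dict[str, List[bytes]]] = {
    "MD5": {
        "init": le32(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
        "sine_table": le32(0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE),
    },
    "SHA-1": {
        "init": le32(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0),
        "round_constants": le32(0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6),
    },
    "TEA": {
        "delta": le32(0x9E3779B9),
        "sum_after_32_rounds": le32(0xC6EF3720),
    },
}


def is_pe(data: bytes) -> bool:
    """MZ/PE check done by hand (no yara 'pe' module): 'MZ' at 0, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan(data: bytes) -> Dict[str, dict]:
    """Report, per algorithm, the constant groups that matched in full and a confidence."""
    report: Dict[str, dict] = {}
    for algo, groups in SIGNATURES.items():
        matched = {}
        for group, consts in groups.items():
            hits = [find_all(data, c) for c in consts]
            if all(hits):  # every constant of the group occurs at least once
                matched[group] = [h[0] for h in hits]  # first offset of each constant
        if matched:
            report[algo] = {
                "groups": matched,
                "confidence": "strong" if len(matched) >= 2 else "weak",
            }
    return report


def scan_pe_bytes(data: bytes) -> Optional[Dict[str, dict]]:
    """Scan only MZ/PE images; anything else is skipped and returns None."""
    return scan(data) if is_pe(data) else None


def build_pe_stub(payload: bytes) -> bytes:
    """Constructed minimal MZ/PE header (not a loadable image) followed by the payload."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header) + payload


# Constructed samples (not taken from any real program):
# 1. The false-positive case from #8: an MD5 init table altered by one bit, the genuine
#    MD5 sine constants, and a lone 0x9E3779B9 that belongs to no TEA key schedule.
SAMPLE_MODIFIED_MD5 = build_pe_stub(
    b"".join(le32(0x67452300, 0xEFCDAB89, 0x98BADCFE, 0x10325476))
    + b"".join(le32(0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE))
    + b"".join(le32(0x9E3779B9))
)
# 2. A real TEA-style routine leaves both delta and the 32-round sum behind.
SAMPLE_REAL_TEA = build_pe_stub(b"".join(le32(0x9E3779B9, 0xC6EF3720)))
# 3. Not a PE file at all, so it is skipped regardless of its content.
SAMPLE_NOT_PE = b"\x7fELF" + b"".join(le32(0x9E3779B9))

if __name__ == "__main__":
    for name, blob in [("modified MD5 + lone delta", SAMPLE_MODIFIED_MD5),
                       ("real TEA", SAMPLE_REAL_TEA), ("ELF", SAMPLE_NOT_PE)]:
        print(name, "->", scan_pe_bytes(blob))
```

On the first sample the scanner reports both MD5 (sine table only) and TEA (delta only) as "weak", which is the honest answer: the init table no longer matches, so it is a modified MD5, and the lone delta is not enough to call it TEA. Grouping constants per algorithm and demanding more than one group is the cheapest way to push the KANAL-style single-constant false positives down without hand-written FLIRT signatures.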
#12 an0rma1 (Friend), 07-20-2021, 03:06
Hi, I was going to suggest Crypto Checker, which, as you said, is not new since 2016, but I've used it with success many times. Anyway, looking for the files online I found this nice listing of programs to analyze specifically crypto stuff:
https://www.manhunter.ru/underground/954_programmi_dlya_poiska_kriptoalgoritmov_v_ispolnyaemih_faylah.html

For binaries packing/modification, I think the best nowadays are ExePeInfo and DIE. I especially like this last one because the database is done via scripting, and for the huge support for DOS stuff.
#13 nathan (Friend), 08-29-2021, 21:37
Any Linux support for crypto checkers?
#14 aliali (Friend), 09-18-2021, 00:53
Quote (Originally Posted by nathan):
Any Linux support for crypto checkers?
This might help you.

https://github.com/Wind-River/crypto-detector