Exetools  

  #1  
Old 08-02-2003, 06:26
5Alive 5Alive is offline
Friend
 
Join Date: Aug 2003
Posts: 82
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 1
Thanks Rcvd at 1 Time in 1 Post
5Alive Reputation: 0
Kanal how does signature analysis work?

Hi guys,
I'm a new member of this great forum. I'm also new to the art of reversing and hoping to reverse a Delphi app.

I scanned the exe with Kanal v2.2 tool and it reports that it contains RC5/RC6 crypto signatures.

Is the signature a recognisable block of bytes which are the opcodes used in the algorithm? Or is a signature defined in some other way?

Be as technical as you want in any reply.

Thanks for your help

  #2  
Old 08-03-2003, 05:34
Nebob
 
Posts: n/a
Most crypto algorithms use certain constants to initialize/assist the computation. It probably searches for these.

For example, md5:

0x67452301;
0xefcdab89;
0x98badcfe;
0x10325476;
  #3  
Old 08-03-2003, 16:19
ArC ArC is offline
VIP
 
Join Date: Jan 2003
Location: NTOSKRNL.EXE
Posts: 172
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 5
Thanks Rcvd at 17 Times in 12 Posts
ArC Reputation: 1
Hmmm.....
If KANAL used those constants for detecting crypto algos in executables, I'd understand why it doesn't show us the address of the crypto code.
Many ppl asked sKAMER whether he could improve KANAL in such a way that it shows us the address of the crypto code.
I'd also understand why it does not detect the RSA algo: 'cause it does not use any constants.
  #4  
Old 08-03-2003, 16:41
an0nymous
 
Posts: n/a
None asked me, if I remember... but I'm busy atm

Try asking snaker - this is dsk*, a deadly-skills-coder

I think this elite hero has much more time than me
  #5  
Old 08-03-2003, 18:21
5Alive
That could be the answer, RC5 uses 2 constants :
1.) the base of natural logarithms
2.) the golden ratio.

I expect RC6 will be the same as this too is a parameterized algorithm where block size, key size, and the number of rounds are variable; with a 2040 bit upper limit on the key size.

Are there any crypto experts on this forum that know how to exploit poorly implemented rc5 code to obtain private keys?

Or has anyone seen keygens for apps that use rc5 in their protection scheme? I need all the help I can get.

All my searches point to the distributed.net site which is of no real help to me.

Thanks for the replies so far.

5Alive
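The constant-matching idea from Nebob's reply, extended with the RC5/RC6 constants mentioned in the post above, as an added example (not part of the thread and not KANAL's own code). It assumes the 32-bit word forms of the RC5 constants (P32 = 0xB7E15163 from e, Q32 = 0x9E3779B9 from the golden ratio); the `window` value and the sample bytes are constructed for illustration.

```python
import struct

# Published algorithm constants (32-bit words). P32/Q32 are the RC5/RC6
# "magic constants" derived from e and the golden ratio.
SIGNATURES = {
    "MD5 init state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "RC5/RC6 magic (P32, Q32)": [0xB7E15163, 0x9E3779B9],
}

def find_dword(data, value):
    """Return every offset where `value` occurs as a little-endian dword."""
    needle = struct.pack("<I", value)
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def scan(data, window=64):
    """Map signature name -> offsets of its first constant, counting a hit
    only when every other constant of the set lies within `window` bytes.
    Requiring the whole set avoids flagging a lone shared constant
    (0x9E3779B9 is also the TEA delta)."""
    results = {}
    for name, consts in SIGNATURES.items():
        hits = [find_dword(data, c) for c in consts]
        for anchor in hits[0]:
            if all(any(abs(h - anchor) <= window for h in hs) for hs in hits[1:]):
                results.setdefault(name, []).append(anchor)
    return results

def mov_imm(disp, value):
    """x86 `mov dword ptr [eax+disp8], imm32`: C7 40 disp8 imm32."""
    return b"\xC7\x40" + bytes([disp]) + struct.pack("<I", value)

# Constructed sample, not taken from any real binary: an MD5-style state
# initialisation, then a lone golden-ratio constant far away from it.
SAMPLE = (
    b"\x90" * 16
    + b"".join(mov_imm(4 * i, c)
               for i, c in enumerate(SIGNATURES["MD5 init state"]))
    + b"\x90" * 200
    + struct.pack("<I", 0x9E3779B9)
    + b"\x90" * 16
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(name, [hex(o) for o in offsets])
```

The offsets reported are those of the constants themselves, which may sit in a data table rather than in the routine that uses them. An algorithm with no fixed constants leaves nothing for this kind of scan to match.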
  #6  
Old 08-03-2003, 18:35
ArC
I don't have much experience with RC5 but I could imagine that you will find that key when you trace the app....

To the best of my knowledge RC5 is a private-key-only cipher.
This means that the key used for decryption is the same that is used for encryption.

Correct me if I'm wrong
  #7  
Old 08-03-2003, 20:18
5Alive
Quote:
Originally posted by ArC
I don't have much experience with RC5
but I could imagine that you will find that
key when you trace the app....
You make it sound so easy.

You are right, RC5 only uses a private key of variable length;
it is a symmetric block cipher, meaning that the same key is used for both encryption and decryption.

5Alive.
  #8  
Old 08-04-2003, 00:07
an0nymous
 
Posts: n/a
rc5 isn't hard stuff
  #9  
Old 08-04-2003, 03:54
5Alive
Quote:
Originally posted by sKAMER
rc5 isn't hard stuff
Are you speaking from experience? Any knowledge you can share would be very helpful to me.

What is the best approach to finding a private key, as they are not hidden in the code anywhere?

Thanks.

5Alive.
  #10  
Old 08-04-2003, 04:26
an0nymous
 
Posts: n/a
any crypto defeating depends on crypto implementation
  #11  
Old 08-04-2003, 04:28
doggystile
 
Posts: n/a
Where can I get Kanal v2.2

Where can I get Kanal v2.2 to download?
  #12  
Old 08-04-2003, 04:30
5Alive
Naturally, what should I be looking for?
  #13  
Old 08-04-2003, 05:07
31415926535
 
Posts: n/a
You should try Dede and look for used units; there are only a few implementations of RC5 on the net. I don't know what you're trying to crack but I'd bet that it will use DCPCrypt1/2 (hxxp://www.cityinthesky.co.uk/). Load it into Delphi, make a sample app, debug in the Delphi internal debugger and learn.
  #14  
Old 08-04-2003, 05:18
doggystile
 
Posts: n/a
Need help decrypting a file

I am a newbie at cryptography. I need help decrypting a file and I do not know where to start; the file I am decrypting has no attachments to it. I made a copy of the file and put an attachment txt to it and opened it in read form; it is encrypted. How do I fix it?
  #15  
Old 08-04-2003, 16:50
5Alive
Quote:
Originally posted by 31415926535
You should try Dede and look for used units; there are only a few implementations of RC5 on the net. I don't know what you're trying to crack but I'd bet that it will use DCPCrypt1/2 (hxxp://www.cityinthesky.co.uk/). Load it into Delphi, make a sample app, debug in the Delphi internal debugger and learn.
Thanks for the unambiguous comments. I am using DeDe, which is a great tool and has helped me a lot in understanding how the program works, though I still have much to learn.

I was hoping that it uses a standard library such as DCPCrypt; it uses something called TCipherStreamFactoryRC5 to handle the decryption.

Web searches have proved fruitless, so I can only guess it is a custom lib. Anyone heard of this?

5Alive
All times are GMT +8.