Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-05-2014, 09:20
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Arrow Is this RSA algorithm?

****************
File for static debug:
****************

https://app.box.com/s/npyh7dgjsvr3cdwm9b0a

Some clue indicate SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac call may use RSA algorithm, but can't find the public key after long time debug, anyone can give help?

SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca => call SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac => call rsa_eay.c


**********************
IDA F5 => Pseudo code
**********************

if ( SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca(v14, v17, v18, v13, 1) == -1 )
{
v15 = 0;
dword_282C990 = SNPSle_0b7605938c156c1e7171bec194fc1df0();
snpsFreeFunc(v18);
snpsFreeFunc(v17);
}
else
{
v15 = SNPSle_e70385d734271e1f();
SNPSle_a319640d45ef7860(v15, v18);
snpsFreeFunc(v18);
snpsFreeFunc(v17);
}
return v15;

*************************************************
Function SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca
*************************************************

.text:0129A65C mov edx, [esp+24h]
.text:0129A660 mov dword ptr [esp+10h], 1
.text:0129A668 mov [esp+0Ch], esi
.text:0129A66C mov [esp+8], edx
.text:0129A670 mov edx, [esp+20h]
.text:0129A674 mov [esp], eax
.text:0129A677 mov [esp+4], edx
.text:0129A67B call SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca

.text:012FF9C0 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca proc near
.text:012FF9C0 ; CODE XREF: SNPSle_8c043950c9569b2b28b737acdf3db27f+16Bp
.text:012FF9C0 ; SNPSle_5b20c9bca9f2e8472400b8222d99bf873af76a24be776844+6Fp ...
.text:012FF9C0
.text:012FF9C0 var_1C = dword ptr -1Ch
.text:012FF9C0 var_18 = dword ptr -18h
.text:012FF9C0 var_14 = dword ptr -14h
.text:012FF9C0 var_10 = dword ptr -10h
.text:012FF9C0 var_C = dword ptr -0Ch
.text:012FF9C0 arg_0 = dword ptr 4
.text:012FF9C0 arg_4 = dword ptr 8
.text:012FF9C0 arg_8 = dword ptr 0Ch
.text:012FF9C0 arg_C = dword ptr 10h
.text:012FF9C0 arg_10 = dword ptr 14h
.text:012FF9C0
.text:012FF9C0 sub esp, 1Ch
.text:012FF9C3 mov edx, [esp+1Ch+arg_C]
.text:012FF9C7 mov eax, [esp+1Ch+arg_10]
.text:012FF9CB mov ecx, [edx+8]
.text:012FF9CE mov [esp+1Ch+var_C], eax
.text:012FF9D2 mov eax, [esp+1Ch+arg_8]
.text:012FF9D6 mov [esp+1Ch+var_10], edx
.text:012FF9DA mov [esp+1Ch+var_14], eax
.text:012FF9DE mov eax, [esp+1Ch+arg_4]
.text:012FF9E2 mov [esp+1Ch+var_18], eax
.text:012FF9E6 mov eax, [esp+1Ch+arg_0]
.text:012FF9EA mov [esp+1Ch+var_1C], eax
.text:012FF9ED call dword ptr [ecx+8] => call 013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac
.text:012FF9F0 add esp, 1Ch
.text:012FF9F3 retn
.text:012FF9F3 SNPSle_dcd7600bcfd6e0ca05f8cd0732bfb7ca endp

*****************************************************************
Function SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac
*****************************************************************

.text:013BA9F0 SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac proc near
.text:013BA9F0 ; DATA XREF: .data:02796748o
......
.text:013BAA9F lea eax, (aRsa_eay_c - 26FB44Ch)[ebx] ; "rsa_eay.c"
......
.text:013BAE7D SNPSle_f7c94ba85f016ab01b4ebe56a4a7d20652744f697ac58fac endp
Reply With Quote
  #2  
Old 08-05-2014, 15:50
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
Have you tried applying some of the well know crypto lib sigs in IDA ?.

Git
Reply With Quote
  #3  
Old 08-05-2014, 16:02
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
The code you posted just moves some arguments around and does nothing which would help to identify anything.

"rsa_eay.c" is part of the OpenSSL package. If OpenSSL is linked to your code, it naturally contains RSA, but also dozens of other crypto algorithms. It doesn't mean the algorithms are actually used for anything.

The calling convention looks strange, it seems to be some exotic compiler (maybe Cygwin?). So you might have to recompile OpenSSL yourself to create IDA signature files.
Reply With Quote
  #4  
Old 08-05-2014, 16:29
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by Git View Post
Have you tried applying some of the well know crypto lib sigs in IDA ?.

Git
Dear Git,

I use findcrypt.plw, would you help recommend some other crypto lib sigs that maybe helpful? I have few experience on this kind of lib sigs, you guide will be very appreciated, thanks.
Reply With Quote
  #5  
Old 08-05-2014, 16:32
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by Kerlingen View Post
The code you posted just moves some arguments around and does nothing which would help to identify anything.

"rsa_eay.c" is part of the OpenSSL package. If OpenSSL is linked to your code, it naturally contains RSA, but also dozens of other crypto algorithms. It doesn't mean the algorithms are actually used for anything.

The calling convention looks strange, it seems to be some exotic compiler (maybe Cygwin?). So you might have to recompile OpenSSL yourself to create IDA signature files.
Yes, I confirm the code call "rsa_eay.c", but I don't know how to deal with it, would you please give a little more details on how to complile OpenSSL and create IDA signature? Is there any post can be referenced? Thanks.
Reply With Quote
  #6  
Old 08-05-2014, 20:07
Storm Shadow's Avatar
Storm Shadow Storm Shadow is offline
Family
 
Join Date: Jun 2014
Posts: 281
Rept. Given: 186
Rept. Rcvd 191 Times in 78 Posts
Thanks Given: 138
Thanks Rcvd at 245 Times in 97 Posts
Storm Shadow Reputation: 100-199 Storm Shadow Reputation: 100-199
the ida scope plugin does a very nice jobb checking crypto.I did a fix for ida 6.1 here http://techbliss.org/threads/idascope-v1-1-yara-scanning-fixed-for-ida-6-1-python-2-7.484/#post-1509
and there is also the RSA key finder script. http://kyprizel.net/work/ida_rsakeyfinder.html /(python needed)
Reply With Quote
  #7  
Old 08-05-2014, 20:26
Storm Shadow's Avatar
Storm Shadow Storm Shadow is offline
Family
 
Join Date: Jun 2014
Posts: 281
Rept. Given: 186
Rept. Rcvd 191 Times in 78 Posts
Thanks Given: 138
Thanks Rcvd at 245 Times in 97 Posts
Storm Shadow Reputation: 100-199 Storm Shadow Reputation: 100-199
the RSA finder script had the wrong link
http://kyprizel.net/work/ida_rsakeyfinder.html
Reply With Quote
  #8  
Old 08-06-2014, 10:14
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by Storm Shadow View Post
the RSA finder script had the wrong link
http://kyprizel.net/work/ida_rsakeyfinder.html
I try this RSA finder script, but seems find nothing, even for a simple RSA demo case as attached, it find nothing, I'm not sure whether my usage issue. The check output in IDA list as below.

Searching for X.509 Public Key Infrastructure Certificates
Searching for PKCS #8: Private-Key Information Syntax Standard
Key scan complete.

public key for attached demo case:
n=80C07AFC9D25404D6555B9ACF3567CF1, e=10001
Attached Files
File Type: zip RSAKeyGenMe.zip (48.2 KB, 9 views)
Reply With Quote
  #9  
Old 08-06-2014, 10:51
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by Kerlingen View Post
The calling convention looks strange, it seems to be some exotic compiler (maybe Cygwin?). So you might have to recompile OpenSSL yourself to create IDA signature files.
This is a ELF format under RHEL OS, would you let me know which library file of openssl (such as libeay32.lib under windows) I should use to generate IDA signature? thanks.
Reply With Quote
  #10  
Old 08-06-2014, 11:34
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@bridgeic: Use a compiler there to compile OpenSLL in that specific format. Then use the IDA SDK tools (available everywhere) to generate FLIRT signatures. Nobody can really do that for you, just look up a guide on 'compiling openssl in linux' or something.

RHEL is RedHat Enterprise?

Greetings
Reply With Quote
  #11  
Old 08-06-2014, 11:45
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by mr.exodia View Post
@bridgeic: Use a compiler there to compile OpenSLL in that specific format. Then use the IDA SDK tools (available everywhere) to generate FLIRT signatures. Nobody can really do that for you, just look up a guide on 'compiling openssl in linux' or something.
Yes, I have experience on using FLAIR, and I also compile openssl under RHEL5 succesfully. I just don't know which library files in openssl should be used as the input for pelf to generate openssl IDA signature file. Would you give some help on this? Thanks.

Quote:
Originally Posted by mr.exodia View Post
RHEL is RedHat Enterprise?
Greetings
Yes, it is.
Reply With Quote
  #12  
Old 08-06-2014, 11:50
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
So far still no progress, I can upload all files needed on dynamic debug if anyone can give some help or direction kindly(the total files are some big, about 500M), thanks in advance.
Reply With Quote
  #13  
Old 08-06-2014, 11:58
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@bridgeic: Just create a list of all files included, I really have no clue, probably you need .a or .elf files...

Greetings
Reply With Quote
  #14  
Old 08-06-2014, 17:18
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
As Kerlingen suggests you need the correct sig file for the compiler used. If it is an unusual compiler you will have to compile it yourself. One you have the .lib used to link in the openssl functions, use IDA's Flirt tools to convert .lib to .sig. Put the .sig in the sig directory and proceed to apply that sig to your disassembly. Many openssl functions should now be identified with the correct names.

Git
Reply With Quote
  #15  
Old 08-06-2014, 23:04
Storm Shadow's Avatar
Storm Shadow Storm Shadow is offline
Family
 
Join Date: Jun 2014
Posts: 281
Rept. Given: 186
Rept. Rcvd 191 Times in 78 Posts
Thanks Given: 138
Thanks Rcvd at 245 Times in 97 Posts
Storm Shadow Reputation: 100-199 Storm Shadow Reputation: 100-199
Quote:
Originally Posted by bridgeic View Post
I try this RSA finder script, but seems find nothing, even for a simple RSA demo case as attached, it find nothing, I'm not sure whether my usage issue. The check output in IDA list as below.

Searching for X.509 Public Key Infrastructure Certificates
Searching for PKCS #8: Private-Key Information Syntax Standard
Key scan complete.

public key for attached demo case:
n=80C07AFC9D25404D6555B9ACF3567CF1, e=10001
the script searches for the public rsa key header in certicates as shown here.

http://etherhack.co.uk/asymmetric/docs/rsa_key_breakdown.html

it wouldent find anything in the demo case( source for your file here) http://read.pudn.com/downloads149/sourcecode/crypt/645649/KeyGen/src/RSAKeyGen.c__.htm
it cant find random public keys

Last edited by Storm Shadow; 08-06-2014 at 23:09.
Reply With Quote
The Following User Gave Reputation+1 to Storm Shadow For This Useful Post:
bridgeic (08-15-2014)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Find the Algorithm mcr4ck General Discussion 3 05-26-2020 18:19
Find the Algorithm mcr4ck General Discussion 18 02-06-2020 15:43


All times are GMT +8. The time now is 16:31.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )