GitBook: [master] 409 pages and 18 assets modified
@ -364,7 +364,7 @@
|
|||
|
||||
* [Common API used in Malware](reversing/common-api-used-in-malware.md)
|
||||
* [Reversing Tools](reversing/reversing-tools.md)
|
||||
* [Cryptographic Algorithms](reversing/cryptographic-algorithms.md)
|
||||
* [Cryptographic/Compression Algorithms](reversing/cryptographic-algorithms.md)
|
||||
* [Word Macros](reversing/word-macros.md)
|
||||
|
||||
## Exploiting
|
||||
|
|
|
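Review bot: the SUMMARY.md entry is retitled to "Cryptographic/Compression Algorithms" while the link target stays `reversing/cryptographic-algorithms.md`, so the file name no longer matches the title. That works, but if the file is later renamed to match, this link and every other reference to it must change in the same commit or the table of contents will point at a missing page.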
@ -1,4 +1,4 @@
|
|||
# Cryptographic Algorithms
|
||||
# Cryptographic/Compression Algorithms
|
||||
|
||||
## Identifying Algorithms
|
||||
|
||||
|
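Review bot: the H1 is retitled to include "Compression", but the very next heading is still "## Identifying Algorithms" and nothing near the top says compression routines are covered on this page. A one-line scope sentence under the H1 (crypto primitives plus packers/compressors such as APLib) would make the retitled page read consistently.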
@ -10,7 +10,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
|
|||
|
||||
If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
|
||||
|
||||
![](../.gitbook/assets/image%20%28190%29.png)
|
||||
![](../.gitbook/assets/image%20%28254%29.png)
|
||||
|
||||
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
|
||||
|
||||
|
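Review bot: "If this function is used" has no antecedent in the visible context (the preceding line talks about shifts and XORs, not a function), so name the API whose second parameter carries the algorithm identifier. Also quote the identifier value as text next to the screenshot: only the image changed in this hunk, and a value that lives solely in a PNG cannot be searched or copied against the linked ALG_ID table. Minor grammar: "checking the value" reads better as "by checking the value".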
@ -26,7 +26,7 @@ Compresses and decompresses a given buffer of data.
|
|||
|
||||
Initiates the hashing of a stream of data. If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
|
||||
|
||||
![](../.gitbook/assets/image%20%28172%29.png)
|
||||
![](../.gitbook/assets/image%20%28227%29.png)
|
||||
|
||||
|
||||
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
|
||||
|
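Review bot: the sentence "you can find which **algorithm is being used** checking the value of the second parameter" and the full ALG_ID link are repeated verbatim from the previous section, and again only the screenshot changed. Since a hash object's algorithm is fixed when it is created, say so and point back to the single ALG_ID table once rather than duplicating the link; as above, write the identifier value shown in the image as text so it is searchable.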
@ -49,11 +49,11 @@ You can search any of the other constants and you will obtain \(probably\) the s
|
|||
If the code doesn't have any significant constant it may be **loading information from the .data section**.
|
||||
You can access that data, **group the first dword** and search for it in google as we have done in the section before:
|
||||
|
||||
![](../.gitbook/assets/image%20%28158%29.png)
|
||||
![](../.gitbook/assets/image%20%28215%29.png)
|
||||
|
||||
In this case, if you look for **0xA56363C6** you can find that it's related to the **tables of the AES algorithm**.
|
||||
|
||||
## RC4
|
||||
## RC4 **\(Symmetric Crypt\)**
|
||||
|
||||
### Characteristics
|
||||
|
||||
|
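Review bot: "group the first dword and search for it" should warn about byte order: the same four bytes appear as 0xA56363C6 or 0xC66363A5 depending on whether the disassembler renders the `.data` bytes as a little-endian dword, so readers should search both forms before concluding a constant is unknown. A second search hint worth adding is that lookup tables usually carry many adjacent recognisable values, so the second and third dwords confirm a hit on the first.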
@ -69,17 +69,17 @@ It's composed of 3 main parts:
|
|||
|
||||
### **Initialization stage/Substitution Box:** \(Note the number 256 used as counter and how a 0 is written in each place of the 256 chars\)
|
||||
|
||||
![](../.gitbook/assets/image%20%28215%29.png)
|
||||
![](../.gitbook/assets/image%20%28314%29.png)
|
||||
|
||||
### **Scrambling Stage:**
|
||||
|
||||
![](../.gitbook/assets/image%20%28227%29.png)
|
||||
![](../.gitbook/assets/image%20%28331%29.png)
|
||||
|
||||
### **XOR Stage:**
|
||||
|
||||
![](../.gitbook/assets/image%20%28243%29.png)
|
||||
![](../.gitbook/assets/image%20%28344%29.png)
|
||||
|
||||
## **AES**
|
||||
## **AES \(Symmetric Crypt\)**
|
||||
|
||||
### **Characteristics**
|
||||
|
||||
|
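Review bot: the heading "### **Initialization stage/Substitution Box:** \(Note the number 256 used as counter and how a 0 is written in each place of the 256 chars\)" describes a loop that zeroes 256 bytes, but RC4's key-scheduling loop fills the state as S[i] = i (the identity permutation 0..255), which is the stronger signature; a zero-fill loop is more likely the 256-byte key buffer being cleared. Distinguish the two so readers do not dismiss an S[i] = i loop as "not RC4". Style: `## **AES \(Symmetric Crypt\)**` bolds the whole heading while `## RC4 **\(Symmetric Crypt\)**` bolds only the parenthetical; pick one form.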
@ -89,9 +89,9 @@ It's composed of 3 main parts:
|
|||
|
||||
### SBox constants
|
||||
|
||||
![](../.gitbook/assets/image%20%28207%29.png)
|
||||
![](../.gitbook/assets/image%20%28270%29.png)
|
||||
|
||||
## Serpent
|
||||
## Serpent **\(Symmetric Crypt\)**
|
||||
|
||||
### Characteristics
|
||||
|
||||
|
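Review bot: "### SBox constants" relies on a screenshot alone, yet the S-box is the most greppable AES artefact; add its leading bytes as text (the forward S-box begins 63 7c 77 7b f2 6b 6f c5) so a reader can search a hex dump or a `.data` listing without opening the image. Style: `## Serpent **\(Symmetric Crypt\)**` follows the RC4 bolding rather than the AES one, so the inconsistency from the previous hunk continues here.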
@ -103,7 +103,83 @@ It's composed of 3 main parts:
|
|||
In the following image notice how the constant **0x9E3779B9** is used \(note that this constant is also used by other crypto algorithms like **TEA** -Tiny Encryption Algorithm\).
|
||||
Also note the **size of the loop** \(**132**\) and the **number of XOR operations** in the **disassembly** instructions and in the **code** example:
|
||||
|
||||
![](../.gitbook/assets/image%20%28260%29.png)
|
||||
|
||||
As it was mentioned before, this code can be visualized inside any decompiler as a **very long function** as there **aren't jumps** inside of it. The decompiled code can look like the following:
|
||||
|
||||
![](../.gitbook/assets/image%20%28198%29.png)
|
||||
|
||||
Therefore, it's possible to identify this algorithm checking the **magic number** and the **initial XORs**, seeing a **very long function** and **comparing** some **instructions** of the long function **with an implementation** \(like the shift left by 7 and the rotate left by 22\).
|
||||
|
||||
## RSA **\(Asymmetric Crypt\)**
|
||||
|
||||
### Characteristics
|
||||
|
||||
* More complex than symmetric algorithms
|
||||
* There are no constants! \(custom implementation are difficult to determine\)
|
||||
* KANAL \(a crypto analyzer\) fails to show hints on RSA ad it relies on constants.
|
||||
|
||||
### Identifying by comparisons
|
||||
|
||||
![](../.gitbook/assets/image%20%28243%29.png)
|
||||
|
||||
* In line 11 \(left\) there is a `+7) >> 3` which is the same as in line 35 \(right\): `+7) / 8`
|
||||
* Line 12 \(left\) is checking if `modulus_len < 0x040` and in line 36 \(right\) it's checking if `inputLen+11 > modulusLen`
|
||||
|
||||
## MD5 & SHA \(hash\)
|
||||
|
||||
### Characteristics
|
||||
|
||||
* 3 functions: Init, Update, Final
|
||||
* Similar initialize functions
|
||||
|
||||
### Identify
|
||||
|
||||
#### Init
|
||||
|
||||
You can identify both of them checking the constants. Note that the sha\_init has 1 constant that MD5 doesn't have:
|
||||
|
||||
![](../.gitbook/assets/image%20%28158%29.png)
|
||||
|
||||
#### MD5 Transform
|
||||
|
||||
Note the use of more constants
|
||||
|
||||
![](../.gitbook/assets/image%20%28172%29.png)
|
||||
|
||||
## CRC \(hash\)
|
||||
|
||||
* Smaller and more efficient as it's function is to find accidental changes in data
|
||||
* Uses lookup tables \(so you can identify constants\)
|
||||
|
||||
### Identify
|
||||
|
||||
Check **lookup table constants**:
|
||||
|
||||
![](../.gitbook/assets/image%20%28335%29.png)
|
||||
|
||||
|
||||
|
||||
A CRC hash algorithm looks like:
|
||||
|
||||
![](../.gitbook/assets/image%20%28252%29.png)
|
||||
|
||||
|
||||
|
||||
## APLib \(Compression\)
|
||||
|
||||
### Characteristics
|
||||
|
||||
* Not recognizable constants
|
||||
* You can try to write the algorithm in python and search for similar things online
|
||||
|
||||
### Identify
|
||||
|
||||
The graph is quiet large:
|
||||
|
||||
![](../.gitbook/assets/image%20%28343%29.png)
|
||||
|
||||
Check **3 comparisons to recognise it**:
|
||||
|
||||
![](../.gitbook/assets/image%20%28190%29.png)
|
||||
|
||||
|
|
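Review bot: several typos in the new text: "ad it relies on constants" should be "as it relies on constants", "custom implementation are difficult" should be "custom implementations are difficult", "it's function is to find" should be "its function is to find", and "The graph is quiet large" should be "quite large". Logic points: "## CRC \(hash\)" files CRC alongside MD5/SHA, but CRC is an error-detecting checksum with no collision resistance, so it should be labelled a checksum and the text should say it gives no integrity guarantee against deliberate tampering. "sha\_init has 1 constant that MD5 doesn't have" should name the constant so it can be searched: SHA-1 shares MD5's four initial words 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476 and adds a fifth, 0xC3D2E1F0. "the **size of the loop** \(**132**\)" for Serpent would be clearer if it said what 132 counts (the 32-bit prekeys, 33 round keys of 4 words each). In the RSA comparison, `+7) >> 3` equals `+7) / 8` only for non-negative lengths, which is worth a parenthetical since the point of the comparison is matching a reference implementation.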