GitBook: [master] 409 pages and 18 assets modified

SUMMARY.md

@@ -364,7 +364,7 @@
 
 * [Common API used in Malware](reversing/common-api-used-in-malware.md)
 * [Reversing Tools](reversing/reversing-tools.md)
-* [Cryptographic Algorithms](reversing/cryptographic-algorithms.md)
+* [Cryptographic/Compression Algorithms](reversing/cryptographic-algorithms.md)
 * [Word Macros](reversing/word-macros.md)
 
 ## Exploiting

reversing/cryptographic-algorithms.md

@@ -1,4 +1,4 @@
-# Cryptographic Algorithms
+# Cryptographic/Compression Algorithms
 
 ## Identifying Algorithms
 
@@ -10,7 +10,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
 
 If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
 
-![](../.gitbook/assets/image%20%28190%29.png)
+![](../.gitbook/assets/image%20%28254%29.png)
 
 Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
 
@@ -26,7 +26,7 @@ Compresses and decompresses a given buffer of data.
 
 Initiates the hashing of a stream of data. If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
 
-![](../.gitbook/assets/image%20%28172%29.png)
+![](../.gitbook/assets/image%20%28227%29.png)
 
   
 Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
@@ -49,11 +49,11 @@ You can search any of the other constants and you will obtain \(probably\) the s
 If the code doesn't have any significant constant it may be **loading information from the .data section**.  
 You can access that data, **group the first dword** and search for it in google as we have done in the section before:
 
-![](../.gitbook/assets/image%20%28158%29.png)
+![](../.gitbook/assets/image%20%28215%29.png)
 
 In this case, if you look for **0xA56363C6** you can find that it's related to the **tables of the AES algorithm**.
 
-## RC4
+## RC4 **\(Symmetric Crypt\)**
 
 ### Characteristics
 
@@ -69,17 +69,17 @@ It's composed of 3 main parts:
 
 ### **Initialization stage/Substitution Box:** \(Note the number 256 used as counter and how a 0 is written in each place of the 256 chars\)
 
-![](../.gitbook/assets/image%20%28215%29.png)
+![](../.gitbook/assets/image%20%28314%29.png)
 
 ### **Scrambling Stage:**
 
-![](../.gitbook/assets/image%20%28227%29.png)
+![](../.gitbook/assets/image%20%28331%29.png)
 
 ### **XOR Stage:**
 
-![](../.gitbook/assets/image%20%28243%29.png)
+![](../.gitbook/assets/image%20%28344%29.png)
 
-## **AES**
+## **AES \(Symmetric Crypt\)**
 
 ### **Characteristics**
 
@@ -89,9 +89,9 @@ It's composed of 3 main parts:
 
 ### SBox constants
 
-![](../.gitbook/assets/image%20%28207%29.png)
+![](../.gitbook/assets/image%20%28270%29.png)
 
-## Serpent
+## Serpent **\(Symmetric Crypt\)**
 
 ### Characteristics
 
@@ -103,7 +103,83 @@ It's composed of 3 main parts:
 In the following image notice how the constant **0x9E3779B9** is used \(note that this constant is also used by other crypto algorithms like **TEA** -Tiny Encryption Algorithm\).  
 Also note the **size of the loop** \(**132**\) and the **number of XOR operations** in the **disassembly** instructions and in the **code** example:
 
+![](../.gitbook/assets/image%20%28260%29.png)
+
+As it was mentioned before, this code can be visualized inside any decompiler as a **very long function** as there **aren't jumps** inside of it. The decompiled code can look like the following:
+
 ![](../.gitbook/assets/image%20%28198%29.png)
 
+Therefore, it's possible to identify this algorithm checking the **magic number** and the **initial XORs**, seeing a **very long function** and **comparing** some **instructions** of the long function **with an implementation** \(like the shift left by 7 and the rotate left by 22\).
+
+## RSA **\(Asymmetric Crypt\)**
+
+### Characteristics
+
+* More complex than symmetric algorithms
+* There are no constants! \(custom implementation are difficult to determine\)
+* KANAL \(a crypto analyzer\) fails to show hints on RSA ad it relies on constants.
+
+### Identifying by comparisons
+
+![](../.gitbook/assets/image%20%28243%29.png)
+
+* In line 11 \(left\) there is a `+7) >> 3` which is the same as in line 35 \(right\): `+7) / 8`
+* Line 12 \(left\) is checking if `modulus_len < 0x040` and in line 36 \(right\) it's checking if `inputLen+11 > modulusLen`
+
+## MD5 & SHA \(hash\)
+
+### Characteristics
+
+* 3 functions: Init, Update, Final
+* Similar initialize functions
+
+### Identify
+
+#### Init
+
+You can identify both of them checking the constants. Note that the sha\_init has 1 constant that MD5 doesn't have:
+
+![](../.gitbook/assets/image%20%28158%29.png)
+
+#### MD5 Transform
+
+Note the use of more constants
+
+![](../.gitbook/assets/image%20%28172%29.png)
+
+## CRC \(hash\)
+
+* Smaller and more efficient as it's function is to find accidental changes in data
+* Uses lookup tables \(so you can identify constants\)
+
+### Identify
+
+Check **lookup table constants**:
+
+![](../.gitbook/assets/image%20%28335%29.png)
 
 
+
+A CRC hash algorithm looks like:
+
+![](../.gitbook/assets/image%20%28252%29.png)
+
+
+
+## APLib \(Compression\)
+
+### Characteristics
+
+* Not recognizable constants
+* You can try to write the algorithm in python and search for similar things online
+
+### Identify
+
+The graph is quiet large:
+
+![](../.gitbook/assets/image%20%28343%29.png)
+
+Check **3 comparisons to recognise it**:
+
+![](../.gitbook/assets/image%20%28190%29.png)
+