Wednesday, December 21, 2011

IDA FindCrypt

Finally a great IDA Plugin for Cryptography. Often we'd like to know what kind of cryptographic algorithm has been used in the binary we are analyzing: FindCrypt comes to help us ! The idea behind this Plugin is pretty simple: since almost all cryptographic algorithms use magic constants placed inside the binary, FindCrypt just looks for these constants in the program body.
"This approach will fail if the S-boxes have been altered but in most cases they are untouched (can you admit that you understand all consequences of modifying an S-box, say, in AES?)"
 The plugin supports the following crypto algorithms:

  • Blowfish
  • Camellia 
  • CAST 
  • CAST256 
  • CRC32 
  • DES 
  • GOST 
  • HAVAL
  • MARS 
  • MD2
  • MD4 
  • MD5
  • PKCS_MD2 (byte sequence used in PKCS envelope) 
  • PKCS_MD5 (byte sequence used in PKCS envelope)
  • PKCS_RIPEMD160 (byte sequence used in PKCS envelope)
  • PKCS_SHA256 (byte sequence used in PKCS envelope) 
  • PKCS_SHA384 (byte sequence used in PKCS envelope) 
  • PKCS_SHA512 (byte sequence used in PKCS envelope) 
  • PKCS_Tiger (byte sequence used in PKCS envelope) 
  • RawDES 
  • RC2 
  • RC5
  • RC6 
  • Rijndael 
  • SAFER 
  • SHA-1 
  • SHA-256 
  • SHA-512 
  • SHARK 
  • SKIPJACK 
  • Square 
  • Tiger 
  • Twofish 
  • WAKE 
  • Whirlpool 
  • zlib
The Plugin is very simple to be used just select it from the Plugin menu and it will do its job ending up with the following window:


It will also rename the constant arrays and it will put them in the marked location list. I definitely suggest this great Plugin to everybody who's working in reversing engineering. Good joob Guilfanov ! Download it directly from here.

1 comment:

hermes bag said...

Great information. Thanks for share.