FindCrypt

While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.


The idea behind it pretty simple: since almost all crypto algorithms use magic constants, we will just look for these constants in the program body. Here is how we would do it manually:
http://www.sockpuppet.org/tqbf/log/2006/01/two-things.html
This approach will fail if the S-boxes have been altered but in most cases they are untouched (can you admit that you understand all consequences of modifying an S-box, say, in AES?)
The plugin supports virtually all crypto algorithms and hash functions. I also added the zlib library constants to the list just for the user convenience. Here is the full list:

  • Blowfish
  • Camellia
  • CAST
  • CAST256
  • CRC32
  • DES
  • GOST
  • HAVAL
  • MARS
  • MD2
  • MD4
  • MD5
  • PKCS_MD2 (byte sequence used in PKCS envelope)
  • PKCS_MD5 (byte sequence used in PKCS envelope)
  • PKCS_RIPEMD160 (byte sequence used in PKCS envelope)
  • PKCS_SHA256 (byte sequence used in PKCS envelope)
  • PKCS_SHA384 (byte sequence used in PKCS envelope)
  • PKCS_SHA512 (byte sequence used in PKCS envelope)
  • PKCS_Tiger (byte sequence used in PKCS envelope)
  • RawDES
  • RC2
  • RC5
  • RC6
  • Rijndael
  • SAFER
  • SHA-1
  • SHA-256
  • SHA-512
  • SHARK
  • SKIPJACK
  • Square
  • Tiger
  • Twofish
  • WAKE
  • Whirlpool
  • zlib

Please note that the list does not contain the IDEA algorithm because it usually builds its tables on the fly. Other algorithms can be added if needed.
The plugin is very easy to use – just select it from the plugins menu and it will do its job. At the end it will display a message box like this:

It also will rename all found arrays and put them in the marked location list:

The same approach can be used to find other magic constants and strings. The plugin can also be automated – just hook to the ph.newfile processor module event and run the search.
The source code, as usual, comes with the plugin: findcrypt.zip
Have (cryptic) fun!

This entry was posted in IDA Pro. Bookmark the permalink.

14 Responses to FindCrypt

  1. Guest says:

    Is your plugin endianness independant ?
    Thanks for this plugin. It is welcome !

  2. Guest says:

    Sorry, I have found the answer to my question in source code comments :
    > // NB: This plugin works only for little endian programs

  3. frank boldewin says:

    hi ilfak,
    this is cool. i recently had a discussion with halvar about a tool, that would do such work. reason for this was an algorithm i’ve reversed for security vulns some days ago(norman npep) and it took me some time, before i realized that it’s blowfish and i though on writing a tool,
    that is able to detect several well known algos. now you’ve done this fine work and all what’s left to say is: thanx man!
    cheers,
    frank

  4. Claudia says:

    Quite useful!
    I’m just sorry I use a Mac. *sigh*

  5. Dnix says:

    Nice plugin , However using it twice on same file inserted 2 marked locations , wonder how I delete a marked location in IDA :)

  6. lallous says:

    Hello Ilfak,
    Thanks,
    Good work.

  7. J.C. Roberts says:

    Nicely Done Ilfak!
    Another way to target crypto routines is looking for them via signatures of commonly used libraries. Like sboxes, a lot of people won’t mess with rolling their own crypto routines.
    I used the lib approach to figure out the particular version of Eric A Young’s SSL implementation (SSLeay) a few years ago. The code was borrowed/pilfered/solen/whatever (a license violation on a very libral BSD+credit licensing) and put into a commercial program without attribution. Details were on the main IDA borad fourm a few years ago.
    kind regards,
    JCR

  8. Ilfak Guilfanov says:

    JCR,
    Using signatures is a good idea – they are more precise and add more information to the disassembly. These advantages have a price: a signature must be created for each compiler/platform/options combination.
    I remember the discussion on the IDA forum and your idea of modifying FLIRT to work with constant values. When writing this plugin I remembered and reconsidered it. If I had more time I would have implemented something similar to FLIRT for constants. FindCrypt is a compromise and handles only manually selected constants but I hope it will be useful for many researchers.
    It would be nice to make FindcCrypt fully automatic and byte-sex independent. Something for the future :)

  9. Guest says:

    Hmm. Am i doing something stupid, or the plugin doesn’t compile on earlier versions (e.g. 4.7)?
    Good work, Ilfak.

  10. Ilfak Guilfanov says:

    It is for 4.9+

  11. J.C. Roberts says:

    Ilfak,
    I know what you mean… There’s a lot of work involved with *just* setting up any sort of library based approach.
    Over the years, you’ve consistently amazed me with the way you always manage to come up with an elegant and well balanced solution. -The stuff I usually come up with is most often heavy weight, overy detailed, very time consuming and requires lots of storage and processing power. ;-)
    For most usage, FindCrypt gives you what you need most, the knowledge of what’s there. If a user needs more detail, they can go start playing with specificly targeted libraries for that particular crypto. It’s a heck of a lot easier than a behemoth library scan that trys (and probably fails) to know about everything.
    Similar problems would be true, and to a greater degree, for a more generic “FLIRT For Constants” approach for finding commonly used libs/things/etc. Ignoring the man hours spent in creation, just the amount of data and processing power required will most likely be prohibitive.
    None the less, it still sounds like heck of a lot of fun to run something like that on a super computing cluster. ;-)
    JCR

  12. nc says:

    Re: Dnix
    A handy way to delete the marks your plugin/script has previously generated, without interfering with custom marks is to prepend all the marks from that plugin/script with a simple unique id, say “[FindCrypt]:”.
    And then include something like this (this is the IDC version):

    static delete_marks(magic_str)
    {
    auto i;
      for (i = 1024; i > 0; --i)
      {
        if ((GetMarkedPos(i) != -1) && (strstr(GetMarkComment(i), magic_str) == 0))
          MarkPosition(GetMarkedPosition(i), 0, 0, 0, i, "");
      }
    }
    

    and calling it like this:

    delete_marks("FindCrypt]:");
    
  13. Jason Geffner says:

    I’ve actually had pretty good luck with the Krypto Analyzer (“KANAL”) plugin for PEiD (http://peid.has.it). It’s able to find the following in a binary:
    “BLOWFISH, CAST, CRC16/32, DES, DESX, FROG, GOST, HAVAL, ICE, ICELOCK, MARS, MD4/5, MISTY, NEWDES, Q128, RC2/5/6, RIJNDAEL, RIPEMD, SHA, SHARK, SKIPJACK, SNEFRU, SQUARE, TIGER, TWOFISH & other”

  14. Ilfak Guilfanov says:

    Thanks, I was not aware of this. Seems to do more or less the same thing.