I realized that it is quite easy to make FindCrypt work with big endian programs. For that we just need to know the size of each constant array element and swap them if required. So here is the second version of FindCrypt. It introduces the following improvements:

  1. it works with both little and big endian programs
  2. it knows to reuse old slots in the bookmarks if run repeatedly
  3. it is fully automatic and scans each new created database. manual scan is still available

Future possible improvement: a tool which would extract constant arrays from the source code of any project. This tool can be written on perl or python and will be quite simple (we only have to handle constant array definitions in C). More sophisticated tool could also take care of type definitions like “typedef long LONG”…
For your convenience, here are links to both versions: and
Compare them to see the differences, there aren’t many!

One thought on “FindCrypt2”

  1. Wonderful works!
    I believe it will help me much more than any previous version of IDA. thanks a lot.
    And, I think that not only the magic numbers but also some dissemble bytes nearby can help identify the crypt algorithm, sometimes even more precisely. some IV or magic numbers are in fact nearly nonsence and don’t have any cryptoanalysis sense. such as those 2^32*sin(i) in MD5, which I think can be simply replaced by 2^32*sin(i+0.3) while none business of its security. Another example, according to my experience, I tell out blowfish by not any magic number but the box of 1000h bytes (related to the key), where can be easily ditinguished by those dissembly code referencing the box such as “… [ebx+edx*4+400h] … [ebx+edx*4+800h] … +C00h] … “. I know that these bytes will depend on source codes and the compiler. But I do think it is valueable to implement such a criterion.

Comments are closed.