From Collaborative RCE Tool Library

Jump to: navigation, search

SnD Crypto Scanner (Olly/Immunity Plugin)

Tool name: SnD Crypto Scanner (Olly/Immunity Plugin)
Rating: 0.0 (0 votes)
Author: Loki                        
Website: http://tuts4you.com/forum/index.php?showtopic=15447
Current version: 0.5 (beta)
Last updated: March 30, 2008
Direct D/L link: http://www.tuts4you.com/download.php?view.2222
License type: Freeware
Description: A scanner for crypto signatures as an Olly/Immunity Plugin:

(Following text from the forum thread)
Been coding this for a while and now kinda got bored with it so releasing it as a beta. Sure I'll go back to it again later... just need to do something else now.

Hopefully you will find this useful - the advantage of having it as a plugin means that breakpoints can easily be set where required, and signatures can be located quickly.


Setting Breakpoints:
The buttons try and use a little bit (not much :P) intelligence when setting breakpoints. In the data section, "hardware on access" or "memory access" breakpoints are set on the specific VA referenced. In the code section, a 'hardware on execution' breakpoint is set at the beginning of the disassembled line the referenced dword is on. Hope that makes a little sense :)


Limitations:
Signatures are either made up of dwords or byte sequences. This gives 2 main weaknesses:
- some algorithms use similar dwords, distinguishing between them is not always simple.
- the algorithm finds the first instance of a given dword in a signature. If you have code which has multiple algorithms which use some of the same dwords, the referenced VA will always point to the first instance in the file.

Without doing some in depth analysis, its impossible to determine which algorithm uses a specific instance of a dword. This tool is therefore only going to make analysis a little easier, not do it for you.


Future Development:
Currently the plugin uses the plugin API to get the current file name and then reads it into allocated memory. It does not read memory inside Olly. This means packed files will need to be unpacked and the unpacked instance debugged. In future I plan to give an option to either scan the file or memory (perhaps even a specified memory range).

If you have an idea for development, want to add signatures or just want to tell me how crap this is, please go for it :)
Related URLs: No related URLs have been submitted for this tool yet


RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!



If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)


Views
Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (19)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (20)
   Needs New Category  (3)