find encryption algorithm used in malware, binary or its config file


charlie
November 30th, 2012, 10:03
When we are reversing malware, a binary file or a config file, many experienced people quickly say what it's encrypted with; for example, usually it's the 'RC4' encryption algorithm. Is this something which comes with experience, or is it based on the pattern of the op codes/bytes, or is there a tool to find the algorithm? How can we tell the encryption algorithm? I know that certain standard encryption algorithms like Blowfish, AES etc. leave markers and typical signs; the one I'm usually wondering about is 'RC4', how to find them. Can anyone share their knowledge about this?

Thanks

Charlie

Kayaker
December 1st, 2012, 02:06
I think people often use the included KANAL Krypto plugin for PEiD. The home of PEiD is now

http://www.woodmann.com/BobSoft/

You could also look at the IDA FindCrypt plugin:

http://www.hexblog.com/?p=27

I believe there is also an OllyDbg port of FindCrypt around.
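An added example, not from this thread or from the PEiD/FindCrypt projects, of the constant-signature idea those plugins rely on: it scans a constructed byte blob for the public table constants of AES, Blowfish, SHA-256 and MD5 (in both byte orders for word tables) and reports offsets. It also shows why RC4 is the awkward case the question raises: RC4 has no magic constants, so the only static marker is a precomputed 00..FF state table, which most implementations build at runtime instead.

```python
import struct

# Public table prefixes from the standards; a FindCrypt-style scanner matches these.
SIGNATURES = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc5"),
    "Blowfish P-array (pi)": [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344],
    "SHA-256 K": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "MD5 T": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
}
# RC4 has no constants. Its key schedule starts from the identity permutation
# 00 01 .. FF; only if that table is stored statically is there anything to match.
RC4_IDENTITY = bytes(range(256))


def patterns():
    """Expand each signature into concrete byte patterns (word tables: LE and BE)."""
    out = []
    for name, sig in SIGNATURES.items():
        if isinstance(sig, bytes):
            out.append((name, sig))
        else:
            for endian, label in (("<", "little-endian"), (">", "big-endian")):
                pat = b"".join(struct.pack(endian + "I", w) for w in sig)
                out.append((f"{name}, {label}", pat))
    out.append(("RC4 identity table (heuristic only)", RC4_IDENTITY))
    return out


def find_crypto(blob):
    """Return {pattern name: [offsets]} for every signature present in blob."""
    hits = {}
    for name, pat in patterns():
        off = blob.find(pat)
        while off != -1:
            hits.setdefault(name, []).append(off)
            off = blob.find(pat, off + 1)
    return hits


def sample_blob():
    """Constructed stand-in for a binary section: filler, AES S-box, padding,
    a little-endian Blowfish P-array and a static RC4 identity table."""
    return (b"\x90" * 16 + SIGNATURES["AES S-box"] + b"\x00" * 8
            + struct.pack("<4I", *SIGNATURES["Blowfish P-array (pi)"])
            + RC4_IDENTITY + b"\xcc" * 4)


if __name__ == "__main__":
    for name, offs in sorted(find_crypto(sample_blob()).items()):
        print(f"{name}: {', '.join(hex(o) for o in offs)}")
```

A miss from a scanner like this rules out nothing: RC4 and other constant-free ciphers are identified from the loop shape (a 256-iteration swap loop) in the disassembly, not from a byte signature.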

charlie
December 1st, 2012, 13:51
Thanks Kayaker