
Thread: Identifying crypto algorithm

  1. #1
    DaBookshah
    Guest

    Identifying crypto algorithm

    I have 3 questions, in relation to the following disassembly snippet:

    Code:
    004C9A20     33C0           XOR EAX,EAX
    004C9A22  |. 8A4424 08      MOV AL,BYTE PTR SS:[ESP+8]
    004C9A26  |> 53             PUSH EBX
    004C9A27  |. 8BD8           MOV EBX,EAX
    004C9A29  |. C1E0 08        SHL EAX,8
    004C9A2C  |. 8B5424 08      MOV EDX,DWORD PTR SS:[ESP+8]
    004C9A30  |. F7C2 03000000  TEST EDX,3
    004C9A36  |. 74 15          JE SHORT 004C9A4D
    004C9A38  |> 8A0A           /MOV CL,BYTE PTR DS:[EDX]
    004C9A3A  |. 83C2 01        |ADD EDX,1
    004C9A3D  |. 3ACB           |CMP CL,BL
    004C9A3F  |.^74 CF          |JE SHORT 004C9A10
    004C9A41  |. 84C9           |TEST CL,CL
    004C9A43  |. 74 51          |JE SHORT 004C9A96
    004C9A45  |. F7C2 03000000  |TEST EDX,3
    004C9A4B  |.^75 EB          \JNZ SHORT 004C9A38
    004C9A4D  |> 0BD8           OR EBX,EAX
    004C9A4F  |. 57             PUSH EDI
    004C9A50  |. 8BC3           MOV EAX,EBX
    004C9A52  |. C1E3 10        SHL EBX,10
    004C9A55  |. 56             PUSH ESI
    004C9A56  |. 0BD8           OR EBX,EAX
    004C9A58  |> 8B0A           /MOV ECX,DWORD PTR DS:[EDX]
    004C9A5A  |. BF FFFEFE7E    |MOV EDI,7EFEFEFF
    004C9A5F  |. 8BC1           |MOV EAX,ECX
    004C9A61  |. 8BF7           |MOV ESI,EDI
    004C9A63  |. 33CB           |XOR ECX,EBX
    004C9A65  |. 03F0           |ADD ESI,EAX
    004C9A67  |. 03F9           |ADD EDI,ECX
    004C9A69  |. 83F1 FF        |XOR ECX,FFFFFFFF
    004C9A6C  |. 83F0 FF        |XOR EAX,FFFFFFFF
    004C9A6F  |. 33CF           |XOR ECX,EDI
    004C9A71  |. 33C6           |XOR EAX,ESI
    004C9A73  |. 83C2 04        |ADD EDX,4
    004C9A76  |. 81E1 00010181  |AND ECX,81010100
    004C9A7C  |. 75 1C          |JNZ SHORT 004C9A9A
    004C9A7E  |. 25 00010181    |AND EAX,81010100
    004C9A83  |.^74 D3          |JE SHORT 004C9A58
    004C9A85  |. 25 00010101    |AND EAX,1010100
    004C9A8A  |. 75 08          |JNZ SHORT 004C9A94
    004C9A8C  |. 81E6 00000080  |AND ESI,80000000
    004C9A92  |.^75 C4          \JNZ SHORT 004C9A58
    004C9A94  |> 5E             POP ESI
    004C9A95  |. 5F             POP EDI
    004C9A96  |> 5B             POP EBX
    004C9A97  |. 33C0           XOR EAX,EAX
    004C9A99  |. C3             RETN
    Based on the complexity and the place I found it, I think this is some sort of hashing algorithm.
    1. Does anyone recognise it? I know the names of a bunch of algorithms (md5, sha-1, blowfish), which I looked up on wikipedia, but I couldn't place it.
    2. When I'm trying to find information of this sort, is there a 'best' way/place to look for information?
    3. I think I recall vaguely reading about exe analysers which could detect the presence of certain algorithms in a file, maybe based on searching for certain tables? I tried using google, but couldn't find anything because I didn't really know what I was looking for. Can anyone point me in the right direction?

    Thank you very much for your time.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Answer 3: The KANAL plug-in for PEID may identify some algos by looking for signatures contained in tables and the poly.

  3. #3
    Code:
    #include <stdint.h>   /* uintptr_t for the alignment test */

    int f_004c9a20(char *p_b, char p_a) {

     char d;

     /* byte loop until p_b is 4-byte aligned (TEST EDX,3 / JE) */
     while(((uintptr_t)p_b) & 3) {
      d = *(p_b++);
      if(d==p_a) goto l_004c9a10; // WARNING: Jump out of function.
      if(!d) return 0;
     }
     /* the search byte, zero-extended like AL, replicated into all four byte lanes */
     unsigned int c = (unsigned char)p_a;
     unsigned int b = ((c | (c << 8)) << 16) | (c | (c << 8));
     unsigned int a, e, g, w;
     do {
      w = *(unsigned int *)p_b;
      g = 0x7efefeff + w;                              /* ESI */
      e = (~(w ^ b)) ^ (0x7efefeff + (w ^ b));         /* ECX: search-byte probe */
      a = (~w) ^ g;                                    /* EAX: zero-byte probe */
      p_b += 4;
      if((e &= 0x81010100)!=0) goto l_004c9a9a; // WARNING: Jump out of function.
     } while(((a &= 0x81010100) == 0) || (((a & 0x01010100) == 0) && ((g & 0x80000000) != 0)));
     return 0;
    }
    Sure doesn't look like any hash function I've seen before...
    Last edited by LLXX; June 22nd, 2007 at 08:08.

  4. #4
    This is just MSVC's strchr(). See crt\src\intel\strchr.asm.

  5. #5
    DaBookshah
    Guest
    That'll teach me. And to think, if I had chucked it into ida it would probably have told me that... But damn, that's one hard to understand fragment.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Hey Reverser: Have you memorized all the VC library?

  7. #7
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,507
    Blog Entries
    15
    well there is no need to memorize if you use flirt equivalent plugins
    like godup, and i saw one recently somewhere which is supposed to be better; they all scan and name the functions

    naides keep a watch for
    004C9A76 |. 81E1 00010181 |AND ECX,81010100
    004C9A5A |. BF FFFEFE7E |MOV EDI,7EFEFEFF

    the constants 81010100, 7efefeff, that's almost a permanent feature in all the str#### functions

    some magic constants that add up to 2^32 -1

    004C9A30 |. F7C2 03000000 TEST EDX,3

    this testing with 3 constant

    that's an alignment check
    Last edited by blabberer; June 22nd, 2007 at 12:33.

  8. #8
    Quote Originally Posted by reverser View Post
    This is just MSVC's strchr(). See crt\src\intel\strchr.asm.
    Wow. I wonder if this really has any advantage over a simple repnz scasb.

    The fragment in the OP doesn't even look like hand-coded Asm, it looks like compiler output (which is why I tried the decompiler, which then subsequently complained that there were two jumps out of the not-a-complete-function...)

  9. #9
    It scans the middle of the string by dwords, so I guess it's faster for long strings (not bored enough to measure). BTW, the non-inline versions of some other functions (strlen, strncpy etc) also use the same trick.
    Here's a strlen implementation with some comments:
    http://www.lrdev.com/lr/c/strlen.c
    memchr example:
    http://www.google.com/codesearch?q=show:D9u_JuWA-0Y:NpSLgK5a8cg:PnDvgFna9Y4
    Last edited by reverser; June 22nd, 2007 at 19:54. Reason: get rid of smilies
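The dword-at-a-time scan that posts #7 and #9 describe, written out as an added worked example. This is not code from the thread and not MSVC's strchr.asm; it reuses the two constants from the listing, 0x7efefeff and 0x81010100, reproduces the three-way decision the disassembly makes at 004C9A7E..004C9A92 (no candidate, a definite zero in bytes 0..2, or a 0x80 in the top byte that the bit-31 test filters out as a false positive), and wraps the probe in a strchr that resolves candidate dwords byte by byte. The names `zero_candidate`, `dword_has_zero`, `swar_strchr` and `find_offset`, and the padded test buffer, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constants lifted from the listing: MOV EDI,7EFEFEFF and AND ECX,81010100. */
#define MAGIC_ADD  0x7efefeffu
#define MAGIC_MASK 0x81010100u

/* Cheap probe: nonzero iff dword v MAY hold a zero byte. Adding 0x7efefeff
 * carries through every nonzero byte; a zero byte stops the carry, which
 * leaves an unchanged bit at position 8, 16, 24 or 31. */
static uint32_t zero_candidate(uint32_t v) {
    uint32_t t = v + MAGIC_ADD;
    return (~v ^ t) & MAGIC_MASK;
}

/* Exact answer, mirroring the branch sequence at 004C9A7E..004C9A92. */
int dword_has_zero(uint32_t v) {
    uint32_t t = v + MAGIC_ADD;          /* ESI in the listing */
    uint32_t c = (~v ^ t) & MAGIC_MASK;  /* EAX after AND EAX,81010100 */
    if (c == 0)
        return 0;                        /* JE: no candidate, keep scanning */
    if (c & 0x01010100u)
        return 1;                        /* JNZ: a real zero in bytes 0..2 */
    /* Only bit 31 fired: byte 3 is 0x00 or 0x80 (no carry into bit 31 in
     * either case), so the sum's own top bit tells the two apart. */
    return (t & 0x80000000u) == 0;       /* AND ESI,80000000 / JNZ loop */
}

/* strchr built on the same trick. Like the CRT version it assumes reading
 * the whole aligned dword that holds the terminator is safe. */
const char *swar_strchr(const char *s, int ch) {
    unsigned char c = (unsigned char)ch;

    /* Byte-at-a-time until s is 4-byte aligned: the TEST EDX,3 loop. */
    while (((uintptr_t)s & 3) != 0) {
        if ((unsigned char)*s == c) return s;
        if (*s == '\0') return NULL;
        s++;
    }

    /* Replicate c into all four byte lanes (SHL EAX,8 / OR / SHL EBX,10 / OR). */
    uint32_t rep = c | ((uint32_t)c << 8);
    rep |= rep << 16;

    for (;;) {
        uint32_t v;
        memcpy(&v, s, sizeof v);  /* aligned load, no aliasing issues */
        /* v ^ rep has a zero byte exactly where v has a byte equal to c. */
        if (zero_candidate(v ^ rep) || zero_candidate(v)) {
            /* Candidate dword: resolve in order so a terminator before the
             * match wins and the 0x80 false positive is harmless. */
            for (int i = 0; i < 4; i++) {
                if ((unsigned char)s[i] == c) return s + i;
                if (s[i] == '\0') return NULL;
            }
        }
        s += 4;
    }
}

/* Test helper (an assumption for this example, not part of the technique):
 * copies text into a zero-padded, 4-byte-aligned buffer at a chosen
 * misalignment and returns the match offset, or -1 for no match. */
int find_offset(const char *text, int ch, int misalign) {
    union { uint32_t words[16]; char bytes[64]; } buf;
    memset(&buf, 0, sizeof buf);
    size_t n = strlen(text);
    if (misalign < 0 || misalign > 3 || n + misalign + 4 >= sizeof buf.bytes)
        return -2;
    char *start = buf.bytes + misalign;
    memcpy(start, text, n + 1);
    const char *r = swar_strchr(start, ch);
    return r ? (int)(r - start) : -1;
}

int main(void) {
    /* Constructed sample: bytes "cba" under a 0x80, which trips the bit-31 test. */
    printf("dword 0x80616263 zero? %d (candidate bits %08x)\n",
           dword_has_zero(0x80616263u), zero_candidate(0x80616263u));
    printf("'w' in \"hello, world\" at %d\n", find_offset("hello, world", 'w', 1));
    return 0;
}
```

The byte-by-byte fallback is where the real strchr goes at 004C9A9A: the probe only says "somewhere in this dword", and checking in order is what keeps a match that sits after the terminator from being reported.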

  10. #10
    Willebul
    Guest

    a bit after the fact - Ida Graph

    Hi

    I had a look at this a while ago , makes more sense in a ida flow

    Wb
    I promise that I have read the FAQ and tried to use the Search to answer my question.
