
Thread: How to know which algo is used ?

  1. #1
    MarcElBichon
    Guest

    How to know which algo is used?

    You can find on the net how to resolve many algos (cryptographs works)

    But how to know which algo is used in software or a crackme (TMG crackmes)? Do there exist tutorials?

    thanks

    Mike
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    decx
    Guest
    First of all, when you know it uses some kind of encryption, see if you can detect the encryption type: is it hashing, secret key, or public key? Then you can look at the encryption initialization constants. SHA and MD5, for example, are easy to detect as they have constants like:

    T1 0xd76aa478
    T2 0xe8c7b756
    T3 0x242070db

    etc. Many other algorithms have similar tags known as initialization constants. If you can't find any of those, try looking at the source code of the algos most likely to be used. I have a small archive of assembly listings of encryption algos; this way I can compare the assembly code pretty quickly to determine the encryption used.

    But the question is not always to detect the encryption, it's mainly a question of how to break it. You won't want to be factoring a large RSA, ElGamal or ECC. But for the hashing, small RSAs (N <= 256 bit max...) and secret key algos it's definitely possible.
    But be aware that some companies have simple proprietary encryption algos designed in-house; these are usually simple XOR encryptions. Don't let that fool you, and happy cracking

  3. #3
    decx
    Guest
    I think I should post an example too; this is from MD5 used in a very popular CAD program.
    Analysing the licensing system will lead you to the suspicion that it uses some kind of encryption to generate and validate the keyfiles. Actually it was simple, since it contained names like NewUserHashFingerprint etc. So knowing it was a hashing algo was rather obvious, but determining the algo was done pretty quickly too. Observe the assembly listing below:

    .text:5388C590 mov eax, [esp+arg_0]
    .text:5388C594 xor ecx, ecx
    .text:5388C596 mov [eax+14h], ecx
    .text:5388C599 mov [eax+10h], ecx
    .text:5388C59C mov dword ptr [eax], 67452301h
    .text:5388C5A2 mov dword ptr [eax+4], 0EFCDAB89h
    .text:5388C5A9 mov dword ptr [eax+8], 98BADCFEh
    .text:5388C5B0 mov dword ptr [eax+0Ch], 10325476h
    .text:5388C5B7 retn
    .text:5388C5B7 sub_5388C590 endp
    .text:5388C5B7

    Now looking in md5.c we see this:
    void
    md5_init(md5_state_t *pms)
    {
        pms->count[0] = pms->count[1] = 0;
        pms->abcd[0] = 0x67452301;
        pms->abcd[1] = 0xefcdab89;
        pms->abcd[2] = 0x98badcfe;
        pms->abcd[3] = 0x10325476;
    }

    Pretty obvious, huh?
    Tracing further will also reveal the Tx constants.

    When you see a call with a lot of ror, shr, mov, add, lea etc. juggling with a lot of numbers, you might want to look at it in IDA and check out what it might be.
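
The constant matching described in posts #2 and #3, as an added example that is not part of the original thread: a small scanner that searches a code or data blob for well-known 32-bit hash constants in either byte order. The signature table holds values from the public algorithm specifications; the sample bytes are constructed by hand-assembling the listing in post #3 (assuming arg_0 = 4) and show that the four init words alone are shared by MD4, MD5, SHA-1 and RIPEMD-160, while the T constants narrow the match to MD5.

```python
import struct

# 32-bit constants from the public algorithm specifications.
SIGNATURES = {
    "MD4/MD5/SHA-1/RIPEMD-160 init words": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "SHA-1/RIPEMD-160 fifth init word": (0xC3D2E1F0,),
    "MD5 T1..T3": (0xD76AA478, 0xE8C7B756, 0x242070DB),
    "SHA-1 round constants": (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6),
    "SHA-256 init words H0..H3": (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A),
}

def find_const(blob, value):
    """Offset of a 32-bit constant in either byte order, or -1 if absent."""
    for fmt in ("<I", ">I"):
        pos = blob.find(struct.pack(fmt, value))
        if pos != -1:
            return pos
    return -1

def scan(blob):
    """Map signature name -> offsets of its constants; only full matches are reported."""
    hits = {}
    for name, consts in SIGNATURES.items():
        offsets = [find_const(blob, c) for c in consts]
        if all(o != -1 for o in offsets):
            hits[name] = offsets
    return hits

# Constructed sample: the init routine from post #3, hand-assembled (x86-32, arg_0 assumed = 4).
INIT_ROUTINE = bytes.fromhex(
    "8b442404" "33c9" "894814" "894810"
    "c70001234567" "c7400489abcdef" "c74008fedcba98" "c7400c76543210" "c3"
)
# Constructed sample: the same routine followed by a table holding T1..T3.
WITH_T_TABLE = INIT_ROUTINE + struct.pack("<3I", 0xD76AA478, 0xE8C7B756, 0x242070DB)

if __name__ == "__main__":
    for label, blob in (("init only", INIT_ROUTINE), ("init + T table", WITH_T_TABLE)):
        print(label)
        for name, offsets in scan(blob).items():
            print("  %-40s at %s" % (name, [hex(o) for o in offsets]))
```
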

  4. #4
    goatass
    Guest
    Hey MarcElBichon, the toughest part is identifying what algo is used. You have to know the algorithms, especially how they check valid signatures or how they decrypt. I wrote a paper on keygenning tE!'s keygenme #2, which used RipeMD-160 hashing and an RSA signature. When I started looking at it I had no idea what I was looking at, so I looked around and I found places where error messages are generated and I saw some string refs for MIRACLE, so I started looking into crypto algorithms, checked out tE!'s site, got some source code, looked it over, looked over the disassembly of the keygenme and started labeling functions until I isolated the checking routines; then identifying them was a bit easier.

    You just have to know what signature checks, initialization routines, decryption routines, etc. for different algorithms look like in assembly, and that will make life much simpler.

    goatass

  5. #5
    Sphinx
    Guest

    MD5

    Hello all,

    I know that something is using MD5, but how the hell do you start with reversing this??
    Thanks to this thread I could identify the algo used, but after this what do you do next?

    I really could use some suggestions.
    I started searching for all the info I can find about MD5.

    Thx Sphinx

  6. #6
    DakienDX
    Guest
    Hello Sphinx !

    Reversing MD5??? Well, do it and you'll be a very rich man.

    If you know that MD5 is used, you must find out how.

    It could be used like "Serial = MD5(UserName)+MD5(EMail)" or "If MD5(LicenseFile) = RSADecryptedValue then FileInfoOK else RegBadFile".

    I suggest to set a breakpoint in the MD5 proc; when you reach it, do a "P RET" and set a breakpoint on the call to the procedure. So the next time you'll know which data is hashed by MD5. After that you can trace further and see which value is compared to the hash value. Few patches for the beginning or keygen to go further and your problem is solved.

    Easy, isn't it?

  7. #7
    Unregistered
    Guest

    md5 / reverse engineering

    Most MD5 implementations have 3 functions:

    MD5Init - Initialize the MD5 hash variables
    MD5Update - Update the MD5 hash against the data
    MD5Finish - Translate the hash variables to a string (or was it 4 longs)

    So you can rename the function names in IDA or something and it will make your job a whole lot easier.

  8. #8
    Sphinx
    Guest

    Oke that helps a lot

    Hello again,

    Thanks for the replies, now I know how to start. I'm on my way now.

    l8er

    Sphinx