Identifying crypto algorithm [Archive] - RCE Messageboard's Regroupment

View Full Version : Identifying crypto algorithm

DaBookshah

June 22nd, 2007, 04:50

I have 3 questions, in relation to the following disassembly snippet:

Code:



004C9A20     33C0           XOR EAX,EAX

004C9A22  |. 8A4424 08      MOV AL,BYTE PTR SS:[ESP+8]

004C9A26  |> 53             PUSH EBX

004C9A27  |. 8BD8           MOV EBX,EAX

004C9A29  |. C1E0 08        SHL EAX,8

004C9A2C  |. 8B5424 08      MOV EDX,DWORD PTR SS:[ESP+8]

004C9A30  |. F7C2 03000000  TEST EDX,3

004C9A36  |. 74 15          JE SHORT 004C9A4D

004C9A38  |> 8A0A           /MOV CL,BYTE PTR DS:[EDX]

004C9A3A  |. 83C2 01        |ADD EDX,1

004C9A3D  |. 3ACB           |CMP CL,BL

004C9A3F  |.^74 CF          |JE SHORT 004C9A10

004C9A41  |. 84C9           |TEST CL,CL

004C9A43  |. 74 51          |JE SHORT 004C9A96

004C9A45  |. F7C2 03000000  |TEST EDX,3

004C9A4B  |.^75 EB          \JNZ SHORT 004C9A38

004C9A4D  |> 0BD8           OR EBX,EAX

004C9A4F  |. 57             PUSH EDI

004C9A50  |. 8BC3           MOV EAX,EBX

004C9A52  |. C1E3 10        SHL EBX,10

004C9A55  |. 56             PUSH ESI

004C9A56  |. 0BD8           OR EBX,EAX

004C9A58  |> 8B0A           /MOV ECX,DWORD PTR DS:[EDX]

004C9A5A  |. BF FFFEFE7E    |MOV EDI,7EFEFEFF

004C9A5F  |. 8BC1           |MOV EAX,ECX

004C9A61  |. 8BF7           |MOV ESI,EDI

004C9A63  |. 33CB           |XOR ECX,EBX

004C9A65  |. 03F0           |ADD ESI,EAX

004C9A67  |. 03F9           |ADD EDI,ECX

004C9A69  |. 83F1 FF        |XOR ECX,FFFFFFFF

004C9A6C  |. 83F0 FF        |XOR EAX,FFFFFFFF

004C9A6F  |. 33CF           |XOR ECX,EDI

004C9A71  |. 33C6           |XOR EAX,ESI

004C9A73  |. 83C2 04        |ADD EDX,4

004C9A76  |. 81E1 00010181  |AND ECX,81010100

004C9A7C  |. 75 1C          |JNZ SHORT 004C9A9A

004C9A7E  |. 25 00010181    |AND EAX,81010100

004C9A83  |.^74 D3          |JE SHORT 004C9A58

004C9A85  |. 25 00010101    |AND EAX,1010100

004C9A8A  |. 75 08          |JNZ SHORT 004C9A94

004C9A8C  |. 81E6 00000080  |AND ESI,80000000

004C9A92  |.^75 C4          \JNZ SHORT 004C9A58

004C9A94  |> 5E             POP ESI

004C9A95  |. 5F             POP EDI

004C9A96  |> 5B             POP EBX

004C9A97  |. 33C0           XOR EAX,EAX

004C9A99  |. C3             RETN

Based on the complexity and the place I found it, I think this is some sort of hashing algorithm.
1. Does anyone recognise it? I know the names of a bunch of algorithms (md5, sha-1, blowfish), which I looked up on wikipedia, but I couldn't place it.
2. When I'm trying to find information of this sort, is there a 'best' way/place to look for information?
3. I think I recall vaugely reading about exe analysers which could detect the presence of certain algorithms in a file, maybe based on searching for certain tables? I tried using google, but couldn't find anything because I didn't really know what I was looking for. Can anyone point me in the right direction?

Thank you very much for your time.

naides

June 22nd, 2007, 05:00

Answer 3: The KANAL plug-in for PEID may identify some algos by looking for signatures contained in tables and the poly.

LLXX

June 22nd, 2007, 08:06

Code:

int f_004c9a20(char *p_b, char p_a) {



 char d;



 while(p_b&3) {

  d = *(p_b++);

  if(d==p_a) goto l_004c9a10; // WARNING: Jump out of function.

  if(!d) return 0;

 }

 int b = ((p_a | (p_a << 8)) << 16) | (p_a | (p_a << 8));

 int a, e, g;

do {

  g = 0x7efefeff + (*(int *)p_b);

  e = (~((*(int *)p_b) ^ b)) ^ (0x7efefeff + ((*(int *)p_b) ^ b));

  a = (~(*(int *)p_b)) ^ (0x7efefeff + (*(int *)p_b));

  p_b += 4;

  if((e &= 0x81010100)!=0) goto l_004c9a9a; // WARNING: Jump out of function.

 } while(((a &= 0x81010100) == 0)||(a & 0x01010100 == 0)&&((g & 0x80000000 != 0));

 return 0;

}

Sure doesn't look like any hash function I've seen before...

reverser

June 22nd, 2007, 10:33

This is just MSVC's strchr(). See crt\src\intel\strchr.asm.

DaBookshah

June 22nd, 2007, 10:50

That'll teach me. And to think, if I had chucked it into ida it would probably have told me that.....But damn, that's one hard to understand fragment.

naides

June 22nd, 2007, 11:05

Hey Reverser: Have you memorized all the VC library?

blabberer

June 22nd, 2007, 12:29

well there is no need to memorize if you use flirt equivalent plugins
like godup, and i saw one recently some where which is supposed to be better thay all sacn and name the functions

naides keep a watch for
004C9A76 |. 81E1 00010181 |AND ECX,81010100
004C9A5A |. BF FFFEFE7E |MOV EDI,7EFEFEFF

the constant 81010100 , 7efefeff

thats almost a permanent feature in all the str#### functions

some magic constants that add up to 2^32 -1

004C9A30 |. F7C2 03000000 TEST EDX,3

this testing with 3 constant

thats alignment check

LLXX

June 22nd, 2007, 17:56

Quote:

[Originally Posted by reverser;66601]This is just MSVC's strchr(). See crt\src\intel\strchr.asm.

Wow. I wonder if this really has any advantage over a simple repnz scasb.

The fragment in the OP doesn't even look like hand-coded Asm, it looks like compiler output (which is why I tried the decompiler, which then subsequently complained that there were two jumps out of the not-a-complete-function...)

reverser

June 22nd, 2007, 19:54

It scans the middle of the string by dwords, so I guess it's faster for long strings (not bored enough to measure). BTW, the non-inline versions of some other functions (strlen, strncpy etc) also use the same trick.
Here's a strlen implementation with some comments:
http://www.lrdev.com/lr/c/strlen.c
memchr example:
http://www.google.com/codesearch?q=show

9u_JuWA-0Y:NpSLgK5a8cg:PnDvgFna9Y4

Willebul

July 13th, 2007, 02:50

Hi

I had a look at this a while ago , makes more sense in a ida flow

Wb