View Full Version : Identifying crypto algorithm


DaBookshah
June 22nd, 2007, 04:50
I have 3 questions, in relation to the following disassembly snippet:

Code:

004C9A20 33C0 XOR EAX,EAX
004C9A22 |. 8A4424 08 MOV AL,BYTE PTR SS:[ESP+8]
004C9A26 |> 53 PUSH EBX
004C9A27 |. 8BD8 MOV EBX,EAX
004C9A29 |. C1E0 08 SHL EAX,8
004C9A2C |. 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
004C9A30 |. F7C2 03000000 TEST EDX,3
004C9A36 |. 74 15 JE SHORT 004C9A4D
004C9A38 |> 8A0A /MOV CL,BYTE PTR DS:[EDX]
004C9A3A |. 83C2 01 |ADD EDX,1
004C9A3D |. 3ACB |CMP CL,BL
004C9A3F |.^74 CF |JE SHORT 004C9A10
004C9A41 |. 84C9 |TEST CL,CL
004C9A43 |. 74 51 |JE SHORT 004C9A96
004C9A45 |. F7C2 03000000 |TEST EDX,3
004C9A4B |.^75 EB \JNZ SHORT 004C9A38
004C9A4D |> 0BD8 OR EBX,EAX
004C9A4F |. 57 PUSH EDI
004C9A50 |. 8BC3 MOV EAX,EBX
004C9A52 |. C1E3 10 SHL EBX,10
004C9A55 |. 56 PUSH ESI
004C9A56 |. 0BD8 OR EBX,EAX
004C9A58 |> 8B0A /MOV ECX,DWORD PTR DS:[EDX]
004C9A5A |. BF FFFEFE7E |MOV EDI,7EFEFEFF
004C9A5F |. 8BC1 |MOV EAX,ECX
004C9A61 |. 8BF7 |MOV ESI,EDI
004C9A63 |. 33CB |XOR ECX,EBX
004C9A65 |. 03F0 |ADD ESI,EAX
004C9A67 |. 03F9 |ADD EDI,ECX
004C9A69 |. 83F1 FF |XOR ECX,FFFFFFFF
004C9A6C |. 83F0 FF |XOR EAX,FFFFFFFF
004C9A6F |. 33CF |XOR ECX,EDI
004C9A71 |. 33C6 |XOR EAX,ESI
004C9A73 |. 83C2 04 |ADD EDX,4
004C9A76 |. 81E1 00010181 |AND ECX,81010100
004C9A7C |. 75 1C |JNZ SHORT 004C9A9A
004C9A7E |. 25 00010181 |AND EAX,81010100
004C9A83 |.^74 D3 |JE SHORT 004C9A58
004C9A85 |. 25 00010101 |AND EAX,1010100
004C9A8A |. 75 08 |JNZ SHORT 004C9A94
004C9A8C |. 81E6 00000080 |AND ESI,80000000
004C9A92 |.^75 C4 \JNZ SHORT 004C9A58
004C9A94 |> 5E POP ESI
004C9A95 |. 5F POP EDI
004C9A96 |> 5B POP EBX
004C9A97 |. 33C0 XOR EAX,EAX
004C9A99 |. C3 RETN


Based on the complexity and the place I found it, I think this is some sort of hashing algorithm.
1. Does anyone recognise it? I know the names of a bunch of algorithms (md5, sha-1, blowfish), which I looked up on wikipedia, but I couldn't place it.
2. When I'm trying to find information of this sort, is there a 'best' way/place to look for information?
3. I think I recall vaguely reading about exe analysers which could detect the presence of certain algorithms in a file, maybe based on searching for certain tables? I tried using google, but couldn't find anything because I didn't really know what I was looking for. Can anyone point me in the right direction?

Thank you very much for your time.

naides
June 22nd, 2007, 05:00
Answer 3: The KANAL plug-in for PEID may identify some algos by looking for signatures contained in tables and the poly.

LLXX
June 22nd, 2007, 08:06
Code:
#include <stdint.h>

/* p_a is taken as unsigned: the routine does XOR EAX,EAX; MOV AL,... so the needle is zero-extended. */
int f_004c9a20(char *p_b, unsigned char p_a) {

    unsigned char d;

    while ((uintptr_t)p_b & 3) {          /* TEST EDX,3: scan bytewise until the pointer is dword-aligned */
        d = *(p_b++);
        if (d == p_a) goto l_004c9a10;    /* WARNING: Jump out of function. */
        if (!d) return 0;
    }
    unsigned int b = ((p_a | (p_a << 8)) << 16) | (p_a | (p_a << 8));  /* needle replicated into all four bytes */
    unsigned int a, e, g;
    do {
        g = 0x7efefeff + (*(unsigned int *)p_b);
        e = (~((*(unsigned int *)p_b) ^ b)) ^ (0x7efefeff + ((*(unsigned int *)p_b) ^ b));  /* needle test */
        a = (~(*(unsigned int *)p_b)) ^ (0x7efefeff + (*(unsigned int *)p_b));              /* terminator test */
        p_b += 4;
        if ((e &= 0x81010100) != 0) goto l_004c9a9a;  /* WARNING: Jump out of function. */
    } while (((a &= 0x81010100) == 0) || (((a & 0x01010100) == 0) && ((g & 0x80000000) != 0)));
    return 0;
}
Sure doesn't look like any hash function I've seen before...

reverser
June 22nd, 2007, 10:33
This is just MSVC's strchr(). See crt\src\intel\strchr.asm.

DaBookshah
June 22nd, 2007, 10:50
That'll teach me. And to think, if I had chucked it into IDA it would probably have told me that... But damn, that's one hard-to-understand fragment.

naides
June 22nd, 2007, 11:05
Hey Reverser: Have you memorized all the VC library?

blabberer
June 22nd, 2007, 12:29
Well, there is no need to memorize if you use FLIRT-equivalent plugins
like godup, and I saw one recently somewhere which is supposed to be better; they all scan and name the functions.

naides, keep a watch for
004C9A76 |. 81E1 00010181 |AND ECX,81010100
004C9A5A |. BF FFFEFE7E |MOV EDI,7EFEFEFF


The constants 81010100 and 7efefeff are almost a permanent feature in all the str#### functions:

some magic constants that add up to 2^32 - 1.


004C9A30 |. F7C2 03000000 TEST EDX,3

This testing against the constant 3

is the alignment check.

LLXX
June 22nd, 2007, 17:56
Quote:
Originally Posted by reverser
This is just MSVC's strchr(). See crt\src\intel\strchr.asm.
Wow. I wonder if this really has any advantage over a simple repnz scasb.

The fragment in the OP doesn't even look like hand-coded Asm, it looks like compiler output (which is why I tried the decompiler, which then subsequently complained that there were two jumps out of the not-a-complete-function...)

reverser
June 22nd, 2007, 19:54
It scans the middle of the string by dwords, so I guess it's faster for long strings (not bored enough to measure). BTW, the non-inline versions of some other functions (strlen, strncpy etc) also use the same trick.
Here's a strlen implementation with some comments:
http://www.lrdev.com/lr/c/strlen.c
memchr example:
http://www.google.com/codesearch?q=show9u_JuWA-0Y:NpSLgK5a8cg:PnDvgFna9Y4
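The dword-at-a-time trick behind blabberer's constants and reverser's strlen/memchr links, written out in C as an added example (not code from this thread, from the MSVC CRT or from the linked pages). has_zero_byte, dword_strchr and the sample buffer are my own names and a constructed input; the constants and the order of the three tests come straight from the disassembly above.

```c
#include <stdint.h>
#include <string.h>

/* Constants taken from the disassembly: the carry-chain magic and the
 * byte-boundary bits that report where the chain broke. */
#define MAGIC 0x7EFEFEFFu
#define BOUND 0x81010100u

/* Mirrors 004C9A58..004C9A92: nonzero if any byte of x is zero. Adding
 * MAGIC makes each nonzero byte carry into the next; a zero byte breaks
 * the chain, and ~x ^ (x + MAGIC) exposes that at the byte boundaries. */
int has_zero_byte(uint32_t x)
{
    uint32_t g = x + MAGIC;            /* ADD ESI,EAX */
    uint32_t a = ~x ^ g;               /* XOR EAX,-1 ; XOR EAX,ESI */
    if ((a & BOUND) == 0) return 0;    /* AND EAX,81010100 ; JE loop */
    if (a & 0x01010100u) return 1;     /* AND EAX,1010100 ; JNZ: byte 0..2 is zero */
    /* Only bit 31 fired: byte 3 is 0x00, or 0x80 (no carry out of bit 30).
     * AND ESI,80000000 ; JNZ loop tells the two apart. */
    return (g & 0x80000000u) == 0;
}

/* strchr with the posted routine's shape: bytewise until 4-aligned
 * (TEST EDX,3), then a dword at a time, testing x ^ b for the target byte
 * and x for the terminator. Aligned reads cannot cross a page boundary,
 * which is why the original may read past the terminator. */
char *dword_strchr(const char *s, int c)
{
    const unsigned char *p = (const unsigned char *)s;
    unsigned char ch = (unsigned char)c;
    while ((uintptr_t)p & 3) {
        if (*p == ch) return (char *)p;
        if (*p == 0) return NULL;
        p++;
    }
    uint32_t b = ch * 0x01010101u;     /* the SHL/OR chain replicating BL */
    for (;; p += 4) {
        uint32_t x;
        memcpy(&x, p, 4);              /* MOV ECX,DWORD PTR DS:[EDX] */
        if (!has_zero_byte(x ^ b) && !has_zero_byte(x)) continue;
        for (int i = 0; i < 4; i++) {  /* resolve which byte stopped us */
            if (p[i] == ch) return (char *)(p + i);
            if (p[i] == 0) return NULL;
        }
    }
}

/* Constructed sample (not from the thread), zero-padded so the dword reads
 * stay inside the buffer; the 0x80 byte is the value the bit-31 check exists for. */
static const char sample[16] = "abc\x80" "def hij";
```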

Willebul
July 13th, 2007, 02:50
Hi

I had a look at this a while ago, makes more sense in an IDA flow.

Wb