Identifying library functions


lborup
January 28th, 2009, 09:16
Hi

While reversing some Windows malware, a lot of crypto-related strings appear, several indicating that OpenSSL 0.9.8e libraries have been used.
I have tried compiling that version with both VC++ 2005 and 2008 and generating IDA Pro signatures, but am only able to identify a couple of functions. So I guess I am using the wrong compiler settings etc.
I would rather avoid spending time reversing crypto functions, so I wonder how you would go about identifying the OpenSSL functions?
Is there a better way to approach the problem?

Best regards,
Lasse
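To make the signature problem in the question concrete, here is an added illustration (not code from the thread, and not IDA's FLIRT format or algorithm): a minimal byte-pattern matcher in the spirit of FLIRT. A signature is the leading bytes of a library function with relocated operands (rel32 call targets, absolute addresses) wildcarded, and the function bytes used here are constructed x86 fragments, not real OpenSSL code. The second target function is the same routine "compiled" with frame-pointer omission, which is exactly why a signature built with different compiler settings fails to match.

```python
from typing import Dict, List, Optional

Pattern = List[Optional[int]]  # None marks a wildcard byte

def wildcard_relocs(code: bytes, reloc_offsets, width: int = 4) -> Pattern:
    """Turn library function bytes into a pattern, masking relocated operands."""
    pat: Pattern = list(code)
    for off in reloc_offsets:
        for i in range(off, off + width):
            if i < len(pat):
                pat[i] = None
    return pat

def pattern_to_text(pat: Pattern) -> str:
    """Render a pattern the way signature tools usually display it."""
    return " ".join("??" if b is None else f"{b:02X}" for b in pat)

def matches(pat: Pattern, data: bytes, off: int) -> bool:
    """True if every non-wildcard byte of the pattern equals data at off."""
    if off + len(pat) > len(data):
        return False
    return all(p is None or p == data[off + i] for i, p in enumerate(pat))

def identify(signatures: Dict[str, Pattern], target: bytes, func_starts) -> Dict[int, Optional[str]]:
    """Map each function start offset to the first signature name that matches, or None."""
    result: Dict[int, Optional[str]] = {}
    for start in func_starts:
        result[start] = None
        for name, pat in signatures.items():
            if matches(pat, target, start):
                result[start] = name
                break
    return result

# Constructed "library" function: push ebp / mov ebp,esp / sub esp,0x10 /
# call rel32 (relocated, offset 7) / mov eax,[ebp+8] / leave / ret
LIB_FUNC_A = bytes.fromhex("558BEC83EC10E8" + "00000000" + "8B4508C9C3")
SIGNATURES = {"lib_func_a": wildcard_relocs(LIB_FUNC_A, reloc_offsets=[7])}

# Constructed target binary: the same function linked at a different address,
# then the same routine built with frame-pointer omission (no push ebp/mov ebp,esp),
# then an unrelated xor eax,eax / ret.
TARGET = (
    bytes.fromhex("558BEC83EC10E8" + "11223344" + "8B4508C9C3")   # offset 0
    + bytes.fromhex("83EC10E8" + "AABBCCDD" + "8B442404" + "83C410C3")  # offset 16
    + bytes.fromhex("33C0C3")                                     # offset 32
)
FUNC_STARTS = [0, 16, 32]

if __name__ == "__main__":
    print(pattern_to_text(SIGNATURES["lib_func_a"]))
    print(identify(SIGNATURES, TARGET, FUNC_STARTS))
```

Only the function at offset 0 is recognised; the call target differs but is wildcarded. The function at offset 16 is the same code compiled with different options and does not match a single byte of the prologue, which is the situation the question describes when signatures generated from a different build of OpenSSL identify only a handful of functions.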

FrankRizzo
January 28th, 2009, 14:40
I would first try to identify what compiler was used to compile your malware. If you can determine that, you're home free. Just obtain the same compiler, and do what you did previously.

It could be MinGW, or maybe a Borland compiler. Just have a look around, and see if you find anything that definitively identifies what you're looking at.

lborup
January 28th, 2009, 16:25
Would try that, except I am positive that the malware itself has been compiled with a Visual C compiler, since when I apply signatures from the Visual C runtime library, IDA Pro recognizes a couple of thousand functions.
Is there a way to tell if the OpenSSL source files were used directly in the compilation, or if they were compiled separately as a static library at first?

bingotheclowno
January 31st, 2009, 10:53
This is of interest to me too! I have a different program I'm trying to reverse engineer with IDA Pro and I'm trying to identify some of the functions called unknown_libname_xx. Most of them are from the Visual C runtime, and I was wondering how to detect and obtain the exact same version of the msvcrt.lib file.
Not trying to steal the thread, but any help is appreciated and probably the same algorithm applies to him detecting the proper library for his program, too.
Thanks!
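Both FrankRizzo's advice (find out which compiler built the sample) and the question about the exact msvcrt.lib version come down to reading the toolchain's own fingerprint. Added here as an example that is not from the thread: a parser for the undocumented "Rich" header that MSVC's linker writes between the DOS stub and the PE signature. Each entry carries a product id and a build number for the tool that produced a group of object files, XORed with a key that is also a checksum over the DOS header and the entries, so a mismatching key means the header was edited or forged. The sample PE prefix and its product ids are constructed inline; the build-to-release map covers only linker builds I am sure of, and anything else is reported as its raw number.

```python
import struct

# Partial map of linker build numbers to releases (only entries I am confident of).
KNOWN_BUILDS = {
    50727: "Visual Studio 2005 (VC8)",
    21022: "Visual Studio 2008 (VC9)",
    30729: "Visual Studio 2008 SP1 (VC9)",
    30319: "Visual Studio 2010 (VC10)",
    40219: "Visual Studio 2010 SP1 (VC10)",
}

def rol32(value: int, count: int) -> int:
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF

def rich_checksum(dos_region: bytes, entries) -> int:
    """Checksum/key used by the linker: DanS offset, plus each DOS-header byte rotated
    by its offset (the e_lfanew bytes are skipped), plus each comp_id rotated by its count."""
    csum = len(dos_region)
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(b, i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        csum = (csum + rol32((prod_id << 16) | build, count)) & 0xFFFFFFFF
    return csum

def decode_rich_header(data: bytes):
    """Return (dans_off, key, [(prod_id, build, count), ...]) or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_enc = struct.pack("<I", struct.unpack("<I", b"DanS")[0] ^ key)
    dans_off = data.rfind(dans_enc, 0, rich_off)
    if dans_off < 0:
        return None
    entries = []
    # Skip the DanS marker and three XORed padding dwords, then read (comp_id, count) pairs.
    for off in range(dans_off + 16, rich_off, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        comp_id ^= key
        count ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return dans_off, key, entries

def verify_rich_checksum(data: bytes) -> bool:
    """True if the stored key matches a checksum recomputed from the bytes on disk."""
    parsed = decode_rich_header(data)
    if parsed is None:
        return False
    dans_off, key, entries = parsed
    return rich_checksum(data[:dans_off], entries) == key

def describe(entries):
    """Attach a release name to each entry where the build number is known."""
    return [(pid, build, count, KNOWN_BUILDS.get(build, "unknown build"))
            for pid, build, count in entries]

def build_sample_pe_prefix(entries, dans_off=0x80, pe_off=0x100) -> bytes:
    """Constructed sample: MZ header with e_lfanew, a valid Rich header, then 'PE\\0\\0'."""
    dos = bytearray(dans_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    key = rich_checksum(bytes(dos), entries)
    rich = bytearray(struct.pack("<I", struct.unpack("<I", b"DanS")[0] ^ key))
    rich += struct.pack("<III", key, key, key)  # three zero dwords, XORed with the key
    for prod_id, build, count in entries:
        rich += struct.pack("<II", ((prod_id << 16) | build) ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    blob = bytes(dos) + bytes(rich)
    return blob + b"\0" * (pe_off - len(blob)) + b"PE\0\0"

# Constructed entries: product ids are placeholders, build 50727 is a real VS2005 linker build.
SAMPLE_ENTRIES = [(0x0083, 50727, 3), (0x0084, 50727, 12), (0x0000, 0, 1)]

if __name__ == "__main__":
    blob = build_sample_pe_prefix(SAMPLE_ENTRIES)
    dans_off, key, entries = decode_rich_header(blob)
    print(f"DanS at 0x{dans_off:x}, key 0x{key:08x}, checksum ok: {verify_rich_checksum(blob)}")
    for row in describe(entries):
        print(row)
```

Run against a real sample, the build numbers tell you which linker and compiler release produced the objects, which is the version of the runtime library and compiler to install before regenerating signatures. A key that fails verification is worth noting in the analysis: packers and some malware authors strip or overwrite this header precisely because it fingerprints their toolchain.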