Hex Rays
Hex Rays Blog —  State of the art code analysis

FindCrypt

While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.

The idea behind it pretty simple: since almost all crypto algorithms use magic constants, we will just look for these constants in the program body. Here is how we would do it manually:
http://www.sockpuppet.org/tqbf/log/2006/01/two-things.html
This approach will fail if the S-boxes have been altered but in most cases they are untouched (can you admit that you understand all consequences of modifying an S-box, say, in AES?)
The plugin supports virtually all crypto algorithms and hash functions. I also added the zlib library constants to the list just for the user convenience. Here is the full list:

  • Blowfish
  • Camellia
  • CAST
  • CAST256
  • CRC32
  • DES
  • GOST
  • HAVAL
  • MARS
  • MD2
  • MD4
  • MD5
  • PKCS_MD2 (byte sequence used in PKCS envelope)
  • PKCS_MD5 (byte sequence used in PKCS envelope)
  • PKCS_RIPEMD160 (byte sequence used in PKCS envelope)
  • PKCS_SHA256 (byte sequence used in PKCS envelope)
  • PKCS_SHA384 (byte sequence used in PKCS envelope)
  • PKCS_SHA512 (byte sequence used in PKCS envelope)
  • PKCS_Tiger (byte sequence used in PKCS envelope)
  • RawDES
  • RC2
  • RC5
  • RC6
  • Rijndael
  • SAFER
  • SHA-1
  • SHA-256
  • SHA-512
  • SHARK
  • SKIPJACK
  • Square
  • Tiger
  • Twofish
  • WAKE
  • Whirlpool
  • zlib

Please note that the list does not contain the IDEA algorithm because it usually builds its tables on the fly. Other algorithms can be added if needed.
The plugin is very easy to use – just select it from the plugins menu and it will do its job. At the end it will display a message box like this:

It also will rename all found arrays and put them in the marked location list:

The same approach can be used to find other magic constants and strings. The plugin can also be automated – just hook to the ph.newfile processor module event and run the search.
The source code, as usual, comes with the plugin: findcrypt.zip
Have (cryptic) fun!

Go to top of page