Tuesday, March 1, 2011

bfcrypt - Crypto scanner

There are several existing crypto scanners, but they are all Windows-only, and most are closed source:

  • PEiD with the Krypto Analyzer (KANAL) plugin
  • IDA Pro with the Findcrypt plugin
  • OllyDbg with the SnD Crypto Scanner
  • x3chun's Crypto Searcher
  • Keygener Assistant
  • Hash & Crypto Detector (HCD)
  • Draft Crypto Analyzer (DRACA)

As I needed a tool for analyzing firmware images under Linux, I've started coding my own, called bfcrypt and available on github under the GPLv2 license.

For now, it can detect Blowfish and MD5, but it will support more in the future.

    $ bfcrypt ShrekW.BIN
    Blowfish P-array  (0x243f6a88) found at 0x0008bc90
    Blowfish S-box[0] (0xd1310ba6) found at 0x0008bcd8
    Blowfish S-box[1] (0x4b7a70e9) found at 0x0008c0d8
    Blowfish S-box[2] (0xe93d5a68) found at 0x0008c4d8
    Blowfish S-box[3] (0x3a39ce37) found at 0x0008c8d8
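To show what a scanner like the one above actually does, here is an added example (my own code, not bfcrypt's) that searches a binary for the leading words of the Blowfish P-array and S-boxes and of the MD5 initial state and T-table, in both byte orders, and reports offsets in the same style. Everything here is an assumption of the example: the signature table only holds the first four words of each constant table, and the sample image is constructed inline, not a real firmware.

```python
import struct
from typing import Iterator, List, NamedTuple


class Hit(NamedTuple):
    name: str
    offset: int
    endian: str  # "little" or "big"


# Leading words of well-known constant tables (first four words of each).
# Matching a run of consecutive words instead of a single one keeps false
# positives down: a lone 0x67452301 also appears in the MD4, SHA-1 and
# RIPEMD initial states, so the MD5 T-table is the better discriminator.
SIGNATURES = {
    "Blowfish P-array":         (0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344),
    "Blowfish S-box[0]":        (0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7),
    "Blowfish S-box[1]":        (0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623),
    "Blowfish S-box[2]":        (0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934),
    "Blowfish S-box[3]":        (0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b),
    "MD5 init state (A,B,C,D)": (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476),
    "MD5 T-table (T[1..4])":    (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee),
}


def pack(words, endian: str) -> bytes:
    """Serialize 32-bit words in the given byte order."""
    fmt = ("<" if endian == "little" else ">") + "%dI" % len(words)
    return struct.pack(fmt, *words)


def find_all(data: bytes, needle: bytes) -> Iterator[int]:
    """Yield every (possibly overlapping) offset of needle in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def scan(data: bytes) -> List[Hit]:
    """Search data for each signature in both byte orders; firmware for
    MIPS or PowerPC targets stores these tables big-endian."""
    hits = []
    for name, words in SIGNATURES.items():
        for endian in ("little", "big"):
            for off in find_all(data, pack(words, endian)):
                hits.append(Hit(name, off, endian))
    return sorted(hits, key=lambda h: h.offset)


def report(hits: List[Hit]) -> None:
    for h in hits:
        print("%-26s (0x%08x, %s-endian) found at 0x%08x"
              % (h.name, SIGNATURES[h.name][0], h.endian, h.offset))


# Constructed sample image (not a real firmware): filler, a little-endian
# Blowfish P-array stub, more filler, then a big-endian MD5 T-table stub.
SAMPLE_IMAGE = (
    b"\x00" * 0x40
    + pack(SIGNATURES["Blowfish P-array"], "little")
    + b"\xff" * 0x20
    + pack(SIGNATURES["MD5 T-table (T[1..4])"], "big")
    + b"\x00" * 0x10
)


def main(path: str = None) -> None:
    data = open(path, "rb").read() if path else SAMPLE_IMAGE
    report(scan(data))


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a file argument to scan a real image, or with none to scan the embedded sample. One sanity check on the bfcrypt output above: the P-array is 18 words (0x48 bytes) and each S-box is 256 words (0x400 bytes), so the reported offsets 0x8bc90, 0x8bcd8, 0x8c0d8, 0x8c4d8, 0x8c8d8 are exactly what a contiguous Blowfish table layout predicts, which is a good sign the hits are the real tables rather than stray constants.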


    1. Findcrypt is an open-source plugin for IDA and detects 47 algos.

    2. Nice tool. Always happy to have new alternatives.

      Just FYI, there are two tools you might find useful:

      * Sigscan
      open source, works on Linux and OS X and finds oodles of signatures

      * Signsrch
      open source but Windows. I've used it via Wine with success.

    3. @Rexman: I've listed Findcrypt in the post, and while it's nice, it's only for Windows I think.

    4. @cyphunk: Many thanks for the links. I've tried signsrch, and it also works under Linux. It's really awesome and I already know that bfcrypt will never be as good :)

      I'll try sigscan. It's too bad those 2 tools are not referenced more, because I've done quite a lot of searching before starting bfcrypt and never seen any of them mentioned. Where did you hear about sigscan?

      Anyway, I really wanted to learn how to code crypto scanning, because I've been curious about the subject for a long time, and for me KANAL and other tools have always been like black magic :) And in the process I've learnt things about S-boxes, polynomials, and all those constants that can be detected.

      Many thanks to both of you for your comments!

    5. @goundoulf I was also a bit bothered when I found it years after I was looking for it. I don't remember how I found it. Sometime last year.

      So I guess it's a shame that you have one for Linux now, for your education objectives (and a shame I found it, for mine).
      Your implementation is similar to one of the two I listed, I can't remember. So you were in the right direction. The other has a different implementation (or just different data structures and search routines).