Researching CryptoChecker data by Aleph 🇮🇱.
- CryptoChecker (CC) 1.3 alpha 12 - bin
- CryptoChecker (CC) 1.3 alpha 11 (Oct 14, 2015) – bin / IA
- CryptoChecker (CC) 1.3 alpha 11 (Mar 31, 2015) – bin / IA
- CryptoChecker (CC) 1.3 alpha 10 – bin / IA / 52PoJie
- CryptoChecker (CC) 1.3 alpha 9 – bin / IA / GitHub
- CryptoChecker (CC) 1.3 alpha – bin / IA
- CryptoChecker (CC) 1.1 (beta 8) and CryptoChecker (CC) 1.2 (alpha) – bin / IA
CC aka CryptoChecker by Aleph
This is an amazing old tool for detecting (crypto) signatures in files. Unfortunately, no source code is available.
The tool was last updated in 2016 and was made with the MZ architecture in mind (.com file format, from the MS-DOS/Win9x days). Given how capable the utility is, it would be great to be able to keep using it in the future.
```
-*- CC 1.3 alpha 12 * Copyright (c) Aleph 2000-2016 -*-
Crypto Checker
Usage: cc.com [!command][{[+]/-}AlgoGroupName] ... [{[+]/-}AlgoGroupName] wildcards
* NOTE: use optional [+/-]AlgoGroup for include/exclude AlgoGroup search
AlgoGroupName '*' or 'NULL' if used should be first in the method list
Commands are:
noscript - suppress IDA IDC-script tags generation
quiet - naked mode: no header, no footer... stuff only
Examples:
> cc filename.ext // single file / QUICK mode - recomended
> cc *.* // some, but entire directory scan
> cc *.DLL // some, but for specified file type
> cc !noscript filename.ext
> cc * -TINY_PRIMES -SMALL_PRIMES -LOCKBOX filename.ext
complains_n_suggestions direct to alephz@yahoo.com
DB Timestamp : Fri Nov 25 11:10:38 2016
DB Entries total: 4245
* Built to find everything
Please visit this link: http://rotter.net/israel
```
This file is used later to keep the CC tool running. The generated file should ideally contain only nulls (NULL bytes), so that CC loads as little detection information as possible.
The script is set to generate a 600 MB file, which seems to work well. It keeps the program running for about 5-10 minutes, despite CC's claims of high optimisation.
Use `step1_generate_busyfile.py`
(The generated file itself is NOT included, as it is easy to regenerate it)
- Tip: To avoid compatibility issues, it's best to generate the "busy" file on the modern host system.
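One way to write such a generator, as an added example rather than the repository's `step1_generate_busyfile.py`: it writes real NUL bytes in chunks, refuses sizes a FAT32 guest volume cannot hold, and can re-check the file after it has been copied into the VM. Reading "600 MB" as 600 MiB and the function names are assumptions; `busy.bin` is the file name used in the command later on this page.

```python
"""Generate a NUL-filled "busy" file for CC to scan (added example)."""
import os
import sys

BUSY_SIZE = 600 * 1024 * 1024   # assumption: the page's "600 MB" taken as 600 MiB
FAT32_MAX_FILE = 2**32 - 1      # largest single file a FAT32 volume can hold
CHUNK = 1024 * 1024             # write 1 MiB at a time to keep memory use flat


def generate_busy_file(path, size=BUSY_SIZE):
    """Write `size` NUL bytes to `path`; return the resulting file size."""
    if not 0 < size <= FAT32_MAX_FILE:
        raise ValueError(f"size must be 1..{FAT32_MAX_FILE} bytes to fit on FAT32")
    zeros = bytes(CHUNK)
    remaining = size
    # Real zero bytes are written (no sparse seek/truncate shortcut) so the
    # file copies into the guest byte-for-byte whatever the host filesystem.
    with open(path, "wb") as fh:
        while remaining:
            n = min(CHUNK, remaining)
            fh.write(zeros[:n])
            remaining -= n
    return os.path.getsize(path)


def is_all_nul(path):
    """Return True if every byte of `path` is 0x00."""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "busy.bin"
    written = generate_busy_file(out)
    print(f"{out}: {written} bytes, all NUL: {is_all_nul(out)}")
```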
For some reason, `cc.com` operates most optimally in a Win9x environment. There, the utility uses the least RAM. Hence, a Win9x environment is needed, ideally virtualized.
Once the VM is ready to go, drop in:
- The dummy file generated in step 1
  Notice: Older FAT32 supports up to 4GB, but for some reason takes a REALLY long time to drop in big files (the lack of optimisation?)
- LordPE - for future dumping.
  Notice: You'll need to drop in the update files to use the latest version
- CC - The executable itself.
  Best to unpack first as it is packed with RAR5
Execute `cc.com busy.bin` and wait for some time to ensure that the software unpacks itself. 30 seconds should be more than enough.
Then launch LordPE and select `cc.bin`. Right-click -> Dump full
- Pre-dumped copy available in rev/dump9x.exe
Use strings2 or another tool to extract strings.
Extracted strings are available in ./txt/