Krypto-like #632

Closed
jvoisin opened this Issue Feb 14, 2014 · 9 comments

@jvoisin
Collaborator

jvoisin commented Feb 14, 2014

Something like the KAnal (KryptoAnalyzer) of PEiD or FindCrypt from IDA would be nice to have in r2.

Collaborator

condret commented Feb 14, 2014

I like the idea, but maybe we should try to do it better than IDA. Sometimes there are no constant values, for example the intel SGX-stuff. We should look out for opcodes too, like cpuid. This shows what I mean:
http://runas-racer.com/foo/sgx.png
http://css.csail.mit.edu/6.858/2013/readings/intel-sgx.pdf

Collaborator

jvoisin commented Feb 17, 2014

Since we already have /R for searching ROP gadgets, what about /K?
Searching for crypto constants should be easy to implement.
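The constant search discussed here (what KANAL/FindCrypt do, and what a /K command or a crypto .yara rule set would encode) boils down to scanning a buffer for well-known algorithm tables. The following is an added illustration, not code from radare2 or from anyone in this thread; the constants are the standard ones from the FIPS/RFC specifications, the sample buffer is constructed, and it checks word tables in both byte orders so it also generalizes to big-endian targets.

```python
import struct

# Small FindCrypt-style table. The values are the published constants of each
# algorithm; a real rule set (e.g. a crypto .yara file) would carry many more.
CRYPTO_CONSTANTS = {
    # first 8 bytes of the AES forward S-box (FIPS-197), a byte table
    "AES_SBOX": bytes.fromhex("637c777bf26b6fc5"),
    # SHA-1 initial hash values H0..H4 (FIPS 180); H0..H3 are also MD4/MD5's
    "SHA1_INIT": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
    # SHA-256 initial hash values H0..H3 (FIPS 180)
    "SHA256_INIT": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A],
    # MD5 sine table T[1..4] (RFC 1321)
    "MD5_T": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
}


def _patterns(name, value):
    """Yield (label, byte pattern); 32-bit word tables get both endiannesses."""
    if isinstance(value, bytes):
        yield name, value
        return
    n = len(value)
    yield f"{name} (LE)", struct.pack("<%dI" % n, *value)
    yield f"{name} (BE)", struct.pack(">%dI" % n, *value)


def scan_crypto_constants(buf):
    """Return sorted (offset, label) pairs for every constant found in buf."""
    hits = []
    for name, value in CRYPTO_CONSTANTS.items():
        for label, pat in _patterns(name, value):
            start = 0
            while (pos := buf.find(pat, start)) != -1:
                hits.append((pos, label))
                start = pos + 1
    return sorted(hits)


# Constructed sample: filler, a little-endian SHA-256 IV at offset 16,
# more filler, then the AES S-box prefix at offset 40.
SAMPLE = (
    b"\x90" * 16
    + struct.pack("<4I", 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)
    + b"\xcc" * 8
    + bytes.fromhex("637c777bf26b6fc5")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, label in scan_crypto_constants(SAMPLE):
        print(f"0x{off:08x}  {label}")
```

As condret notes above, this only finds implementations that embed their tables; code that computes the S-box at runtime, uses AES-NI, or relies on instructions such as cpuid produces no hit, which is why opcode-based heuristics are a useful complement.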

Owner

radare commented Feb 17, 2014

We have /A for looking for expanded AES keys. The command itself is not that important. Just provide a working implementation :)


Collaborator

Maijin commented Mar 18, 2014

This one is also very interesting https://github.com/sandsmark/signsrch and quite efficient ;)

Collaborator

jvoisin commented Apr 28, 2014

I think that we should use yara (a0d3af6) for this.
What about adding a crypo.yara file into the tree?

Owner

radare commented Apr 28, 2014

Looks legit.


Collaborator

Maijin commented Apr 28, 2014

Some rules for crypto: https://github.com/Phoul/yara_rules

Owner

radare commented Apr 28, 2014

The yara plugin should handle a system and user directory to get those files from there. We may want to distribute those .yara rules with r2 and occasionally run them at start with an eval config.


Collaborator

jvoisin commented Apr 30, 2014

Phoul added a license to its files (GPL).
I added them to r2 :)

@jvoisin jvoisin closed this Apr 30, 2014
