cryptographic function identification in obfuscated binary … · 2019-03-05 · crypto searcher...
Cryptographic Function Identification in Obfuscated Binary Programs
REcon 2012
Joan Calvet – [email protected]
Presentation Outline
Introduction to the Problem
Proposed Solution
Examples
What’s Next?
INTRODUCTION TO THE PROBLEM
What’s this?
| Tool | Answer |
| --- | --- |
| Crypto Searcher | “TEA” |
| Draca v0.5.7b | “TEA/RC5/RC6” |
| Findcrypt v2 | Ø |
| Hash & Crypto Detector v1.4 | “TEA/XTEA/TEAN” |
| PEiD KANAL v2.92 | “TEA/N, RC5, RC6” |
| Kerckhoffs | Ø |
| Signsrch 0.1.7 | “TEA” |
| SnD Crypto Scanner v0.5b | Ø |
That’s indeed the Tiny Encryption Algorithm!
What about this one?
No particular constants
| Tool | Answer |
| --- | --- |
| Crypto Searcher | Ø |
| Draca v0.5.7b | Ø |
| Findcrypt v2 | Ø |
| Hash & Crypto Detector v1.4 | Ø |
| PEiD KANAL v2.92 | Ø |
| Kerckhoffs | Ø |
| Signsrch 0.1.7 | Ø |
| SnD Crypto Scanner v0.5b | Ø |
Sigh... That was still TEA!
What Can We Do?
• How to recognize different TEA implementations in a more reliable way?
• Is there something such implementations have to share?
(If so, we could use it in obfuscated programs!)
Input-Output Relationship
For a key K and an encrypted text C, any TEA implementation produces the same decrypted text C’.
Could we identify TEA implementations (or those of any other cipher) by using their deterministic I/O relationship?
PROPOSED SOLUTION
How To Use Input-Output Relationship?
Let’s say P is a program implementing an unknown cryptographic algorithm.
First idea: execute P on all possible input states and check whether the outputs are the same as those of a known cryptographic algorithm.
(not realistic!)
But we can observe one particular P execution and collect its input-output parameter values...
For example:
(figure: P, given the input values 0x42 and 0xCAFEBABE, produces the output value 0xDEADBEEF)
• Now imagine that when we execute a reference implementation of TEA with the key 0x42 and the input text 0xCAFEBABE, it produces 0xDEADBEEF.
What does it mean for P?
• It proves that P implements TEA on these particular input values.
Final Goal
• We are going to prove that a particular program P behaves like a known cryptographic algorithm during a particular execution.
• It means that we are not going to prove a general semantic equivalence between P and a cryptographic algorithm.
Workflow
Given a program P:
Step 1: Collect P’s execution trace.
Step 2: Extract possible cryptographic algorithms, with their parameters, from P’s execution trace (here is the magic).
Step 3: Identify these algorithms by comparing their I/O relationship with that of known algorithms.
STEP 1: COLLECT EXECUTION TRACE
Execution Trace
Pin: Dynamic Binary Instrumentation framework.

| Address | Instruction | Read Registers | Written Registers | Read Memory | Written Memory |
| --- | --- | --- | --- | --- | --- |
| 4012b3 | push ebp | ebp 0012de28, esp 0012bd98 | esp 0012bd94 | | 12bd94 0012de28 |
| 4012b4 | mov ebp, esp | esp 0012bd94 | ebp 0012bd94 | | |
| 4012b6 | push ebx | ebx 02f00010, esp 0012bd84 | esp 0012bd80 | | 12bd80 2f00010 |
| ... | | | | | |
STEP 2: CRYPTOGRAPHIC ALGORITHM EXTRACTION
How To Find Crypto Code? (1)
• Cryptographic code constitutes only a part of a program; we need a way to find it.
• As we want to play with obfuscated programs, IDA functions will not be enough...
In obfuscated programs, such things can happen:
(figure: Win32.Swizzor’s packer)
How To Find Crypto Code? (2)
• Cryptographic algorithms usually apply the same treatment to their input-output parameters.
• That makes loops a characteristic feature of cryptographic code.
• But there are loops everywhere, not only in crypto... What kind of loops are we looking for?
Loops?
(figure: Win32.Mebroot, unrolling optimization)
Looooops
• We look for the same operations applied repeatedly on a set of data.
“A loop is the repetition of a same sequence of machine instructions at least two times.”
(This sequence of instructions is the loop body.)
Example
Execution trace:
...
Iteration 1:
401325 add ebx, edi
401327 sub edx, ebx
401329 dec dword ptr [ebp+0xc]
40132c jnz 0x401325
Iteration 2:
401325 add ebx, edi
401327 sub edx, ebx
401329 dec dword ptr [ebp+0xc]
40132c jnz 0x401325
...
Together, the two iterations form a loop (body: the four instructions from 401325 to 40132c).
What About Nested Loops?
(figure: simplified CFG)
Execution trace: A B B B C A B B C
Loop B, 3 iterations; then loop B, 2 iterations. The two occurrences (A B B B C and A B B C) are different!
Trace rewriting (each B loop replaced by the symbol X): A X C A X C
Ok!
Loop Detection Algorithm
1. Detect two repetitions of a loop body in the execution trace.
(non-trivial: the language w.w is not context-free)
2. Replace the detected loops in the trace by a symbol representing their body.
3. Go back to step 1 if new loops have been detected.
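As an added example (not the talk’s own tool), here is the loop detection algorithm above implemented by trace rewriting, run on the nested-loop trace A B B B C A B B C from the previous slides and on the address trace of the first example. The symbol names L1, L2 and the shortest-body-first search order are my choices, not the talk’s.

```python
# Added example, not the talk's tool: loop detection on an execution trace by
# repeated "find w.w, replace it by a symbol" passes. A trace is a list of
# symbols (instruction addresses or basic-block names); a loop is the same
# body repeated at least twice back to back.
from typing import Dict, List, Optional, Tuple

Loop = Tuple[str, Tuple[str, ...], int]   # (symbol, body, iterations)


def find_repetition(trace: List[str]) -> Optional[Tuple[int, int, int]]:
    """Return (start, body_len, count) of the first w.w pattern in the trace.
    Shortest body first, then leftmost, so inner loops are collapsed before
    the loops that contain them."""
    n = len(trace)
    for body_len in range(1, n // 2 + 1):
        for start in range(0, n - 2 * body_len + 1):
            body = trace[start:start + body_len]
            count, pos = 1, start + body_len
            while trace[pos:pos + body_len] == body:   # count further repetitions
                count += 1
                pos += body_len
            if count >= 2:
                return start, body_len, count
    return None


def detect_loops(trace: List[str]) -> Tuple[List[str], List[Loop]]:
    """Rewrite the trace until no repetition is left (step 3 of the algorithm).
    The same body always maps to the same symbol, so two instances of one
    loop with different iteration counts (B B B and B B) become identical
    symbols, and the loop enclosing them becomes detectable."""
    trace = list(trace)
    symbols: Dict[Tuple[str, ...], str] = {}
    loops: List[Loop] = []
    while True:
        hit = find_repetition(trace)          # step 1
        if hit is None:
            return trace, loops
        start, body_len, count = hit
        body = tuple(trace[start:start + body_len])
        sym = symbols.setdefault(body, f"L{len(symbols) + 1}")
        loops.append((sym, body, count))
        trace[start:start + body_len * count] = [sym]   # step 2: collapse the loop


if __name__ == "__main__":
    # nested loops from the slides: inner loop B runs 3 times, then 2 times
    print(detect_loops("A B B B C A B B C".split()))
    # the address trace of the first example: two iterations of four instructions
    print(detect_loops(["401325", "401327", "401329", "40132c"] * 2))
```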
What’s Next?
• We extracted possible cryptographic code from execution traces thanks to a particular loop definition.
• For the moment, we assume that each possible cryptographic algorithm corresponds to one single loop.
• How can we define parameters from the bytes read and written in the execution trace?
Loop Parameters (1)
• Distinction between input and output bytes in the execution trace:
– Input bytes have been read without having been previously written.
– Output bytes have been written.
Loop Parameters (2)
• We want to group together bytes belonging to the same cryptographic parameter (key, input text...).
What criteria can we use?
Loop Parameters (3)
• Grouping of several bytes into the same parameter:
1. If they are adjacent in memory (too large!)
2. And if they are manipulated by the same instruction in the loop body.
Iteration 1:
add ebx, edi
mov eax, [ebx]
...
Iteration 2:
add ebx, edi
mov eax, [ebx]
...
The same instruction, mov eax, [ebx], reads bytes in each iteration; the adjacent bytes it reads belong to the same parameter.
Loop Parameters (4)
• A parameter is then defined by:
– An identifier: “(memory address|register name):size”
– A value
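As an added example (not the talk’s own tool), here is the parameter definition of slides Loop Parameters (1) to (4) applied to a constructed two-iteration trace: bytes are classified as input (read before any write) or output (written), then grouped when the same loop-body instruction manipulates them and they are adjacent in memory. The trace format, the instruction addresses and the byte values are constructed for this example; register parameters are left out.

```python
# Added example, not the talk's tool: defining loop parameters from the bytes
# a loop reads and writes. A trace entry is (instruction address, bytes read,
# bytes written), each as {memory address: byte value}; registers are left out.
from collections import defaultdict
from typing import Dict, List, Tuple

Access = Tuple[int, Dict[int, int], Dict[int, int]]
Param = Tuple[str, bytes]   # ("0x403000:8", value in address order)


def classify_bytes(trace: List[Access]):
    """Input bytes: read without having been written before (value at first
    read). Output bytes: written (last value). Each byte is tagged with the
    loop-body instruction that accessed it."""
    inputs: Dict[int, Tuple[int, int]] = {}
    outputs: Dict[int, Tuple[int, int]] = {}
    written = set()
    for instr, reads, writes in trace:
        for addr, val in reads.items():
            if addr not in written and addr not in inputs:
                inputs[addr] = (instr, val)
        for addr, val in writes.items():
            written.add(addr)
            outputs[addr] = (instr, val)
    return inputs, outputs


def _param(run: List[Tuple[int, int]]) -> Param:
    # identifier "address:size", value = the bytes in address order
    return f"0x{run[0][0]:x}:{len(run)}", bytes(v for _, v in run)


def group_parameters(tagged: Dict[int, Tuple[int, int]]) -> List[Param]:
    """Bytes form one parameter when the same instruction manipulates them
    AND they are adjacent in memory (criteria 1 and 2 of the slides)."""
    by_instr: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for addr, (instr, val) in tagged.items():
        by_instr[instr].append((addr, val))
    params: List[Param] = []
    for instr in sorted(by_instr):
        run: List[Tuple[int, int]] = []
        for addr, val in sorted(by_instr[instr]):
            if run and addr != run[-1][0] + 1:      # gap in memory: close the run
                params.append(_param(run))
                run = []
            run.append((addr, val))
        if run:
            params.append(_param(run))
    return params


def loop_parameters(trace: List[Access]) -> Dict[str, List[Param]]:
    inputs, outputs = classify_bytes(trace)
    return {"inputs": group_parameters(inputs), "outputs": group_parameters(outputs)}


def mem(base: int, data: bytes) -> Dict[int, int]:
    return {base + i: b for i, b in enumerate(data)}


# Constructed trace: two iterations of a loop body with three instructions
#   401325 mov eax, [ebx]            reads 4 key bytes, ebx advances by 4
#   401327 mov [edx], eax            writes 4 bytes, edx advances by 8 (gap!)
#   401329 dec dword ptr [ebp+0xc]   reads and writes the 4-byte loop counter
TRACE: List[Access] = [
    (0x401325, mem(0x403000, b"\xE1\xBE\xAD\xDE"), {}),
    (0x401327, {}, mem(0x12BD90, b"\x11\x22\x33\x44")),
    (0x401329, mem(0x12BDA0, b"\x02\x00\x00\x00"), mem(0x12BDA0, b"\x01\x00\x00\x00")),
    (0x401325, mem(0x403004, b"\xE2\xBE\xAD\xDE"), {}),
    (0x401327, {}, mem(0x12BD98, b"\x55\x66\x77\x88")),
    (0x401329, mem(0x12BDA0, b"\x01\x00\x00\x00"), mem(0x12BDA0, b"\x00\x00\x00\x00")),
]

if __name__ == "__main__":
    for kind, params in loop_parameters(TRACE).items():
        for ident, value in params:
            print(kind, ident, value.hex())
```

The key bytes read in both iterations are contiguous and end up as one 8-byte input parameter, the output written with a gap splits into two 4-byte parameters, and the loop counter appears as both an input and an output.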
Let’s Recap With a Use-Case
• Tiny Encryption Algorithm:
– Block cipher
– 16-byte key
– 8-byte input text
– Magic constant delta (0x9E3779B9)
• We built a toy program calling the TEA decryption function on:
– Key: 0xDEADBEE1...DEADBEE4
– Encrypted text: 0x0123456789ABCDEF
Step 1: Gather Execution Trace
(figure: the execution trace, from first instruction to last instruction)
Step 2: Recognize Loops
(figure: the machine instruction sequence B is repeated in the trace: B B B ...)
Step 3: Define Loop Parameters
(figure: the loop and its parameters, labelled 1 to 6)
Each loop is then a possible cryptographic algorithm!
Final Model
(figure: the loop and its parameters, labelled Key, Encrypted text and Decrypted text)
STEP 3: CRYPTO ALGORITHM IDENTIFICATION
Input 1: unknown algorithm A with its parameter values
74
![Page 75: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/75.jpg)
Input 1: unknown algorithm A with its parameter values
Input 2: reference implementations for common crypto algo
def tea (input_text, key):
...
def xtea (input_text, key):
...
def rc4 (input_text, key):
...
75
![Page 79: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/79.jpg)
Question
• Is there a way to combine A's input values such that tea(), xtea() or rc4() would produce a combination of A's output values?
• Some difficulties:
– Parameter division: the same cryptographic parameter can be split across several loop parameters.
– Parameter order: there is no particular order for A's parameters.
– Parameter number: we collect more than just the cryptographic parameters.
79
![Page 80: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/80.jpg)
Brute-Force!
80
![Page 87: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/87.jpg)
87
(diagram: unknown algorithm A with its input and output parameters)
1. Generate all possible values with A input parameters:
   1. Length 4: 00000020, 01234567, deadbee3...
   2. Length 8: 0000002001234567, 00000020deadbee3,...
   3. ...
2. Same thing with A output parameters.
3. For TEA reference implementation:
   1. Possible input texts (8 bytes): 0000002001234567,...
   2. Possible keys (16 bytes): ...
   3. Execute our TEA reference implementation on each possible pair (input text, key)
   4. If the output has been produced during step 2: success!
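The brute-force matching of slides 82 to 87 in runnable form, as an added example rather than code from the talk or its tool. The unknown algorithm A is a constructed stand-in: its loop parameter values are produced here with the same TEA reference code, shuffled and split into 4-byte pieces with a spurious loop counter and sum added, so every byte value below is an assumption, not trace data from the presentation. Word endianness (little-endian, as x86 code stores dwords) is likewise an assumption; a matcher run against real traces would try both byte orders.

```python
import itertools
import struct

# TEA constants: the delta seen in the SilentBanker disassembly and the
# 32-round schedule, whose sum ends at delta * 32 = 0xC6EF3720.
DELTA = 0x9E3779B9
ROUNDS = 32
MASK = 0xFFFFFFFF


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Reference TEA encryption: 8-byte block, 16-byte key, little-endian words (assumed)."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = struct.unpack("<4I", key)
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack("<2I", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Reference TEA decryption, the direction a packer or unpacker runs."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = struct.unpack("<4I", key)
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack("<2I", v0, v1)


# Reference implementations tried in turn, like the tea()/xtea()/rc4() stubs on
# slide 75. Decryption is listed first because that is what a packer runs.
REFERENCE_IMPLEMENTATIONS = [
    ("TEA decrypt", tea_decrypt_block),
    ("TEA encrypt", tea_encrypt_block),
]


def candidate_values(params, wanted_lengths):
    """Steps 1 and 2: every value obtainable by concatenating some of the loop
    parameters in any order, grouped by byte length. Trying all subsets and all
    orders is what copes with the three difficulties of slide 79: a crypto
    parameter split over several loop parameters, unknown parameter order, and
    surplus parameters (here a loop counter) collected alongside the real ones."""
    out = {n: set() for n in wanted_lengths}
    max_parts = max(wanted_lengths) // min(len(p) for p in params)
    for r in range(1, min(max_parts, len(params)) + 1):
        for combo in itertools.permutations(params, r):
            value = b"".join(combo)
            if len(value) in out:
                out[len(value)].add(value)
    return out


def identify(input_params, output_params):
    """Step 3: run each reference implementation on every (text, key) pair built
    from A's inputs and report the first whose result A also produced."""
    inputs = candidate_values(input_params, (8, 16))
    outputs = candidate_values(output_params, (8,))
    for name, func in REFERENCE_IMPLEMENTATIONS:
        for text in inputs[8]:
            for key in inputs[16]:
                result = func(text, key)
                if result in outputs[8]:
                    return {"algorithm": name, "input_text": text,
                            "key": key, "output_text": result}
    return None


# Constructed stand-in for an unknown algorithm A (assumed values, not trace data
# from the talk): one TEA block decryption as the tool would see it, i.e. 4-byte
# loop parameters in arbitrary order, with the round counter (0x20) and the final
# value of the running sum (0) picked up as extra parameters.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CIPHERTEXT = bytes.fromhex("0123456789abcdef")
PLAINTEXT = tea_decrypt_block(CIPHERTEXT, KEY)

A_INPUT_PARAMS = [KEY[12:16], CIPHERTEXT[4:8], KEY[0:4], bytes.fromhex("00000020"),
                  KEY[8:12], CIPHERTEXT[0:4], KEY[4:8]]
A_OUTPUT_PARAMS = [PLAINTEXT[4:8], bytes.fromhex("00000000"), PLAINTEXT[0:4]]


def demo():
    """Identify the constructed A; returns the match dictionary or None."""
    return identify(A_INPUT_PARAMS, A_OUTPUT_PARAMS)


if __name__ == "__main__":
    match = demo()
    print(match["algorithm"], "key =", match["key"].hex(),
          match["input_text"].hex(), "->", match["output_text"].hex())
```

With seven 4-byte input parameters the search is 42 candidate texts times 840 candidate keys per reference implementation, which is why the slides report a runtime in minutes rather than seconds on real traces; the candidate sets grow factorially with the number of surplus parameters, so limiting the collected parameters is the first thing to tune.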
![Page 88: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/88.jpg)
~ 2 minutes
88
![Page 89: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/89.jpg)
EXAMPLES!
Malware And TEA
89
![Page 90: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/90.jpg)
Storm Worm
• Several internet references mention the use of TEA in the Storm Worm packer (aka Tibs).
• Let’s take a look at the code...
90
![Page 91: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/91.jpg)
91
![Page 93: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/93.jpg)
Let’s try our tool...
TEA delta
TEA round number
Classic TEA operations
93
![Page 94: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/94.jpg)
(pipeline diagram: Storm Worm Sample → TRACER → Execution Trace → CRYPTO EXTRACTION → Unknown Algorithms)
94
![Page 97: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/97.jpg)
• For the previous loop, we extracted many unknown algorithms like these ones:
Looks like an 8-byte block cipher (like TEA!)
97
![Page 98: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/98.jpg)
(diagram: Unknown Algorithms → IDENTIFICATION → ...)
98
![Page 99: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/99.jpg)
WTF ?
99
![Page 103: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/103.jpg)
Original TEA source code
Storm Worm implementation
This is not TEA: the parentheses are in the wrong place!
103
![Page 104: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/104.jpg)
Ok, Storm Worm implementation added to the base... (this is not TEA)
104
![Page 105: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/105.jpg)
Trojan.SilentBanker
• Several internet references mention the use of TEA in SilentBanker.
• Let’s take a look at the code...
(sounds familiar, doesn’t it?)
105
![Page 106: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/106.jpg)
106
![Page 108: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/108.jpg)
= sub [ebp+arg_0], 0x9E3779B9
TEA round number
TEA classic constant (delta * round number)
Classic TEA operations
Let’s try our tool...
108
![Page 110: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/110.jpg)
• For the previous loop, we extracted many unknown algorithms like these ones:
Looks like an 8-byte block cipher (like TEA!)
110
![Page 111: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/111.jpg)
Fail... Again!?
111
![Page 112: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/112.jpg)
Same implementation as in the Storm Worm!
112
![Page 113: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/113.jpg)
• They probably both copied and pasted the same incorrect source code from the internet.
• I started looking for it: Google, the TEA Wikipedia page,... nothing!
• At some point, I remembered something these two malware families have in common...
113
![Page 114: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/114.jpg)
They both came from Russia!
114
![Page 115: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/115.jpg)
115
![Page 116: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/116.jpg)
116
![Page 117: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/117.jpg)
117
![Page 119: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/119.jpg)
Russian Website
TEA source code
Storm Worm
119
![Page 120: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/120.jpg)
MORE EXAMPLES!
RC4
120
![Page 121: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/121.jpg)
RC4 (1)
• RC4 algorithm:
– Stream cipher
– Variable-length key
– Two loops build a 256-byte substitution box (S-box) that generates the pseudorandom stream.
– A final loop does the actual decryption.
• We have to extend our model to group several loops into one algorithm.
121
![Page 122: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/122.jpg)
Interlude: Loop Data Flow
• Two loops L1 and L2 belong to the same algorithm:
– if L1 started before L2 in the trace, and
– if L2 uses an output parameter of L1 as an input parameter
(or the other way around, with the roles of L1 and L2 swapped).
122
![Page 123: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/123.jpg)
RC4 (2)
• We built a toy program calling the RC4 decryption function on:
– Key: “SuperKeyIsASuperKey” (19 bytes)
– Encrypted text: “AAA....AA” (1024 bytes)
123
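RC4 written as the three loops slide 121 lists, as an added reference implementation of the kind step 3 needs for rc4(); it is not the talk's toy program or tool. The key and text are constructed with the sizes given on slide 123, and the comment on each loop records which memory areas it reads and writes, which is exactly the information the loop data-flow step later uses to link the three loops.

```python
def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 as the three loops of slide 121. Encryption and decryption are the
    same operation, so this also serves as the toy program's decryption routine."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")

    # Loop 1: S-box initialisation. Reads nothing, writes the 256-byte S-box.
    s = list(range(256))

    # Loop 2: key scheduling. Reads the variable-length key and the S-box,
    # writes the S-box (now a key-dependent permutation).
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]

    # Loop 3: the actual decryption. Reads the S-box and the input text, writes
    # the S-box (it keeps permuting it) and the output text, one byte per iteration.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


# Constructed inputs with the sizes given on slide 123 (assumed values; the
# talk's toy program binary is not reproduced here).
TOY_KEY = b"SuperKeyIsASuperKey"   # 19 bytes
TOY_ENCRYPTED_TEXT = b"A" * 1024   # 1024 bytes


def toy_program() -> bytes:
    """What the toy program computes: RC4 decryption of the 1024-byte text."""
    return rc4_crypt(TOY_KEY, TOY_ENCRYPTED_TEXT)


if __name__ == "__main__":
    print(toy_program()[:16].hex())
```

Because the S-box is written by loops 1 and 2 and read by loops 2 and 3, no single loop has the key and the text as inputs and the plaintext as output; only the three taken together match rc4(key, text), which is the reason the single-loop model of the TEA examples has to be extended.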
![Page 124: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/124.jpg)
Statically speaking it looks like this...
Loop 1
Loop 2
Loop 3
124
![Page 126: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/126.jpg)
126
Tools Answer
Crypto Searcher Ø
Draca v0.5.7b Ø
Findcrypt v2 Ø
Hash & Crypto Detector v1.4 Ø
PEiD KANAL v2.92 Ø
Kerckhoffs Ø
Signsrch 0.1.7 Ø
SnD Crypto Scanner v0.5b Ø
Let’s try our tool...
![Page 127: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/127.jpg)
127
Step 1 : Gather Execution Trace
First instruction
Last instruction
![Page 129: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/129.jpg)
129
Step 2 : Recognize Loops
L1 L2 L3
![Page 130: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/130.jpg)
130
Step 3 : Define Loop Parameters
L1 L2 L3
![Page 131: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/131.jpg)
131
Step 4 : Connect Loops With Data-Flow
L1 L2 L3
![Page 132: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/132.jpg)
132
Loop Data Flow Graph (directed, acyclic)
L1 L2 L3
![Page 137: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/137.jpg)
137
L1 L2 L3
We consider each path in the graph as a possible cryptographic algorithm!
(in order to deal with algorithm combinations)
![Page 141: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/141.jpg)
Final model for the longest path
(diagram: inputs Key and Input text; outputs S-Box and Output text)
141
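The loop data-flow rule of slide 122 and the path enumeration of slides 132 to 141, as an added example and not code from the talk. The three loop descriptors are constructed to mirror the RC4 toy program: the tool itself keys parameters by memory address, so the area names "Key", "S-Box", "Input text" and "Output text" and the trace positions are assumptions chosen for readability.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Loop:
    """A loop recognised in the trace (steps 2 and 3) with its parameters: the
    memory areas it reads (inputs) and writes (outputs). Names are assumed here;
    the tool works on addresses."""
    name: str
    start: int                 # position of the loop's first instruction in the trace
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]


def build_loop_data_flow(loops: List[Loop]) -> Dict[str, List[str]]:
    """Step 4 (slide 122): an edge L1 -> L2 exists when L1 started before L2 in
    the trace and L2 reads an output parameter of L1. Edges only follow trace
    order, so the graph is a DAG."""
    graph: Dict[str, List[str]] = {loop.name: [] for loop in loops}
    for producer in loops:
        for consumer in loops:
            if producer.start < consumer.start and producer.outputs & consumer.inputs:
                graph[producer.name].append(consumer.name)
    return graph


def all_paths(graph: Dict[str, List[str]]) -> List[List[str]]:
    """Every path of one or more loops in the DAG (slides 133 to 137): each one
    is a candidate algorithm, so a key schedule and the loop consuming its result
    are tried together as well as separately."""
    paths: List[List[str]] = []

    def walk(node: str, prefix: List[str]) -> None:
        path = prefix + [node]
        paths.append(path)
        for successor in graph[node]:
            walk(successor, path)

    for node in graph:
        walk(node, [])
    return paths


def path_model(path: List[str], loops_by_name: Dict[str, Loop]) -> dict:
    """Fold the loops on a path into one algorithm model: its inputs are what the
    path reads without having produced it itself, its outputs everything it writes."""
    produced: set = set()
    inputs: set = set()
    outputs: set = set()
    for name in path:
        loop = loops_by_name[name]
        inputs |= loop.inputs - produced
        outputs |= loop.outputs
        produced |= loop.outputs
    return {"loops": list(path), "inputs": sorted(inputs), "outputs": sorted(outputs)}


def longest_path_model(loops: List[Loop]) -> dict:
    """Model for the longest path, as on slides 138 to 141."""
    by_name = {loop.name: loop for loop in loops}
    paths = all_paths(build_loop_data_flow(loops))
    return path_model(max(paths, key=len), by_name)


# Constructed loop descriptors mirroring the RC4 toy program of slide 123
# (assumed values, not the talk's trace): L1 fills the S-box, L2 mixes the key
# into it, L3 reads the S-box and the input text and writes the output text.
RC4_LOOPS = [
    Loop("L1", start=10, inputs=frozenset(), outputs=frozenset({"S-Box"})),
    Loop("L2", start=300, inputs=frozenset({"Key", "S-Box"}), outputs=frozenset({"S-Box"})),
    Loop("L3", start=900, inputs=frozenset({"S-Box", "Input text"}),
         outputs=frozenset({"S-Box", "Output text"})),
]

if __name__ == "__main__":
    for p in all_paths(build_loop_data_flow(RC4_LOOPS)):
        print(" -> ".join(p))
    print(longest_path_model(RC4_LOOPS))
```

For the three RC4 loops this yields seven candidate paths (L1, L2, L3, L1→L2, L1→L3, L2→L3 and L1→L2→L3); the longest one folds into the model of slide 141, with Key and Input text as inputs and S-Box and Output text as outputs, which is what the brute-force step then matches against the rc4() reference.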
![Page 142: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/142.jpg)
142
![Page 143: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/143.jpg)
Win32.Sality.AA
• Several internet references mention the use of RC4 in the Sality.AA protection layers.
• Let’s take a look...
(suspense...)
143
![Page 146: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/146.jpg)
Loop 1
Loop 2
Loop 3
....
Hmpf... Let’s try!
146
![Page 147: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/147.jpg)
(pipeline diagram: Sality Sample → TRACER → Execution Trace → CRYPTO EXTRACTION → Unknown Algorithms (Multi-loops))
147
![Page 151: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/151.jpg)
For the previous 3 loops, we extracted one algorithm:
x86 executable code!
151
![Page 154: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/154.jpg)
(diagram: Unknown Algorithm → IDENTIFICATION → ...)
154
![Page 155: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/155.jpg)
155
![Page 156: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/156.jpg)
RC4 extracted from two Sality.AA binaries
Crypto parameters always at the same offsets!
156
![Page 162: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/162.jpg)
MORE EXAMPLES!
Modified TEA
162
![Page 163: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/163.jpg)
Remember This ?
The magic TEA constant (delta) and the round number are seen as input parameters, because they are initialized before the loop and used inside.
Figure labels: Delta, Round number
164
![Page 165: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/165.jpg)
Modified TEA Implementation
• delta = 0x12345678 (normally 0x9E3779B9)
• round number = 16 (normally 32)
165
![Page 166: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/166.jpg)
• TEA reference implementation extended:
def tea(input_text, key):
    ...
def tea(input_text, key, delta, round_number):
    ...
166
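The extended reference as an added example (not the slides' own code): TEA with delta and round_number as explicit parameters, plus a helper that tries candidate (delta, rounds) pairs against an observed input/output pair, the way the extracted parameter values are checked against the reference. The key and plaintext values are constructed.

```python
# Added example (not from the slides): TEA with delta and round number as
# explicit parameters, so the reference can be compared against I/O values
# observed for a loop that uses non-standard constants.
MASK32 = 0xFFFFFFFF
TEA_DELTA = 0x9E3779B9   # standard TEA magic constant
TEA_ROUNDS = 32          # standard TEA round number


def _mix(x, ka, kb, s):
    # One TEA Feistel term; intermediate values may exceed 32 bits, but only
    # their low 32 bits survive the caller's final mask.
    return ((x << 4) + ka) ^ (x + s) ^ ((x >> 5) + kb)


def tea_encrypt_block(block, key, delta=TEA_DELTA, round_number=TEA_ROUNDS):
    """Encrypt one 64-bit block (v0, v1) under a 128-bit key (k0..k3)."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(round_number):
        s = (s + delta) & MASK32
        v0 = (v0 + _mix(v1, k0, k1, s)) & MASK32
        v1 = (v1 + _mix(v0, k2, k3, s)) & MASK32
    return v0, v1


def tea_decrypt_block(block, key, delta=TEA_DELTA, round_number=TEA_ROUNDS):
    """Inverse of tea_encrypt_block for the same delta and round number."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = (delta * round_number) & MASK32
    for _ in range(round_number):
        v1 = (v1 - _mix(v0, k2, k3, s)) & MASK32
        v0 = (v0 - _mix(v1, k0, k1, s)) & MASK32
        s = (s - delta) & MASK32
    return v0, v1


def identify_tea_variant(block, observed_out, key, candidates):
    """Return the (delta, round_number) pair under which the reference
    reproduces the observed output, or None if no candidate matches."""
    for delta, rounds in candidates:
        if tea_encrypt_block(block, key, delta, rounds) == observed_out:
            return delta, rounds
    return None


if __name__ == "__main__":
    key = (0x00010203, 0x04050607, 0x08090A0B, 0x0C0D0E0F)   # constructed
    pt = (0xDEADBEEF, 0xCAFEBABE)                             # constructed
    # Stand-in for a loop's observed output: the modified variant from the slides.
    observed = tea_encrypt_block(pt, key, 0x12345678, 16)
    print(identify_tea_variant(pt, observed, key,
                               [(TEA_DELTA, TEA_ROUNDS), (0x12345678, 16)]))
```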
![Page 169: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/169.jpg)
Example: Mozilla CTF
• Challenge “Awesome Corp. Secured Ranges”
• Binary program protected by PE Spin
• In the core binary, a strange algorithm...
169
![Page 170: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/170.jpg)
170
![Page 171: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/171.jpg)
171
LOOP 1
Common TEA operations
Not the TEA round number
Not the TEA delta
174
![Page 175: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/175.jpg)
175
LOOP 2
TEA round number!
![Page 177: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/177.jpg)
177
Loop Data Flow Graph
LOOP1 LOOP2
3 possible cryptographic algorithms
![Page 178: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/178.jpg)
178
LOOP1 + LOOP2
LOOP1
LOOP2
![Page 179: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/179.jpg)
Method Recap
1. We collect an execution trace.
2. We extract possible cryptographic algorithms with their parameter values.
3. We compare the input-output relationship with known algorithms.
179
We prove that a program behaves like a known crypto algorithm during one particular execution path.
![Page 180: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/180.jpg)
Conclusion (1)
• Interesting alternative to purely syntactic identification of crypto algorithms:
– Resistance against the usual obfuscation techniques.
– Gives the exact parameters.
• As with any dynamic technique, you have to know how to exhibit interesting execution paths.
• It is easy to bypass, like any program analysis technique.
180
![Page 181: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/181.jpg)
Conclusion (2)
• The identification process itself is generic:
– Collect the execution trace
– Extract the type of code you are looking for (here is the magic)
– Get I/O values
– Compare with reference implementations
181
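Step 3 of the recap and the last two steps of this generic process, as an added example (not the author's tool): a small harness that takes a loop's I/O values as a dict of named parameters and reports which reference implementation reproduces the observed output. It uses RC4, as in the Sality example, plus a constructed weak second reference to show a non-match; the observed record is the published RC4 test vector standing in for values read out of a trace.

```python
# Added example (not from the slides): "get I/O values" and "compare with
# reference implementations" as a harness. A loop's I/O is a dict of named
# parameter values; each reference recomputes the expected output from them.

def rc4(key: bytes, data: bytes) -> bytes:
    """Reference RC4: key scheduling (KSA) followed by keystream XOR (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeating_key(key: bytes, data: bytes) -> bytes:
    """Deliberately weak second reference, only to show non-matching candidates."""
    return bytes(b ^ key[n % len(key)] for n, b in enumerate(data))


# Reference table: name -> function of the loop's input parameters.
REFERENCES = {
    "RC4": lambda io: rc4(io["key"], io["input"]),
    "XOR-repeating-key": lambda io: xor_repeating_key(io["key"], io["input"]),
}


def identify(loop_io, references=REFERENCES):
    """Names of the references whose output equals the loop's observed output."""
    return [name for name, ref in references.items()
            if ref(loop_io) == loop_io["output"]]


# Observed I/O for one loop: constructed from the RC4 test vector "Key"/"Plaintext",
# standing in for the key, input buffer and output buffer read out of a trace.
OBSERVED_LOOP_IO = {
    "key": b"Key",
    "input": b"Plaintext",
    "output": bytes.fromhex("BBF316E8D940AF0AD3"),
}

if __name__ == "__main__":
    print(identify(OBSERVED_LOOP_IO))   # ['RC4']
```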
![Page 182: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/182.jpg)
Conclusion (3)
• Nice work: Felix Gröbert “Automatic Identification of Cryptographic Primitives in Software”, 27th CCC
http://code.google.com/p/kerckhoffs/
182
![Page 183: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/183.jpg)
What’s Next ? (1)
• That’s only the beginning! Just wanted to show that it is feasible and useful.
• What about more complex algorithms ? What about hash functions ? Compression algorithms ?
• What about proprietary algorithms ?
183
![Page 184: Cryptographic Function Identification in Obfuscated Binary … · 2019-03-05 · Crypto Searcher “TEA” Draca v0.5.7b “TEA/RC5/RC6” Findcrypt v2 Ø Hash & Crypto Detector v1.4](https://reader034.vdocuments.net/reader034/viewer/2022043011/5fa45c81472f4e16617e0c9c/html5/thumbnails/184.jpg)
What’s Next ? (2)
• Make a real tool. This one is just a PoC.
• How to use the analyst’s knowledge ? In practice, the analyst often knows where the crypto is; analyzing a complete execution trace is more of an academic hobby.
184