Understanding Common Encryption and Decryption Algorithms

Understanding Common Encryption and Decryption Algorithms

This article is an excellent piece from the Kuanxue Forum.

Author ID on Kuanxue Forum: Awei

IntroductionTo engage with cryptography before analyzing ransomware, some algorithms are indeed too complex, and my brother finds it quite challenging, so I won’t embarrass myself. There may also be unnoticed errors, and I hope everyone can point them out to avoid misleading others. Thank you, masters. This article does not elaborate too much on the principles of common encryption and decryption algorithms; many others have explained them well. I stand on the shoulders of giants. This article is merely for feature identification to assist in daily analysis. Two tools, the IDA plugin FindCrypt2 and PEiD’s KANA, are very useful for algorithm identification.Base64

>>>>

Historical Development

Base64 was originally used for email transmission protocols because the email transmission protocol only supports ASCII character transmission. Therefore, if binary files, such as images or videos, need to be transmitted, it is impossible. Base64 can encode the content of binary files into content that only contains ASCII characters, making it possible to transmit. In simple terms, it is to be compatible with various data formats.

>>>>

Basic Principles

It uses a method of replacing every three bytes with four bytes, converting 3×8 bits binary to 4×6 bits, with the first two bits padded with 0. If there are not enough characters to convert, empty characters are used for padding. (If 1 byte or 2 bytes are input, then only 2 or 3 output characters can be used) Using the character table“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/”for replacement Base24:“BCDFGHJKMPQmogRTVWXY2346789” Base32:“ABCDEFGHJKLMNOPQRSTUVWXYZ234567” Base60:“0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx”

>>>>

Initial Exploration of Reverse Engineering

FindCrypt2 and KANA can identify the replacement table. So first focus on the replacement table, then pay attention to the relevant bitwise operations, which may be related to base algorithms. Pseudocode for encoding:Understanding Common Encryption and Decryption Algorithms

>>>>

Modified Base64

1. Change the order of characters in the replacement table or modify the replacement table:2. Divide the replacement table into several non-continuous parts and retrieve them according to the offset, or perform encryption.Well, specific issues should be analyzed specifically.One-way hashCommon algorithms include MD5 and SHA-1.

>>>>

MD5

Features

Here, I will summarize some of the things I need based on what has been well discussed regarding encryption and decryption.https://zhuanlan.zhihu.com/p/37257569 Understanding Common Encryption and Decryption Algorithms1. Pad the message to make its length congruent to 448 mod 512 to prepare for the subsequent 64-bit length padding.2. Padding method: append a 1 to the end of the message, then pad with 0, padding length 0<x<=512.The initialization requires using 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476.3. Then proceed with data processing; relevant details can be found in books and source code. It requires using a left shift array { 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7,12, 17, 22, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 6, 10,15, 21, 6, 10, 15, 21, 6, 10, 15, 21,, 6, 10, 15, 21 } and an array of 64 additive constants storing 32-bit bytes, derived from 2^32 * (abs(sin(i))) where i ranges from 1 to 64.{ 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501, 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821, 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8, 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a, 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70, 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665, 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1, 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 };4.

#define F(x, y, z) (((x) &amp; (y)) | ((~(x)) &amp; (z)))
#define G(x, y, z) (((x) &amp; (z)) | ((y) &amp; (~(z))))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~(z))))

5. Group the 512-bit message into 16 groups of 32 bits and perform 4*16 operations.6. 128-bit hash value.

Reverse Identification

FindCrypt2 and PEiD’s KANA can identify additive constants. Use MD5KeyGen.exe from encryption and decryption for analysis and learning.1. Register initialization

Understanding Common Encryption and Decryption Algorithms

2. Pseudocode for the MD5 calculation partUnderstanding Common Encryption and Decryption AlgorithmsEvery 16 hard-coded constants used will reveal a change in the algorithm. See the previous point for detailed algorithms.3. This simply confirms it is the MD5 algorithm, and then it can be traced back fromUnderstanding Common Encryption and Decryption AlgorithmsIDA recognition has some issues; the assembly shows both are equal.4. Understanding Common Encryption and Decryption Algorithmsv11 is the replacement table, indicating that v4 may be the calculated value. Dynamic debugging reveals that filtering out the previous judgments leads to the MD5 calculation value:Understanding Common Encryption and Decryption AlgorithmsThis indicates that the string “www.pediy.com” was added midway.5. Understanding Common Encryption and Decryption Algorithmssub_4012E0 integrates the string addition and copy function, which is exactly equal to the original string minus 64 bits, and calculates MD5 directly.Understanding Common Encryption and Decryption Algorithms6. The general process is almost analyzed; basically, modifying the original MD5 algorithm can yield a keygen.

#!python3
import hashlib
str = input()
str +='www.pediy.com'
hash = hashlib.md5()
hash.update(str.encode('utf-8'))
hash = hash.hexdigest()
code = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
serial = ""
for i in range(0,len(hash),2):
    a = '0x' + hash[i]+hash[i+1]
    serial = serial+code[eval(a)%32]
serial = serial[:4] + '-' + serial[4:8] +'-' + serial[8:12] +'-'+serial[12:16]
print(serial)

Understanding Common Encryption and Decryption Algorithms

Modified

1. Four constants may be changed.2. Change the characters after input, add or perform certain operations, etc.3. The hash processing process may change.

>>>>

SHA Algorithm

Hash length: SHA-1 160 bits, SHA-256 256 bits, SHA-384 384 bits, SHA-512 512 bits. SHA-2 includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

SHA-1

Reference for principles:https://www.wosign.com/News/news_2018121101.htmIt is explained in detail.

Features

1. Message padding is the same as MD5; 512 bits per group, then 16 groups x 32 bits, then expanded to 80 groups x 32 bits, performing 4*20 operations.2. Use this function to calculate A, B, C, D, E <- [(A<<5) + ft(B, C, D) + E + Wt + Kt], A, (B<<30), C, D, f function pseudocode is below:

#define F0(x,y,z) ((x&amp;y)|((~x)&amp;z))
#define F1(x,y,z) (x^y^z)
#define F2(x,y,z) ((x&amp;y) | (x&amp;z)|(y&amp;z))
#define F3(x,y,z) (x^y^z)

3. Use constants

#define K0 0x5a827999L
#define K1 0x6ed9eba1L
#define K2 0x8f1bbcdcL
#define K3 0xca62c1d6L

Initialize the hash values of the registers:

#define H0 0x67452301L
#define H1 0xefcdab89L
#define H2 0x98badcfeL
#define H3 0x10325476L
#define H4 0xc3d2e1f0L

Initial Exploration of SHA-1 Encryption

Use the example program from encryption and decryption 6.1.2.1. FindCrypt plugin identifies SHA-1 constants:Understanding Common Encryption and Decryption Algorithms2. Check the input; Name is not empty, Serial is 20 bits:Understanding Common Encryption and Decryption Algorithms3. Basic process:Understanding Common Encryption and Decryption Algorithms4. Keygen

#!python3
import hashlib
output = []
str = input()
hash = hashlib.sha1()
hash.update(str.encode('utf-8'))
hash = hash.hexdigest()
xor_str_1 = [0x50,0x45,0x44,0x49,0x59,0x20,0x46,0x6F ,0x72 ,0x75, 0x6D,0x00 ]
xor_str_2 = "pediy.com"
num = 0
# print(hash)
for i in range(0,34,2):
    if i &gt; 22:
        b = '0x' + (hash[i] + hash [i+1])
        a = eval(b) ^ eval(output[int((i/2))-12])
        output.append(hex(a))
        continue
    b = '0x' + (hash[i] + hash [i+1])
    a = eval(b) ^ (xor_str_1[int(i/2)])
    output.append(hex(a))
 
for i in range(34,40,2):
    b = '0x' + (hash[i] + hash [i+1])
    a = eval(b) ^ ord(xor_str_2[int(i/2)-17])
    output.append(hex(a))
for i in range(10):
    output[10+i] = hex(eval(output[i]) ^ eval(output[10+i]))
 
for i in range(10,20):
    print('{:0&gt;2}'.format((output[i][2:]).upper()),end = "")

Success!Understanding Common Encryption and Decryption Algorithms5. Reference for the calculation function pseudocode.Understanding Common Encryption and Decryption Algorithms

>>>>

Summary

Pay attention to the byte and bit conversion functions; they can be confusing if not familiar.

for (i=0;i&lt;20;i++)
{ /* convert to bytes */
    hash[i]=((sh-&gt;h[i/4]&gt;&gt;(8*(3-i%4))) &amp; 0xffL);
}

Symmetric encryption

>>>>

RC4

RC4 generates a pseudo-random stream called the key stream, which is equal in length to the encrypted data. The key stream is XORed with the data for encryption and decryption. The key stream generation is divided into two parts: KSA and PRGA.1. The Key-Scheduling Algorithm (KSA):

Initialize a 256-byte array S in ascending order: 0,1,2,3,4.....,254,255.

Use the key to fill a 256-byte array T; if the length is insufficient, rotate and fill until full.

Randomize the array S.

int j = 0;
for (i = 0;i&lt;256;i++){
    j =(j+S[i]+T[i])%256;
    swap(S[i],S[j]);
}

2. The Pseudo-Random Generation Algorithm (PRGA):

int i, j = 0;
while (data_length--) {
    i = (i + 1) % 256;
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    swap(S[i], S[j]);
    int t = (S[i] + S[j]) % 256;
    int k = S[t];
    // k is the encryption key, XOR directly with the data or store it in an array and XOR at the end.
}

3. Complete function code:

#include&lt;iostream&gt;
using namespace std;

int S[256] = { 0 };

void swap(int&amp; a, int&amp; b) {
    int c = a;
    a = b;
    b = c;
}
void KSA(unsigned char key[], int len) {
    for (size_t i = 0; i &lt; 256; i++) S[i] = i;
    int j = 0;
    for (size_t i = 0; i &lt; 256; i++)
    {
        j = (j + S[i] + key[i % len]) % 256;
        swap(S[i], S[j]);
    }
}
void PRGA(unsigned char data[], int len) {
    int i = 0, j = 0, num = 0;
    int data_length = len;
    while (data_length--) {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        swap(S[i], S[j]);
        int t = (S[i] + S[j]) % 256;
        int k = S[t];
        data[num] = (data[num] ^ k);
        num++;
    }
}

int main() {
    unsigned char key[] = "xwdidi.com";
    unsigned char data[] = "bbspediycom";
    KSA(key, strlen((char*)key));
    PRGA(data,strlen((char*)data));
    for (size_t i = 0; i &lt; strlen((char*)data); i++)
    {
        cout &lt;&lt; hex &lt;&lt; (int)data[i] &lt;&lt; " ";
    }
    return 0;
}

Initial Exploration of Reverse Identification of RC4Use the RC4Sample from encryption and decryption for analysis and learning.

Main Function Body Pseudocode

Understanding Common Encryption and Decryption AlgorithmsThe two middle functions are likely KSA and PRGA.

sub_401000

Pseudocode full diagram:Understanding Common Encryption and Decryption AlgorithmsYou can see the do-while loop in the middle, with an array of 256 bits initialized. This indicates that a1+2 is the position of an s-box array, where *a1 and a1[0] are two int variables. In the following loop, the swapping and calculation of j are interleaved. 30, 31, 34, 35, 36 are the positions for calculating j, while 30, 33, 34 are for swapping. By comparing v3 with a3, the effect of taking the key length modulo can be obtained. v8 is the s-box value taken for each loop.

sub_401070

Understanding Common Encryption and Decryption AlgorithmsAt first glance, it seems to perform XOR operations, which may be PRGA. Upon closer examination, it is found that result[2] is actually the address of the s-box, while other variables are offsets relative to the base address. 30, 31, 34, 35, 36 are actually the swap function, while others are for obtaining the XOR key’s required offset calculations.

Modified RC4

1. Use other algorithms to encrypt parameters, merging with other encryption algorithms.2. The internal data of the S-box is fixed.

>>>>

Summary

Regarding loops, if there are 256 or 0x100 keywords, obtaining the string length and using processed values again for XOR raises suspicion of RC4 encryption.

>>>>

TEA

XTEA, XXTEA, and TEA can be recognized by 0x9E3779B9; a detailed analysis will be written later when time permits.AES

>>>>

Basic Principles

Block length: 128 bits Key length: 128, 192, 256 bits Rounds: 10, 12, 14 respectively Set Nr as the r+1 round function, copy the input into the state array, perform an initial round key addition operation, and execute Nr round functions to transform the state array, where the last round is different from the previous Nr-1 rounds. Finally, copy the final state array to the output array to obtain the final ciphertext (quoted from encryption and decryption). AES-128:Understanding Common Encryption and Decryption AlgorithmsRound key addition (AddRoundKey): This process involves a simple XOR calculation between the state elements and the round key and requires three parameters. Byte substitution (SubBytes): This operation uses an S-box for lookup and byte replacement. S-box: Understanding Common Encryption and Decryption AlgorithmsRow shifting (ShiftRows): The array size is 4×4 bytes; the first row remains unchanged, the second row shifts left by 1 byte, the third row shifts left by 2 bytes, and the fourth row shifts left by 3 bytes. Column mixing (MixColumns): This operates on a column basis, which can be viewed as performing matrix multiplication, with the matrix being ((02,03,01,01)(01,02,03,01)(01,01,02,03)(03,01,01,02)). Key expansion (KeyExpansion): Generates Nr+1 32-bit double words through the key expansion algorithm. Decryption is simply the reverse process.

>>>>

Space for Time

Most of the time, common AES uses space to replace time. It combines several steps of the round function into a simple lookup operation, with the exception of the last step, which requires conventional processing. Then, four T-tables are needed, each requiring 256 4-byte 32-bit doubles, resulting in 4kb of storage space. For each round, there are 4 lookup operations and 4 XOR operations, totaling four times, with 16 rounds of lookup and 16 rounds of XOR. T-table data diagram:Understanding Common Encryption and Decryption Algorithms

t0 = Te0[s0 &gt;&gt; 24] ^ Te1[(s1 &gt;&gt; 16) &amp; 0xff] ^ Te2[(s2 &gt;&gt; 8) &amp; 0xff] ^ Te3[s3 &amp; 0xff] ^ rk[round*4];
t1 = Te0[s1 &gt;&gt; 24] ^ Te1[(s2 &gt;&gt; 16) &amp; 0xff] ^ Te2[(s3 &gt;&gt; 8) &amp; 0xff] ^ Te3[s0 &amp; 0xff] ^ rk[round*4+1];
t2 = Te0[s2 &gt;&gt; 24] ^ Te1[(s3 &gt;&gt; 16) &amp; 0xff] ^ Te2[(s0 &gt;&gt; 8) &amp; 0xff] ^ Te3[s1 &amp; 0xff] ^ rk[round*4+2];
t3 = Te0[s3 &gt;&gt; 24] ^ Te1[(s0 &gt;&gt; 16) &amp; 0xff] ^ Te2[(s1 &gt;&gt; 8) &amp; 0xff] ^ Te3[s2 &amp; 0xff] ^ rk[round*4+3];

>>>>

Initial Exploration of Reverse Identification of RC4

Again, using the sample from encryption and decryption.1. FindCrypt identifies MD5 and AES:Understanding Common Encryption and Decryption Algorithms2. The serial length is 32 bytes, which is exactly 128 bits in hexadecimal.Understanding Common Encryption and Decryption Algorithms3. Static analysis is generally like this; next, let’s see dynamically:Understanding Common Encryption and Decryption Algorithms4. sub_401320 pushes the address of the initialized register array, name, length:

Understanding Common Encryption and Decryption Algorithms

5. Finally, obtain the 128-bit MD5 hash value.Understanding Common Encryption and Decryption Algorithms6. Execute sub_401EC0

Understanding Common Encryption and Decryption Algorithms

7. The S-box in memory:Understanding Common Encryption and Decryption Algorithms8. Detailed algorithms are omitted:Understanding Common Encryption and Decryption AlgorithmsThere are many shift and XOR operations in the function, and it’s too large to screenshot everything.9. Keygen

#!python3
from Crypto.Cipher import AES
import hashlib
#"xwdidi" md5
hash = b"\x39\xd7\x8e\xe5\x67\xf3\xf2\x96\xad\x84\x8d\x3f\xcd\xb1\xd4\x61"
key = b"\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3c"
cipher = AES.new(key,AES.MODE_ECB)
plaintext = cipher.decrypt(hash)
for i in plaintext:
    print(hex(i)[2:].upper(),end="")

>>>>

Encryption Mode and Padding Mode

  • ECB: The message to be encrypted is divided into several blocks according to the block size of the block cipher and each block is independently encrypted.

  • CBC: Each plaintext block is XORed with the previous ciphertext block before encryption.

  • CTR

  • OCF

  • CFB

ECB and CBC

  • PKCS7Padding: Assuming that the data length needs to be padded with n (n>0) bytes to align, then n bytes are padded, each byte is n; if the data itself is already aligned, then a block of data equal to the block size is padded, with each byte being the block size.

  • PKCS5Padding: A subset of PKCS7Padding, with a fixed block size of 8 bytes.

  • Zero-Padding uses 0 for padding (suitable for strings that end with \0 for encryption and decryption).

Asymmetric encryption

>>>>

RSA

Basic Principles

1. Choose two distinct large prime numbers p and q, calculate n=p*q.2. According to Euler’s function, obtain r=φ(n)=φ(p)φ(q)=(p−1)(q−1).3. Choose an integer that is coprime to e and less than r, and obtain c as the modular inverse of d concerning r, such that ed ≡ 1 mod r.4. Destroy p and q; at this point, (n,e) is the public key, and (n,d) is the private key.5. $$EncryptionEncrypt n^e ≡ c mod N, message decryption c^d ≡ n mod N \\ (it only needs to prove n^{ed} ≡nmod N)$$

Initial Exploration of RSA

It was found that this program has the same logic as the one using the Miracl library for calculations, so let’s analyze it briefly.Understanding Common Encryption and Decryption Algorithms1. Check each data one by one to see if it is among 0123456789abcdeABCDEF; if so, report an error directly.Understanding Common Encryption and Decryption Algorithms2. Parameter initializationUnderstanding Common Encryption and Decryption Algorithms3. Assign m to Serial, large numbers n and e.Understanding Common Encryption and Decryption Algorithms4. Calculate the modulusUnderstanding Common Encryption and Decryption Algorithms5. Compare to determine correctnessUnderstanding Common Encryption and Decryption Algorithms6. Thus, we know that the serial undergoes RSA decryption and is compared with the input. We learn that n=0x80C07AFC9D25404D6555B9ACF3567CF1 and e=0x10001.7. Use the RSATool’s Factor N function for large number factorization to obtain p=0xA554665CC62120D3, q=0xC75CB54BEDFA30AB.8. Input E, click Calc. D to get d=0x651A40B9739117EF505DBC33EB8F442D.9. The hexadecimal representation of xwdidi is 787764696469; using a big number calculator to compute c ^d ≡ m mod N gives m=0x5D99FFF7B67285275C8639BCEF982B7, which returns Success! when input into the software.10. Keygen

#!python3
import binascii
c =input()
a = ""
for i in c:
    a = a + hex(ord(i))
# print(a)
a = a.replace("0x","")
e = "0x" + a
# print(e)
result = pow(eval(e),0x651A40B9739117EF505DBC33EB8F442D,0x80C07AFC9D25404D6555B9ACF3567CF1)
print(hex(result)[2:])

11. Part of the pseudocode for the powmod function as a reference:Understanding Common Encryption and Decryption Algorithms

>>>>

Mircal Large Number Calculation Library

The Mircal library is commonly used and requires further familiarity to facilitate analysis. The header files are mircal.h and mirdef.h, and the library file is ms32.lib. Below are the magic numbers for the large number calculation library functions.

MIRACL MAGIC NUMBERS TABLE:
                       by bLaCk-eye
        from an original idea by bF!^k23
        Modified by cnbragon for miracl v5.01
 
NUMBER OF FUNCTIONS: 96h
 
innum equ 01h .
otnum equ 02h .
jack equ 03h .
normalise equ 04h .
multiply equ 05h .
divide equ 06h .
incr equ 07h .
decr equ 08h .
premult equ 09h .
subdiv equ 0Ah .
fdsize equ 0Bh .
egcd equ 0Ch .
cbase equ 0Dh .
cinnum equ 0Eh .
cotnum equ 0Fh .
nroot equ 10h .
power equ 11h .
powmod equ 12h .
bigdig equ 13h .
bigrand equ 14h .
nxprime equ 15h .
isprime equ 16h .
mirvar equ 17h .
mad equ 18h .
multi_inverse equ 19h .
putdig equ 1Ah .
add                    equ 1Bh .
subtract equ 1Ch .
mirsys equ 1Dh .
xgcd equ 1Eh .
fpack equ 1Fh .
dconv equ 20h .
mr_shift equ 21h .
mround equ 22h .
fmul equ 23h .
fdiv equ 24h .
fadd equ 25h .
fsub equ 26h .
fcomp equ 27h .
fconv equ 28h .
frecip equ 29h .
fpmul equ 2Ah .
fincr equ 2Bh .
;null entry
ftrunc equ 2Dh .
frand equ 2Eh .
sftbit equ 2Fh .
build equ 30h .
logb2 equ 31h .
expint equ 32h .
fpower equ 33h .
froot equ 34h .
fpi equ 35h .
fexp equ 36h .
flog equ 37h .
fpowf equ 38h .
ftan equ 39h .
fatan equ 3Ah .
fsin equ 3Bh .
fasin equ 3Ch .
fcos equ 3Dh .
facos equ 3Eh .
ftanh equ 3Fh .
fatanh equ 40h .
fsinh equ 41h .
fasinh equ 42h .
fcosh equ 43h .
facosh equ 44h .
flop equ 45h .
gprime equ 46h .
powltr equ 47h .
fft_mult equ 48h .
crt_init equ 49h .
crt equ 4Ah .
otstr equ 4Bh .
instr equ 4Ch .
cotstr equ 4Dh .
cinstr equ 4Eh .
powmod2 equ 4Fh .
prepare_monty equ 50h .
nres equ 51h .
redc equ 52h .
nres_modmult equ 53h .
nres_powmod equ 54h .
nres_moddiv equ 55h .
nres_powltr equ 56h .
divisible equ 57h .
remain equ 58h .
fmodulo equ 59h .
nres_modadd equ 5Ah .
nres_modsub equ 5Bh .
nres_negate equ 5Ch .
ecurve_init equ 5Dh .
ecurve_add equ 5Eh .
ecurve_mult equ 5Fh .
epoint_init equ 60h .
epoint_set equ 61h .
epoint_get equ 62h .
nres_powmod2 equ 63h .
nres_sqroot equ 64h .
sqroot equ 65h
nres_premult equ 66h .
ecurve_mult2 equ 67h .
ecurve_sub equ 68h .
ecurve_multi_add equ 69h .
ecurve2_init equ 6Ah .
epoint2_init equ 7Bh .
epoint2_set equ 7Dh .
epoint2_norm equ 7Eh .
epoint2_get equ 7Fh .
epoint2_comp equ 80h .
ecurve2_add equ 81h .
epoint2_negate equ 82h .
ecurve2_sub equ 83h .
ecurve2_multi_add equ 84h .
ecurve2_mult equ 85h .
ecurve2_multn equ 86h .
ecurve2_mult2 equ 87h .
ebrick2_init equ 88h .
mul2_brick equ 89h .
prepare_basis equ 8Ah .
strong_bigrand equ 8Bh .
bytes_to_big equ 8Ch .
big_to_bytes equ 8Dh .
set_io_buffer_size equ 8Eh .
epoint_getxyz equ 8Fh .
ecurve_double_add equ 90h .
nres_double_inverse equ 91h .
double_inverse equ 92h .
epoint_x equ 93h .
hamming equ 94h .
expb2 equ 95h .
bigbits equ 96h .

>>>>

Disassembly Identification

Disassembly identification focuses on examining the function’s internal mov doword ptr [eax+ecx*4+20], yy format disassembly code, where yy is the magic number. Understanding Common Encryption and Decryption AlgorithmsThis is the function comparison diagram:

sub_401730:

Understanding Common Encryption and Decryption Algorithms

sub_403BD0:

Understanding Common Encryption and Decryption Algorithms

Other functions will not be individually found; they can all be seen inside the functions. This is basically how to identify them.Reference“Encryption and Decryption 4” https://www.cnblogs.com/gambler/p/9075415.html http://dyf.ink/reverse/Identify-Encode-Encryption/introduction/ https://xz.aliyun.com/t/5644 https://www.zhihu.com/question/36306744 https://bbs.pediy.com/thread-251248.htm http://dyf.ink/crypto/asymmetric/rsa/rsa_theory/ https://www.kancloud.cn/kancloud/rsa_algorithm/48484 https://juejin.im/entry/5b1bab6b6fb9a01e605fcddd https://cloud.tencent.com/developer/article/1040293 https://www.cnblogs.com/starwolf/p/3365834.html https://github.com/matt-wu/AES/blob/master/README.mdUnderstanding Common Encryption and Decryption Algorithms– End –Understanding Common Encryption and Decryption Algorithms

Kuanxue ID:Awei

https://bbs.pediy.com/user-779000.htm

* This article is original by Awei from the Kuanxue Forum; please indicate the source if reprinted from the Kuanxue community.

Recommended articles++++

Understanding Common Encryption and Decryption Algorithms

* Newbie Panda Burning Incense Learning Notes

* GandCrab v5.2 Analysis

* Custom Xposed Framework

* Android 4.4 From url.openConnection to DNS Resolution

* Detailed analysis of retdlresolve technology through a pwn problem

A must-read book in the advanced security circle.Understanding Common Encryption and Decryption AlgorithmsUnderstanding Common Encryption and Decryption AlgorithmsUnderstanding Common Encryption and Decryption AlgorithmsClick “Read the original text” to recharge together!

Leave a Comment