Using the cryptographic algorithm identification plugin FindCrypt2 in IDA
FindCrypt2 is a powerful IDA plugin, the second version of FindCrypt. It supports both little-endian and big-endian formats.
(works with both little and big endian programs. It knows to reuse old slots in the bookmarks if run repeatedly. It is fully automatic and scans each new created database. Manual scan is still available.)
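The IDA 5.1 package downloaded from the Internet is a full-featured software package.
It includes important components such as the SDK (the Hex-Rays Decompiler is not included).
FindCrypt2 packages can be downloaded from the Internet. Some of them contain a precompiled findcrypt.plw, which only needs to be copied into IDA's plugins directory.
If findcrypt.plw is not included, or its version does not match, the FindCrypt2 source code can be compiled with the IDA SDK to produce findcrypt.plw.
The package I downloaded already contained findcrypt.plw. I put it into the plugins directory of IDA 5.1, started IDA and opened an exe file, and the FindCrypt2 results were already visible during the analysis phase.
The plugin can also be run via
Edit >> Plugins >> Find Crypt v2.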
----------------------------------------------------------------------------------------------
File 'C:\Program Files\FoxitReader\Foxit Reader.exe' is successfully loaded into the database.
4B18DD: found sparse constants for SHA-1
4B2FAD: found sparse constants for MD4
4B30C0: found sparse constants for MD5
53A69C: found sparse constants for MD4
53A8E9: found sparse constants for MD5
86E584: found const array Rijndael_Te0 (used in Rijndael)
86E984: found const array Rijndael_Te1 (used in Rijndael)
86ED84: found const array Rijndael_Te2 (used in Rijndael)
86F184: found const array Rijndael_Te3 (used in Rijndael)
86F584: found const array Rijndael_Td0 (used in Rijndael)
86F984: found const array Rijndael_Td1 (used in Rijndael)
86FD84: found const array Rijndael_Td2 (used in Rijndael)
870184: found const array Rijndael_Td3 (used in Rijndael)
870598: found const array PKCS_DigestDecoration_MD2 (used in PKCS_MD2)
8705B0: found const array PKCS_DigestDecoration_MD5 (used in PKCS_MD5)
87B534: found const array Rijndael_Te0 (used in Rijndael)
87B934: found const array Rijndael_Te1 (used in Rijndael)
87BD34: found const array Rijndael_Te2 (used in Rijndael)
87C134: found const array Rijndael_Te3 (used in Rijndael)
87C534: found const array Rijndael_Td0 (used in Rijndael)
87C934: found const array Rijndael_Td1 (used in Rijndael)
87CD34: found const array Rijndael_Td2 (used in Rijndael)
87D134: found const array Rijndael_Td3 (used in Rijndael)
8C72E0: found const array zinflate_lengthExtraBits (used in zlib)
8C7354: found const array zinflate_distanceExtraBits (used in zlib)
94C850: found const array CRC32_m_tab (used in CRC32)
Found 26 known constant arrays in total.
----------------------------------------------------------------------------------------------
Double-click the address in any line of the output window to jump to the corresponding location in the code window.
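The log above reports two kinds of hits: contiguous constant arrays and sparse constants. The sketch below is an added example, not FindCrypt2's source and not part of the original page. It shows signature scanning of that general kind over a constructed byte buffer, in both byte orders. The function names, the four-word signature prefixes and the 64-byte window are assumptions made for illustration.

```python
import struct
# Added illustration (hypothetical names, not FindCrypt2 source): leading words of public tables.
ARRAYS = {
    "CRC32_m_tab": [0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA],
    "Rijndael_Te0": [0xC66363A5, 0xF87C7C84, 0xEE777799, 0xF67B7B8D],
}
SPARSE = {  # constants usually embedded as instruction immediates, not as a table
    "SHA-1": [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
    "MD5": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
}
ENDIANS = (("<", "little"), (">", "big"))

def _offsets(data, needle):
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def find_const_arrays(data, base=0):
    """Contiguous match: the whole word sequence must appear back to back."""
    hits = []
    for name, words in ARRAYS.items():
        for fmt, tag in ENDIANS:
            needle = struct.pack(f"{fmt}{len(words)}I", *words)
            hits += [(base + p, name, tag) for p in _offsets(data, needle)]
    return sorted(hits)

def find_sparse_constants(data, base=0, window=64):
    """Sparse match: the first word anchors the hit, the rest must occur within `window` bytes."""
    hits = []
    for name, words in SPARSE.items():
        for fmt, tag in ENDIANS:
            packed = [struct.pack(fmt + "I", w) for w in words]
            for p in _offsets(data, packed[0]):
                if all(c in data[p:p + window] for c in packed[1:]):
                    hits.append((base + p, name, tag))
    return sorted(hits)

def build_sample():
    """Constructed test image: LE CRC32 table, BE Rijndael table, SHA-1 immediates in fake code."""
    crc = struct.pack("<4I", *ARRAYS["CRC32_m_tab"])
    te0 = struct.pack(">4I", *ARRAYS["Rijndael_Te0"])
    code = b"".join(b"\x81\xC1" + struct.pack("<I", k) + b"\x90\x90" for k in SPARSE["SHA-1"])
    return b"\xCC" * 16 + crc + b"\xCC" * 16 + te0 + b"\xCC" * 16 + code

if __name__ == "__main__":
    image = build_sample()
    for addr, name, tag in find_const_arrays(image, 0x400000) + find_sparse_constants(image, 0x400000):
        print(f"{addr:X}: {name} ({tag} endian)")
```

A hit only shows that the constants are present in the image. Short prefixes like these can match unrelated data, so each address still needs to be checked in the disassembly.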