d3v1l401 / findcrypt-ghidra

IDA Pro's FindCrypt ported to Ghidra, with an updated and customizable signature database

Home Page: https://d3vsite.org/

License: GNU General Public License v3.0

Java 7.03% C++ 92.87% C 0.10%
cryptography ghidra plugin cryptography-tools cryptoanalysis reverse-engineering

findcrypt-ghidra's Introduction

FindCrypt - Ghidra Edition

This project is discontinued as I can't keep it maintained; please refer to the forks or variations of this project, such as this one. Feel free to open an issue with a short description if you wish to add your project to the list of derivative work.

While for years we used IDA Pro and the incredible plugins developed by its huge community, Ghidra came out recently (at the time of writing), showing a lot of potential and a modular design that allows customization in both Python and Java.

As most of you know, FindCrypt, a plugin for IDA written by none other than Ilfak Guilfanov himself, is essential for quickly finding references to cryptographic functions in a target and is extremely useful in the field of reverse engineering.

I'm moving to Ghidra, and the very first thing I noticed is how important this plugin is to me, so I took on the responsibility of porting it to Java without sacrificing any signature, and of trying to improve it as well.

Demo

This software is still being developed and tested; if you encounter any problem, please report it in the Issues section.

Installation

Windows

  1. Find your Ghidra installation directory (e.g. "E:\Reversing Softwares\ghidra_9.0")
  2. Move "FindCrypt.java" into "Ghidra\Features\BytePatterns\ghidra_scripts"
  3. Move "findcrypt_ghidra" (database directory) into "C:\Users\your user"
  4. Be sure Ghidra can access the "findcrypt_ghidra" directory both for reading and writing.

Linux

  1. Find your Ghidra installation directory (e.g. ~/ghidra)
  2. Move "FindCrypt.java" into "~/ghidra/Features/BytePatterns/ghidra_scripts"
  3. Move "findcrypt_ghidra" (database directory) into ~/ (or $HOME)
  4. Be sure Ghidra can access the "~/findcrypt_ghidra" directory both for reading and writing.

Usage

Once you have started your project and opened the disassembler, open the Script Manager window and search for "FindCrypt.java". Double-clicking it or pressing "Run" executes the script, and a result window is shown if something is found.

Example result

Database

The database is a binary file in a serialization format of my own; it is very simple, but functional for its goal. It contains the constants of all 79 algorithms implemented by Ilfak, with no sacrifices made while migrating them, plus more added over time by contributors.

There is a total of 122 detectable constants in the database, related to:

  • Raw Primitives
    • Keccak (SHA-3)
  • Elliptic Curves
    • Donna32 (EC25519), Donna64 (EC25519)
  • Stream ciphers
    • Chacha, Salsa, Sosemanuk
  • Block ciphers
    • Blowfish, Camellia, DES, TripleDES, RC2, SHARK, Cast, Square, WAKE, Skipjack, HIGHT, Kalyna, LEA, SEED, SHACAL2, SIMON-64, SIMON-128, TEA/TEAN/XTEA/XXTEA
  • Hash functions
    • Whirlpool, MD2, MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512, Tiger, RIPEMD160, HAVAL, BLAKE2
  • AES Family
    • AES, RC5/RC6, MARS, Twofish, CAST-256, GOST, SAFER
  • Compression
    • ZLib

To include more constants of your choice, simply refer to the "FCExporter" project, and perhaps also share your new entries :)
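To make the database idea concrete, here is an added example (my own code, not FindCrypt's) of the kind of scan such a constant database drives: each entry is a table of well-known words, the scanner builds the byte image of that table in both byte orders and looks for it verbatim in the binary. The constant values come from the public SHA-256, MD5 and TEA specifications; the sample buffer, the signature names and the assumption that both byte orders are tried are mine.

```python
import struct
from typing import Dict, List, Tuple

# Constant tables taken from the public specifications of each algorithm.
SIGNATURES: Dict[str, List[int]] = {
    "SHA-256 initial hash (H0..H3)": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A],
    "MD5 T[1..4]": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "TEA delta": [0x9E3779B9],
}


def pack_words(words: List[int], endian: str) -> bytes:
    """Byte image of a 32-bit constant table; endian is "<" (little) or ">" (big)."""
    return b"".join(struct.pack(endian + "I", w) for w in words)


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs in buf (overlapping matches included)."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes) -> List[Tuple[int, str, str, int]]:
    """Report (offset, signature name, byte order, signature length) per match.

    The length is reported on purpose: a 16-byte table is far less likely to
    occur by chance than a lone 4-byte word such as the TEA delta, so short
    signatures deserve a manual look before being trusted.
    """
    results = []
    for name, words in SIGNATURES.items():
        for endian, label in (("<", "little"), (">", "big")):
            pattern = pack_words(words, endian)
            for off in find_all(buf, pattern):
                results.append((off, name, label, len(pattern)))
    return sorted(results)


def constructed_sample() -> bytes:
    """Constructed stand-in for a binary (not a real file): a little-endian
    SHA-256 IV table and a big-endian TEA delta surrounded by filler bytes."""
    return (b"\x90" * 16
            + pack_words(SIGNATURES["SHA-256 initial hash (H0..H3)"], "<")
            + b"\x00" * 8
            + pack_words([0x9E3779B9], ">")
            + b"\x00" * 8)


if __name__ == "__main__":
    for off, name, order, length in scan(constructed_sample()):
        print(f"0x{off:04x}  {name} ({order}-endian, {length}-byte signature)")
```

Run as a script it lists the SHA-256 table at offset 16 and the big-endian TEA delta at offset 40; the MD5 table is absent from the sample and correctly produces no hit.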

Database Updating

The script now uses an internal auto-update system synchronized with the latest database version in this repository. Synchronization with the central repository is turned on by default, to ensure that the user always has the latest version and therefore gets the best results from the script. If you wish to turn it off:

  1. Open the "FindCrypt.java" file and find the '__FORCE_NO_DBUPDATE' variable (line 705).
  2. Replace "false" with "true".

Script Updating

While the database is modular by design and can be updated automatically, the script cannot; instead, the script checks its current version and prompts the user to download the latest version from this repository, together with the list of changes in the new version.

The script update message is shown only once per session.

Proceed to download the latest version of "FindCrypt.java" and replace it in Ghidra's script directory.

This feature is also turned on by default; if you wish to disable it, follow the steps above for the '__FORCE_NO_SCRIPTUPDATE' variable (line 707).

Example update

Credits

d3vil401 - [email protected], d3vil401#7685 (Discord), https://d3vsite.org/

Ilfak Guilfanov - https://twitter.com/ilfak

NSA (Ghidra) - https://ghidra-sre.org/


License

GNU GPLv3 - Refer to "LICENSE"

Using Crypto++ - Refer to Licenses\Crypto++.txt

findcrypt-ghidra's People

Contributors

d3v1l401, jasperla, learath2, pawlos


findcrypt-ghidra's Issues

Add alternative magic constant for XTEA

Thx for this great extension.

I've tried to test it on one of the binaries which contains XTEA crypto and was surprised to get no results. I've reversed the database and noticed that the constant for TEA_DELTA is 0x9E3779B9. But this challenge was using an alternative value which is 0x61C88647 and instead of adding it, subtracts.

More about this here: https://crypto.stackexchange.com/a/12570/41535

It would be nice to detect that too.

Tried to find if there's any tool to extend the DB so that I could send a PR. Is the FCExporter what I should use to generate the new DB? If so, I'll try to compile and send a PR if it's ok to add this additional constant for XTEA.

FYI the challenge was MugatuWare from Flare-On 2019 (it was in the dll, not initial exe).

No results FindCrypt on MacOS

When running FindCrypt on MacOS Mojave (latest update), it basically doesn't print any result, meaning it doesn't show a popup box.

Installation (as per MacOS):

$ ll ~/ghidra_scripts
total 96
-rw-r--r--  1 x  staff    45K Apr 22 03:21 FindCrypt.java

$ md5 ~/findcrypt_ghidra/database.d3v
MD5 (/Users/x/findcrypt_ghidra/database.d3v) = e2e8b69d6f2d51a643f9b8ec430a7839

Result:

FindCrypt.java> Running...
FindCrypt.java> Finished!

"Cannot Find Symbol" variable file - Fix

Upon following the install instructions I got the following error:

FindCrypt.java:696: error: cannot find symbol
	private static final String __DEFAULT_LOAD_DIR = "findcrypt_ghidra" + File.separator + "database.d3v";
	                                                                      ^
  symbol:   variable File
  location: class FindCrypt
FindCrypt.java:761: error: cannot find symbol
				DataInputStream _stream = new DataInputStream(new FileInputStream(cwd + File.separator + __DEFAULT_LOAD_DIR));
				                                                                        ^
  symbol:   variable File
  location: class EntryManager
2 errors
> Unable to locate script class: Unable to compile class: FindCrypt.java

This was fixed by adding import java.io.File; to FindCrypt.java

HMAC Support

This is more of a question than an issue. Quite simply: Does this script also support finding HMAC?

I'm reversing a binary that I'm quite sure uses HMAC with SHA1. The script was able to correctly identify the SHA1 portion of the binary. However, what I'm mostly interested in is finding the key used during the HMAC procedure. HMAC does have some magic number constants, notably 0x36 and 0x5c, but I haven't had much luck finding where that part of the implementation occurs.

Thanks!

Issue with detecting crypto algorithms

I was playing a bit with the plugin and found another case/issue. I did poke around in the plugin code and database and I'm not sure how it's supposed to work. I have a binary that utilizes SALSA20 and Blake2. I'm seeing the IV constants in the code (screenshot omitted), and although FindCrypt has them defined in the DB, the plugin doesn't report anything.

What I noticed is that the BLAKE2 (or any other) constants are passed to findBytes as one 64-byte long array, and of course, since they are not in one place, they are not correctly discovered. I get that it detects the crypto if those constants are stored in one location as contiguous bytes.

Was that done on purpose? I think it would be better to search for separate const values, but that would probably report the same algo at multiple (closely located) addresses. To mitigate that, those could be compacted if, for example, they are within one function scope.

Alternatively, each array could also be represented as separate const values, but that would bloat the DB.

Would it be ok if I try to come up with an updated DB and script to cover those cases and send a PR? Any preferred solution?
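The two issues above (the XTEA alternative delta, and BLAKE2 constants that are loaded word by word rather than stored as one table) describe the same limitation of a whole-table match. The following is an added example, my own code rather than anything from this repository, of the per-constant search with proximity grouping that the last issue proposes: every word of a signature is searched on its own, hits are grouped when they fall within a window of each other, and a group counts as a detection once it contains enough distinct words. It also carries the TEA delta in both its added form (0x9E3779B9) and its negated form (0x61C88647), as the XTEA issue asks. The BLAKE2b IV values come from the BLAKE2 specification; the little-endian assumption, the window size, the threshold, the signature names and the constructed "code" sample (real x86-64 encodings for movabs/push/sub, but not taken from any real binary) are mine.

```python
import struct
from typing import Dict, List, Tuple

# BLAKE2b IV (the same words as the SHA-512 initial hash), from the BLAKE2 spec.
BLAKE2B_IV = [0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
              0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179]
TEA_DELTA = 0x9E3779B9
# Two's-complement negation: code that subtracts this value is equivalent to adding the delta.
TEA_DELTA_NEG = (-TEA_DELTA) & 0xFFFFFFFF   # 0x61C88647

# Signature name -> (constant words, word size in bytes). Names are my own labels.
SIGNATURES: Dict[str, Tuple[List[int], int]] = {
    "BLAKE2b IV": (BLAKE2B_IV, 8),
    "TEA/XTEA delta (added form)": ([TEA_DELTA], 4),
    "TEA/XTEA delta (negated form)": ([TEA_DELTA_NEG], 4),
}


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs in buf."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan_split(buf: bytes, signatures=SIGNATURES, window: int = 256,
               min_words: int = 4) -> List[Tuple[int, str, int, int]]:
    """Search each word of each signature separately (little-endian assumed),
    then group hits that lie within `window` bytes of the group's first hit.

    Returns (offset of first hit, name, distinct words seen, words in signature)
    for every group that reaches the threshold. Single-word signatures need only
    themselves, so short constants such as the TEA delta still report."""
    findings = []
    for name, (words, size) in signatures.items():
        fmt = "<Q" if size == 8 else "<I"
        hits: List[Tuple[int, int]] = []          # (offset, index of word in table)
        for idx, w in enumerate(words):
            hits += [(off, idx) for off in find_all(buf, struct.pack(fmt, w))]
        hits.sort()
        cluster: List[Tuple[int, int]] = []
        for off, idx in hits + [(None, None)]:     # sentinel flushes the last group
            if cluster and (off is None or off - cluster[0][0] > window):
                seen = {i for _, i in cluster}
                if len(seen) >= min(min_words, len(words)):
                    findings.append((cluster[0][0], name, len(seen), len(words)))
                cluster = []
            if off is not None:
                cluster.append((off, idx))
    return sorted(findings)


def constructed_sample() -> bytes:
    """Constructed stand-in for compiled code (not a real binary): the BLAKE2b IV
    loaded one word at a time as `movabs rax, imm64; push rax`, then a
    `sub eax, imm32` carrying the negated TEA delta, with NOP filler around."""
    code = b"\x90" * 8
    for w in BLAKE2B_IV:
        code += b"\x48\xb8" + struct.pack("<Q", w) + b"\x50"
    code += b"\x90" * 32
    code += b"\x2d" + struct.pack("<I", TEA_DELTA_NEG)
    code += b"\x90" * 8
    return code


def contiguous_image_present(buf: bytes) -> bool:
    """What a whole-table match would look for: the IV as one 64-byte blob."""
    return buf.find(b"".join(struct.pack("<Q", w) for w in BLAKE2B_IV)) >= 0


if __name__ == "__main__":
    sample = constructed_sample()
    print("whole-table match finds BLAKE2b IV:", contiguous_image_present(sample))
    for off, name, seen, total in scan_split(sample):
        print(f"0x{off:04x}  {name}  ({seen}/{total} words within window)")
```

On the constructed sample the whole-table match fails, while the per-word scan reports the BLAKE2b IV at the first immediate (8 of 8 words) and the negated delta inside the `sub` instruction; the grouping keeps the eight scattered loads from being reported as eight separate detections, which is the bloat the issue worries about.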
