
findcrypt-ghidra's People

Contributors

d3v1l401, jasperla, learath2, pawlos

findcrypt-ghidra's Issues

HMAC Support

This is more of a question than an issue. Quite simply: Does this script also support finding HMAC?

I'm reversing a binary that I'm quite sure uses HMAC with SHA1. The script was able to correctly identify the SHA1 portion of the binary. However, what I'm mostly interested in is finding the key used during the HMAC procedure. HMAC does have some magic number constants, notably 0x36 and 0x5c, but I haven't had much luck finding where that part of the implementation occurs.

Thanks!
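
An added example (written for this page, not code from the issue author or from findcrypt-ghidra) showing why a constant scan finds the SHA1 but not the HMAC key: HMAC has no key-dependent constants, only the 0x36/0x5c pad bytes XORed over the zero-padded key, so what appears in memory is K xor ipad and K xor opad. The key and message below are constructed for the demonstration; recover_key_from_pad undoes the XOR once such a block has been located.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-1 works on 64-byte blocks; HMAC derives a 64-byte key block
IPAD = 0x36       # inner pad byte (the constant mentioned in the issue)
OPAD = 0x5C       # outer pad byte


def hmac_pads(key):
    """Return (K xor ipad, K xor opad): the two 64-byte blocks an HMAC
    implementation builds from the key. Keys longer than the block size are
    hashed first, shorter ones are zero-padded, as RFC 2104 specifies."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = bytes(b ^ IPAD for b in key)
    outer = bytes(b ^ OPAD for b in key)
    return inner, outer


def hmac_sha1(key, msg):
    """HMAC-SHA1 = SHA1((K xor opad) || SHA1((K xor ipad) || msg))."""
    inner, outer = hmac_pads(key)
    return hashlib.sha1(outer + hashlib.sha1(inner + msg).digest()).digest()


def matches_stdlib(key, msg):
    """Cross-check the hand-built HMAC against Python's hmac module."""
    expected = hmac.new(key, msg, hashlib.sha1).digest()
    return hmac.compare_digest(hmac_sha1(key, msg), expected)


def recover_key_from_pad(pad_block, pad_byte):
    """Undo the XOR on a K xor ipad / K xor opad block pulled from memory or a
    data section. The result is the zero-padded key; trailing 0x00 bytes may be
    padding or real key bytes, so the true key length has to come from elsewhere
    (for example the length argument passed to the HMAC init routine)."""
    return bytes(b ^ pad_byte for b in pad_block)


# Constructed sample input (not from the issue's binary).
SAMPLE_KEY = b"s3cret-key"
SAMPLE_MSG = b"attack at dawn"

if __name__ == "__main__":
    inner, outer = hmac_pads(SAMPLE_KEY)
    print("K^ipad :", inner.hex())
    print("K^opad :", outer.hex())
    print("HMAC   :", hmac_sha1(SAMPLE_KEY, SAMPLE_MSG).hex(),
          "stdlib agrees:", matches_stdlib(SAMPLE_KEY, SAMPLE_MSG))
    # With an empty (or not yet applied) key the pads are just 64 x 0x36 and
    # 64 x 0x5C: that, or a memset/XOR loop with those immediates, is the only
    # fixed pattern a constant scanner can key on. The key itself is never a constant.
    print("empty-key pads:", hmac_pads(b"")[0][:4].hex(), hmac_pads(b"")[1][:4].hex())
```

In practice the place to look is the routine that XORs a buffer with 0x36 (and later 0x5c) or, for keys shorter than 64 bytes, a memset of those bytes followed by a partial XOR; the key is whatever was in that buffer before the XOR, or can be recovered from the pad block afterwards as above.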

Add alternative magic constant for XTEA

Thx for this great extension.

I've tried to test it on one of the binaries which contains XTEA crypto and was surprised to get no results. I've reversed the database and noticed that the constant for TEA_DELTA is 0x9E3779B9. But this challenge was using an alternative value which is 0x61C88647 and instead of adding it, subtracts.

More about this here: https://crypto.stackexchange.com/a/12570/41535

It would be nice to detect that too.

Tried to find if there's any tool to extend the DB so that I could send a PR. Is FCExporter what I should use to generate the new DB? If so, I'll try to compile and send a PR if it's ok to add this additional constant for XTEA.

FYI the challenge was MugatuWare from Flare-On 2019 (it was in the dll, not initial exe).
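
An added example (not from the issue author or the project) showing why the variant in the issue evades a scan for 0x9E3779B9: 0x61C88647 is 2**32 - 0x9E3779B9, so `sum -= 0x61C88647` and `sum += 0x9E3779B9` produce the same key schedule and the same ciphertext. The reference XTEA below runs both forms; delta_byte_patterns lists the immediates a database entry would need to cover. Key and plaintext are constructed; the little-endian word layout is an assumption about the target.

```python
import struct

DELTA = 0x9E3779B9       # the TEA/XTEA delta the database already matches on
NEG_DELTA = 0x61C88647   # 2**32 - DELTA: the constant reported in the issue
MASK = 0xFFFFFFFF


def is_negated_pair(a, b):
    """True if a and b are additive inverses modulo 2**32 (a + b == 0 as uint32)."""
    return (a + b) & MASK == 0


def xtea_encrypt_block(key, block, rounds=32, subtract_variant=False):
    """Encrypt one 8-byte block with a 16-byte key (reference XTEA, uint32 arithmetic).

    subtract_variant=False: sum += 0x9E3779B9 (the form in the database)
    subtract_variant=True:  sum -= 0x61C88647 (the form seen in the issue's sample)
    Both schedules are equal modulo 2**32, so the output is identical."""
    k = struct.unpack("<4I", key)
    v0, v1 = struct.unpack("<2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s - NEG_DELTA) & MASK if subtract_variant else (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_decrypt_block(key, block, rounds=32):
    """Inverse of xtea_encrypt_block; works for ciphertext from either variant."""
    k = struct.unpack("<4I", key)
    v0, v1 = struct.unpack("<2I", block)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def delta_byte_patterns():
    """Byte strings a constant scanner should carry for this cipher. A compiler
    may encode the same schedule as `add reg, 0x9E3779B9` or `sub reg, 0x61C88647`,
    so both immediates matter, and on big-endian targets so does the byte order."""
    return {
        "add 0x9E3779B9 (LE)": struct.pack("<I", DELTA),
        "sub 0x61C88647 (LE)": struct.pack("<I", NEG_DELTA),
        "add 0x9E3779B9 (BE)": struct.pack(">I", DELTA),
        "sub 0x61C88647 (BE)": struct.pack(">I", NEG_DELTA),
    }


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed key
    pt = b"\x01\x23\x45\x67\x89\xab\xcd\xef"     # constructed plaintext block
    ct_add = xtea_encrypt_block(key, pt)
    ct_sub = xtea_encrypt_block(key, pt, subtract_variant=True)
    print("add-delta ciphertext:", ct_add.hex())
    print("sub-delta ciphertext:", ct_sub.hex(), "(same:", ct_add == ct_sub, ")")
    print("round trip ok:", xtea_decrypt_block(key, ct_add) == pt)
    for name, pattern in delta_byte_patterns().items():
        print(f"{name}: {pattern.hex()}")
```

The same negation trick applies to TEA (same delta) and to any other rolled constant: when a scan for a known additive constant comes up empty, also search for its two's-complement negation.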

"Cannot Find Symbol" variable file - Fix

Upon following the install instructions I got the following error:

FindCrypt.java:696: error: cannot find symbol
	private static final String __DEFAULT_LOAD_DIR = "findcrypt_ghidra" + File.separator + "database.d3v";
	                                                                      ^
  symbol:   variable File
  location: class FindCrypt
FindCrypt.java:761: error: cannot find symbol
				DataInputStream _stream = new DataInputStream(new FileInputStream(cwd + File.separator + __DEFAULT_LOAD_DIR));
				                                                                        ^
  symbol:   variable File
  location: class EntryManager
2 errors
> Unable to locate script class: Unable to compile class: FindCrypt.java

This was fixed by adding import java.io.File; to FindCrypt.java

Issue with detecting crypto algorithms

I was playing a bit with the plugin and found another case/issue. I poked around in the plugin code and database and I'm not sure how it is supposed to work. I have a binary that utilizes SALSA20 and Blake2. I'm seeing the IV constants in the code
[screenshot: the IV constants in the disassembly]
and although FindCrypt has them defined in the DB the plugin doesn't report anything.

What I noticed is that the BLAKE2 (or any other) constants are passed to findBytes as one 64-byte long array, and of course since they are not in one place they are not correctly discovered. I get that it detects the crypto if those constants are stored in one location as continuous bytes.

Was that done on purpose? I think it would be better to search for separate const values but that would probably report the same algo in multiple - closely located - addresses. To mitigate that those could be compacted if for example they are within one function scope.

Alternatively, each array could be also represented as a separate consts values but that would bloat the DB.

Would that be ok, if I try to come up with an updated DB and script to cover those cases and send a PR? Any preferred solution?
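
An added example (written for this page, not the project's code or the issue author's) of the two search strategies discussed above, run over a constructed byte buffer rather than a real binary: scan_contiguous is the one-shot search for the whole constant table, scan_words searches each word separately and merges hits that fall within a byte window, a cheap stand-in for the "same function scope" grouping proposed in the issue. The buffer lays out the BLAKE2b IV as eight separate mov immediates (the x86-64 encodings are an assumption about what a compiler emits) and Salsa20's sigma contiguously, so only the per-word scan finds both.

```python
import struct

# Constant tables as words: BLAKE2b's IV (it shares SHA-512's IV) as 64-bit words,
# Salsa20's "expand 32-byte k" sigma as 32-bit words, per the respective specs.
BLAKE2B_IV = [
    0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
    0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179,
]
SALSA20_SIGMA = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]

# name -> (words, struct format of one word on a little-endian target)
ALGORITHMS = {
    "BLAKE2b IV": (BLAKE2B_IV, "<Q"),
    "Salsa20 sigma": (SALSA20_SIGMA, "<I"),
}


def contiguous_pattern(words, fmt):
    """The single byte string a one-shot findBytes()-style search looks for."""
    return b"".join(struct.pack(fmt, w) for w in words)


def find_all(buf, needle):
    """All (possibly overlapping) offsets of needle in buf."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan_contiguous(buf, words, fmt):
    """Strategy from the issue: one search for the whole table as adjacent bytes."""
    return find_all(buf, contiguous_pattern(words, fmt))


def scan_words(buf, words, fmt, window=256, min_words=None):
    """Search each word on its own, then merge hits closer than `window` bytes into
    one cluster. A cluster is reported as a detection when it holds at least
    `min_words` distinct words of the table (default: half of them, at least 2)."""
    if min_words is None:
        min_words = max(2, len(words) // 2)
    hits = sorted((off, idx) for idx, w in enumerate(words)
                  for off in find_all(buf, struct.pack(fmt, w)))
    clusters = []                                    # [start, last_hit, {word indexes}]
    for off, idx in hits:
        if clusters and off - clusters[-1][1] <= window:
            clusters[-1][1] = off
            clusters[-1][2].add(idx)
        else:
            clusters.append([off, off, {idx}])
    return [(start, sorted(seen)) for start, _, seen in clusters if len(seen) >= min_words]


def scan_all(buf, window=256):
    """Run scan_words for every table; returns (name, offset, distinct words matched)."""
    found = []
    for name, (words, fmt) in ALGORITHMS.items():
        for start, seen in scan_words(buf, words, fmt, window):
            found.append((name, start, len(seen)))
    return found


def build_sample():
    """Constructed image (not a real binary). The BLAKE2b IV is materialised as eight
    `mov rax, imm64` (48 B8 imm64) / `mov [rdi+8*i], rax` (48 89 47 disp8) pairs, so
    the words sit 14 bytes apart instead of adjacent. Salsa20's sigma follows
    contiguously, as it would in .rodata."""
    code = b"\x55\x48\x89\xE5"                       # push rbp; mov rbp, rsp
    for i, w in enumerate(BLAKE2B_IV):
        code += b"\x48\xB8" + struct.pack("<Q", w)   # mov rax, imm64
        code += b"\x48\x89\x47" + bytes([8 * i])     # mov [rdi+8*i], rax
    code += b"\xC3"                                  # ret
    return code + b"\x90" * 300 + contiguous_pattern(SALSA20_SIGMA, "<I")


if __name__ == "__main__":
    buf = build_sample()
    print("contiguous BLAKE2b hits:", scan_contiguous(buf, BLAKE2B_IV, "<Q"))
    print("contiguous Salsa20 hits:", scan_contiguous(buf, SALSA20_SIGMA, "<I"))
    for name, off, n in scan_all(buf):
        print(f"{name}: {n}/{len(ALGORITHMS[name][0])} words near offset {off:#x}")
```

Per-word search trades a handful of nearby duplicate hits, which the clustering collapses, for catching tables the compiler has split into immediates; the min_words threshold keeps a single stray word (a common IV shared between SHA-2 and BLAKE2, for instance) from being reported on its own.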

No results FindCrypt on MacOS

When running FindCrypt on MacOS Mojave (latest update), it basically doesn't print any result, meaning it doesn't show a popup box.

Installation (as per MacOS):

$ ll ~/ghidra_scripts
total 96
-rw-r--r--  1 x  staff    45K Apr 22 03:21 FindCrypt.java

$ md5 ~/findcrypt_ghidra/database.d3v
MD5 (/Users/x/findcrypt_ghidra/database.d3v) = e2e8b69d6f2d51a643f9b8ec430a7839

Result:

FindCrypt.java> Running...
FindCrypt.java> Finished!
