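Using the cryptographic-algorithm identification plugin FindCrypt2 in IDA
FindCrypt2 is a powerful IDA plugin and the second version of FindCrypt. It supports both little-endian and big-endian formats (works with both little and big endian programs. It knows to reuse old slots in the bookmarks if run repeatedly. It is fully automatic and scans each new created database. Manual scan is still available.).
The IDA 5.1 package that can be downloaded from the web is a full-featured package. It includes important components such as the SDK (the Hex-Rays Decompiler is not included).
FindCrypt2 packages can also be downloaded from the web. Some of them include a precompiled findcrypt.plw, which only needs to be copied into IDA's plugins directory.
If findcrypt.plw is not included, or its version does not match, the FindCrypt2 source code can be compiled with the IDA SDK to produce findcrypt.plw.
The package I downloaded already contained findcrypt.plw. I placed it in the plugins directory of IDA 5.1, started IDA and opened an exe file, and the FindCrypt2 results already appeared during the analysis phase. The plugin can also be run via Edit >> Plugins >> Find Crypt v2.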
----------------------------------------------------------------------------------------------
File 'C:\Program Files\FoxitReader\Foxit Reader.exe' is successfully loaded into the database.
4B18DD: found sparse constants for SHA-1
4B2FAD: found sparse constants for MD4
4B30C0: found sparse constants for MD5
53A69C: found sparse constants for MD4
53A8E9: found sparse constants for MD5
86E584: found const array Rijndael_Te0 (used in Rijndael)
86E984: found const array Rijndael_Te1 (used in Rijndael)
86ED84: found const array Rijndael_Te2 (used in Rijndael)
86F184: found const array Rijndael_Te3 (used in Rijndael)
86F584: found const array Rijndael_Td0 (used in Rijndael)
86F984: found const array Rijndael_Td1 (used in Rijndael)
86FD84: found const array Rijndael_Td2 (used in Rijndael)
870184: found const array Rijndael_Td3 (used in Rijndael)
870598: found const array PKCS_DigestDecoration_MD2 (used in PKCS_MD2)
8705B0: found const array PKCS_DigestDecoration_MD5 (used in PKCS_MD5)
87B534: found const array Rijndael_Te0 (used in Rijndael)
87B934: found const array Rijndael_Te1 (used in Rijndael)
87BD34: found const array Rijndael_Te2 (used in Rijndael)
87C134: found const array Rijndael_Te3 (used in Rijndael)
87C534: found const array Rijndael_Td0 (used in Rijndael)
87C934: found const array Rijndael_Td1 (used in Rijndael)
87CD34: found const array Rijndael_Td2 (used in Rijndael)
87D134: found const array Rijndael_Td3 (used in Rijndael)
8C72E0: found const array zinflate_lengthExtraBits (used in zlib)
8C7354: found const array zinflate_distanceExtraBits (used in zlib)
94C850: found const array CRC32_m_tab (used in CRC32)
Found 26 known constant arrays in total.
----------------------------------------------------------------------------------------------
Double-clicking the address in a line of the output window jumps to the corresponding code in the code window.
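For triage outside IDA, the output lines above can be parsed and grouped. The following Python script is an added example, not part of the original post or of FindCrypt2; it groups const-array hits by algorithm and address, which makes it visible that the Rijndael tables occur as two separate sets in this binary. The function names and the `max_gap` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the FindCrypt2 output lines shown above.
SAMPLE_LOG = """\
4B18DD: found sparse constants for SHA-1
4B30C0: found sparse constants for MD5
86E584: found const array Rijndael_Te0 (used in Rijndael)
86E984: found const array Rijndael_Te1 (used in Rijndael)
86ED84: found const array Rijndael_Te2 (used in Rijndael)
86F184: found const array Rijndael_Te3 (used in Rijndael)
87B534: found const array Rijndael_Te0 (used in Rijndael)
87B934: found const array Rijndael_Te1 (used in Rijndael)
94C850: found const array CRC32_m_tab (used in CRC32)
Found 26 known constant arrays in total.
"""

HIT = re.compile(
    r"^([0-9A-Fa-f]+): found (?:sparse constants for (?P<sparse>\S+)"
    r"|const array (?P<name>\S+) \(used in (?P<algo>[^)]+)\))$")

def parse_hits(log):
    """Return a list of (address, kind, algorithm, array_name) tuples."""
    hits = []
    for line in log.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # load banner, summary line, unrelated IDA messages
        addr = int(m.group(1), 16)
        if m.group("sparse"):
            hits.append((addr, "sparse", m.group("sparse"), None))
        else:
            hits.append((addr, "array", m.group("algo"), m.group("name")))
    return hits

def cluster_arrays(hits, max_gap=0x1000):
    """Group const-array hits per algorithm into runs of nearby addresses.
    max_gap is an assumed threshold; separate runs mean separate table sets."""
    by_algo = defaultdict(list)
    for addr, kind, algo, _ in sorted(hits, key=lambda h: h[0]):
        if kind != "array":
            continue
        runs = by_algo[algo]
        if runs and addr - runs[-1][-1] <= max_gap:
            runs[-1].append(addr)
        else:
            runs.append([addr])
    return dict(by_algo)
```

Calling `cluster_arrays(parse_hits(SAMPLE_LOG))` returns two address runs for Rijndael, one per table set, and a single run for CRC32.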