-*-   CC  1.1 (beta 5)  *   Copyright (c) Aleph 2003   -*-

Check for signatures of some popular Crypto Algorithms

CC currently recognizes:

   + ANTI-HACK (MeltIce Trick)
   + BLOWFISH (www.counterpane.com)
   + BORLAND rand (www.borland.com)
   + CAST-128, CAST-256
   + CCITT CRC16 (Poly = 8005h)
   + CCITT CRC32, ICRC32 (Poly = 0EDB88320h)
   + CJ PRNG (by Bill Chambers / Bob Jenkins)
   + HAVALx
   + HEAVENTOOLS (www.heaventools.com)
   + HKEYS (M$ Registry Keys)
   + MARS
   + MD4, MD5 (www.rsa.com, RFC-1320, RFC-1321)
   + MSVC rand (www.microsoft.com)
   + PKZIP
   + RC5, RC6 (www.rsa.com, RFC-2040)
   + RIJNDAEL (AES)
   + RIPEMD-128, RIPEMD-160
   + RSDSOFT (www.rsdsoft.com)
   + SHA-160, SHA-256
   + SNEFRU 2.x
   + TIGER
   + TWOFISH
   + WAKE
   + XITECH (www.xitech-europe.co.uk)

Plz, report bugs to alephz@hotpop.com



Tech note:
----------

CC uses 3 scan methods:

1. Quick Scan (the default) - generally, it is a Signature Analysis.

   First, CC tries to find the very first value from a CryptoBox. If that
   triggers, it calculates a hash over the predefined region size. If the
   hash is identical to the stored one, the found method is reported.

2. Dump Mode (Stupid & Slow)

   Just checks at each file offset whether the data matches constants from
   the CryptoBoxes, and dumps on a match. May be useful if the file has a
   different alignment, or not all constants were used, etc.

   Also, sometimes programmers are too lazy to invent their own constants
   and just steal some good values from popular algorithms. In Dump Mode
   that trick can be discovered (Ex: PE Explorer (www.heaventools.com) uses
   constants from the CRC32 and RIJNDAEL Boxes for its own ROL/XOR-based
   encryption).

3. Dump Mode with Extra Scan (Produces a lot of Noise)

   Same as above, but checks for any non-empty entry from the CryptoBoxes.

   This is a last resort !
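
The Quick Scan and Dump Mode passes described above, as an added Python example (not CC's own code, which this readme does not include). The BOXES/STORED layout, the function names, SHA-256 as the region hash, and the choice to test every non-zero constant in the dump pass are assumptions; the sample buffer is constructed.

```python
import hashlib
import struct

def crc32_table():
    """Standard reflected CRC32 table (polynomial 0xEDB88320)."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

def pack(values):
    """Pack 32-bit constants little-endian, as they sit in an x86 binary."""
    return struct.pack("<%dI" % len(values), *values)

# Constructed signature table; the name -> constants layout is an assumption.
BOXES = {"MD5 Init": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
         "CRC32 Table": crc32_table()}
# Stored digest of each full region (the hash algorithm is an assumption).
STORED = {n: hashlib.sha256(pack(v)).digest() for n, v in BOXES.items()}

def quick_scan(data):
    """Trigger on a box's first value, then confirm by hashing the region."""
    hits = []
    for name, values in BOXES.items():
        first, size = pack(values[:1]), 4 * len(values)
        pos = data.find(first)
        while pos != -1:
            if hashlib.sha256(data[pos:pos + size]).digest() == STORED[name]:
                hits.append((pos, name))
            pos = data.find(first, pos + 1)
    return sorted(hits)

def dump_scan(data):
    """Test the dword at every byte offset against every non-zero constant."""
    known = {v: n for n, vals in BOXES.items() for v in vals if v}
    return [(off, known[v], v) for off in range(len(data) - 3)
            for (v,) in [struct.unpack_from("<I", data, off)] if v in known]

# Constructed sample: a complete MD5 init block at an odd offset, then three
# CRC32 table entries reused out of order (partial reuse, as in the readme).
SAMPLE = (b"\x90" * 5 + pack(BOXES["MD5 Init"]) + b"\xCC" * 3
          + pack([0x990951BA, 0x77073096, 0xEE0E612C]) + b"\x90" * 4)

if __name__ == "__main__":
    print("quick:", quick_scan(SAMPLE))
    print("dump :", [(hex(o), n, hex(v)) for o, n, v in dump_scan(SAMPLE)])
```

On the sample, the quick pass reports only the complete MD5 block, while the dump pass also surfaces the three borrowed CRC32 entries that never form a full table.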



Tips:
-----

*  If something is found, also run the check for the specified family.

      Ex: if 'CRC32 Polynomial' is found, try the -$CRC32 and -$ICRC32 switches.

*  If nothing is found, try checking the 'data' section instead of '.text' or 'code'.

*  If nothing is found by a QuickScan, try a Dump Mode (-d switch)

*  If nothing is found in a Dump Mode, try a Dump Mode with ExtraScan (-x switch)



Sources:
--------

On demand only.

-----------------------------------------------------------
Att:
         Don't even try to ask me, if your nick/mail
         has not shined on RCE or other good hackers' sites !
-----------------------------------------------------------

History:
--------

1.1 (beta 5)
   
   !  Now Shared MFC (a bit smaller size)
   -  Minor changes in HAVAL detection routine
   +  Simple IDC script for loading CC report into IDA database
     

1.1 (beta 4)

   ! A bit improved
   - RVA not prefixed with DOT for Blowfish
   - Fixed PELib::GetSectionByRVA()
   + HexDump on EntryPoint
    

1.1 (beta 3)

   ! A bit improved
   + PE-Info: Entry Point
   + PE-Info: File/Header CheckSum
   + MSVC CRT Rand() [TLS Based]
   + Anti-Hack ('TRWDEBUG' string reference)
   + Anti-Hack ('TRW2000' string reference)
   + Anti-Hack ('TRW' string reference)
   + Anti-Hack ('REGVXD' string reference)
   + Anti-Hack ('FILEVXD' string reference)
   + Anti-Hack ('BW2K' string reference)


1.1 (beta 2)

   + Anti-Hack ('IsDebuggerPresent' string reference)
   + Anti-Hack ('Kernel32.DLL' string reference)


1.1 (beta)

   ! A lot improved
   * Xitech Pseudo-Random Number Generator (PRNG) properly renamed as Borland one
   - Stupid BUG in main loop. MDx (Init) entry was skipped
   - BUG in RVA-column calculation
   - Duplicated entry for SHA-160 Transform
   - Duplicated entry for RIPEMD-128 Transform
   - Duplicated entry for RIPEMD-160 Transform
   - Duplicated entry for MARS S Box
   + ANTI-HACK (MeltIce Trick)
   + MSVC CRT PRNG (www.microsoft.com)
   + ACM LC PRNG (by William S. England)
   + CJ PRNG (by Bill Chambers / Bob Jenkins)
   + Crypto++ LC PRNG (Improved ACM LC PRG)
   + CCITT CRC16 (Poly = 8005h)
   + HAVALx Improved Detection


1.1 (alpha)

   ! A lot improved
   * Scan only first sect of PE files
   + PE Header Info (for PE files only)
   + RVA column (for PE files only)


1.03

   ! A bit improved
   - Some entries were shown twice on Full Scan
   - Some entries weren't shown on Full Scan
   + Xitech XOR Encryption Gamma (Proprietary of www.xitech-europe.co.uk)
   + HKEYS (M$ Registry Keys)


1.02

   ! A bit improved
   ! From now, C src available on request

   * Quick Scan set as Default Mode
   - Duplicated entry for Blowfish
   - RIPEMD-160 Transform mistakenly reported as MD4 Transform
   + CAST-128
   + RIPEMD-128
   + HEAVENTOOLS (Proprietary of www.heaventools.com)
   + RSDSOFT (Proprietary of www.rsdsoft.com)


1.01

   ! A bit improved

   + CAST-256
   + MARS
   + RIJNDAEL (AES)
   + TWOFISH
   + WAKE
   + PKZIP


1.0

   Initial release.  Incredibly stupid & slow !

   + CRC32/ICRC32 (Poly = 0EDB88320h)
   + MD4, MD5
   + SHA-160
   + SHA-256
   + HAVAL
   + RIPEMD-160
   + SNEFRU 2.x
   + TIGER
   + RC5, RC6
   + BLOWFISH
