A utility for playing with cryptography, geared towards ransomware analysis. CryptoTester is a powerful utility designed for in-depth cryptographic analysis, with a particular focus on ransomware investigation. <\/p>\n\n\n\n
In this article, we’ll explore how CryptoTester provides a robust set of tools and features to aid in dissecting and understanding cryptographic elements, making it an invaluable asset for cybersecurity experts and researchers dealing with ransomware threats.<\/p>\n\n\n\n
A utility for playing with cryptography, geared towards ransomware analysis.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Allows for selecting a cryptographic algorithm and its parameters, if supported.<\/p>\n\n\n\n
Note:<\/strong> The The input can be selected using two different modes: “Range” and “Chunks”.<\/p>\n\n\n\n A simple range starting at The If <\/p>\n\n\n\n Takes The cryptographic algorithm is run on the resulting chunks as one sequential chunk<\/em>, with no resetting of the key\/IV\/nonce etc.<\/p>\n\n\n\n If <\/p>\n\n\n\n This section displays simple information about the The The The This panel allows for comparing an encrypted file with its original. Both views support drag-and-drop, or The The Any bytes that differ between the two views will be displayed in dark red.<\/p>\n\n\n\n <\/p>\n\n\n\n Displays basic information on the Once both views have been filled, a quick analysis is run against them.<\/p>\n\n\n\n This panel allows for primitive use of a handful of compression algorithms, and has similiar functionality to the A tool for analyzing CryptoAPI blobs and CNG blobs.<\/p>\n\n\n\n BLOBs can be imported\/exported to\/from binary, base64, PEM, XML, and ASN.1 formats, where supported.<\/p>\n\n\n\n <\/p>\n\n\n\n Additional blob-related tools which are activated only for supported blob types as applicable.<\/p>\n\n\n\n Generates a CryptoAPI blob. The <\/p>\n\n\n\n Note:<\/strong> Keys are generated internally using CryptGenRandom<\/a>, but I cannot guarantee the cryptographic security of using keys generated from this utility.<\/p>\n<\/div><\/div>\n\n\n\n A tool for analyzing\/calculating RSA keys. The seperate parameters of the key are displayed, and can be shown as decimal or hex. If enough parameters are present, the rest of the key can be calculated.<\/p>\n\n\n\n The key can be exported in various formats including a CryptoAPI blob, CNG blob, PEM, XML, and ASN.1, either to file, clipboard, or the Main Window (Encrypt\/Decrypt<\/a>). Additionally, if exporting to the Main Window, the raw integers can be exported for the Raw RSA algorithm.<\/p>\n\n\n\n <\/p>\n\n\n\n A tool that searches a file for a cryptographic key in several formats.<\/p>\n\n\n\n Examples of supported formats:<\/p>\n\n\n\n <\/p>\n\n\n\n A tool for testing various known PRNG algorithms.<\/p>\n\n\n\n <\/p>\n\n\n\n Set the starting Set the PRNG If The entropy of the produced output is also displayed for A tool for using different base encodings. Supports standard preset charsets, or supply your own custom charset.<\/p>\n\n\n\n With the exception of encoders that use a checksum (e.g. Bitcoin’s Base58Check), decoding is done without verifying the padding, so even partial or damaged encodings will be decoded raw.<\/p>\n\n\n\n <\/p>\n\n\n\n A tool for viewing text or bytes as ASCII, UTF-8, and UTF-16 simultaneously.<\/p>\n\n\n\n <\/p>\n\n\n\n A tool for validating elliptical curve points. Can import\/export from\/to an ECPoint (uncompressed or compressed forms), PEM, or CNG blob.<\/p>\n\n\n\n <\/p>\n\n\n\n Various operations to be performed based on the current panel.<\/p>\n\n\n\n Takes the Uses the algorithm information from the Displays a graphical chart of difference between pixels in the <\/p>\n\n\n\n Uses the provided key material and This tool can be used to test a list or folder of known keys against the If a key is successfully matched, the <\/p>\n\n\n\n Using the blocksize of the selected cipher, enumerates over every possible block and attempts decryption using the specified key.<\/p>\n\n\n\n Example: You have an RSA-2048 private key, and a IV Bytes<\/code> (or Nonce<\/code>, depending on algorithm) will automatically fill as 00<\/code> bytes of the appropriate length for the algorithm if it is left empty.<\/p>\n<\/div><\/div>\n\n\n\nSelection Options<\/strong><\/a><\/h2>\n\n\n\n
Range<\/strong><\/a><\/h3>\n\n\n\n
Offset<\/code>, and taking Length<\/code> bytes.<\/p>\n\n\n\nLength<\/code> will automatically update whenever Input<\/code> is changed, unless the Lock Parameters<\/code> checkbox is ticked.
If you have made some calculations in the Length<\/code> field, and wish to revert to the actual length of the Input<\/code>, you can simply press the Reset Length<\/code> button.<\/p>\n\n\n\nSplice Remaining Bytes<\/code> is ticked, then any bytes before Offset<\/code> are prepended to the Output<\/code>, and any bytes after Offset+Length<\/code> are appended.<\/p>\n\n\n\nChunks<\/strong><\/a><\/h3>\n\n\n\n
Take<\/code> bytes, then skips Skip<\/code> bytes, takes Take<\/code> bytes, skips Skip<\/code> bytes… until the end of Input<\/code>. This can be used for ciphertext that is actually “interleaved” between chunks of plaintext. <\/p>\n\n\n\nSplice Remaining Bytes<\/code> is ticked, then any bytes in the Skip<\/code> section are interleaved back into the Output<\/code>.<\/p>\n\n\n\nInput File Info<\/strong><\/a><\/h2>\n\n\n\n
Input<\/code> such as the filesize, detected MIME (if it is a file), total entropy, and whether it is divisible by 16 (a common block size).<\/p>\n\n\n\nMisc<\/strong><\/a><\/h2>\n\n\n\n
Input<\/code> and Output<\/code> views have synchronized scrolling; to disable this, uncheck the Syncronized scrolling<\/code> checkbox between them.<\/p>\n\n\n\n????<\/code> button between the Input<\/code> and Output<\/code> can be used to move the Output<\/code> to the Input<\/code> view.<\/p>\n\n\n\nInput<\/code> or Output<\/code> can be hashed using the respective dropdowns below their views. The Output<\/code> can also have a verify algorithm ran on it (limited support for ECDSA currently).<\/p>\n\n\n\nCompare<\/strong><\/a><\/h2>\n\n\n\n
File -> Open File<\/code> can be used to open Original<\/code> and Encrypted<\/code> sequentially.
The Original<\/code> view can also be filled using any of the File -> Input<\/code> options; for example, comparing against a certain length of null bytes or the Windows sample picture Chrysanthemum.jpg<\/code>.<\/p>\n\n\n\nOriginal<\/code> and Encrypted<\/code> views have synchronized scrolling; to disable this, uncheck the Syncronized scrolling<\/code> checkbox between them.<\/p>\n\n\n\n\u21c6<\/code> button between the Original<\/code> and Encrypted<\/code> views can be used to swap their contents.<\/p>\n\n\n\nOriginal File \/ Encrypted File Info<\/strong><\/a><\/h2>\n\n\n\n
Original<\/code> and Encrypted<\/code> views respectively.<\/p>\n\n\n\nAnalysis<\/strong><\/a><\/h2>\n\n\n\n
\n
Original<\/code> is present in Encrypted<\/code><\/li>\n\n\n\nEncrypted<\/code><\/li>\n\n\n\nEncrypted<\/code> (UTF-8 or UTF-16)<\/li>\n\n\n\nEncrypted<\/code> (in various forms and encodings)<\/li>\n\n\n\nEncrypted<\/code><\/li>\n<\/ul>\n\n\n\nCompress\/Decompress<\/strong><\/h2>\n\n\n\n
Encrypt\/Decrypt<\/code> panel.<\/p>\n\n\n\nTools<\/strong><\/a><\/h2>\n\n\n\n
Blob Analyzer<\/strong><\/a><\/h3>\n\n\n\n
Tools<\/strong><\/a><\/h3>\n\n\n\n
\n
Blob Generator<\/strong><\/a><\/h3>\n\n\n\n
Bit Length<\/code> is automatically updated with supported values for the selected aiKeyAlg<\/code>. Note that some combinations of bType<\/code> and aiKeyAlg<\/code> are not valid, and will throw an error from the CryptoAPI provider.<\/p>\n\n\n\nRSA Calculator<\/strong><\/a><\/h3>\n\n\n\n
Key Finder<\/strong><\/a><\/h3>\n\n\n\n
\n
RNG Tester<\/strong><\/a><\/h3>\n\n\n\n
Seed Options<\/strong><\/a><\/h3>\n\n\n\n
Seed<\/code> for the PRNG.<\/p>\n\n\n\nRNG Options<\/strong><\/a><\/h3>\n\n\n\n
Algorithm<\/code>, along with the Length<\/code> of outputs to produce, and an optional Modulus<\/code> to apply to each output. For example, a Modulus<\/code> of xFF<\/code> can be used to cast each output to a byte.<\/p>\n\n\n\nOutput<\/strong><\/a><\/h2>\n\n\n\n
\n
Alpha<\/code> is selected:<\/p>\n\n\n\n\n
Alpha<\/code> output. This is a rough estimate of entropy (or number of possibilities) for blindly bruteforcing the output (without directly attacking the PRNG).<\/p>\n\n\n\nBase Encoder<\/strong><\/a><\/h2>\n\n\n\n
String Encoder<\/strong><\/a><\/h2>\n\n\n\n
ECC Validator<\/strong><\/a><\/h2>\n\n\n\n
Operations<\/strong><\/a><\/h2>\n\n\n\n
XOR Files \/ AND Files<\/strong><\/a><\/h2>\n\n\n\n
Original<\/code> and Encrypted<\/code> from the Compare<\/code> panel, and applies the XOR or AND operation, and displays a stream.<\/p>\n\n\n\nGenerate Keystream<\/strong><\/a><\/h2>\n\n\n\n
Encrypt\/Decrypt<\/code> panel and generates a keystream of given length to save to file.<\/p>\n\n\n\nVisual Difference<\/strong><\/a><\/h2>\n\n\n\n
Compare<\/code> panel.<\/p>\n\n\n\nBruteforce Algorithm<\/strong><\/a><\/h2>\n\n\n\n
Input<\/code> from the Encrypt\/Decrypt<\/code> panel, and a given expected output, and enumerates all possible options in the Encryption Options<\/code> section to try and find a match.<\/p>\n\n\n\nBruteforce Keys<\/strong><\/a><\/h2>\n\n\n\n
Input<\/code> using the specified cipher parameters.<\/p>\n\n\n\n\n
Byte Count<\/code> bytes of the file at a time.<\/li>\n\n\n\nSelect<\/code> button will be activated to allow passing the key and its parameters to the main window.<\/p>\n\n\n\nAttempt Blind Decryption<\/strong><\/a><\/h2>\n\n\n\n
0x1000<\/code> byte blob of possible ciphertext as Input<\/code>. Using this operation will try decrypting