
Release Ida Eye

Discussion in 'Plugins' started by storm shadow, Dec 15, 2014.


  1. storm shadow


    [Entyzer+ v0.6 - Orezmus Build:220214]
    [Advanced Entropy Analyzer]
    <All Rights Reserved (C) 2010-2014>
    _____________________________________________________________________

    Mohamad Fadel Mokbel
    http://www.mfmokbel.com
    mfmokbel@live.com
    _____________________________________________________________________


    - Description: Entropy Analyzer+ with Hex editing capabilities (-h:hex)
    and support for other statistical measurements (-h &
    -h:stat).

    Entyzer+ is an Advanced Entropy Analyzer armed with various
    mathematical binary editing capabilities. It features many
    custom and known algorithms that align with the concept of
    information theory. Moreover, it is a command-line tool with
    around 30 major features. The tool can be used in the fields
    of Reverse Code Engineering, malware analysis (with an
    optimized and generalized implementation of Flame’s Worm
    substitution algorithm), System Forensics and other related
    areas.
    _____________________________________________________________________


    Note: Input(s) and Output(s) are in decimal. In Hex if noted.
    Everything works at the byte level (1-gram). Otherwise, as noted.

    + Syntax: Entyzer -f <filename> { -b [<start_offset> <size>] }

    - To get the Entropy, Redundancy, A. Mean and StdDev. for any file
    or for a specific block.

    + Syntax: Entyzer -f <filename> -graph <IsValue> <Color Template>

    - To generate a hue visualization of the data as an HTML file.

    - IsValue takes either 0 or 1. 1 for having the frequency of each
    character displayed, 0 otherwise.

    - Color Template takes a value between 1 and 7 for different templates:
    1:= Gray I, 2:= Gray II, 3:= Tan, 4:= Olive Green, 5:= Blue,
    6:= Green + Green + Yellow, 7:= Orange + Orange + Yellow

    + Syntax: Entyzer -f <filename> -xml

    - To generate an XML report: general and Entropy information, percentage
    and frequency of every hex value.

    + Syntax: Entyzer -pe <filename>

    - To get the Entropy, Redundancy and StdDev. for every section of a
    PE binary file.

    + Syntax: Entyzer -elf -section -<option> <filename>

    - <option> = list, To list all the sections names of an elf binary file.
    <option> = all, To get the Entropy, Redundancy and StdDev.
    for every section of an elf binary file.

    <option> = select, Option select is followed by a <section_name>
    To get the Entropy, Redundancy and StdDev. for a selected
    section of an elf binary file. (e.g. section_name = .text)

    + Syntax: Entyzer -elf -SDCAlg <filename * 5>

    - To apply the Symbiotic Differential Comparison Algorithm on a reference
    elf binary file and 4 files compiled at varying levels of optimizations
    (in increasing order). Only the .text section is considered.
    - For more information about 'SDCAlg' and 'KLD', please refer to the
    paper "An Unobtrusive Entropy Based Compiler Optimization Comparator"

    + Syntax: Entyzer -elf -section -select <section_name> -KLD <filename * 2>

    - To apply Kullback-Leibler Divergence (KLD) measure on two elf files
    for a selected section. The implementation also reports the Resistor
    Average (RA) distance which symmetrizes KLD.

    + Syntax: Entyzer -f -KLD <filename * 2>

    - To apply KLD and RA on any file.

    [?] To list the hex transformation options, use the sub-option -h:hex
    [?] To list the distance metrics options, use the sub-option -h:stat

    + Syntax: Entyzer -f <filename> -hext: <operation> <operand>

    { -b [<start_offset> <end_offset>] }

    - To apply various mathematical hex transformations (operations) on
    a specific file. All the operations work at the byte level. If the
    block (-b) option is specified, the transformation operates only on
    the range specified by the SO and EO, otherwise the whole file is
    taken. <operand> accepts a decimal value between 0 and 255.

    - The <operation> can take any of the following transformations:

    + {mod, neg, div, mult, bfmult, sub, add} (neg takes no operand)

    # ex. [... -hext: bfmult <Key>]

    This is a decoder for encoded data with the multiplication
    operation; since in case of an overflow, the resulting value loses
    the high byte value.

    + Binary operations: {xor, or, and, inv} (inv takes no operand)

    + {rxor} (Rolling XOR, takes more than one operand/key). The
    size of the key is limited by the file size !(-b).
    Keys must be separated with a space.

    # ex. [... -hext: rxor 4 1 56 90 124 250]

    + {xorxv} (XOR Except This Value (ETV), takes ETV)

    + {xorkeybf} (Brute force data XORed with 1-byte key)

    # ex. [... -hext: xorkeybf <data>]

    A brute forcer for data XORed/encrypted with 1-byte key.
    <data> takes the 'original plain version' to search for;
    minimum of 2 values are needed. If a match is found, it
    reports the key and the index at which the data is located
    in the file.

    + {nprxo} (Null-Preserving XOR, !XOR 0 & operand values)

    + {swpnb} (Swap Nibbles, swpnb takes no operand)

    + {sleft, sright, rotl, rotr} => Shift/Rotate Left/Right

    # ex. [... -hext: xor 4 -b 10 20]

    + {rand} (Randomize takes two operand values: Min and Max)

    + {xrand} (This option provides a generic implementation of
    encrypting data using the XOR binary operator, with keys
    generated using rand() function based on a chosen seed
    value and key selection mode. Option -b is not applicable)

    **
    Options [... -hext: xrand <seed value> -m <r|h|l> -s <c|f>]

    # ex. [... -hext: xrand 222153 -m r 20 199 -s c]

    # ex. [... -hext: xrand 63546354 -m h -s f]

    seed value : <seed value> to initialize the pseudo random
    number generator rand().
    mode option (-m) : key selector. Data will be XORed with the
    values of the chosen mode. Takes either of the
    following options: r, h, or l.

    r: range mode. Takes additional two arguments,
    a minimum and maximum values. This mode
    limits keys' values to values between the
    chosen minimum and maximum.
    h: high byte value. Takes the high byte value
    of the generated pseudo random value. Takes
    no additional arguments.
    l: low byte value. Takes the low byte value of
    the generated pseudo random value. Takes no
    additional arguments.

    save option (-s) : data output. Takes either of the following
    options: c or f

    c: displays to the console window some
    statistical information about the
    transformation process.
    Information displayed:

    - rand() : <entropy of the generated pseudo random
    values. Maximum is 14.9999>
    - High Byte : <entropy of the high byte values of the
    rand() values. Maximum is 8.0>
    - Low Byte : <entropy of the low byte values of the
    rand() values. Maximum is 8.0>
    - Original Data: <entropy of the original data. Input
    file>
    - XORed Data : <entropy of the data after
    transformation>

    f: generates a CSV file with the name of the
    input file. All generated data is in hex.
    CSV file contains original bytes, generated
    pseudo random values, mode values (depends
    on the mode), and XORed values.

    + {flame} (Apply Flame's Substitution Algorithm)

    - The implementation is inspired by the Flame/SkyWiper Worm.
    - Entyzer features an optimized and generalized implementation
    of Flame's Substitution Algorithm.
    - The command line options are the following:
    - ... -hext: flame <Substitution Table> -pm <0|1> -p <0|1>
    - The argument <Substitution Table> takes a file name (in binary
    format) of size 256 bytes. This table contains the set of
    keys. Thus, modification on the table is done via a Hex
    editor.
    - The option '-pm' represents the Parsing Mode. Two modes are
    supported.
    - If the argument is 0, it replaces the index value at the key
    position with the key value.
    - For example,

    0 1 2 3 4 5 ...
    0 EA 82 63 AE A3 8C ...
    // For every '0x00' replace it with '0xEA'

    - If the argument is 1, it replaces the key value with the
    index value.
    - For example,

    0 1 2 3 4 5 ...
    0 EA 82 63 AE A3 8C ...
    // For every '0xEA' replace it with '0x00'


    - The option '-p' outputs statistics about the transformation
    process.
    - If the argument is 0, it outputs nothing.
    - If the argument is 1, it outputs to the console window
    various statistics about the changes that have been applied
    to the original file. The values of the parameters 'Value'
    and 'Key' are in hex while the values of the parameter
    'Changes' are in decimal.

    - 'flame' transformation also supports the '-b' option.
    - For reference, three 'Substitution Tables' are included in this
    release ('Template' folder):
    - flamemode1: Is the actual table used in the Flame Worm.
    - flamemode0: Same as in flamemode1, but for pm = 0.
    - ftemplatex: Contains a raw template of size 256.

    + {t1e} (The (t1e) encryption/decryption template module)

    # Takes 3 operand values: 'x', 'y' and 'z'
    # t1e := {add x, xor y, sub z} - t1d := {add z, xor y, sub x}
    # ex. To encrypt: [... -hext: t1e x y z]
    # To decrypt: [... -hext: t1e z y x]

    + Syntax: Entyzer -f <filename> -cpp [ -b <start_offset> <end_offset> ]

    - To generate an unsigned C/C++ hex char byte array.

    + Syntax: Entyzer -f <filename> -<operation>
    { -b [<start_offset> <end_offset>] }

    - To apply various mathematical distance metrics (operations) on a
    specific file. All the operations work at the byte level (1-gram). If
    the block (-b) option is specified, the metric operates only on the
    range specified by the SO and EO, otherwise the whole file is taken.

    - The <operation> can take any of the following metrics:

    + {snr} (Signal to Noise Ratio)

    - Calculates Signal to Noise Ratio (snr). Reports "Mean" (of a
    discrete probability distribution), "Standard Deviation" (for a
    discrete random variable with different probabilities), and snr
    (Mean/StdDev). Option -b is not applicable.

    + {spsidx} (Simpson's Index)

    - 256-Dimension (256-gram - HexBytes) - Difference/Diversity quantifier
    1 = Infinite diversity, 0 = No diversity
    for low numbers -> LSI = High Diversity, HSI = Low Diversity

    + {cbrdst} (Canberra's Distance)

    - 1-Dimension (1-gram) - Sensitive to very minute variations

    + {srndst} (Sorensen's Distance)

    - Also known as Bray Curtis Distance - Measures the similarity between bytes

    + {mkskidst} (Minkowski's Distance of Order, Lambda = 3)
    + {mhtndst} (Manhattan's Distance, Lambda = 1)

    # ex. [Entyzer -f test -cbrdst]

    + Syntax: Entyzer -f -pearson <filename * 2>

    - To get Pearson's Test-Statistic (Chi-Square Test) between two files.
    First file represents the Reference data set, second file represents
    the New data set to be tested against the Reference one. This is for
    finding the similarity level between two files.

    + Syntax: Entyzer -bfent <filename> -m <1|2|3|4> -s <NPR> <MV> <PPR>

    -d <0|1> { -b [<start_offset> <end_offset>] }

    - To Brute Force for a specific Entropy value/range. -m stands for mode
    of operation. Four modes are supported, 1, 2, 3 or 4. (NPR/PPR)
    Negative/Positive Permissible Ranges take a value between [0,1]. Main
    Value (MV) is the Entropy central value sought. -d is for dumping found
    Entropy value(s), 0 to the console window and 1 to a csv file (the name
    of the generated csv file takes the name of the original file
    <filename>).

    # ex. [Entyzer -bfent test -m 3 -s 0.3 5.8 0.7 -d 1]

    Please refer to "On the Intractability of Designing an Efficient
    Entropy Brute Forcer" for more information about
    how to use this feature.

    [----------------------------------------------------]

    + Entyzer.exe Signature:

    - 32-Bit: MD5 3B0BE2A5F5EFD5F60BAAE68A56395325
    - 64-Bit: MD5 B9023822025A66908CD70DAA6FB3FA38

    + Libraries used:

    - ELFIO library by Serge Lamikhov
    - MD5 Library by Benjamin Grüdelbach

    [----------------------------------------------------]



    https://mega.co.nz/#!ekcymZZS!6mtuAUELKg8Z6M4jI4hrDYqLhoIFgndZYlkn-wG-fhY
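The byte-level measures the post lists (Entropy, Redundancy, KLD with its Resistor Average, the t1e/t1d template and the two parsing modes of the Flame substitution table), as an added Python example that is not part of Entyzer+ and not the author's code. The epsilon floor for empty bins in KLD and the permutation assumption for pm = 1 are my own assumptions; the sample bytes and the substitution table are constructed.

```python
import math
from collections import Counter

def byte_distribution(data: bytes) -> list:
    """1-gram probability distribution over the 256 byte values."""
    counts, n = Counter(data), len(data)
    return [counts.get(b, 0) / n for b in range(256)]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for 1-gram data."""
    return -sum(p * math.log2(p) for p in byte_distribution(data) if p > 0)

def redundancy(data: bytes) -> float:
    """Redundancy = 1 - H / Hmax with Hmax = 8 bits (0 for uniform data, 1 for constant data)."""
    return 1.0 - entropy(data) / 8.0

def kld(p_data: bytes, q_data: bytes, eps: float = 1e-9) -> float:
    """Kullback-Leibler divergence D(P||Q) in bits.  Bins that are empty in Q are floored at
    eps (assumption: the post does not say how Entyzer+ handles zero-probability bins)."""
    p, q = byte_distribution(p_data), byte_distribution(q_data)
    return sum(pi * math.log2(pi / max(qi, eps)) for pi, qi in zip(p, q) if pi > 0)

def resistor_average(a: bytes, b: bytes) -> float:
    """Resistor-average distance: 1/RA = 1/D(P||Q) + 1/D(Q||P), a symmetric form of KLD."""
    d_ab, d_ba = kld(a, b), kld(b, a)
    return 0.0 if d_ab == 0 or d_ba == 0 else 1.0 / (1.0 / d_ab + 1.0 / d_ba)

def t1e(data: bytes, x: int, y: int, z: int) -> bytes:
    """t1e template: add x, xor y, sub z, each mod 256.  Running t1e again with (z, y, x)
    undoes it, which is the 'To decrypt: t1e z y x' rule from the post."""
    return bytes(((((b + x) & 0xFF) ^ y) - z) & 0xFF for b in data)

def flame_substitute(data: bytes, table: bytes, pm: int) -> bytes:
    """Apply a 256-byte substitution table.  pm=0: every index value b becomes table[b]
    (0x00 -> 0xEA in the post's example); pm=1: every key value table[b] becomes b."""
    if len(table) != 256:
        raise ValueError("substitution table must be exactly 256 bytes")
    if pm == 0:
        return bytes(table[b] for b in data)
    inverse = [0] * 256          # assumption: the table is a permutation, so this is exact
    for index, key in enumerate(table):
        inverse[key] = index
    return bytes(inverse[b] for b in data)

# Constructed sample inputs (not files shipped with Entyzer+).
CONSTANT = b"\x00" * 64                 # entropy 0.0, redundancy 1.0
UNIFORM = bytes(range(256))             # entropy 8.0, redundancy 0.0
TABLE = bytes((b * 167 + 0xEA) & 0xFF for b in range(256))  # a permutation with TABLE[0] == 0xEA
```

Encrypting with `t1e(data, x, y, z)` and decrypting with `t1e(ciphertext, z, y, x)` round-trips exactly, which is the check an analyst wants before trusting a recovered x, y, z triple.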