Researching CryptoChecker data by Aleph 🇮🇱.
- CryptoChecker (CC) 1.3 alpha 12 - bin
- CryptoChecker (CC) 1.3 alpha 11 (Oct 14, 2015) – bin / IA
- CryptoChecker (CC) 1.3 alpha 11 (Mar 31, 2015) – bin / IA
- CryptoChecker (CC) 1.3 alpha 10 – bin / IA / 52PoJie
- CryptoChecker (CC) 1.3 alpha 9 – bin / IA / GitHub
- CryptoChecker (CC) 1.3 alpha – bin / IA
- CryptoChecker (CC) 1.1 (beta 8) and CryptoChecker (CC) 1.2 (alpha) – bin / IA
CC aka CryptoChecker by Aleph
This is an amazing old tool for detecting (crypto) signatures in files. Unfortunately, no source code is available.
The tool is last updated in 2016 and made with MZ-architecture in mind (.com file format, from MS-DOS/Win9x days), and given how capable the utility is, it would be great to be able to use this utility in the future.
-*- CC 1.3 alpha 12 * Copyright (c) Aleph 2000-2016 -*-
Crypto Checker
Usage: cc.com [!command][{[+]/-}AlgoGroupName] ... [{[+]/-}AlgoGroupName] wildcards
* NOTE: use optional [+/-]AlgoGroup for include/exclude AlgoGroup search
AlgoGroupName '*' or 'NULL' if used should be first in the method list
Commands are:
noscript - suppress IDA IDC-script tags generation
quiet - naked mode: no header, no footer... stuff only
Examples:
> cc filename.ext // single file / QUICK mode - recomended
> cc *.* // some, but entire directory scan
> cc *.DLL // some, but for specified file type
> cc !noscript filename.ext
> cc * -TINY_PRIMES -SMALL_PRIMES -LOCKBOX filename.ext
complains_n_suggestions direct to [email protected]
DB Timestamp : Fri Nov 25 11:10:38 2016
DB Entries total: 4245
* Built to find everything
This is to later keep the CC tool running. The generated file is best to contain nulls (NULL-bytes), so CC minimally loads detection information.
A generated 600 MB file makes the program run for about 5-10 minutes.
Use step1_generate_busyfile.py (The generated file itself is NOT included, as it is easy to regenerate it)
- Tip: To keep it simple, it is best to generate a 'busy' file on the modern host system.
For some reason, cc.com operates most optimally in Win9x environment. There, the utility uses least RAM. Hence, a (virtualized) Win9x environment is needed.
Once the VM is ready to go, transfer,
-
The dummy file generated in step 1
Note: Older FAT32 supports up to 4GB, but it takes a long time to transfer big files -
LordPE - for future dumping.
Note: The update files are also needed to use the latest version -
CC - The executable itself.
Best to unpack first as it is packed with RAR5
execute,
cc.com busy.bin
and wait for some time to ensure that the software unpacks itself. 30 seconds should be more than enough.
Then launch LordPE and select cc.bin. Right-click → Dump full
- Pre-dumped copy available in rev/dump9x.exe
Use strings2 or other tools to extract strings.
Extracted strings are available in ./txt/