
disauto 06-27-2025 18:44

[ida plugin] WhiteBoxAesCrack by SHangwendada
 
WhiteBox AES fault injection plug-in for IDA Pro
Project Address: https://github.com/SHangwenDada/WhiteBoxAesCrack
This plug-in can directly perform fault injection and key recovery analysis on the Whitebox AES implementation in IDA Pro, supporting two modes:

Direct Mode: Load existing TBox and TYiBox tables and inject faults at specified byte positions.
Table Generation Mode (GenTYI Mode): Derive the TYiBox table from the 3D TBox base and then inject faults.

Functional characteristics
Automatically generates and injects fault traces of AES encryption.
Supports two input methods: direct input of the tables and immediate generation of the TYiBox.

Prerequisites
IDA Pro: Tested on IDA Pro 7.7 and above.

Installation
Copy the plug-in file WhiteBoxAesCrack.py to the plug-ins directory of IDA, e.g.:

cp WhiteBoxAesCrack.py ~/.idapro/plugins/
cp -r WBModule ~/.idapro/plugins/

Restart IDA Pro

Confirm in the IDA output window that the plug-in has been initialized:

https://github.com/SHangwenDada/WhiteBoxAesCrack/raw/master/README/image-20250625100645697.png

How to use
Open the binary file containing the Whitebox AES implementation in IDA.

Press Ctrl+Shift+W shortcut key, or call the plug-in through the menu Edit → Plugins → WhiteBoxAesCrack.

Fill in the form that pops up:

TBox Base: 16×256 bytes Base address of the TBox table (only in direct mode).

TYiBox Base: 9×16×256×4 bytes Base address of the TYiBox table (only in direct mode).

3D TBox Base: 10×16×256 bytes Base address of the 3D TBox table (only in table generation mode).
https://github.com/SHangwenDada/WhiteBoxAesCrack/raw/master/README/image-20250624180244715.png

If the table generation mode is used, only fill in 3D TBox Base and leave TYiBox Base blank; if the direct mode is used, fill in both TBox Base and TYiBox Base at the same time.

Click OK:

The plug-in will read the table data from the specified address.
Generate a fault-free trace as well as 16 traces injected with faults at the byte level.
Print the hexadecimal string of each trace in the IDA output window.
Call DFA analysis, restore the last round key and print the results.
Call AESKeySchedule to restore the first round key, which is the initial key.

Example output
FaultData:
33e1a6...
...
# Last round key found: XXXXX
Find AES First Key: XXXXX
https://github.com/SHangwenDada/WhiteBoxAesCrack/raw/master/README/image-20250624175629972.png

Troubleshooting
Table read failed: if "Failed to read TBox at 0x..." occurs, check that the address is correct and the module is loaded.
Module import error: ensure that WBModule is in the same directory as the plugin and that the path is included in sys.path.
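
The last step of the workflow (last round key back to the initial key) works because the AES key schedule is invertible, so any exposed round key has to be treated as exposure of the cipher key itself. The sketch below is an added example, not code from the post or from the WhiteBoxAesCrack project: it assumes AES-128 (10 rounds, matching the 10×16×256 table above), and all function names are hypothetical.

```python
"""Invert the AES-128 key schedule: round key 10 -> original cipher key."""

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    # Generate the AES S-box from its algebraic definition (no hard-coded table).
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= q << 1                                            # q /= 3 in GF(2^8)
        q ^= q << 2
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _g(word, rnd):
    # RotWord, SubWord, then XOR the round constant into the first byte.
    out = [SBOX[b] for b in word[1:] + word[:1]]
    out[0] ^= RCON[rnd - 1]
    return out

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def prev_round_key(rk, rnd):
    """Inverse step: round key `rnd` -> round key `rnd - 1`."""
    w = [list(rk[i:i + 4]) for i in range(0, 16, 4)]
    prev = [None] + [_xor(w[i], w[i - 1]) for i in range(1, 4)]  # words 1..3
    prev[0] = _xor(w[0], _g(prev[3], rnd))                       # word 0 needs prev word 3
    return bytes(b for word in prev for b in word)

def recover_cipher_key(last_round_key):
    """Walk round key 10 back to round key 0, which is the AES-128 key itself."""
    if len(last_round_key) != 16:
        raise ValueError("AES-128 round keys are 16 bytes")
    rk = bytes(last_round_key)
    for rnd in range(10, 0, -1):
        rk = prev_round_key(rk, rnd)
    return rk
```

With the public FIPS-197 Appendix A.1 vector, `recover_cipher_key(bytes.fromhex("d014f9a8c9ee2589e13f0cc8b6630ca6"))` returns the key `2b7e151628aed2a6abf7158809cf4f3c`.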

