#1
Make a file called Rsa.yar.
Remember to add it to the index file.

Code:
```
rule Rsa
{
    strings:
        $a = {30 82 ?? ?? 30 82 ?? ??} // x509 OpenSSL 1024 Cert public key
        $b = {30 82 ?? ?? 02 01 00} // pkcs OpenSSL 1024 bit RSA Private Key
    condition:
        $a or $b
}
```

Bridge found the public RSA key that way in post 16 http://forum.exetools.com/showpost.p...7&postcount=16 but of course it could be obfuscated and embedded in other files these days, and very hard to find.

https://b161268c3bf5a87bc67309e7c870...ARA-Manual.pdf

Yara is almost its own script language by itself.

Last edited by Storm Shadow; 08-09-2014 at 17:42.
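Added example, not part of the original post: the `$b` pattern fixes only five bytes, so it matches a lot of unrelated data. When triaging hits from a scan for embedded private keys, one check is that the DER lengths at the hit are consistent. The function names and the sample bytes below are constructed for illustration, and only the PKCS#1 RSAPrivateKey layout (version INTEGER followed by modulus INTEGER) is handled.

```python
import re

# Same bytes as string $b in the rule: SEQUENCE with a two-byte length, then
# INTEGER 0 (the version field of a PKCS#1 RSAPrivateKey).
PATTERN_B = re.compile(rb"\x30\x82..\x02\x01\x00", re.DOTALL)

def der_length(buf, pos):
    """Decode the DER length at pos; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    if buf[pos] < 0x80:                        # short form
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F                        # long form: n length bytes
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def modulus_bits(buf, off):
    """Modulus size in bits if the hit at off parses as DER, else None."""
    seq_len, pos = der_length(buf, off + 1)    # hit guarantees 82 xx xx here
    end = pos + seq_len
    if end > len(buf):
        return None                            # SEQUENCE runs past the data
    pos += 3                                   # skip version: 02 01 00
    if pos >= end or buf[pos] != 0x02:         # modulus must be an INTEGER
        return None
    field = der_length(buf, pos + 1)
    if field is None or field[1] + field[0] > end:
        return None
    modulus = buf[field[1]:field[1] + field[0]].lstrip(b"\x00")
    return int.from_bytes(modulus, "big").bit_length() or None

def scan(buf):
    """Return [(offset, modulus_bits)] for structurally valid $b hits."""
    hits = ((m.start(), modulus_bits(buf, m.start()))
            for m in PATTERN_B.finditer(buf))
    return [(off, bits) for off, bits in hits if bits]

def constructed_sample():
    """Constructed filler bytes, not a real key: one bogus hit, one valid."""
    big = b"\x02\x81\x81\x00" + b"\xc3" * 128  # 1024-bit INTEGER
    body = b"\x02\x01\x00" + big + b"\x02\x03\x01\x00\x01" + big
    bogus = b"\x30\x82\xff\xff\x02\x01\x00"    # length exceeds the buffer
    return bogus + b"\x30\x82" + len(body).to_bytes(2, "big") + body

if __name__ == "__main__":
    print(scan(constructed_sample()))
```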
#2
No, it is not. It is possible to find SSL signatures from memory, since SSL certificates have a known layout.
If you find an SSL certificate, you know where to look for the RSA modulus. But since SSL certificates are - like the name suggests - used for HTTPS connections over SSL/TLS, you will never use one for keygenning or software protection. In software protection or keygenning you might use RSA, but then you will only use RSA, never SSL, therefore you will never have any SSL certificates involved, so it's not possible to find them by some signature matching algorithm.
The Following 2 Users Gave Reputation+1 to Kerlingen For This Useful Post: bridgeic (08-15-2014), Storm Shadow (08-09-2014)
#3
Yes, I guess the public key is just fixed strings in base64 format without other information (I still haven't checked the details of how the software gives the public key, but I guess it should use this way). The software owner keeps the private key, which is not in the software, so we may not be able to get the private key from the public key, because it's 2048 bits long.