
rule BLOWFISH_Constants {
    // Blowfish: six 32-bit words taken from the fixed S-box tables (the first
    // four are S-box 0, words 0-3), each listed big-endian and byte-swapped so
    // the rule works whatever word order the implementation stores them in.
    // Triage/classification rule: any binary that links a crypto library
    // (or bcrypt, which is built on Blowfish) matches. Not a malware indicator.
    meta:
        author = "phoul (@phoul)"
        description = "Look for Blowfish constants"
        date = "2014-01"
        version = "0.1"
    strings:
        $c0  = { D1 31 0B A6 }   // S-box word
        $c1  = { A6 0B 31 D1 }   // same word, byte-swapped
        $c2  = { 98 DF B5 AC }
        $c3  = { AC B5 DF 98 }
        $c4  = { 2F FD 72 DB }
        $c5  = { DB 72 FD 2F }
        $c6  = { D0 1A DF B7 }
        $c7  = { B7 DF 1A D0 }
        $c8  = { 4B 7A 70 E9 }
        $c9  = { E9 70 7A 4B }
        $c10 = { F6 4C 26 1C }
        $c11 = { 1C 26 4C F6 }
    condition:
        // A single-byte-order binary contributes one string per pair, so six
        // hits means all six words were found (in one order, or mixed).
        6 of ($c*)
}
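rule MD5_Constants {
    // MD5 (RFC 1321). $c0-$c3 are the initial state words A-D, $c4-$c7 the
    // same words byte-swapped. These four words are ALSO the initial state of
    // SHA-1 and RIPEMD-160, so by themselves they do not identify MD5.
    // $c8/$c9 are MD5-only round constants from the T table, and the condition
    // requires one of them: the previous "5 of them" could be satisfied by the
    // shared initial-state words alone whenever both byte orders were present
    // (e.g. a SHA-1 implementation plus a byte-swap table).
    // Triage/classification rule: every binary that links a crypto library
    // matches. Not a malware indicator on its own.
    meta:
        author = "phoul (@phoul)"
        description = "Look for MD5 constants"
        date = "2014-01"
        version = "0.3"
    strings:
        // Initial state
        $c0 = { 67 45 23 01 }   // A
        $c1 = { EF CD AB 89 }   // B
        $c2 = { 98 BA DC FE }   // C
        $c3 = { 10 32 54 76 }   // D
        $c4 = { 01 23 45 67 }   // A, byte-swapped
        $c5 = { 89 AB CD EF }
        $c6 = { FE DC BA 98 }
        $c7 = { 76 54 32 10 }
        // MD5-specific round constants (one per byte order)
        $c8 = { F4 D5 0D 87 }   // T[27] (round 2) = 0xF4D50D87, big-endian
        $c9 = { 78 A4 6A D7 }   // T[1]  (round 1) = 0xD76AA478, byte-swapped
    condition:
        // Same count as before, but at least one hit must be an MD5-only constant.
        5 of them and 1 of ($c8,$c9)
}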
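rule RC6_Constants {
    // RC6 key-schedule constants P32 = 0xB7E15163 and Q32 = 0x9E3779B9, each
    // in big-endian and byte-swapped form. Both values are shared with RC5,
    // and Q32 (the golden-ratio word) is also the TEA/XTEA delta and a common
    // hash-mixing constant, so Q32 alone proves nothing. The previous
    // "2 of them" was satisfied by the two byte orders of Q32 by themselves;
    // the condition now requires P32 and Q32 to both be present.
    // Triage/classification rule, not a malware indicator on its own.
    meta:
        author = "chort (@chort0)"
        description = "Look for RC6 magic constants in binary"
        reference = "https://twitter.com/mikko/status/417620511397400576"
        reference2 = "https://twitter.com/dyngnosis/status/418105168517804033"
        date = "2013-12"
        version = "0.3"
    strings:
        $c1 = { B7 E1 51 63 }   // P32
        $c2 = { 9E 37 79 B9 }   // Q32
        $c3 = { 63 51 E1 B7 }   // P32, byte-swapped
        $c4 = { B9 79 37 9E }   // Q32, byte-swapped
    condition:
        // one form of P32 and one form of Q32, in any combination of byte orders
        1 of ($c1,$c3) and 1 of ($c2,$c4)
}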
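rule RIPEMD160_Constants {
    // RIPEMD-160. $c0-$c4 are the five initial state words in big-endian
    // form, $c5-$c9 the same words byte-swapped. That initial state is
    // identical to SHA-1's, so the previous rule (initial state only) fired on
    // every SHA-1 implementation as well and was indistinguishable from
    // SHA1_Constants. $k* hold round constants that SHA-1 does not use:
    // the left-line K4 = 0xA953FD4E and the right-line constants 0x50A28BE6,
    // 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9 (the remaining left-line constants
    // 5A827999/6ED9EBA1/8F1BBCDC are shared with SHA-1 and deliberately
    // omitted). Triage/classification rule, not a malware indicator on its own.
    meta:
        author = "phoul (@phoul)"
        description = "Look for RIPEMD-160 constants"
        date = "2014-01"
        version = "0.2"
    strings:
        // Initial state
        $c0 = { 67 45 23 01 }
        $c1 = { EF CD AB 89 }
        $c2 = { 98 BA DC FE }
        $c3 = { 10 32 54 76 }
        $c4 = { C3 D2 E1 F0 }
        $c5 = { 01 23 45 67 }   // byte-swapped
        $c6 = { 89 AB CD EF }
        $c7 = { FE DC BA 98 }
        $c8 = { 76 54 32 10 }
        $c9 = { F0 E1 D2 C3 }
        // RIPEMD-160-only round constants (big-endian, then byte-swapped)
        $k0 = { A9 53 FD 4E }   // left line, rounds 64-79
        $k1 = { 4E FD 53 A9 }
        $k2 = { 50 A2 8B E6 }   // right line, rounds 0-15
        $k3 = { E6 8B A2 50 }
        $k4 = { 5C 4D D1 24 }   // right line, rounds 16-31
        $k5 = { 24 D1 4D 5C }
        $k6 = { 6D 70 3E F3 }   // right line, rounds 32-47
        $k7 = { F3 3E 70 6D }
        $k8 = { 7A 6D 76 E9 }   // right line, rounds 48-63
        $k9 = { E9 76 6D 7A }
    condition:
        // a full initial state in either byte order, plus RIPEMD-only constants
        5 of ($c*) and 2 of ($k*)
}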
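rule SHA1_Constants {
    // SHA-1 (FIPS 180). $c0-$c4 are the five initial state words H0-H4 in
    // big-endian form, $c5-$c9 the same words byte-swapped. That initial state
    // is identical to RIPEMD-160's, so the previous rule (initial state only)
    // fired on every RIPEMD-160 implementation too and was byte-for-byte the
    // same as RIPEMD160_Constants. $k0/$k1 hold the round-4 constant
    // 0xCA62C1D6, which RIPEMD-160 does not use (the other three SHA-1
    // constants 5A827999/6ED9EBA1/8F1BBCDC are shared and deliberately
    // omitted). Triage/classification rule: any binary that links a crypto
    // library matches; not a malware indicator on its own.
    meta:
        author = "phoul (@phoul)"
        description = "Look for SHA1 constants"
        date = "2014-01"
        version = "0.2"
    strings:
        // Initial state
        $c0 = { 67 45 23 01 }   // H0
        $c1 = { EF CD AB 89 }   // H1
        $c2 = { 98 BA DC FE }   // H2
        $c3 = { 10 32 54 76 }   // H3
        $c4 = { C3 D2 E1 F0 }   // H4
        $c5 = { 01 23 45 67 }   // H0, byte-swapped
        $c6 = { 89 AB CD EF }
        $c7 = { FE DC BA 98 }
        $c8 = { 76 54 32 10 }
        $c9 = { F0 E1 D2 C3 }
        // SHA-1-only round constant K for rounds 60-79
        $k0 = { CA 62 C1 D6 }
        $k1 = { D6 C1 62 CA }   // byte-swapped
    condition:
        // a full initial state in either byte order, plus the SHA-1-only constant
        5 of ($c*) and 1 of ($k*)
}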
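rule SHA256_Constants {
    // SHA-224/SHA-256 (FIPS 180). $c* are the first four round constants
    // K[0..3] in big-endian and byte-swapped form. Each SHA-256 K[i] is the
    // upper 32 bits of the SHA-512 K[i], so the $e* strings (lower half of
    // SHA-512 K[0] = 0x428A2F98D728AE22) veto SHA-512 tables.
    // That veto also suppressed every binary that contains BOTH SHA-256 and
    // SHA-512 (most crypto libraries). $p0/$p1 restore those matches: K[0]
    // immediately followed by K[1] in a 32-bit table is a SHA-256 layout
    // (in a SHA-512 table K[0] is followed by its own lower half, D728AE22).
    // NOTE(review): a 32-bit SHA-512 port that keeps high and low halves in
    // separate arrays could also produce $p0 - rare, accepted.
    // Triage/classification rule, not a malware indicator on its own.
    meta:
        author = "phoul (@phoul)"
        description = "Look for SHA224/SHA256 constants"
        date = "2014-01"
        version = "0.2"
    strings:
        $c0 = { 42 8A 2F 98 }   // K[0]
        $c1 = { 98 2F 8A 42 }   // K[0], byte-swapped
        $c2 = { 71 37 44 91 }   // K[1]
        $c3 = { 91 44 37 71 }
        $c4 = { B5 C0 FB CF }   // K[2]
        $c5 = { CF FB C0 B5 }
        $c6 = { E9 B5 DB A5 }   // K[3]
        $c7 = { A5 DB B5 E9 }
        // SHA-256-specific layout: K[0] and K[1] adjacent as 32-bit words
        $p0 = { 42 8A 2F 98 71 37 44 91 }   // big-endian table
        $p1 = { 98 2F 8A 42 91 44 37 71 }   // little-endian table
        // Exclude: lower 32 bits of SHA-512 K[0]
        $e0 = { D7 28 AE 22 }
        $e1 = { 22 AE 28 D7 }
    condition:
        (4 of ($c0,$c1,$c2,$c3,$c4,$c5,$c6,$c7) and not ($e0 or $e1))
        or 1 of ($p*)
}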
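rule SHA512_Constants {
    // SHA-384/SHA-512 (FIPS 180). $c0-$c7 are the upper 32 bits of round
    // constants K[0..3] in big-endian and byte-swapped form; these halves are
    // exactly the SHA-256 constants, so on their own they do not identify
    // SHA-512. $c8/$c9 are the lower half of K[0] = 0x428A2F98D728AE22, which
    // SHA-256 does not contain, and the condition now requires one of them:
    // the previous "5 of them" was met by SHA-256 constants alone whenever
    // both byte orders were present.
    // Triage/classification rule, not a malware indicator on its own.
    meta:
        author = "phoul (@phoul)"
        description = "Look for SHA384/SHA512 constants"
        date = "2014-01"
        version = "0.2"
    strings:
        $c0 = { 42 8A 2F 98 }   // K[0] upper half
        $c1 = { 98 2F 8A 42 }   // byte-swapped
        $c2 = { 71 37 44 91 }   // K[1] upper half
        $c3 = { 91 44 37 71 }
        $c4 = { B5 C0 FB CF }   // K[2] upper half
        $c5 = { CF FB C0 B5 }
        $c6 = { E9 B5 DB A5 }   // K[3] upper half
        $c7 = { A5 DB B5 E9 }
        // SHA-512-specific: lower half of K[0]
        $c8 = { D7 28 AE 22 }
        $c9 = { 22 AE 28 D7 }
    condition:
        // Same count as before, but one hit must be the SHA-512-only half-word.
        5 of them and 1 of ($c8,$c9)
}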
rule WHIRLPOOL_Constants {
    // Whirlpool: two 64-bit words from the cipher's round lookup tables (the
    // leading entries of the C0 table), each listed big-endian and
    // byte-swapped. Triage/classification rule: any binary that links a crypto
    // library implementing Whirlpool matches. Not a malware indicator on its own.
    meta:
        author = "phoul (@phoul)"
        description = "Look for WhirlPool constants"
        date = "2014-02"
        version = "0.1"
    strings:
        $c0 = { 18 18 60 18 C0 78 30 D8 }   // table word 0
        $c1 = { D8 30 78 C0 18 60 18 18 }   // word 0, byte-swapped
        $c2 = { 23 23 8C 23 05 AF 46 26 }   // table word 1
        $c3 = { 26 46 AF 05 23 8C 23 23 }   // word 1, byte-swapped
    condition:
        // One byte order yields one hit per pair, so two hits = both words found.
        2 of ($c*)
}