If you ends in a code **using shift rights and lefts, xors and several arithmetic operations** it's highly possible that it's the implementation of a **cryptographic algorithm**. Here it's going to be showed some ways to **identify the algorithm that it's used without needing to reverse each step**.
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
#### RtlCompressBuffer/RtlDecompressBuffer
Compresses and decompresses a given buffer of data.
#### CryptAcquireContext
The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider \(CSP\). **This returned handle is used in calls to CryptoAPI** functions that use the selected CSP.
#### CryptCreateHash
Initiates the hashing of a stream of data. If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
* **Initialization stage/**: Creates a **table of values from 0x00 to 0xFF** \(256bytes in total, 0x100\). This table is commonly call **Substitution Box** \(or SBox\).
* **Scrambling stage**: Will **loop through the table** crated before \(loop of 0x100 iterations, again\) creating modifying each value with **semi-random** bytes. In order to create this semi-random bytes, the RC4 **key is used**. RC4 **keys** can be **between 1 and 256 bytes in length**, however it is usually recommended that it is above 5 bytes. Commonly, RC4 keys are 16 bytes in length.
* **XOR stage**: Finally, the plain-text or cyphertext is **XORed with the values created before**. The function to encrypt and decrypt is the same. For this, a **loop through the created 256 bytes** will be performed as many times as necessary. This is usually recognized in a decompiled code with a **%256 \(mod 256\)**.
{% hint style="info" %}
**In order to identify a RC4 in a disassembly/decompiled code you can check for 2 loops of size 0x100 \(with the use of a key\) and then a XOR of the input data with the 256 values created before in the 2 loops probably using a %256 \(mod 256\)**
### **Initialization stage/Substitution Box:** \(Note the number 256 used as counter and how a 0 is written in each place of the 256 chars\)
### **Scrambling Stage:**
### **XOR Stage:**
## **AES**
### **Characteristics**
* Use of **substitution boxes and lookup tables**
* It's possible to **distinguish AES thanks to the use of specific lookup table values** \(constants\). _Note that the **constant** can be **stored** in the binary **or created** **dynamically**._
* The **encryption key** must be **divisible** by **16** \(usually 32B\) and usually an **IV** of 16B is used.
### SBox constants
## Serpent
### Characteristics
* It's rare to find some malware using it but there are examples \(Ursnif\)
* Simple to determine if an algorithm is Serpent or not based on it's length \(extremely long function\)
