KANAL - Krypto Analyzer for PEiD

Version 2.92

This plugin searches for known crypto algorithms, functions and libraries inside of the specified module.

Usage:

Load the file into PEiD and select "Krypto ANALyzer" from the plugins menu. A new dialog opens and lists the detected crypto algorithms, constants, functions and libraries. The file offset of the signature is displayed for every item; if the analyzed file is a PE executable, the virtual address of the signature is displayed as well. Each result has the form:
Crypto name :: File offset :: Virtual address

For PE executable files, KANAL searches for "reasonable" references to the detected piece of code or data. If, for example, some kind of crypto substitution table is detected, KANAL attempts to find the address the table is referenced from. The references are displayed as subitems of the detected crypto item (so you have to expand the item to see them). If no reference to the detected signature is found (e.g. because it is not a piece of data, but rather a constant contained inside an assembly instruction), the text "The reference is above" is displayed.
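
Added example, not KANAL's own code or signature set: a Python scanner that reports each hit as name, file offset and virtual address, and looks for references by searching for the virtual address stored as a 32-bit little-endian value. The names pe_layout, offset_to_va, scan and build_sample, the two signatures and the constructed sample file are assumptions of this example; the rule KANAL uses to decide that a reference is "reasonable" is not described here.

```python
import re, struct

SIGNATURES = {  # well-known public constants; this two-entry set is the example's own choice
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "SHA-256 K": struct.pack("<4I", 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
}

def pe_layout(data):
    """Return (image_base, [(rva, raw_size, raw_ptr), ...]), or None if not a PE file."""
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)                    # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, _, _, _, opt_size = struct.unpack_from("<H3IH", data, pe + 6)  # COFF header
        plus = struct.unpack_from("<H", data, pe + 24)[0] == 0x20B    # PE32+ magic
        base, = struct.unpack_from("<Q" if plus else "<I", data, pe + (48 if plus else 52))
        table = pe + 24 + opt_size                                    # section headers
        return base, [struct.unpack_from("<3I", data, table + 40 * i + 12) for i in range(nsec)]
    except struct.error:                                              # truncated input
        return None

def offset_to_va(layout, off):
    """File offset -> virtual address; None for non-PE input, headers or overlay."""
    for rva, raw_size, raw_ptr in (layout[1] if layout else ()):
        if raw_ptr <= off < raw_ptr + raw_size:
            return layout[0] + rva + off - raw_ptr
    return None

def scan(data):
    """Return [(name, file_offset, va, reference_offsets)] sorted by file offset."""
    layout, out = pe_layout(data), []
    for name, sig in SIGNATURES.items():
        for off in (m.start() for m in re.finditer(re.escape(sig), data)):
            va = offset_to_va(layout, off)
            # Simplified reference search: the VA stored as a 32-bit little-endian value.
            ref = re.escape(struct.pack("<I", va)) if va is not None and va < 2**32 else None
            refs = [m.start() for m in re.finditer(ref, data)] if ref else []
            out.append((name, off, va, refs))
    return sorted(out, key=lambda h: h[1])

def build_sample():
    """Constructed PE32: image base 0x400000, one section at RVA 0x1000 / raw 0x200."""
    f = bytearray(0x400)
    f[:2], f[0x40:0x44], f[0x210:0x220] = b"MZ", b"PE\0\0", SIGNATURES["AES S-box"]
    for fmt, at, *vals in (("<I", 0x3C, 0x40), ("<H", 0x46, 1), ("<H", 0x54, 0xE0),
                           ("<H", 0x58, 0x10B), ("<I", 0x74, 0x400000), ("<I", 0x300, 0x401010),
                           ("<4I", 0x140, 0x200, 0x1000, 0x200, 0x200)):
        struct.pack_into(fmt, f, at, *vals)
    return bytes(f)
```

Calling scan(build_sample()) returns one AES S-box hit with its file offset, virtual address and the offset of the stored pointer; on a non-PE buffer the virtual address is None and the reference list is empty.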

User interface:

Limitations:

Notes:


Credits:

igNorAMUS - maintaining the source and all the detections at the moment
snaker - the original coding and detections
Maxx - detection of various functions from common crypto libraries
pusher - testing and bug reports