[Entyzer+ v0.6 - Orezmus Build:220214] [Advanced Entropy Analyzer] <All Rights Reserved (C) 2010-2014>
_____________________________________________________________________
Mohamad Fadel Mokbel
http://www.mfmokbel.com
mfmokbel@live.com
_____________________________________________________________________

- Description: Entropy Analyzer+ with Hex editing capabilities (-h:hex) and support for other statistical measurements (-h & -h:stat).

Entyzer+ is an Advanced Entropy Analyzer armed with various mathematical binary editing capabilities. It features many custom and known algorithms that align with the concept of information theory. Moreover, it is a command-line tool with around 30 major features. The tool can be used in the fields of Reverse Code Engineering, malware analysis (with an optimized and generalized implementation of the Flame Worm's substitution algorithm), System Forensics and other related areas.
_____________________________________________________________________

Note: Input(s) and Output(s) are in decimal, or in hex where noted. Everything works at the byte level (1-gram) unless otherwise noted.

+ Syntax: Entyzer -f <filename> { -b [<start_offset> <size>] }
  - To get the Entropy, Redundancy, A. Mean and StdDev. for any file or for a specific block.

+ Syntax: Entyzer -f <filename> -graph <IsValue> <Color Template>
  - To generate a hue visualization of the data as an HTML file.
  - IsValue takes either 0 or 1: 1 to display the frequency of each character, 0 otherwise.
  - Color Template takes a value between 1 and 7 for different templates:
    1:= Gray I, 2:= Gray II, 3:= Tan, 4:= Olive Green, 5:= Blue, 6:= Green + Green + Yellow, 7:= Orange + Orange + Yellow

+ Syntax: Entyzer -f <filename> -xml
  - To generate an XML report: general and Entropy information, percentage and frequency of every hex value.

+ Syntax: Entyzer -pe <filename>
  - To get the Entropy, Redundancy and StdDev. for every section of a PE binary file.
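The statistics behind `Entyzer -f <filename> -b <start_offset> <size>` (Entropy, Redundancy, arithmetic Mean and StdDev. of a block, all at the 1-gram byte level) are straightforward to reproduce. The following is an added example written for this page, not Entyzer's own code; the function names are its own, and the Redundancy definition (1 - H/8, the distance from the 8-bit maximum) is an assumption, since the page does not state the formula the tool uses.

```python
# Added example, not Entyzer's own code: per-file / per-block byte statistics.
# Assumption: redundancy = 1 - H/8 (the page does not give the tool's formula).
import math
from collections import Counter
from typing import Dict, Optional


def byte_histogram(data: bytes) -> Dict[int, int]:
    """Frequency of each byte value (1-gram)."""
    return dict(Counter(data))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in byte_histogram(data).values())
    return h + 0.0  # normalises the -0.0 produced for a constant block


def block_stats(data: bytes, start_offset: int = 0, size: Optional[int] = None) -> dict:
    """Entropy, redundancy, arithmetic mean and population std. dev. of a block.

    With no block given the whole buffer is analysed, mirroring the -b option.
    """
    block = data[start_offset:] if size is None else data[start_offset:start_offset + size]
    if not block:
        raise ValueError("empty block: check start_offset/size against the file length")
    n = len(block)
    h = shannon_entropy(block)
    mean = sum(block) / n
    stddev = math.sqrt(sum((b - mean) ** 2 for b in block) / n)
    return {
        "size": n,
        "entropy": h,
        "redundancy": 1.0 - h / 8.0,  # assumption: distance from the 8-bit maximum
        "mean": mean,
        "stddev": stddev,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a run of one byte value, then all 256 values once.
    constant = b"\x41" * 64
    uniform = bytes(range(256))
    for name, buf in (("constant", constant), ("uniform", uniform)):
        s = block_stats(buf)
        print(f"{name:8s} H={s['entropy']:.4f} R={s['redundancy']:.4f} "
              f"mean={s['mean']:.2f} stddev={s['stddev']:.2f}")
    # A block: bytes 0..15 of the uniform buffer, as -b 0 16 would select them.
    print("block 0..15 entropy:", round(block_stats(uniform, 0, 16)["entropy"], 4))
```

Replace the constructed buffers with `open(path, "rb").read()` to run the same statistics over a real file; a block whose entropy sits near 8.0 with redundancy near 0 is the usual first hint of packed or encrypted content.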
+ Syntax: Entyzer -elf -section -<option> <filename>
  - <option> = list, To list all the section names of an elf binary file.
  - <option> = all, To get the Entropy, Redundancy and StdDev. for every section of an elf binary file.
  - <option> = select, Option select is followed by a <section_name>. To get the Entropy, Redundancy and StdDev. for a selected section of an elf binary file. (e.g. section_name = .text)

+ Syntax: Entyzer -elf -SDCAlg <filename * 5>
  - To apply the Symbiotic Differential Comparison Algorithm on a reference elf binary file and 4 files compiled at varying levels of optimization (in increasing order). Only the .text section is considered.
  - For more information about 'SDCAlg' and 'KLD', please refer to the paper "An Unobtrusive Entropy Based Compiler Optimization Comparator".

+ Syntax: Entyzer -elf -section -select <section_name> -KLD <filename * 2>
  - To apply the Kullback-Leibler Divergence (KLD) measure on two elf files for a selected section. The implementation also reports the Resistor Average (RA) distance, which symmetrizes KLD.

+ Syntax: Entyzer -f -KLD <filename * 2>
  - To apply KLD and RA on any file.

[?] To list the hex transformation options, use the sub-option -h:hex
[?] To list the distance metrics options, use the sub-option -h:stat

+ Syntax: Entyzer -f <filename> -hext: <operation> <operand> { -b [<start_offset> <end_offset>] }
  - To apply various mathematical hex transformations (operations) on a specific file. All the operations work at the byte level. If the block (-b) option is specified, the transformation operates only on the range specified by the SO and EO, otherwise the whole file is taken. <operand> accepts a decimal value between 0 and 255.
  - The <operation> can take any of the following transformations:
    + {mod, neg, div, mult, bfmult, sub, add} (neg takes no operand)
      # ex. [... -hext: bfmult <Key>]
      This is a decoder for data encoded with the multiplication operation; in case of an overflow, the resulting value loses the high byte.
    + Binary operations: {xor, or, and, inv} (inv takes no operand)
    + {rxor} (Rolling XOR, takes more than one operand/key). The size of the key is limited by the file size !(-b). Keys must be separated with a space.
      # ex. [... -hext: rxor 4 1 56 90 124 250]
    + {xorxv} (XOR Except This Value (ETV), takes ETV)
    + {xorkeybf} (Brute force data XORed with 1-byte key)
      # ex. [... -hext: xorkeybf <data>]
      A brute forcer for data XORed/encrypted with a 1-byte key. <data> takes the 'original plain version' to search for; a minimum of 2 values is needed. If a match is found, it reports the key and the index at which the data is located in the file.
    + {nprxo} (Null-Preserving XOR, !XOR 0 & operand values)
    + {swpnb} (Swap Nibbles, swpnb takes no operand)
    + {sleft, sright, rotl, rotr} => Shift/Rotate Left/Right
      # ex. [... -hext: xor 4 -b 10 20]
    + {rand} (Randomize takes two operand values: Min and Max)
    + {xrand} (This option provides a generic implementation of encrypting data using the XOR binary operator, with keys generated using the rand() function based on a chosen seed value and key selection mode. Option -b is not applicable)
      ** Options [... -hext: xrand <seed value> -m <r|h|l> -s <c|f>]
      # ex. [... -hext: xrand 222153 -m r 20 199 -s c]
      # ex. [... -hext: xrand 63546354 -m h -s f]
      seed value : <seed value> to initialize the pseudo random number generator rand().
      mode option (-m) : key selector. Data will be XORed with the values of the chosen mode. Takes either of the following options: r, h, or l.
        r: range mode. Takes two additional arguments, a minimum and a maximum value. This mode limits key values to values between the chosen minimum and maximum.
        h: high byte value. Takes the high byte value of the generated pseudo random value. Takes no additional arguments.
        l: low byte value.
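Four of the -hext: transformations above are the ones an analyst most often re-implements while undoing a sample's byte-level encoding: bfmult (recovering x from (x * key) mod 256 after the overflow discarded the high byte), rxor (rolling XOR with a multi-byte key), nprxo (null-preserving XOR) and xorkeybf (recovering a 1-byte XOR key from a known plaintext fragment). The block below is an added example written for this page, not Entyzer's code; its function names are its own, the sample data is constructed, and the tie-break for even bfmult keys is an assumption, since the page does not say how the tool resolves that ambiguity.

```python
# Added example, not Entyzer's own code: byte-level decoders for bfmult, rxor,
# nprxo and xorkeybf as described in the -hext: option list.
from typing import Dict, List, Optional, Tuple


def mult_encode(data: bytes, key: int) -> bytes:
    """Byte-wise multiplication; the overflow (high byte) is discarded."""
    return bytes((b * key) & 0xFF for b in data)


def bfmult_decode(data: bytes, key: int) -> bytes:
    """Undo mult_encode by trying all 256 candidate input bytes per output byte.

    For an odd key every output byte has exactly one preimage (the key is
    invertible mod 256).  For an even key the input's top bit(s) are lost and
    several inputs collide; this example keeps the smallest candidate
    (assumption: Entyzer's tie-break is not documented on the page).
    """
    preimage: Dict[int, int] = {}
    for x in range(256):
        preimage.setdefault((x * key) & 0xFF, x)
    out = bytearray()
    for i, b in enumerate(data):
        if b not in preimage:
            raise ValueError(f"byte 0x{b:02X} at offset {i} cannot result from key {key}")
        out.append(preimage[b])
    return bytes(out)


def rxor(data: bytes, keys: List[int]) -> bytes:
    """Rolling XOR: byte i is XORed with keys[i % len(keys)].  Self-inverse."""
    if not keys:
        raise ValueError("rxor needs at least one key byte")
    return bytes(b ^ keys[i % len(keys)] for i, b in enumerate(data))


def nprxo(data: bytes, key: int) -> bytes:
    """Null-preserving XOR: bytes equal to 0 or to the key itself are left as-is,
    so a zero-padded region stays zero and the key never leaks as 0x00."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def xorkeybf(data: bytes, plain: bytes) -> Optional[Tuple[int, int]]:
    """Brute force a 1-byte XOR key given a known plaintext fragment.

    Returns (key, index) of the first match, or None.  At least two plaintext
    bytes are required: a single byte matches somewhere under almost every key.
    """
    if len(plain) < 2:
        raise ValueError("need at least 2 plaintext bytes")
    for key in range(256):
        needle = bytes(p ^ key for p in plain)
        idx = data.find(needle)
        if idx != -1:
            return key, idx
    return None


if __name__ == "__main__":
    # Constructed sample: a PE DOS-stub string XORed with the single key 0x5A,
    # preceded by two filler bytes so the reported index is non-zero.
    blob = bytes(b ^ 0x5A for b in b"xxThis program cannot be run in DOS mode")
    print("xorkeybf ->", xorkeybf(blob, b"This program"))          # (90, 2)
    enc = mult_encode(b"Hello, world", 7)
    print("bfmult   ->", bfmult_decode(enc, 7))                     # b'Hello, world'
    keys = [4, 1, 56, 90, 124, 250]                                 # the page's rxor example keys
    print("rxor x2  ->", rxor(rxor(b"rolling", keys), keys))        # b'rolling'
    print("nprxo    ->", nprxo(b"\x00\x41\x5a", 0x5A).hex())        # 001b5a
```

The xorkeybf search stops at the first key that produces a hit; on a real sample, confirm the candidate by checking that the decoded neighbourhood of the reported index is also meaningful, since a short plaintext can match by coincidence.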
        Takes the low byte value of the generated pseudo random value. Takes no additional arguments.
      save option (-s) : data output. Takes either of the following options: c or f
        c: displays to the console window some statistical information about the transformation process. Information displayed:
          - rand()        : <entropy of the generated pseudo random values. Maximum is 14.9999>
          - High Byte     : <entropy of the high byte values of the rand() values. Maximum is 8.0>
          - Low Byte      : <entropy of the low byte values of the rand() values. Maximum is 8.0>
          - Original Data : <entropy of the original data. Input file>
          - XORed Data    : <entropy of the data after transformation>
        f: generates a CSV file with the name of the input file. All generated data is in hex. The CSV file contains original bytes, generated pseudo random values, mode values (depends on the mode), and XORed values.
    + {flame} (Apply Flame's Substitution Algorithm)
      - The implementation is inspired by the Flame/SkyWiper Worm.
      - Entyzer features an optimized and generalized implementation of Flame's Substitution Algorithm.
      - The command line options are the following:
        ... -hext: flame <Substitution Table> -pm <0|1> -p <0|1>
      - The argument <Substitution Table> takes a file name (in binary format) of size 256 bytes. This table contains the set of keys. Thus, modification of the table is done via a Hex editor.
      - The option '-pm' represents the Parsing Mode. Two modes are supported.
        - If the argument is 0, it replaces the index value at the key position with the key value.
          For example,
            0  1  2  3  4  5  ...
            0 EA 82 63 AE A3 8C ...   // For every '0x00' replace it with '0xEA'
        - If the argument is 1, it replaces the key value with the index value.
          For example,
            0  1  2  3  4  5  ...
            0 EA 82 63 AE A3 8C ...   // For every '0xEA' replace it with '0x00'
      - The option '-p' outputs statistics about the transformation process.
        - If the argument is 0, it outputs nothing.
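The two parsing modes of the flame transformation are easiest to see with a small table: pm = 0 reads the table as index -> key (every byte b becomes table[b]), pm = 1 reads it the other way (every byte equal to table[i] becomes i). The block below is an added example written for this page, not Entyzer's code. Its table is a constructed reverse-order permutation, not the Flame worm's own table (flamemode1), which ships with the tool and is not reproduced here; the handling of duplicate keys in pm = 1 is an assumption.

```python
# Added example, not Entyzer's own code: a 256-byte substitution table applied
# in parsing mode 0 (index -> key) or 1 (key -> index), with '-p 1' style stats.
from collections import Counter
from typing import Dict, List, Optional, Tuple


def load_table(raw: bytes) -> bytes:
    """A substitution table is exactly 256 bytes: entry i is the key for index i."""
    if len(raw) != 256:
        raise ValueError(f"substitution table must be 256 bytes, got {len(raw)}")
    return raw


def invert_table(table: bytes) -> Dict[int, int]:
    """key -> index mapping for pm=1.  A duplicated key is ambiguous; this
    example lets the first index win (assumption).  A table that is a
    permutation, like the demo table below, has no duplicates."""
    inverse: Dict[int, int] = {}
    for index, key in enumerate(table):
        inverse.setdefault(key, index)
    return inverse


def flame_substitute(data: bytes, table: bytes, pm: int,
                     block: Optional[Tuple[int, int]] = None
                     ) -> Tuple[bytes, List[Tuple[int, int, int]]]:
    """Apply the table in parsing mode pm (0 or 1), optionally only to the -b
    style block [start_offset, end_offset).  Returns the new bytes and a list of
    (value, key, changes) for every byte value that was actually replaced."""
    if pm not in (0, 1):
        raise ValueError("pm must be 0 or 1")
    mapping = {i: table[i] for i in range(256)} if pm == 0 else invert_table(table)
    start, end = block if block else (0, len(data))
    out = bytearray(data)
    changes: Counter = Counter()
    for i in range(start, min(end, len(data))):
        new = mapping.get(data[i], data[i])
        if new != data[i]:
            out[i] = new
            changes[(data[i], new)] += 1
    stats = sorted((v, k, n) for (v, k), n in changes.items())
    return bytes(out), stats


def print_stats(stats: List[Tuple[int, int, int]]) -> None:
    """Like the '-p 1' console output: Value and Key in hex, Changes in decimal."""
    print(f"{'Value':>5} {'Key':>4} {'Changes':>8}")
    for value, key, n in stats:
        print(f"{value:>5X} {key:>4X} {n:>8d}")


if __name__ == "__main__":
    # Constructed demo table: index i -> key 255 - i (NOT the Flame worm's table).
    demo_table = load_table(bytes(255 - i for i in range(256)))
    sample = b"\x00\x01\x02\x00"
    enc, stats = flame_substitute(sample, demo_table, pm=0)   # 00->FF, 01->FE, 02->FD
    print_stats(stats)
    dec, _ = flame_substitute(enc, demo_table, pm=1)          # FF->00, FE->01, FD->02
    print("round trip ok:", dec == sample)
    partial, _ = flame_substitute(b"\x00\x00\x00", demo_table, 0, block=(1, 2))
    print("-b 1 2 ->", partial.hex())                          # 00ff00
```

Applying a table with pm = 0 and then the same table with pm = 1 is only a clean round trip when the table is a permutation; with duplicate keys, the pm = 1 pass cannot tell the colliding indices apart.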
        - If the argument is 1, it outputs to the console window various statistics about the changes that have been applied to the original file. The values of the parameters 'Value' and 'Key' are in hex, while the values of the parameter 'Changes' are in decimal.
      - The 'flame' transformation also supports the '-b' option.
      - For reference, three 'Substitution Tables' are included in this release ('Template' folder):
        - flamemode1: Is the actual table used in the Flame Worm.
        - flamemode0: Same as flamemode1, but for pm = 0.
        - ftemplatex: Contains a raw template of size 256.
    + {t1e} (The (t1e) encryption/decryption template module)
      # Takes 3 operand values: 'x', 'y' and 'z'
      # t1e := {add x, xor y, sub z} - t1d := {add z, xor y, sub x}
      # ex. To encrypt: [... -hext: t1e x y z]
      #     To decrypt: [... -hext: t1e z y x]

+ Syntax: Entyzer -f <filename> -cpp [ -b <start_offset> <end_offset> ]
  - To generate an unsigned C/C++ hex char byte array.

+ Syntax: Entyzer -f <filename> -<operation> { -b [<start_offset> <end_offset>] }
  - To apply various mathematical distance metrics (operations) on a specific file. All the operations work at the byte level (1-gram). If the block (-b) option is specified, the metric operates only on the range specified by the SO and EO, otherwise the whole file is taken.
  - The <operation> can take any of the following metrics:
    + {snr} (Signal to Noise Ratio)
      - Calculates the Signal to Noise Ratio (snr). Reports "Mean" (of a discrete probability distribution), "Standard Deviation" (for a discrete random variable with different probabilities), and snr (Mean/StdDev). Option -b is not applicable.
    + {spsidx} (Simpson's Index)
      - 256-Dimension (256-gram - HexBytes)
      - Difference/Diversity quantifier: 1 = Infinite diversity, 0 = No diversity for low numbers -> LSI = High Diversity, HSI = Low Diversity
    + {cbrdst} (Canberra's Distance)
      - 1-Dimension (1-gram)
      - Sensitive to very minute variations
    + {srndst} (Sorensen's Distance)
      - Also known as Bray Curtis Distance
      - Measures the similarity between bytes
    + {mkskidst} (Minkowski's Distance of Order, Lambda = 3)
    + {mhtndst} (Manhattan's Distance, Lambda = 1)
      # ex. [Entyzer -f test -cbrdst]

+ Syntax: Entyzer -f -pearson <filename * 2>
  - To get Pearson's Test-Statistic (Chi-Square Test) between two files. The first file represents the Reference data set, the second file represents the New data set to be tested against the Reference one. This is for finding the similarity level between two files.

+ Syntax: Entyzer -bfent <filename> -m <1|2|3|4> -s <NPR> <MV> <PPR> -d <0|1> { -b [<start_offset> <end_offset>] }
  - To Brute Force for a specific Entropy value/range. -m stands for mode of operation. Four modes are supported: 1, 2, 3 or 4. (NPR/PPR) Negative/Positive Permissible Ranges take a value between [0,1]. Main Value (MV) is the Entropy central value sought. -d is for dumping found Entropy value(s): 0 to the console window and 1 to a csv file (the generated csv file takes the name of the original file <filename>).
  # ex. [Entyzer -bfent test -m 3 -s 0.3 5.8 0.7 -d 1]
  Please refer to "On the Intractability of Designing an Efficient Entropy Brute Forcer" for more information about how to use this feature.

[----------------------------------------------------]
+ Entyzer.exe Signature:
  - 32-Bit: MD5 3B0BE2A5F5EFD5F60BAAE68A56395325
  - 64-Bit: MD5 B9023822025A66908CD70DAA6FB3FA38
+ Libraries used:
  - ELFIO library by Serge Lamikhov
  - MD5 Library by Benjamin Grüdelbach
[----------------------------------------------------]
https://mega.co.nz/#!ekcymZZS!6mtuAUELKg8Z6M4jI4hrDYqLhoIFgndZYlkn-wG-fhY
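The two-file comparisons on this page, KLD with its Resistor Average symmetrisation (the -KLD options described earlier) and Pearson's chi-square test statistic against a Reference file (-pearson), all start from the same 1-gram byte distributions. The block below is an added example written for this page, not Entyzer's code, covering both. Two details are assumptions, because the page does not state them: divergences are measured in bits (log base 2, matching the entropy values elsewhere on the page), and byte values present in one file but absent from the other, which make KLD infinite, are handled with optional Laplace smoothing.

```python
# Added example, not Entyzer's own code: KLD, Resistor Average distance and
# Pearson's chi-square statistic between two byte buffers ("files").
# Assumptions: log base 2; optional Laplace smoothing for absent byte values.
import math
from collections import Counter
from typing import List


def distribution(data: bytes, alpha: float = 0.0) -> List[float]:
    """Byte-value probabilities over all 256 values.  alpha > 0 adds Laplace
    smoothing so no value has probability 0 (assumption: the page does not say
    how Entyzer treats byte values missing from one of the two files)."""
    counts = Counter(data)
    total = len(data) + 256 * alpha
    return [(counts.get(i, 0) + alpha) / total for i in range(256)]


def kld(p: List[float], q: List[float]) -> float:
    """D(p || q) in bits.  p_i = 0 contributes nothing; q_i = 0 with p_i > 0
    makes the divergence infinite."""
    total = 0.0
    for pi, qi in zip(p, q):
        if pi == 0.0:
            continue
        if qi == 0.0:
            return math.inf
        total += pi * math.log2(pi / qi)
    return total


def resistor_average(p: List[float], q: List[float]) -> float:
    """RA: 1/RA = 1/D(p||q) + 1/D(q||p), the symmetrisation the page reports
    next to KLD.  0 for identical distributions; if one direction is infinite
    the result collapses to the other direction."""
    d1, d2 = kld(p, q), kld(q, p)
    if d1 == 0.0 or d2 == 0.0:
        return 0.0
    if math.isinf(d1) and math.isinf(d2):
        return math.inf
    return 1.0 / (1.0 / d1 + 1.0 / d2)


def pearson_chi_square(reference: bytes, new: bytes) -> float:
    """Pearson's test statistic of `new` against the byte distribution of
    `reference`: sum((O_i - E_i)^2 / E_i) with E_i = len(new) * p_ref_i.
    A byte value seen in `new` but never in `reference` has E_i = 0 and
    makes the statistic infinite (the files are then trivially dissimilar)."""
    p_ref = distribution(reference)
    observed = Counter(new)
    n = len(new)
    chi2 = 0.0
    for i in range(256):
        expected = n * p_ref[i]
        obs = observed.get(i, 0)
        if expected == 0.0:
            if obs:
                return math.inf
            continue
        chi2 += (obs - expected) ** 2 / expected
    return chi2


if __name__ == "__main__":
    # Constructed "files": the reference holds every byte value equally often,
    # the new buffer is the same data with a run of zero padding appended.
    ref = bytes(range(256)) * 4
    new = bytes(range(256)) * 2 + b"\x00" * 512
    p, q = distribution(ref, alpha=1.0), distribution(new, alpha=1.0)
    print(f"KLD(ref||new) = {kld(p, q):.4f} bits")
    print(f"KLD(new||ref) = {kld(q, p):.4f} bits")
    print(f"RA            = {resistor_average(p, q):.4f} bits")
    print(f"chi-square    = {pearson_chi_square(ref, new):.2f}")
```

For real files, read both with `open(path, "rb").read()` and pass them in the same order as on the command line (reference first); a chi-square value near 0 or an RA near 0 bits means the byte distributions are practically the same, which is the similarity signal the page describes.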