They say PE Kanal plugin searches for known algorithm inside of the PE file.

Do you have any information about what above sentence means?

-Which tools are used for encryption?
-Which part of the pe file do they encrypt? And what is it for?
-If it is encrypted, then how is it decrypted? At the time of unpacking?

Posted on 2009-10-06 01:58:57 by sawer
My guess is they've looked at how well-known algorithms (AES, SHA, MD5, ...) are compiled with various compilers, taking note of either a hash or wildcard sequence of the x86 instruction sequence, or look for things like S-boxes and other data used by algorithms (would only identify the use, not give location of the functions).

AFAIK Kanal has nothing to do with unpacking, it only tries to detect crypto code in executables.
Posted on 2009-10-06 02:38:37 by f0dder
OK. I thought it was about packing, as you said that's not true.
Posted on 2009-10-08 08:24:16 by sawer