
Adding more rules to the IDA plugin findcrypt

Here we take the Chinese national standard cipher SM4 as the example, since this algorithm is fairly common.

Consulting the SM4 specification, we learn:

FK is a fixed value: FK0 = (A3B1BAC6), FK1 = (56AA3350), FK2 = (677D9197), FK3 = (B27022DC)

CKi are fixed values: CK = [0x00070E15,0x1c232a31,0x383f464d,0x545b6269,
0x70777e85,0x8c939aa1,0xa8afb6bd,0xc4cbd2d9,
0xe0e7eef5,0xfc030a11,0x181f262d,0x343b4249,
0x50575e65,0x6c737a81,0x888f969d,0xa4abb2b9,
0xc0c7ced5,0xdce3eaf1,0xf8ff060d,0x141b2229,
0x30373e45,0x4c535a61,0x686f767d,0x848b9299,
0xa0a7aeb5,0xbcc3cad1,0xd8dfe6ed,0xf4fb0209,
0x10171e25,0x2c333a41,0x484f565d,0x646b7279]

So we can match these two constant tables to identify SM4.

Rules:

rule SM4_FK {
	meta:
		author = "Basstorm"
		description = "Look for SM4_FKbox constants"
		date = "2020-08"
	strings:
		$c0 = { C6 BA B1 A3 50 33 AA 56 97 91 7D 67 DC 22 70 B2 }
	condition:
		$c0
}

rule SM4_CK {
	meta:
		author = "Basstorm"
		description = "Look for SM4_CKbox constants"
		date = "2020-08"
	strings:
		$c0 = { 15 0E 07 00 31 2A 23 1C 4D 46 3F 38 69 62 5B 54 85 7E 77 70 A1 9A 93 8C }
	condition:
		$c0
}
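The byte strings in the two rules above are the FK and CK words written out as little-endian 32-bit integers, which is how a compiler lays them out in an x86 or ARM binary. The following Python script is an added example (not part of the original post or of findcrypt) that generates those YARA hex patterns from the constant lists, so you can regenerate or extend them without hand-typing bytes, and scans a byte buffer for the tables in both little- and big-endian order. It goes slightly beyond the post: the rules as written only match the little-endian layout, so a big-endian build (or a table the compiler stored as pre-swapped words) would be missed, and the scanner below reports which layout it found. The names `yara_hex_pattern`, `build_rule`, `find_sm4_constants` and the sample buffer `SAMPLE_BLOB` are my own; the constants come from the SM4 specification as quoted above.

```python
import struct

# SM4 system parameter FK and constant key CK, as listed in the SM4 specification.
SM4_FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC]
SM4_CK = [
    0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,
    0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,
    0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,
    0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,
    0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,
    0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,
    0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,
    0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279,
]

# Struct format prefixes for the two word orders we care about.
ENDIANS = {"little": "<", "big": ">"}


def table_bytes(words, endian="little"):
    """Serialize 32-bit words back to back in the given byte order."""
    return b"".join(struct.pack(ENDIANS[endian] + "I", w) for w in words)


def yara_hex_pattern(words, endian="little", count=None):
    """Render (the first `count`) words as the body of a YARA hex string,
    e.g. 'C6 BA B1 A3 ...' for FK in little-endian order."""
    if count is not None:
        words = words[:count]
    return " ".join(f"{b:02X}" for b in table_bytes(words, endian))


def build_rule(name, words, endian="little", count=None, author="example"):
    """Emit a complete YARA rule in the same shape as the findcrypt rules above.
    `author` is a placeholder; fill in your own handle."""
    return (
        f"rule {name} {{\n"
        f"\tmeta:\n"
        f"\t\tauthor = \"{author}\"\n"
        f"\t\tdescription = \"Look for {name} constants ({endian}-endian)\"\n"
        f"\tstrings:\n"
        f"\t\t$c0 = {{ {yara_hex_pattern(words, endian, count)} }}\n"
        f"\tcondition:\n"
        f"\t\t$c0\n"
        f"}}\n"
    )


def find_sm4_constants(blob):
    """Scan `blob` for the full FK and CK tables in either byte order.
    Returns a list of (table_name, endianness, offset) for every hit."""
    hits = []
    for name, words in (("SM4_FK", SM4_FK), ("SM4_CK", SM4_CK)):
        for endian in ENDIANS:
            needle = table_bytes(words, endian)
            off = blob.find(needle)
            while off != -1:
                hits.append((name, endian, off))
                off = blob.find(needle, off + 1)
    return hits


# Constructed sample buffer standing in for a file section: 16 bytes of padding,
# FK stored little-endian, 8 filler bytes, then CK stored big-endian.
SAMPLE_BLOB = (
    b"\x00" * 16
    + table_bytes(SM4_FK, "little")
    + b"\xCC" * 8
    + table_bytes(SM4_CK, "big")
)

if __name__ == "__main__":
    print(build_rule("SM4_FK", SM4_FK, author="example"))
    print(build_rule("SM4_CK", SM4_CK, count=6, author="example"))
    for name, endian, off in find_sm4_constants(SAMPLE_BLOB):
        print(f"{name}: {endian}-endian table at offset 0x{off:x}")
```

Running the script prints a pair of rules whose `$c0` bodies are byte-for-byte the patterns in the rules above (the CK rule uses `count=6`, i.e. the first 24 bytes, exactly as the post does), and the scan reports FK at offset 0x10 as little-endian and CK at offset 0x28 as big-endian. If you want both layouts covered in findcrypt, generate a second rule with `endian="big"` rather than widening the existing one; a short prefix of CK is usually enough to avoid false positives because the values are not otherwise common.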

Result:

References:

https://www.codeleading.com/article/61182502939/