Adding more rules to the IDA plugin findcrypt
阿新 • Published: 2020-08-07
Here we take the Chinese national cipher SM4 as the example, since this algorithm is fairly common.
Consulting the SM4 specification gives the following:
FK is a fixed system parameter: FK0 = (A3B1BAC6), FK1 = (56AA3350), FK2 = (677D9197), FK3 = (B27022DC)
The CKi are fixed constants: CK = [0x00070E15,0x1c232a31,0x383f464d,0x545b6269,
0x70777e85,0x8c939aa1,0xa8afb6bd,0xc4cbd2d9,
0xe0e7eef5,0xfc030a11,0x181f262d,0x343b4249,
0x50575e65,0x6c737a81,0x888f969d,0xa4abb2b9,
0xc0c7ced5,0xdce3eaf1,0xf8ff060d,0x141b2229,
0xa0a7aeb5,0xbcc3cad1,0xd8dfe6ed,0xf4fb0209,
0x10171e25,0x2c333a41,0x484f565d,0x646b7279]
So we can match these two tables as signatures to identify SM4. Note that the byte patterns below are the constants as a compiler stores a uint32_t array on a little-endian target, i.e. each word is byte-reversed, and the CK rule only uses the first six CK words.
Rule:
```yara
rule SM4_FK
{
    meta:
        author = "Basstorm"
        description = "Look for SM4_FKbox constants"
        date = "2020-08"
    strings:
        $c0 = { C6 BA B1 A3 50 33 AA 56 97 91 7D 67 DC 22 70 B2 }
    condition:
        $c0
}

rule SM4_CK
{
    meta:
        author = "Basstorm"
        description = "Look for SM4_CKbox constants"
        date = "2020-08"
    strings:
        $c0 = { 15 0E 07 00 31 2A 23 1C 4D 46 3F 38 69 62 5B 54 85 7E 77 70 A1 9A 93 8C }
    condition:
        $c0
}
```
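The following is an added example, not part of the original post or of findcrypt itself. It derives the CK table from the spec formula (ck_{i,j} = (4i + j) * 7 mod 256) rather than copying it, emits the hex strings used in the rules above so they can be checked against the post, and scans a constructed sample buffer the way findcrypt does; it goes one step beyond the post by also checking the big-endian layout, which the rules above would miss. The function names (`sm4_ck`, `yara_hex`, `make_rule`, `find_sm4_constants`) are hypothetical.

```python
import struct

# SM4 system parameter FK, as given in the specification.
SM4_FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC]


def sm4_ck():
    """Derive all 32 CK words from the spec rule ck_{i,j} = (4*i + j) * 7 mod 256."""
    return [int.from_bytes(bytes(((4 * i + j) * 7) % 256 for j in range(4)), "big")
            for i in range(32)]


def constant_bytes(words, endian="<"):
    """Serialize 32-bit words as a compiler lays out a uint32_t array ("<" LE, ">" BE)."""
    return b"".join(struct.pack(endian + "I", w) for w in words)


def yara_hex(words, endian="<"):
    """Render the serialized words as a YARA hex string, e.g. 'C6 BA B1 A3 ...'."""
    return " ".join(f"{b:02X}" for b in constant_bytes(words, endian))


def make_rule(name, words, endian="<"):
    """Build a minimal findcrypt-style rule body for a constant table (hypothetical helper)."""
    return ("rule %s {\n  strings:\n    $c0 = { %s }\n  condition:\n    $c0\n}"
            % (name, yara_hex(words, endian)))


def find_sm4_constants(blob):
    """Mimic findcrypt: report which SM4 tables occur in blob and at what offset.
    Both endian layouts are tried, since the post's rules only cover little-endian."""
    hits = {}
    for label, words in (("SM4_FK", SM4_FK), ("SM4_CK", sm4_ck()[:6])):
        for endian, tag in (("<", "LE"), (">", "BE")):
            off = blob.find(constant_bytes(words, endian))
            if off != -1:
                hits[f"{label}_{tag}"] = off
    return hits


# Constructed sample "binary": padding, FK stored little-endian, more padding,
# then the full CK table stored big-endian (as a big-endian target would).
SAMPLE_BLOB = (b"\x00" * 16 + constant_bytes(SM4_FK)
               + b"\x90" * 7 + constant_bytes(sm4_ck(), ">"))

if __name__ == "__main__":
    print(make_rule("SM4_FK", SM4_FK))
    print(find_sm4_constants(SAMPLE_BLOB))
```

Running it prints the FK rule with exactly the hex string used in the post and reports the FK table at offset 16 and the big-endian CK table at offset 39, which the little-endian-only rule would not flag.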