1、首先安装yara-python
进入D:softwareIDA7.0python27>目录 执行命令:python -m pip install yara-python==3.11.0
2、从github下载压缩文件解压后,把findcrypt3.py和findcrypt3.rules复制到IDA的plugins目录中
链接地址:https://github.com/polymorf/findcrypt-yara
3、可以为findcrypt3添加国密SM4算法的识别规则。打开findcrypt3.rules,在最后添加如下内容,保存。
rule SM4_FK {
meta:
author = "Basstorm"
description = "Look for SM4_FKbox constants"
date = "2020-08"
strings:
$c0 = { C6 BA B1 A3 50 33 AA 56 97 91 7D 67 DC 22 70 B2 }
condition:
$c0
}
rule SM4_CK {
meta:
author = "Basstorm"
description = "Look for SM4_CKbox constants"
date = "2020-08"
strings:
$c0 = { 15 0E 07 00 31 2A 23 1C 4D 46 3F 38 69 62 5B 54 85 7E 77 70 A1 9A 93 8C }
condition:
$c0
}
4、打开IDA->Edit->Plugins->Findcrypt,即可使用啦
参考:
https://www.cnblogs.com/heyhx/p/13777798.html
https://www.icode9.com/content-4-822773.html