[Cryptographic Function Identification in Obfuscated Binary Programs] presented at Hackito Ergo Sum 2012

by Joan Calvet

Tags: Reverse Engineering, Cryptography

URL: http://2012.hackitoergosum.org/blog/wp-content/uploads/2012/04/HES-2012-jcalvet-CryptoFunctionIdentification.pdf

Summary: In this talk we will discuss how we implemented a cryptographic function identification technique for obfuscated binary programs, based on comparing input-output relationships. We will emphasize the building process leading to the final tool, as we believe it is a generic way of tackling such identification problems, whereas the tool itself is suitable for *some* hard-to-detect cryptographic functions in *some* obfuscated binary programs. Among several examples, we will show how we automatically identified algorithms such as RC4, very often missed by existing tools, and XTEA in heavily obfuscated binary programs, with the appreciable side effect of knowing their arguments precisely. Finally, we will show that our technique allows the recognition of modified versions of well-known cryptographic algorithms.