为IDA插件findcrypt添加更多规则

这里以国密SM4为例，这个算法比较常见。

查阅SM4相关文档得知：

FK为固定值：FK0 = (A3B1BAC6), FK1 = (56AA3350), FK2 = (677D9197), FK3 = (B27022DC)

CKi为固定值：CK = [0x00070E15,0x1c232a31,0x383f464d,0x545b6269,
0x70777e85,0x8c939aa1,0xa8afb6bd,0xc4cbd2d9,
0xe0e7eef5,0xfc030a11,0x181f262d,0x343b4249,
0x50575e65,0x6c737a81,0x888f969d,0xa4abb2b9,
0xc0c7ced5,0xdce3eaf1,0xf8ff060d,0x141b2229,
0x30373e45,0x4c535a61,0x686f767d,0x848b9299,
0xa0a7aeb5,0xbcc3cad1,0xd8dfe6ed,0xf4fb0209,
0x10171e25,0x2c333a41,0x484f565d,0x646b7279]

所以我们可以匹配这两个特征来实现sm4的识别。

rule：

rule SM4_FK {
	meta:
		author = "Basstorm"
		description = "Look for SM4_FKbox constants"
		date = "2020-08"
	strings:
		$c0 = { C6 BA B1 A3 50 33 AA 56 97 91 7D 67 DC 22 70 B2 }
	condition:
		$c0
}

rule SM4_CK {
	meta:
		author = "Basstorm"
		description = "Look for SM4_CKbox constants"
		date = "2020-08"
	strings:
		$c0 = { 15 0E 07 00 31 2A 23 1C 4D 46 3F 38 69 62 5B 54 85 7E 77 70 A1 9A 93 8C }
	condition:
		$c0
}

效果：

 引用资料：

https://www.codeleading.com/article/61182502939/