Cryptographic Function Detection in Obfuscated Binaries via Bit-Precise Symbolic Loop Mapping

Explore a 24-minute IEEE conference talk on detecting cryptographic functions in obfuscated binaries using bit-precise symbolic loop mapping. Delve into the challenges of identifying crypto functions in malware and learn about a novel technique that captures algorithm semantics through bit-precise symbolic execution. Discover how this approach, implemented in the CryptoHunt prototype, effectively detects common cryptographic functions like TEA, AES, RC4, MD5, and RSA under various obfuscation schemes. Gain insights into the importance of crypto function detection for malware defense and forensics, and understand the limitations of existing methods when dealing with obfuscated binaries.

Intro
Cryptographic Function • Encryption and decryption procedure
Crypto Functions in Malware
Why Detect Crypto Functions? • Provide a starting point for reverse engineering
Crypto Function Attributes
Existing Detection Methods
Challenges
Our Method
Overview * Equivalence check on loop bodies in the
Loop Detection
Bit Symbolic Execution
Equivalence Checking • Replace the mapped input variables with new
Evaluation
Summary