Conference papers

Aligot: cryptographic function identification in obfuscated binary programs

Joan Calvet 1, José Fernandez 2, Jean-Yves Marion 1
1 CARTE - Theoretical adverse computations, and safety
Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
Abstract : Analyzing cryptographic implementations has important applications, especially for malware analysis where they are an integral part both of the malware payload and the unpacking code that decrypts this payload. These implementations are often based on well-known cryptographic functions, whose description is publicly available. While potentially very useful for malware analysis, the identification of such cryptographic primitives is made difficult by the fact that they are usually obfuscated. Current state-of-the-art identification tools are ineffective due to the absence of easily identifiable static features in obfuscated code. However, these implementations still maintain the input-output (I/O) relationship of the original function. In this paper, we present a tool that leverages this fact to identify cryptographic functions in obfuscated programs, by retrieving their I/O parameters in an implementation-independent fashion, and comparing them with those of known cryptographic functions. In experimental evaluation, we successfully identified the cryptographic functions TEA, RC4, AES and MD5 in obfuscated programs. In addition, our tool was able to recognize basic operations done in asymmetric ciphers such as RSA.
Document type :
Conference papers

Cited literature [32 references]
Contributor : Jean-Yves Marion
Submitted on : Sunday, December 9, 2012 - 12:47:57 PM
Last modification on : Friday, December 9, 2022 - 12:20:09 PM
Long-term archiving on : Monday, March 11, 2013 - 12:07:36 PM


Publisher files allowed on an open archive


  • HAL Id : hal-00762924, version 1



Joan Calvet, José Fernandez, Jean-Yves Marion. Aligot: cryptographic function identification in obfuscated binary programs. ACM Conference on Computer and Communications Security, Oct 2012, Raleigh, United States. pp.169-182. ⟨hal-00762924⟩


