Cryptology ePrint Archive: Report 2017/1119

Detection of cryptographic algorithms with grap

Léonard Benedetti and Aurélien Thierry and Julien Francq

Abstract: The disassembled code of an executable program can be seen as a graph representing the possible sequence of instructions (Control Flow Graph). grap is a YARA-like tool, completely open-source, and able to detect graph patterns, defined by the analyst, within an executable program.

We used grap to detect cryptographic algorithms: we created patterns for AES and ChaCha20 that are based on parts of the assembly code produced by compiling popular implementations (available in LibreSSL and libsodium). Our approach is thus based on the algorithms and their structure and does not rely on constant detection.

Category / Keywords: applications / detection, control flow graph, reverse engineering, AES

Original Publication (in the same form): 5th International Symposium on Research in Grey-Hat Hacking (GreHack 2017)

Date: received 19 Nov 2017

Contact author: benedetti at mlpo fr

Available format(s): PDF | BibTeX Citation

Version: 20171124:064625 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]