IDA 7.0安装Findcrypt插件

1、首先安装yara-python

进入D:\software\IDA7.0\python27>目录
执行命令：python -m pip install yara-python==3.11.0

2、从github下载压缩文件解压后，把findcrypt3.py和findcrypt3.rules复制到IDA的plugins目录中

链接地址：https://github.com/polymorf/findcrypt-yara

3、可以为findcrypt3添加国密SM4算法的识别规则。打开findcrypt3.rules，在最后添加如下内容，保存。

rule SM4_FK {
meta:
author = "Basstorm"
description = "Look for SM4_FKbox constants"
date = "2020-08"
strings:
$c0 = { C6 BA B1 A3 50 33 AA 56 97 91 7D 67 DC 22 70 B2 }
condition:
$c0
}

rule SM4_CK {
meta:
author = "Basstorm"
description = "Look for SM4_CKbox constants"
date = "2020-08"
strings:
$c0 = { 15 0E 07 00 31 2A 23 1C 4D 46 3F 38 69 62 5B 54 85 7E 77 70 A1 9A 93 8C }
condition:
$c0
}

4、打开IDA->Edit->Plugins->Findcrypt，即可使用啦

参考：

https://www.cnblogs.com/heyhx/p/13777798.html
https://www.icode9.com/content-4-822773.html