🤖 AI Summary
To address the challenges of identifying and semantically analyzing cryptographic functions in stripped binaries, namely low generalizability, heavy reliance on manual effort, and poor interpretability, this paper proposes FoC, an LLM-driven two-stage framework. In Stage I, FoC-BinLLM uses a large language model to generate high-fidelity natural-language summaries of binary functions, achieving a 14.61% ROUGE-L improvement over ChatGPT. In Stage II, FoC-Sim combines binary-aware semantic modeling with change-sensitive similarity learning to support fine-grained retrieval of cryptographic functions, improving Recall@1 by 52% over state-of-the-art methods. FoC operates end-to-end without requiring source code or symbolic information, enabling fully automated semantic annotation. Evaluated on a newly constructed cryptographic binary dataset, FoC demonstrates robust effectiveness and has been applied in real-world settings, including malware behavior analysis and 1-day vulnerability detection.
📝 Abstract
Analyzing the behavior of cryptographic functions in stripped binaries is a challenging but essential task, which is crucial in software security fields such as malware analysis and legacy code inspection. However, the inherent high logical complexity of cryptographic algorithms makes their analysis more difficult than that of ordinary code, and the general absence of symbolic information in binaries exacerbates this challenge. Existing methods for cryptographic algorithm identification frequently rely on data or structural pattern matching, which limits their generality and effectiveness while requiring substantial manual effort. In response to these challenges, we present FoC (Figure out the Cryptographic functions), a novel framework that leverages large language models (LLMs) to identify and analyze cryptographic functions in stripped binaries.
In FoC, we first build an LLM-based generative model (FoC-BinLLM) to summarize the semantics of cryptographic functions in natural language, which is intuitively readable to analysts. Subsequently, based on the semantic insights provided by FoC-BinLLM, we further develop a binary code similarity detection model (FoC-Sim), which allows analysts to effectively retrieve similar implementations of unknown cryptographic functions from a library of known cryptographic functions. The predictions of a generative model like FoC-BinLLM are inherently unlikely to reflect minor alterations in binary code, such as those introduced by vulnerability patches. In contrast, the change-sensitive representations generated by FoC-Sim compensate for this shortcoming to some extent. To support the development and evaluation of these models, and to facilitate further research in this domain, we also construct a comprehensive cryptographic binary dataset and introduce an automatic method to create semantic labels for a large number of binary functions. Our evaluation results are promising. FoC-BinLLM outperforms ChatGPT by 14.61% on the ROUGE-L score, demonstrating superior capability in summarizing the semantics of cryptographic functions. FoC-Sim also surpasses the previous best methods with a 52% higher Recall@1 in retrieving similar cryptographic functions. Beyond these metrics, our method has proven its practical utility in real-world scenarios, including cryptographic-related virus analysis and 1-day vulnerability detection.