bincat
play

BinCAT Purrfecting binary static analysis June 16th 2017 - REcon - PowerPoint PPT Presentation

Jun 05, 2023 •279 likes •956 views

BinCAT Purrfecting binary static analysis June 16th 2017 - REcon Philippe Biondi, Raphal Rigo, Sarah Zennou, Xavier Mehrenberger Plan Introduction Demo Under the hood Conclusion 2 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT Plan

  1. BinCAT Purrfecting binary static analysis June 16th 2017 - REcon Philippe Biondi, Raphaël Rigo, Sarah Zennou, Xavier Mehrenberger

  2. Plan Introduction Demo Under the hood Conclusion 2 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  3. Plan Introduction Demo Under the hood Conclusion 3 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  4. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 4 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  5. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 5 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  6. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 6 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  7. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 7 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  8. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 8 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  9. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 9 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  10. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 10 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  11. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 11 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  12. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . inter- indirect computed mediate jumps properties language . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 12 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  13. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . inter- indirect computed mediate jumps properties language . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 13 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  14. Plan Introduction Demo Under the hood Conclusion 14 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  15. Example: keygenme $ ./get_key Usage: ./get_key company department name licence 15 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  16. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial 16 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  17. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial 17 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  18. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial $ ./get_key company department name 025E60CB0[...] 18 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  19. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial $ ./get_key company department name 025E60CB0[...] Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Thank you for registering ! 19 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  20. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC 20 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  21. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul 21 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  22. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf 22 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  23. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf 23 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  24. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf SHA-1 24 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  25. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf SHA-1 hex encode 25 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  26. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf SHA-1 hex encode license 26 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  27. Demo 1: BinCAT usage 27 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  28. Demo 2: Tainting 28 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  29. Plan Introduction Demo Under the hood Conclusion 29 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  30. Architecture IDA IDA plugin 30 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  31. Architecture IDA IDA plugin bincat binary 31 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  32. Architecture IDA config, binary... IDA plugin bincat binary 32 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  33. Architecture local mode IDA config, binary... IDA plugin bincat binary results, logs 33 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  34. Architecture remote mode IDA REST IDA plugin Web server bincat binary REST 34 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  35. Architecture remote mode IDA REST IDA plugin Web server bincat binary REST 35 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  36. Control flow graph reconstruction state 1 IP=0x08041236 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|323130| state 3 state 2 IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 EIP=0x0804123C IP=0x0804123A EAX=0x12345678 EAX=0x0007FFFF EBX=0x87654321 ZF=1 mem[0x1000]=|303132| mem[0x1000]=|303132| 36 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  37. Control flow graph reconstruction state 4 state 1 IP=0x08041236 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|323130| state 3 state 2 IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 IP=0x0804123A EIP=0x0804123C EAX=0x0007FFFF EAX=0x12345678 ZF=1 EBX=0x87654321 mem[0x1000]=|303132| mem[0x1000]=|303132| IP=0x0804123A EIP=0x0804123C EAX=0x12345678 EAX=0x0007FFFF EBX=0x87654321 ZF=1 mem[0x1000]=|303132| mem[0x1000]=|303132| 37 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  38. Control flow graph reconstruction Decoder s t n e m g state 1 e s , t IP=0x08041236 EAX=0x00000000 x EBX=0x87654321 mem[0x1000]=|323130| e t n o c state 3 , C state 2 P IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 EIP=0x0804123C IP=0x0804123A EAX=0x12345678 EAX=0x0007FFFF ZF=1 EBX=0x87654321 mem[0x1000]=|303132| mem[0x1000]=|303132| 38 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  39. Control flow graph reconstruction Decoder inc eax state 1 IP=0x08041236 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|323130| intermediate language eax ← (eax + 0x1); zf ← eax=0 ? 1: 0; sf ← (eax >> 0x1f)=1 ? 1: 0; . . . state 3 state 2 IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 EIP=0x0804123C IP=0x0804123A EAX=0x12345678 EAX=0x0007FFFF ZF=1 EBX=0x87654321 mem[0x1000]=|303132| mem[0x1000]=|303132| 39 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

More recommend