Binary Protocol Dissector
Author: jms
Created: Monday, December 10 2007 12:58.47 CST

Well today is the last day for the ID contest, and I am interested to see what kind of competition there is out there! Unfortunately, like a dummy, I wasn't regression testing my plugin over the past few releases. Although it was done months ago, it doesn't work now :(

Soooo.... I thought I might as well share what it is and what it does, and if by some Christmas miracle I get it working by midnight tonight it will be submitted.

The whole idea of the plugin is to automate the task of reverse engineering a protocol so that its structure can easily be translated into a block-based fuzzer definition (for Sulley or SPIKE, for example).

Essentially, it has two components: mike.py and boo.py (for Monsters, Inc. fans, of course :))

mike.py - this hooks the socket calls, and when a packet arrives it begins single-stepping, trapping all state information as the packet traverses the process's address space. Using some simple heuristics, it is able to determine when the packet length and the packet payload are being used by the process. A lot of logic was built in to output GDL graphs of all the information it has trapped; using a coverage threshold for each iteration, it is able to graph deeper and deeper into the protocol.

boo.py - this is responsible for sending the packets themselves, and is to be extended so that when mike reports a hit on the packet payload (during a CMP instruction, for example), boo will adjust its test packet to try to meet the protocol criteria.
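The mike/boo split described above, as an added example that is not jms's plugin code (the post does not include any): instead of hooking socket calls from inside a debugger, it replays a constructed single-step trace of the kind mike.py would record, applies the two heuristics the post names (a memory read inside the received buffer counts as a payload hit, a CMP against the number of bytes recv() returned counts as a length hit), and writes the covered basic blocks out as a GDL graph, greying out blocks that an earlier iteration already covered. The buffer address, packet layout, instruction addresses and both traces are made up for the example; the second trace stands in for boo.py having fixed the magic bytes so the parser gets one check deeper.

```python
from dataclasses import dataclass


@dataclass
class Step:
    """One single-stepped instruction, as a debugger hook would record it."""
    eip: int
    block: int        # start address of the basic block containing eip
    mnem: str
    reads: list       # memory reads performed: [(addr, size), ...]
    operands: list    # evaluated integer operand values


def classify(step, buf_addr, buf_len):
    """Heuristics: does this instruction consume the packet payload or its length?

    payload: any memory read overlapping the recv() buffer [buf_addr, buf_addr+buf_len)
    length:  a CMP whose operand equals the number of bytes received
    """
    hits = set()
    for addr, size in step.reads:
        if addr < buf_addr + buf_len and addr + size > buf_addr:
            hits.add("payload")
    if step.mnem == "cmp" and buf_len in step.operands:
        hits.add("length")
    return hits


def run_iteration(trace, buf_addr, buf_len):
    """Walk one trace; return (blocks in first-seen order, edges, {block: {eip: hits}})."""
    blocks, edges, hits, prev = [], [], {}, None
    for s in trace:
        if s.block not in blocks:
            blocks.append(s.block)
        if prev is not None and prev != s.block and (prev, s.block) not in edges:
            edges.append((prev, s.block))
        prev = s.block
        kinds = classify(s, buf_addr, buf_len)
        if kinds:
            hits.setdefault(s.block, {})[s.eip] = kinds
    return blocks, edges, hits


def to_gdl(blocks, edges, hits, seen_before):
    """Render one iteration as GDL (wingraph32/aiSee); earlier-covered blocks are greyed."""
    out = ['graph: {', '  title: "protocol dissection"']
    for b in blocks:
        if b in seen_before:
            color = "lightgrey"      # covered by a previous iteration
        elif b in hits:
            color = "red"            # new block that touched payload or length
        else:
            color = "white"
        label = "%08x" % b
        for eip, kinds in hits.get(b, {}).items():
            label += "\\n%08x: %s" % (eip, ",".join(sorted(kinds)))   # literal \n = GDL line break
        out.append('  node: { title: "%08x" label: "%s" color: %s }' % (b, label, color))
    for src, dst in edges:
        out.append('  edge: { sourcename: "%08x" targetname: "%08x" }' % (src, dst))
    out.append('}')
    return "\n".join(out)


def dissect(traces, buf_addr, packets):
    """Run successive iterations; return [(newly covered blocks, hits, gdl), ...]."""
    seen, results = set(), []
    for trace, pkt in zip(traces, packets):
        blocks, edges, hits = run_iteration(trace, buf_addr, len(pkt))
        new = [b for b in blocks if b not in seen]
        results.append((new, hits, to_gdl(blocks, edges, hits, seen)))
        seen.update(blocks)
    return results


# --- constructed sample data (assumptions, not a real server) -------------------------
BUF = 0x00401000                       # assumed address recv() wrote the packet to
MAGIC_BAD, MAGIC_OK = 0x5858, 0x3450   # 'XX' and 'P4' read as little-endian words
PACKET1 = b"XX\x00\x06hello\x00"       # wrong magic: the server rejects it
PACKET2 = b"P4\x00\x06hello\x00"       # boo.py "fixed" the magic: parsing goes deeper


def header_checks(magic):
    return [
        Step(0x4010F0, 0x4010F0, "cmp", [], [len(PACKET1), 4]),   # cmp eax (recv length), 4
        Step(0x4010F3, 0x4010F0, "jb", [], []),
        Step(0x401100, 0x401100, "mov", [(BUF, 2)], [magic]),      # mov ax, [buf]
        Step(0x401103, 0x401100, "cmp", [], [magic, MAGIC_OK]),    # cmp ax, 'P4'
        Step(0x401106, 0x401100, "jne", [], []),
    ]


TRACE1 = header_checks(MAGIC_BAD) + [
    Step(0x401150, 0x401150, "xor", [], [0, 0]),                  # error path
    Step(0x401152, 0x401150, "ret", [], []),
]
TRACE2 = header_checks(MAGIC_OK) + [
    Step(0x401110, 0x401110, "movzx", [(BUF + 2, 2)], [6]),        # body-length field
    Step(0x401114, 0x401110, "cmp", [], [6, 6]),
    Step(0x401117, 0x401110, "ja", [], []),
    Step(0x401120, 0x401120, "mov", [(BUF + 4, 1)], [0x68]),       # first body byte
    Step(0x401123, 0x401120, "ret", [], []),
]

if __name__ == "__main__":
    for i, (new, hits, gdl) in enumerate(dissect([TRACE1, TRACE2], BUF, [PACKET1, PACKET2]), 1):
        print("iteration %d: new blocks %s" % (i, ["%08x" % b for b in new]))
        print(gdl)
```

The length heuristic is deliberately as naive as the post describes: an operand equal to the byte count is taken as "the process is using the length", which collides with constants once packets are small, so a real implementation would rather mark the register recv() returns into and follow it. The payload check has no such ambiguity because it keys on the buffer address range.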

So, since it's busted and I can't get some of the small niceties cleaned up, I figured the minimum is to post some graphs.

Here is a graph of the first iteration against the Perforce source code repository server.



A bit anti-climactic isn't it! So let's zoom in a bit further:



Now you can see some more information! Yay! (if only I could get this bloody thing working again...ok I will stop complaining). Let's see what our second iteration looks like from a high level:



You can see the blocks that were covered previously are greyed out, so that you can drill down into your newly covered area:



So yeah, I will repost if I get it working, but that's it!


Blog Comments
PSUJobu Posted: Tuesday, December 11 2007 07:17.51 CST
Very intriguing! Hope you get it (or got it) working!  Good work...

jms Posted: Tuesday, December 11 2007 12:13.35 CST
Yeah I got it working, however I ran out of time to get some of the more advanced packet matching/replay stuff done.

qaysel Posted: Tuesday, February 9 2010 17:39.57 CST
Will you make this available to the common public? I am intrigued.
