Binary Protocol Dissector
Well, today is the last day for the ID contest, and I am interested to see what kind of competition there is out there! Unfortunately, like a dummy, I wasn't regression testing my plugin over the past few releases. Although it was done months ago, it doesn't work now :( Soooo.... I thought I might as well share what it is and what it does, and if by some Christmas miracle I get it working by midnight tonight it will be submitted.

The whole idea of the plugin is to automate the task of reverse engineering a protocol so that you can easily translate its structure to a block-based fuzzer (like Sulley or SPIKE). Essentially, it has two components: mike.py and boo.py (for Monsters Inc. fans, of course :)).

mike.py - this hooks socket calls, and when a packet arrives it begins single-stepping and trapping all state information as the packet traverses the process space. Using some simple heuristics, it is able to determine when the packet length and packet payload are being used by the process. A lot of logic was built in to output GDL graphs of all the information it has trapped. Using a threshold for each iteration, it is able to graph deeper and deeper into the protocol.

boo.py - this is responsible for sending the packets themselves, and is to be extended so that when mike reports a hit on the packet payload (during a CMP instruction, for example), boo will adjust its test packet to try to meet the protocol criteria.

So, since it's busted and I can't get some of the small niceties cleaned up, I figured the minimum is to post some graphs. Here is a graph of the first iteration against the Perforce source code repository server.

A bit anti-climactic, isn't it! So let's zoom in a bit further:

Now you can see some more information! Yay! (If only I could get this bloody thing working again... ok, I will stop complaining.)

Let's see what our second iteration looks like from a high level:

You can see the blocks that were covered previously are greyed out, so that you can drill down into your newly covered area:

So yeah, I will repost if I get it working, but that's it!
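To make the length/payload heuristic and the greyed-out GDL output concrete, here is a simplified stand-alone model of it in Python. This is an added example, not the author's mike.py or boo.py: it assumes a constructed instruction trace (address, mnemonic, concrete operand values) instead of live single-stepping, and a constructed packet whose first byte is its length.

```python
from dataclasses import dataclass

@dataclass
class Step:
    addr: int          # address of the instruction (used as the GDL node name)
    mnemonic: str      # e.g. "cmp", "mov"
    operands: tuple    # concrete operand values captured at this step

# Constructed sample packet: one-byte length prefix (11 = whole packet), then fields.
PACKET = bytes([0x0b, 0x00]) + b"PING" + b"hello"

# Constructed trace standing in for what a debugger would record while stepping.
TRACE = [
    Step(0x401000, "mov", (11,)),                   # reads the length prefix
    Step(0x401010, "cmp", (11, 1024)),              # bounds-checks the length
    Step(0x401020, "cmp", (0x474E4950, 0x474E4950)),# compares "PING" (little-endian dword)
    Step(0x401030, "add", (4, 8)),                  # unrelated arithmetic
    Step(0x401040, "cmp", (0x6C6C6568, 0)),         # compares "hell" from the body
]

def classify(step, packet):
    """Simple heuristic: an operand equal to len(packet) is a length use; an
    operand whose little-endian byte encoding occurs in the packet is a payload use."""
    for v in step.operands:
        if v == len(packet):
            return "length"
        for width in (1, 2, 4):
            if v != 0 and 0 <= v < 1 << (8 * width) and v.to_bytes(width, "little") in packet:
                return "payload"
    return None

def find_hits(trace, packet):
    """Return (addr, mnemonic, kind) for every step the heuristic flags."""
    hits = []
    for s in trace:
        kind = classify(s, packet)
        if kind:
            hits.append((s.addr, s.mnemonic, kind))
    return hits

def to_gdl(hits, covered, title):
    """Emit a GDL graph; nodes already covered in an earlier iteration are greyed out."""
    lines = ["graph: {", f'title: "{title}"']
    for addr, mn, kind in hits:
        color = "lightgrey" if addr in covered else ("red" if kind == "payload" else "yellow")
        lines.append(f'node: {{ title: "{addr:#x}" label: "{mn} {kind}" color: {color} }}')
    for (a, _, _), (b, _, _) in zip(hits, hits[1:]):
        lines.append(f'edge: {{ sourcename: "{a:#x}" targetname: "{b:#x}" }}')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    first = find_hits(TRACE, PACKET)
    print(to_gdl(first, covered={h[0] for h in first[:2]}, title="iteration 2"))
```

Note that the one-byte width makes small constants match spuriously (a CMP against 0x0b would count as payload even if unrelated), which is exactly the kind of noise a per-iteration threshold is there to suppress.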