📚
OpenRCE
is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
ero
's Blog
Created: Tuesday, May 15 2007 20:43.00 CDT
Modified: Wednesday, May 16 2007 10:38.49 CDT
This is an imported entry.
View original
.
Printer Friendly ...
BinNavi: Simplifying code
Author:
ero
# Views:
2390
This in a slightly expanded example of what Halvar and I showed in the Sabre-Security trainings last October. With it I illustrate how to, in
BinNavi
, build a small dataflow analyzer in Python so that it can do some work for us.
Lets imagine that theres a basic block like the following, which is part of the
ROT13
routine in the
Mydoom
worm.
Ideally we would like to have such tool what would spare us from having to figure out what the assembly code in that block does, regardless of how simple it might be in this case. Such functionality would make analysis much less tedious and less error prone.
Given that BinNavi offers an interactive Python interpreter with access to every single function, basic block, instruction, operand and expressions within an operand, this is a problem that we could try to address with some scripting.
The dataflow reconstruction
Assembly instructions move data around and modify it by performing different operations on it. Values are fetched from registers, memory or specified explicitly and the results are stored back in registers or memory.
So, if we would like to be able to transform the operations into something more readable we could track all the assignments and operations and compose some sort of combined expression. Thats actually much easier than it might sound like.
Taking advantage of Pythons dictionaries (aka hashes, aka associative arrays, aka maps) we could proceed as follows.
We process individually each instruction. As each has different semantics, we have to deal with them individually (some groups of similar instructions can be handled somehow generically tho.).
First the instruction might push or pop something from the stack and we could emulate that behaviour with a simple list.
Second the instruction might get data from a source register/memory/immediate and, upon operating on it, assign it to a destination operand. We will just consider these two cases for the time being, this is only an exercise after all ;)
In this case we could store in our dictionary the source item using as key the destination register or memory location. That would allow us to keep the current state of the registers and memory locations. For instance:
lea eax, [edi+2]
The destination of the
lea
operation is
eax
the source/result is
[edi+2]
. Hence we could have an entry in our dictionary that maps
eax
to
edi+2
, there are no brackets here because
lea
will store the value of the addition, not its contents, so we dont need the brackets (which stand for
memory-dereference
)
If a register is accessed later on by another instruction and we know where the value comes from (because we stored the previous assignment operation in our dictionary) we could compose it together, having a combined expression that tracks all data. Following the example, imagine the instruction
mov bl, [eax+esi]
, that will put into
bl
the value pointed to by
[eax+esi]
, in our dictionary we would map
bl
to have the value
[eax+esi]
But, if we would check if we have any of the expression parts already in our dictionary (remember that
eax
maps to
edi+2
) then we can expand
[eax+esi]
into
[edi+2+esi]
. One might be able to infer now that this procedure can be taken further, composing longer expressions that would reduce the amount and complexity of the assembly code to look at.
As another illustrative example, one could assign the the
AL
key in the dictionary the nested lists representing the expression tree for the memory reference as seen in the following figure.
As just seen, operands are treated as graphs by BinNavi. That allows for a versatile manipulation of their contents. We can transform the tree to nested lists and operate on those.
The form of the nested lists is
[
root
, [
child_1
,
child_2
, ...]]
Where each children has the same form
For instance, the following two operand trees
would take the following from as nested lists:
[
b4
, [
ecx
]]
[
b4
, [
ss
, [
[
, [
+
, [
ebp
], [
4294967240
]]]]]
In short, in order to do basic reconstruction of the data flow the following operations need to be performed:
Keep track of all assigned values using a dictionary
Substituting leafs with values already in our dictionary
Perform substitutions and assign SRCs to DSTs hence updating the dictionary to the last state
In a following post, Ill show an implementation using BinNavis embedded Python interpreter.
If you wish to comment on this blog entry, please do so on the
original site
it was imported from.
There are
31,328
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
Printer Friendly ...
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}