Binary Analysis Platform v2.3 alpha releases: reverse engineering and program analysis platform

The Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a reverse engineering and program analysis platform that works with binary code and doesn’t require the source code. BAP supports multiple architectures: ARM, x86, x86-64, PowerPC, and MIPS. BAP disassembles and lifts binary code into the RISC-like BAP Instruction Language (BIL). Program analysis is performed using the BIL representation and is architecture independent in the sense that it will work equally well for all supported architectures. The platform comes with a set of tools, libraries, and plugins. The documentation and tutorial are also available. The main purpose of BAP is to provide a toolkit for implementing automated program analysis. BAP is written in OCaml and it is the preferred language to write analysis, we have bindings to C, Python, and Rust. The Primus Framework also provides a Lisp-like DSL for writing program analysis tools.

Changelog v2.3 alpha 

introduces BIL special encodings and publishes BIL CT parser (#1265)

It is now possible to (ab)use BIL special statements to encode arbitrary
semantics. The payload is still stored as a string, but it is now
specially encoded and printed. Each kind of payload is represented by
an attribute, e.g., `Bil.call` is used to encode calls, and
`Bil.intrinsic` is used to encode intrinsics.

The Core Theory BIL parser, that enables reflection of the BIL
programs into the CT terms, is moved to the library and is made
available in `Bil.Theory` module. We might later extend this module
with the actual BIL theory, though it is already could be instantiated
via the `Theory.instance` function.

Installation

wget https://github.com/BinaryAnalysisPlatform/bap/releases/download/v1.4.0/{bap,libbap,libbap-dev}_1.4.0.deb
sudo dpkg -i {bap,libbap,libbap-dev}_1.4.0.deb

Usage

Shell

The BAP main frontend is a command line utility called bap. You can use it to explore the binary, run existing analysis, plugin your own behavior, load traces, and much more.

To dump a program in various formats use the --dump option (or its short equivalent, -d), For example, let’s run bap on thex86_64-linux-gnu-echo file.

$ bap testsuite/bin/x86_64-linux-gnu-echo -d | grep 'sub print_endline' -A44
00000334: sub print_endline()
00000301:
00000302: v483 := RBP
00000303: RSP := RSP - 8
00000304: mem := mem with [RSP, el]:u64 <- v483
00000305: RBP := RSP
00000307: RSP := RSP - 0x20
0000030e: mem := mem with [RBP + 0xFFFFFFFFFFFFFFE8, el]:u64 <- RDI
0000030f: RAX := mem[RBP + 0xFFFFFFFFFFFFFFE8, el]:u64
00000310: mem := mem with [RBP + 0xFFFFFFFFFFFFFFF8, el]:u64 <- RAX
00000311: goto %00000312

00000312:
00000313: RAX := mem[RBP + 0xFFFFFFFFFFFFFFF8, el]:u64
00000314: RAX := pad:64[pad:32[mem[RAX]]]
00000315: v545 := low:8[low:32[RAX]]
0000031b: ZF := 0 = v545
0000031c: when ~ZF goto %0000032a
0000031d: goto %0000031e

0000031e:
0000031f: RDI := pad:64[0xA]
00000320: RSP := RSP - 8
00000321: mem := mem with [RSP, el]:u64 <- 0x400731
00000322: call @putchar with return %00000323

00000323:
00000324: RSP := RBP
00000325: RBP := mem[RSP, el]:u64
00000326: RSP := RSP + 8
00000327: v693 := mem[RSP, el]:u64
00000328: RSP := RSP + 8
00000329: return v693

0000032a:
0000032b: RAX := mem[RBP + 0xFFFFFFFFFFFFFFF8, el]:u64
0000032c: RDX := RAX + 1
0000032d: mem := mem with [RBP + 0xFFFFFFFFFFFFFFF8, el]:u64 <- RDX
0000032e: RAX := pad:64[pad:32[mem[RAX]]]
0000032f: RAX := pad:64[extend:32[low:8[low:32[RAX]]]]
00000330: RDI := pad:64[low:32[RAX]]
00000331: RSP := RSP - 8
00000332: mem := mem with [RSP, el]:u64 <- 0x40071C
00000333: call @putchar with return %00000312

Tutorial

Copyright (c) 2018 Carnegie Mellon University

Source: https://github.com/BinaryAnalysisPlatform