bincat v0.9 release: Binary code static analyser, with IDA integration
What is BinCAT?
A static Binary Code Analysis Toolkit, designed to help reverse engineers, directly from IDA.
- value analysis (registers and memory)
- taint analysis
- type reconstruction and propagation
- backward and forward analysis
- shades of green to distinguish different taint sources in IDA
- coredump loader
- skip/nop options for analyzer
- x86: MMX decoding
- c2newspeak merged into BinCAT
- support OCaml 4.06
- lots of bugfixes
You can check BinCAT in action here:
Check the tutorial out to see the corresponding tasks.
Supported host platforms:
- IDA plugin: all, version 6.9 or later
- analyzer (local or remote): Linux, Windows, macOS (maybe)
Supported CPU for analysis (for now):
The analyzer can be used locally or through a Web service.
On Windows, the binary distribution includes the analyzer.
Only IDA v6.9 or later (including 7) is supported
Install for Windows
- Unzip BinCAT
- In IDA, click on “File -> Script File…” menu (or type ALT-F7)
- BinCAT is now installed in your IDA user dir
Or install manually.
BinCAT should work with IDA on Wine, once pip is installed:
- download https://bootstrap.pypa.io/get-pip.py (verify it’s good 😉)
- ~/.wine/drive_c/Python27/python.exe get-pip.py
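The "verify it's good" hint above deserves a concrete check: a downloaded installer should be compared against a digest you pinned out-of-band before any interpreter runs it. The script below is an added example, not part of the BinCAT project or its README. The EXPECTED_SHA256 value is a placeholder you must replace with a digest you trust, the `wine` invocation of the Python 2.7 interpreter is an assumption about how the Wine setup is driven, and the BINCAT_PIP_INSTALL guard exists only so the helper functions can be sourced and tested without touching the network.

```shell
#!/bin/sh
# Added example (not from the BinCAT project): fetch get-pip.py, verify it
# against a pinned SHA-256, and only then hand it to the Wine Python interpreter.
set -eu

PIP_URL="https://bootstrap.pypa.io/get-pip.py"
# Assumption: Python 2.7 lives where the README above puts it.
WINE_PYTHON="$HOME/.wine/drive_c/Python27/python.exe"
# Placeholder: pin the digest you obtained out-of-band (published hashes,
# or a copy you already trust). Never copy it from the same download.
EXPECTED_SHA256="REPLACE_WITH_PINNED_DIGEST"

# sha256_of FILE -> prints the hex digest, using whichever tool is available
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> exit status 0 if the digest matches, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# install_pip_under_wine -> download to a temp file, verify, then run it.
# Refuses to execute anything whose digest does not match the pinned value.
install_pip_under_wine() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$PIP_URL" -o "$tmp"
    if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        echo "get-pip.py digest mismatch; refusing to run it" >&2
        return 1
    fi
    wine "$WINE_PYTHON" "$tmp"
}

# Only perform the real install when explicitly requested, so the functions
# above can be sourced and exercised offline.
if [ "${BINCAT_PIP_INSTALL:-0}" = "1" ]; then
    install_pip_under_wine
fi
```

Run it with `BINCAT_PIP_INSTALL=1 sh install_pip.sh` once EXPECTED_SHA256 holds a digest you trust; a mismatch leaves the downloaded file unexecuted and removed.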
- Load the plugin by using the Ctrl-Shift-B shortcut, or using the Edit -> Plugins -> BinCAT menu
- Select an instruction in any IDA view, then use the Ctrl-Shift-A shortcut, or the BinCAT -> Analyze from here context menu
Global options can be configured through the Edit/BinCAT/Options menu.
Default config and options are stored in $IDAUSR/idabincat/conf.
- Use remote bincat: select if you are running the analyzer in a Docker container
- Remote URL: http://localhost:5000 (or the URL of a remote BinCAT server)
- Autostart: autoload BinCAT at IDA startup
- Save to IDB: default state for the save to idb checkbox
Analyzer configuration files
Default config for the analyzer.
This tutorial gradually demonstrates BinCAT features, by analyzing a provided keygen-me-style program, which takes a few arguments as command-line parameters, then generates a hash depending on these parameters, and compares it to an expected license value.
This program expects a few arguments:
Usage: ./get_key company department name licence
It returns an error message if an incorrect license key is entered:
$ ./get_key_x86 company department name wrong_serial
Invalid serial wrong_serial
The program indicates if the correct license key is entered:
$ ./get_key_x86 company department name 025E60CB08F00A1A23F236CC78FC819CE6590DD7
Thank you for registering !
This tutorial relates to the get_key_x86 binary, targeting the x86 CPU architecture. Binaries and configuration files are also provided for the following architectures:
1. Run an analysis and observe results
- Load the BinCAT plugin by using the Ctrl + Shift + b shortcut
- Open the get_key_x86 executable in IDA
- From the IDA View-A view, go to address 0x93B using the g shortcut
- Use the Ctrl-Shift-A shortcut to open the analysis start window (see section Start an analysis of the manual)
- Ensure that the Analyzer configuration drop-down is set to (new)
- Check the Save configuration to IDB option
- Check the Remap binary option
- Click the Edit analyzer config button
- Paste the following lines at the end of the [state] section, overwriting the existing stack initialization (stack[0x1000*8192]…). This defines a value for argc, creates 5 pointers to strings, initializes 5 null-terminated strings, and initializes the stack to TOP (unknown value)
- Click Save
- Click Start
- Choose a location where the remapped binary should be saved. This will only be requested the first time an analysis is run on this binary
- Enter a name under which this configuration should be saved
- Notice that after a few seconds, the analysis has finished running, and the background for some of the instructions in the IDA View-A view has become gray
- Go to address 0x807 using the g shortcut. This instruction is located directly before a call to _sprintf(buffer, “Company = %s\n”);. Observe the value of the esp register in the BinCAT Registers view (it should be 0x1D50). Open the BinCAT Memory view at this address, to observe the contents of the buffer pointer (char *) where sprintf results will be output (the value should be 0x1DEC)
- Advance to the next instruction at address 0x80C, and observe the value of the buffer that has been formatted by sprintf at address 0x1DEC
- Hover your mouse over addresses 0x1D50, 0x1D54, 0x1D58 in the stack, and observe the inferred types for the call to sprintf
- Go to address 0xA93, which contains a call to a location that is stored on the stack. Notice that IDA cannot resolve the destination address. In the BinCAT Registers view, use the goto next node (1) drop-down menu to jump to the destination
A manual is provided.
- basic info
- more info
- advanced debug
- SSTIC 2017, Rennes, France: article (English), slides (French), video of the presentation (French)
- REcon 2017, Montreal, Canada: slides