Karta: source code assisted fast binary matching plugin for IDA
Karta
“Karta” (Russian for “Map”) is an IDA Python plugin that identifies and matches open-source libraries in a given binary. The plugin uses a unique technique that enables it to support huge binaries (>200,000 functions), with almost no impact on overall performance.
The matching algorithm is location-driven. This means that its main focus is to locate the different compiled files, and match each of the file’s functions based on their original order within the file. This way, the matching depends on K (the number of functions in the open-source library) instead of N (the size of the binary), gaining a significant performance boost, as usually N >> K.
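A toy illustration of the location-driven idea above, added here as an example and not Karta's own code: starting from one already-located function (an assumed anchor), the remaining functions of a source file are paired with the binary's neighbours in file order. The names, addresses, feature sets, Jaccard scoring and skip rule are all constructed or hypothetical.

```python
# Constructed sample data: all names, addresses and features are made up.
# Functions of one source file, in their original order (K = 5).
SOURCE = [
    ("demo_init", {"demo v1.0", "alloc"}),
    ("demo_read_header", {"bad magic", "read"}),
    ("demo_unused_helper", {"helper"}),  # assumed dropped by the compiler
    ("demo_read_row", {"row overflow", "read"}),
    ("demo_close", {"free"}),
]
# Functions of the binary, sorted by address (N = 10, only 4 belong to the file).
BINARY = (
    [(0x1000 + 0x40 * i, {f"other{i}"}) for i in range(3)]
    + [(0x2000, {"demo v1.0", "alloc"}), (0x2040, {"bad magic", "read"}),
       (0x2080, {"row overflow", "read", "memcpy"}), (0x20C0, {"free"})]
    + [(0x3000 + 0x40 * i, {f"other{i + 3}"}) for i in range(3)]
)

def similarity(a, b):
    """Jaccard similarity of two feature sets (hypothetical scoring)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def match_file(source, binary, anchor_name, anchor_idx, threshold=0.5):
    """Walk outward from one anchor, pairing functions by file order.

    Returns ({source name: binary address}, number of comparisons made).
    """
    s0 = [name for name, _ in source].index(anchor_name)
    matches = {anchor_name: binary[anchor_idx][0]}
    comparisons = 0
    for step in (1, -1):  # forward through the file, then backward
        s, b = s0 + step, anchor_idx + step
        while 0 <= s < len(source) and 0 <= b < len(binary):
            name, feats = source[s]
            addr, bin_feats = binary[b]
            comparisons += 1
            if similarity(feats, bin_feats) >= threshold:
                matches[name] = addr
                b += step  # consume this binary slot
            # Otherwise assume the source function is absent from the binary
            # and try the next source function against the same slot.
            s += step
    return matches, comparisons

if __name__ == "__main__":
    # The anchor index would come from a unique string's cross-reference.
    found, cost = match_file(SOURCE, BINARY, "demo_read_header", 4)
    for name, addr in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{addr:#x} {name}")
    print("comparisons:", cost)
```

The comparison count stays at K - 1 however many unrelated functions surround the file. A real matcher needs stronger scoring and handling for reordered or extra binary functions.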
We believe that there are 3 main use cases for this IDA plugin:
- Identifying a list of used open sources (and their versions) when searching for a useful 1-Day
- Matching the symbols of supported open sources to help reverse engineer malware
- Matching the symbols of supported open sources to help reverse engineer a binary/firmware when searching for 0-Days in proprietary code
Identifier
Karta’s identifier is a smaller plugin that detects the supported open-source libraries present in the binary and fingerprints their versions. There is no need to reverse engineer the same open-source library again and again: simply run the identifier plugin and get a detailed list of the open-source libraries in use. Karta currently supports more than 10 open-source libraries, including:
- OpenSSL
- Libpng
- Libjpeg
- NetSNMP
- zlib
- etc.
Matcher
After identifying the open-source libraries in use, one can compile a .json configuration file for a specific library (libpng version 1.2.9, for instance). Once it is compiled, Karta will automatically attempt to match the functions (symbols) of the open-source library in the loaded binary. In addition, if the open-source library uses external functions (memcpy, fread, or zlib_inflate), Karta will attempt to match those external functions as well.
Install & Use
Copyright (c) 2018 Check Point Software Technologies LTD.