[Full-Disclosure] ABfrag - *yawn*

From: silvio@big.net.au
Date: 10/19/02


BUT.. OTOH.

i've had fun graphing it so far with my bin analysis code. work in progress,
and wasn't really meant to be used on real life binaries at this point, but the
graphs look pretty neat anyway.

i did have to add a reasonable amount of new features in the past couple days
to get some decentish graphs, and it only graphs the plaintext code in the
binary. though the version i've been graphing has a vx attached, and isn't
actually a functional executable, presumably due to corruption on
infection *shrug*.

the graphs show the vx nicely though.. you can see 2 distinct objects within
the binary (i have the main callgraph separated into disjoint graphs to
indicate different "sections"). these are presumably the vx, and the
burneye decryptor stubs.

i have not tried at this point to go further into the burneye encryption,
since it means i have to probably add BE specific code - something i'd like to
hold off for a short time. it's not automatic at this point to say
which parts were not analysed, but should have been - thus
indicating our ciphertext (or data etc) - so this is obviously bad for
people not looking at the binary manually in conjunction.

the graphs are at www.securityhacker.org which is a temp domain setup by some
nice folks so i can display some content without the www.big.net.au quota
restrictions (the data generated is about 15M). it's all auto-generated to
html hyperlinked content with .gif's .html and .txt etc. you can click
on nodes, link to callgraphs etc.

the entire content is created completely automatically. no post editing
was done or hand linking the html or .txt etc. the code to generate the last
set of graphs (TAKE3) is present on my www.big.net.au/~silvio site.

OF COURSE.. a lot is to come in the graphing and bin analysis, and this ABFrag
business pre-empted actual live testing of my code by a significant
time frame - but the analysis appears to work reasonably well anyway from
its current implementation and missing a lot of things (there is not
really any dataflow analysis at this point, and many things can be done with
the control-flow analysis that i haven't yet implemented etc).

i added a small thing not 15 minutes ago to allow importing custom symbol
tables as ascii. this helps when you do manual analysis also, and want
to use symbolic names instead of addresses etc in the callgraph (since this
binary did not have any symbolic information immediately present in .symtab
or .dynsym if it was dynamically linked etc).

--
Silvio
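The two ideas the post describes, splitting the main callgraph into disjoint sections and renaming nodes from an imported ASCII symbol table, as an added illustration that is not Silvio's code and not taken from his site. The call edges, the "hexaddr name" symbol-table format and all addresses and names below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample call edges (caller, callee) for a stripped binary. Two clusters
# are deliberately disconnected, mimicking the "2 distinct objects" (attached payload
# versus decryptor stubs) the post describes seeing once the callgraph is split up.
SAMPLE_EDGES = [
    (0x8048100, 0x8048140), (0x8048140, 0x8048180), (0x8048100, 0x80481c0),
    (0x8049000, 0x8049040), (0x8049040, 0x8049080), (0x8049080, 0x8049000),
]
# Constructed ASCII symbol table: "hexaddr name" per line, '#' starts a comment.
SAMPLE_SYMTAB = """# hypothetical names assigned during manual analysis
08048100 entry_stub
08048140 decrypt_loop
08049000 payload_main
"""

def parse_symtab(text):
    """Parse 'hexaddr name' lines into {int_addr: name}; blank/comment lines skipped."""
    syms = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, name = line.split(None, 1)
            syms[int(addr, 16)] = name.strip()
    return syms

def components(edges):
    """Weakly connected components of the callgraph, each as a sorted node list."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)  # undirected view: call direction is irrelevant to "which section"
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], []
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                comp.append(n)
                stack.extend(adj[n] - seen)
        comps.append(sorted(comp))
    return comps

def labelled_components(edges, symtab_text):
    """Each section with nodes renamed from the symbol table, else sub_<addr>."""
    syms = parse_symtab(symtab_text)
    return [[syms.get(a, f"sub_{a:08x}") for a in comp] for comp in components(edges)]
```

`labelled_components(SAMPLE_EDGES, SAMPLE_SYMTAB)` yields two sections; any address absent from the table falls back to a `sub_` name so unanalysed nodes remain visible in the graph.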
