security research repository of nathan andrew fain / cyphunk

Bincrowd communal reverse engineering framwork

Update: link to Halvar & SP at Zynamics post and slides from CanSecWest

Bincrowd, a project I had the pleasure of co-authoring with Zynamics, from conception to co-coding back-end and front-end.. Bincrowd simplifies the collaborative option in reverse engineering and brings it en masse. Any function a user has ever submitted documentation for can be found quickly in your target. It also introduces greater flexibility and reliability by adding additional signature methods for functions. Further, server access and clients for various disassemblers are free (ida client here).

To fully understand how this could create an evolutionary step for software reverse engineering (RE) lets walk look at a typical RE session. You open your target in your favorite disassembler and find it
has several hundred functions. If you are lucky you will have a signature database that matches the OS version, library versions and compiler version your target was built with.  This will let you find the system calls quickly, fiddling down the undocumented code you need to RE to a hundred or so functions. Once you have reverse engineered a function that is missing a signature you could create one for it but until now it has been difficult to share this with others. With Bincrowd you can share this information quickly for team based RE efforts or just for posterity sake.  If 10 years from now someone runs into similar code somewhere else this information becomes useful. Further, Bincrowd goes further by adding more flexible signature routines to the mix. Signatures often used today are based on the raw bytes of a compiled function. The added signatures in Bincrowd are based on the flow of the function instead. The flexibility this introduces means you might find details and signatures for functions that were compiled with a different version compiler, different version of libraries, different compiler and libraries entirely, different hardware architectures or even different OS’s. Research from Zynamics has been the ground breaking in this field.

My efforts on Bincrowd were supported by Recurity-Labs.


Published by

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s