This tutorial gradually demonstrates BinCAT features, by analyzing a provided keygen-me-style program, which takes a few arguments as command-line parameters, then generates a hash depending on these parameters, and compares it to an expected license value.
This program expects a few arguments:

```
$ ./get_key
Usage: ./get_key company department name licence
```

It returns an error message if an incorrect license key is entered:

```
$ ./get_key company department name wrong_serial
Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7]
Invalid serial wrong_serial
```

It confirms registration if the correct license key is entered:

```
$ ./get_key company department name 025E60CB08F00A1A23F236CC78FC819CE6590DD7
Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7]
Thank you for registering !
```
- Load the BinCAT plugin by using the `Ctrl + Shift + b` shortcut
- Open the `get_key` executable in IDA
- From the IDA View-A view, go to address `0x93B` using the `g` shortcut
- Use the `Ctrl-Shift-A` shortcut to open the analysis start window (see section Start an analysis of the manual)
- Ensure that the Analyzer configuration dropdown is set to `(new)`
- Check the Save configuration to IDB option
- Check the Remap binary option
- Click the Edit analyzer config button
- Paste the following lines at the end of the `[state]` section. They define a value for `argc` (5), create the `argv` array of 5 pointers to strings, and initialise the 5 null-terminated strings those pointers reference; the rest of the stack stays initialised to TOP (unknown value):

```
stack[0x2004] = 5
stack[0x2008] = 0x200000
mem[0x200000] = 0x300100
mem[0x200004] = 0x300140
mem[0x200008] = 0x300180
mem[0x20000C] = 0x3001C0
mem[0x200010] = 0x300200
mem[0x300100] = |6c6f6c3300|
mem[0x300140] = |636f6d70616e7900|
mem[0x300180] = |64657000|
mem[0x3001C0] = |6c6f6c3100|
mem[0x300200] = |6c6f6c2100|
```

- Click Save
- Click Start
- Choose a location where the remapped binary should be saved. This will only be requested the first time an analysis is run on this binary
- Enter a name under which this configuration should be saved
- Notice that after a few seconds, the analysis has finished running, and the background for some of the instructions in the IDA View-A view has become gray
- Go to address `0x807` using the `g` shortcut. This instruction is located directly before a call to `_sprintf(buffer, "Company = %s\n")`. Observe the value of the `esp` register in the BinCAT Tainting view (it should be `0x1D50`). At this address, you can observe the contents of the `buffer` pointer (`char *`) where `sprintf` results will be written (the value should be `0x1DEC`)
- Advance to the next instruction at address `0x80C`, and observe the value of the `buffer` that has been formatted by `sprintf` at address `0x1DEC`
- Hover your mouse over addresses `0x1D50`, `0x1D54`, `0x1D58` in the stack, and observe the inferred types for the call to `sprintf`
- Go to address `0xA93`, which contains a call to a location that is stored on the stack. Notice that IDA cannot resolve the destination address. In the BinCAT Tainting view, use the goto next node (1) drop-down menu to jump to the destination
This part of the tutorial shows how to taint data (here a string in memory) and observe how the taint propagates through registers and the stack.
- Go back to address `0x93B`
- Override the taint of every byte at addresses `0x300140`-`0x300147`, which contain the null-terminated `company` string (see section Override taint of the manual), and set the taint mask to `0xFF`
- Advance to the next instruction at address `0x93F`, and observe that this memory range is indeed tainted: both the ASCII and hexadecimal representations of this string are displayed as green text
- In the IDA View-A view, notice that some instructions are displayed against a green background, since they manipulate tainted data
- Go to address `0x9E6` (`push eax`). Observe that `eax` is partially tainted
- Advance to the next instruction at address `0x9E7`. Notice that `eax` has been pushed to the stack, where its taint and value have been copied
- Use the tainting feature in the same way to show that the result of the CRC computation on the `department` argument does not influence the computed license key