This is the prototype implementation of BinUSE.
Requirements: python3 (>= 3.6.5) and IDA Pro (7.3)
pip install angr==8.20.7.6
pip install zss
pip install tqdm
IDA is used for static analysis. Please change the path to idat64 in the scripts ./collect_functions.sh and ./collect_functions_refs.sh.
Insert the following code into angr/state_plugins/symbolic_memory.py, around line 390.
if a is not None:
    # added by BinUSE
    if hasattr(self.state, 'memaddr'):
        self.state.memaddr.get_relative_symbol(e)
    # end BinUSE
    return a
Then run
sh ./collect_functions.sh [path/to/bin1]
If this script works, you will find a directory named [path/to/bin1]_functions.
sh ./collect_functions_refs.sh [path/to/bin1]
If this script works, you will find a directory named [path/to/bin1]_functions_refs.
Repeat this process for bin2.
Then run
python main.py [path/to/bin1] [path/to/bin2] > test.info
After finishing the comparison, the result will be printed to stdout.
Assuming you have the output file test.info, run
python ./analysis/process_info.py test.info [dict|list]
A file test.info.pkl is then saved on disk.
To understand the dumped *.pkl file, please read the code in ./analysis/process_info.py.
To optimize the DNN-based result, please run
python ./analysis/optimize.py [use.pkl] [dnn.pkl] [path/to/dump/the/optimized/dictionary]
The sample binaries are compiled with gcc ver. 7.5.0, clang ver. 4.0.1, and obfuscator-llvm (see here).
The coreutils samples could be downloaded from here.
The CVE samples could be downloaded from here.
We also provide the files being generated by IDA pro.
For the CVE samples, only the CVE functions are analyzed. To use the cached analysis result, please set the argument not_sym_exe=True.