Christopher Domas on dynamic binary visualization

TBone
Senior Member
Posts: 139
Joined: Tue Mar 02, 2004 3:15 pm
Location: maze of twisty little passages, all alike

Christopher Domas on dynamic binary visualization

Post by TBone »

This is just something I stumbled on a while back, but I thought it was really cool:

https://www.youtube.com/watch?v=4bM3Gut1hIk

Basically, he's come up with a bunch of ways to visualize binary data that make it much more intuitive to recognize what kind of data you're looking at without actually analyzing it. Certain kinds of data have patterns that are invariant, even across different "flavors". For example, machine code tends to look like machine code no matter what the architecture. x86, MIPS, Java bytecode, etc. all have a characteristic banding in digraph and trigraph relations (and probably higher-order n-graphs as well), which is instantly recognizable when you plot them in space.

Honestly, all of his presentations are pretty mind-blowing. His work on figuring out how to find hidden instructions on a CPU is a wild ride:

https://www.youtube.com/watch?v=KrksBdWcZgQ
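To make the digraph idea concrete, here is an added Python example (my own, not code from the video or from CantorDust) that counts adjacent byte pairs, reports how many of them land in the printable-ASCII square, and draws a downsampled 2-tuple map as ASCII art for three constructed buffers: prose, seeded noise and a run of zeros. The sample buffers, the 16x16 downsampling and the function names are my own assumptions, not anything from the talk.

```python
import math
import random
from collections import Counter


def digraph_counts(data: bytes) -> Counter:
    """Count every adjacent byte pair; plotting (a, b) as x/y gives the 2-tuple point cloud."""
    return Counter(zip(data, data[1:]))


def printable_box_fraction(data: bytes) -> float:
    """Share of pairs with both bytes in printable ASCII (0x20..0x7E), the 'text square'."""
    counts = digraph_counts(data)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    inside = sum(n for (a, b), n in counts.items()
                 if 0x20 <= a <= 0x7E and 0x20 <= b <= 0x7E)
    return inside / total


def shannon_entropy(data: bytes) -> float:
    """Per-byte entropy in bits (0..8); the single number that a digraph map refines."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def render_digraph(data: bytes, cells: int = 16) -> str:
    """Downsample the 256x256 digraph plane to cells x cells and draw it as ASCII art.

    Rows are the first byte of each pair, columns the second; darker = more pairs (log scale).
    """
    grid = [[0] * cells for _ in range(cells)]
    bucket = 256 // cells
    for (a, b), n in digraph_counts(data).items():
        grid[a // bucket][b // bucket] += n
    peak = max(v for row in grid for v in row) or 1
    shades = " .:-=+*#%@"
    top = len(shades) - 1
    rows = []
    for row in grid:
        rows.append("".join(shades[round(math.log1p(v) / math.log1p(peak) * top)] for v in row))
    return "\n".join(rows)


# Constructed sample buffers (not real files): prose, uniform noise from a fixed seed, a zero run.
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
_rng = random.Random(1)
SAMPLE_NOISE = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_ZEROS = bytes(4096)

if __name__ == "__main__":
    for label, buf in (("text", SAMPLE_TEXT), ("noise", SAMPLE_NOISE), ("zeros", SAMPLE_ZEROS)):
        print(f"--- {label}: entropy {shannon_entropy(buf):.2f} bits, "
              f"{printable_box_fraction(buf):.0%} of pairs in the ASCII box")
        print(render_digraph(buf))
```

Run it and the three maps look nothing alike: the prose lights up only the small square in the middle of the plane, the noise fills every cell about evenly, and the zeros are a single dot in the top-left corner. That is the whole point of the 2-tuple view: the shape tells you the data type before you look at a single byte value, and a real executable shows its own characteristic banding in the same plane.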
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Re: Christopher Domas on dynamic binary visualization

Post by WaxfordSqueers »

TBone wrote: Mon May 03, 2021 12:51 pm
> This is just something I stumbled on a while back, but I thought it was really cool:
@TBone ...thanks for the links. Have not had time to view them yet but good to see an 'old-timer' back. :) We joined about the same time in 2004. Hope a few more of the guys drop back, this was a mind-blowing site with the brain-power available for reversing. Still is, with the guys still here, excluding me. :D
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Re: Christopher Domas on dynamic binary visualization

Post by Kayaker »

That is interesting TBone. It looks like it takes the idea of file entropy visualization to a whole new level. The video is from 2012, but I googled CantorDust and it seems there is now a Ghidra plugin, available on GitHub as of 2020.

Battelle Publishes Open Source Binary Visualization Tool
https://inside.battelle.org/blog-detail ... ation-tool

https://github.com/Battelle/cantordust

It looks to be quite user friendly and fun to play with, besides being a very useful reversing tool. I'm going to try to give it a shot. Thanks for mentioning it.
TBone
Senior Member
Posts: 139
Joined: Tue Mar 02, 2004 3:15 pm
Location: maze of twisty little passages, all alike

Re: Christopher Domas on dynamic binary visualization

Post by TBone »

That's neat. I'll have to take a look at it.

I've been out of the reversing loop for quite a while, but I just started playing with Ghidra a little while ago. I don't know for sure yet how it stacks up against Ida, but it sure looks like a pretty complete open source replacement so far. It's nice to finally have some good, non-commercial tools.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Re: Christopher Domas on dynamic binary visualization

Post by WaxfordSqueers »

TBone wrote: Sat May 08, 2021 4:22 pm
> I've been out of the reversing loop for quite a while...
Same here, on and off. It's a new game these days with 64 bit systems and newer chipsets that won't allow XP and W7 to run natively. Spending time on another blog where they are trying to get XP running on newer hardware and with good success. My interest is in trying to get softice running on the x86 XP on newer systems but first I need to get XP stable so I can connect to it in kernel mode with windbg using a W7 host. Plan to trace through softice as much as windbg will permit, from the early boot loader, ntldr. Want to see why XP won't run via a COM port on my particular mobo, an Asus B360C/CSM using the Intel 300-series B360 chipset.

Just d/l'd Ghidra from Kayaker's link to have a look. I noted how Christopher Domas used IDA concurrently with his visual apps to locate the meaning of the graphic representation.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Re: Christopher Domas on dynamic binary visualization

Post by Kayaker »

Note that CantorDust will not run on the latest 9.2x version of Ghidra, you need to d/l an earlier 9.1x version for that. This was mentioned as an issue on GitHub but hasn't been fixed yet.

There is no problem running multiple versions of Ghidra however. Ghidra is definitely worth playing with, a fine IDA alternative IMO, but as for CantorDust...

At the moment the CantorDust plugin is not functioning correctly for me; file offsets for a disassembled exe file make no sense. The left-hand sliders do not show the full range of the file nor accurately track min/max ranges when adjusted. Also, when you click in the Metric Map it is supposed to set the current location in Ghidra to that address, but that is also incorrect, they never match.

I've been playing a bit with printf statements to try to understand the Java code and why the address conversions are so screwed up, but haven't figured anything out yet.

I can't see them releasing the plugin with such a basic problem as file offsets being incorrect, but for whatever reason on my system it's a bit useless as it stands since the correlation between the file and the visual map isn't accurate at all.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Re: Christopher Domas on dynamic binary visualization

Post by Kayaker »

I realize now that the discrepancy between the offset chosen in the CantorDust map window and the PE address jumped to in Ghidra isn't a problem with CantorDust, but with my expectation of how it would behave.

By its nature CantorDust treats everything as a strict binary file, PE file, ROM, bitmap, etc. It knows nothing about PE file sections and virtual address conversions, whereas the disassembly in Ghidra does, and that's where the discrepancy seems to occur. While it appears that the offset chosen in the map window doesn't jump to the correct address in Ghidra, it in fact does if you ignore the fact that the two numbers don't match.

It's a little confusing at first because the CantorDust map window highlights wherever you click and gives you an offset that *looks* like a PE address, because the PE file image base is added as well. So instead of indicating that you are simply pointing at raw file offset 415, it shows 400415, though in reality that is not a valid address for the disassembled PE file, but is instead 401415 once you do the RVA conversion.

Once you realize this little quirk with a PE file it can be dealt with. Now I need to try to understand the significance of the various visual outputs, metric map, 1-tuple, 2-tuple, byte cloud and linear bitmap, and how they might be used in a practical way for PE analysis. There must be more to this than just pretty pictures.
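Here is an added Python example (my own, not CantorDust or Ghidra code) of the raw-offset to virtual-address conversion described above. It builds a constructed PE32 header with a typical two-section layout, parses ImageBase and the section table back out of it, and maps file offsets to the address Ghidra would show and back again. The layout, image base and function names are assumptions, so the numbers differ from the 415/401415 pair in the post; the delta depends entirely on the section table of the file you load, which is exactly why a raw offset plus image base is not a valid PE address.

```python
import struct
from typing import List, NamedTuple, Optional


class Section(NamedTuple):
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int
    raw_pointer: int       # file offset of the section's bytes on disk
    raw_size: int


class PEImage(NamedTuple):
    image_base: int
    sections: List[Section]


def parse_pe(data: bytes) -> PEImage:
    """Pull ImageBase and the section table out of a PE file held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    table = opt + opt_size                   # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, va, vsize, rptr, rsize))
    return PEImage(image_base, sections)


def file_offset_to_va(pe: PEImage, offset: int) -> Optional[int]:
    """Map a raw file offset (what the map window highlights) to the VA Ghidra shows."""
    first_raw = min((s.raw_pointer for s in pe.sections if s.raw_size), default=0)
    if 0 <= offset < first_raw:
        return pe.image_base + offset        # headers are mapped 1:1, so RVA == offset
    for s in pe.sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return pe.image_base + s.virtual_address + (offset - s.raw_pointer)
    return None                              # padding or overlay that is never mapped


def va_to_file_offset(pe: PEImage, va: int) -> Optional[int]:
    """Inverse mapping: which raw offset to look at in the map for a Ghidra address."""
    rva = va - pe.image_base
    first_raw = min((s.raw_pointer for s in pe.sections if s.raw_size), default=0)
    if 0 <= rva < first_raw:
        return rva
    for s in pe.sections:
        delta = rva - s.virtual_address
        if 0 <= delta < max(s.virtual_size, s.raw_size):
            # The part of VirtualSize beyond SizeOfRawData (.bss-style) has no bytes on disk.
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with a typical section layout (sample data, not a real binary)."""
    buf = bytearray(0xC00)                   # 0x400 of headers + 0x600 .text + 0x200 .data
    buf[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine=i386, 2 sections, no timestamp/symbols, 0xE0-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", buf, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x400000)  # ImageBase
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    layout = [(b".text", 0x1000, 0x1000, 0x600, 0x400),
              (b".data", 0x0200, 0x2000, 0x200, 0xA00)]
    for i, (name, vsize, va, rsize, rptr) in enumerate(layout):
        off = opt + 0xE0 + i * 40
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, vsize, va, rsize, rptr)
    return bytes(buf)


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for raw in (0x3C, 0x415, 0xA10):
        print(f"file offset {raw:#06x} -> VA {file_offset_to_va(pe, raw):#010x}")
```

In this constructed layout raw offset 0x415 sits 0x15 bytes into .text, whose data starts at file offset 0x400 but is mapped at RVA 0x1000, so it becomes 0x401015 rather than image base plus 0x415. Offsets inside the headers map 1:1, and offsets in file padding or an overlay return None because nothing in the loaded image corresponds to them; both are cases where clicking in the map and comparing against Ghidra's listing would otherwise look broken.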