This is the prototype implementation of BinUSE.

python3 (>= 3.6.5) and ida pro (7.3)

pip install angr==8.20.7.6

pip install zss

pip install tqdm

Using ida to do static analysis. Please change the path to idat64 in scripts ./collect_functions.sh and ./collect_functions_refs.sh

insert following code to angr/state_plugins/symbolic_memory.py, around line 390.

    if a is not None:
        # added by BinUSE
        if hasattr(self.state, 'memaddr'):
            self.state.memaddr.get_relative_symbol(e)
        # end BinUSE
        return a

Then run

sh ./collect_functions.sh [path/to/bin1]. If this script works, you will find a directory named with [path/to/bin1]_functions.

sh ./collect_functions_refs.sh [path/to/bin1]. If this script works, you will find a directory named with [path/to/bin1]_functions_refs

Repeat this process for bin2.

Then run

python main.py [path/to/bin1] [path/to/bin2] > test.info

After finishing the comparison, result will be printed to the stdout

assume you have the output file test.info

run python ./analysis/process_info.py test.info [dict|list], then a file test.info.pkl is saved on disk.

To understand the dumped *.plk file, please read the code in ./analysis/process_info.py.

To optimize DNN-based result, please run python ./analysis/optimize.py [use.pkl] [dnn.pkl] [path/to/dump/the/optimized/dictionary]

the sample binaries are compiled from

• gcc ver. 7.5.0
• clang ver. 4.0.1
• obfuscator-llvm (see here).

The coreutils samples could be downloaded from here.

The CVE samples could be downloaded from here.

We also provide the files being generated by IDA pro.

For the CVE samples, only the CVE functions are analyzed. To use the cached analysis result, please set the argument not_sym_exe=True.