https://github.com/angr/angr uses a concolic execution engine, where it can switch from running a binary concretely, break, and then define an unknown input and find what it should be to trigger a different breakpoint - e.g. what should the “password” pointer be pointing to in order to trigger the “you’re in” branch of code.

Note: it still can’t reverse hashes. If you try to reverse md5 using this approach it’ll consume petabytes of RAM.

I think radare2 was looking into integrating with angr but I don’t know the status of the integration.
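As an added illustration of the concrete-then-symbolic workflow described in the comment above (this is a constructed example, not angr's code and not from the original post): a tiny VM runs a hypothetical password check, executes a seed input concretely up to a breakpoint, replaces the buffer with symbolic bytes, forks at every branch, and solves for the bytes that reach the “you're in” exit. The instruction set, the password `s3cret`, the XOR key and the seed input are all assumptions made up for the example. No SMT solver is used: each symbolic byte is a 256-entry table, which only works because no instruction in this program mixes bytes together. That restriction is also the point of the note about hashes: a mixing function would need a joint table over every combination of input bytes, which is the blow-up the comment warns about.

```python
"""Toy concolic execution on a tiny VM (constructed example; not angr).

Workflow: run concretely to a breakpoint, make the buffer symbolic, explore
both sides of each branch, solve for bytes that reach a chosen exit.

Each symbolic byte is a table {value_at_breakpoint: current_value}.  Bytes
never influence each other here, so every table has at most 256 entries.
A hash would mix bytes and require a joint table over 256**n values.
"""
from collections import deque

# Hypothetical target program: length check, per-byte XOR obfuscation, then a
# chain of compares.  Instruction forms:
#   ("LEN_NE", n, target)      jump to target if len(buf) != n
#   ("XOR", i, key)            buf[i] ^= key
#   ("JNE", i, value, target)  jump to target if buf[i] != value
#   ("RET", label)             exit with label
def build_check(expected: bytes, key: int):
    n = len(expected)
    denied = 2 * n + 2                   # index of the ("RET", "denied") instruction
    prog = [("LEN_NE", n, denied)]
    prog += [("XOR", i, key) for i in range(n)]
    prog += [("JNE", i, expected[i] ^ key, denied) for i in range(n)]
    prog += [("RET", "you're in"), ("RET", "denied")]
    return prog

PASSWORD = b"s3cret"                     # constructed secret the program checks for
KEY = 0x5A                               # constructed obfuscation key
PROG = build_check(PASSWORD, KEY)

def run_concrete(prog, data: bytes, breakpoint=None):
    """Run with a concrete buffer; stop before executing pc == breakpoint.
    Returns (pc, buffer, exit_label); exit_label is None when the break hit."""
    buf, pc = bytearray(data), 0
    while True:
        if pc == breakpoint:
            return pc, buf, None
        op = prog[pc]
        if op[0] == "LEN_NE":
            pc = op[2] if len(buf) != op[1] else pc + 1
        elif op[0] == "XOR":
            buf[op[1]] ^= op[2]
            pc += 1
        elif op[0] == "JNE":
            pc = op[3] if buf[op[1]] != op[2] else pc + 1
        else:                            # RET
            return pc, buf, op[1]

def make_symbolic(buf):
    """Replace every byte of the buffer with an unconstrained symbolic byte."""
    return [{v: v for v in range(256)} for _ in buf]

def explore(prog, pc, sym, target):
    """Breadth-first symbolic exploration, forking at each JNE.  Returns the
    buffer contents (as of the breakpoint) that reach the `target` exit."""
    work = deque([(pc, sym)])
    while work:
        pc, sym = work.popleft()
        op = prog[pc]
        if op[0] == "LEN_NE":            # buffer length stays concrete
            work.append((op[2] if len(sym) != op[1] else pc + 1, sym))
        elif op[0] == "XOR":
            new = list(sym)
            new[op[1]] = {o: c ^ op[2] for o, c in sym[op[1]].items()}
            work.append((pc + 1, new))
        elif op[0] == "JNE":
            i, val, tgt = op[1], op[2], op[3]
            eq = {o: c for o, c in sym[i].items() if c == val}
            ne = {o: c for o, c in sym[i].items() if c != val}
            if eq:                       # path constraint: buf[i] == val
                new = list(sym); new[i] = eq
                work.append((pc + 1, new))
            if ne:                       # path constraint: buf[i] != val
                new = list(sym); new[i] = ne
                work.append((tgt, new))
        elif op[1] == target:            # RET carrying the label we want
            # Every surviving table entry satisfies the path; pick the smallest.
            return bytes(min(table) for table in sym)
    return None

def concolic_solve(prog, seed: bytes, breakpoint: int, target="you're in"):
    """Run `seed` concretely to `breakpoint`, then solve for the buffer bytes
    needed at that point to reach `target`.  None if the program exits first."""
    pc, buf, exited = run_concrete(prog, seed, breakpoint)
    if exited is not None:
        return None
    return explore(prog, pc, make_symbolic(buf), target)

if __name__ == "__main__":
    print(run_concrete(PROG, b"hunter2")[2])                   # denied (wrong length)
    print(concolic_solve(PROG, b"aaaaaa", 1))                   # b's3cret'
    print(concolic_solve(PROG, b"aaaaaa", len(PASSWORD) + 1))   # b')i9(?.'
```

Breaking at pc 1 (right after the length check) recovers the original password; breaking after the XOR pass recovers the obfuscated bytes the compare chain actually sees, which is what “what should the pointer be pointing to at this point” means in practice.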

    •  Hexorg   ( @Hexorg@beehaw.org ) OP
      411 months ago

      I think I technically started by trying to cheat in Diablo 1 using cheat’o’matic when I was 12😅 Then I started learning programming, I got an electrical engineering bachelor’s which got my understanding close to the wires inside of the CPU. Then I got my PhD in engineering with concentration in cyber security. I think my toughest challenge was just the sheer amount of domain-specific research there is in binary analysis. For example preventing stack overflows, SQL injections, cross-site scripting, or unauthorized access - all completely disjoint.

      One DARPA PM said that binary analysis feels like using an electron tunneling microscope scanning the whole baseball field and trying to figure out the rules of baseball based off the scans.