Ponce is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.
Symbolic execution is not a new concept in the security community. It has been around for years but it is not until the last couple of years that open source projects like Triton and Angr have been created to address this need. Despite the availability of these projects, end users are often left to implement specific use cases themselves.
We addressed these needs by creating Ponce, an IDA plugin that implements symbolic execution and taint analysis within the most used disassembler/debugger for reverse engineers.
Installation
Ponce works with both x86 and x64 binaries in IDA 6.8 and IDA 6.9x. Installing the plugin is as simple as copying the appropiate files from the latest builds to the plugins\
folder in your IDA installation directory.
Ponce has initial support of IDA 7.0 for both x86 and x64 binaries in Windows. The plugin named Ponce64.dll
should be copied from the latest_builds to the plugins\
folder in your IDA installation directory. Starting from version 7.0, IDA64 should be used to work with both x86 and x64 binaries.
Don’t forget to register Ponce in plugins.cfg
located in the same folder by adding the following line:
Ponce Ponce Ctrl+Shift+Z 0 WIN
Ponce works on Windows, Linux and OSX natively!
The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won’t have to worry about the config window again.
Also Read – Tourmaline : Telegram Bot Framework For Crystal
Use Symbolic Execution To Solve A CrackMe
Here we can see the use of the symbolic engine and how we can solve constrains:
aaaaa
as argument.aaaaa
)Negate and inject a condition
In the next gif we can see the use of automatic tainting and how we can negate a condition and inject it in memory while debugging:
argv
.elite
that has been injected in memory and therefore reach the Win
code.Using the tainting engine to track user controlled input
In this example we can see the use of the tainting engine with cmake. We are:
Use Negate, Inject & Restore
In the next example we are using the snapshot engine:
Usage
In this section we will list the different Ponce options as well as keyboard shortcuts:
Building
We provide compiled binaries for Ponce, but if you want to build your own plugin you can do so using Visual Studio 2013. We tried to make the building process as easy as possible:
git clone –recursive https://github.com/illera88/PonceProject.git
Build\PonceBuild\Ponce.sln
: The project configuration is ready to use the includes and libraries shipped with the project that reside in external-libs\
.Post-Build Event
that will move the created binary plugin to the IDA plugin folder for you. copy /Y $(TargetPath) "C:\Program Files (x86)\IDA 6.9\plugins"
. NOTE: use your IDA installation path.
The project has 4 build configurations:
The static version of z3.lib
is ~ 1.1Gb and the linking time is considerable. That’s the main reason why we have a building version that uses z3 dynamically (as a dll). If you are using z3 dynamically don’t forget to copy the libz3.dll file into the IDA’s directory.
Credit: Alberto Garcia Illera & Francisco Oca
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…