4

I'm trying to recreate some of the 2D capabilities that were demonstrated in cantor.dust. I was wondering if anyone knows how they translate a large file (executable) into a number of different images / a large image that shows different patterns based on the content at different locations of the file.

link to cantor.dust post

Currently I have created single 256x256 bitmaps based on hex dumps from files which conform to the same patterns shown in the cantor.dust Derbycon presentation, but I am unsure how to make one large file into several bitmaps that show the pattern at different parts of the file, e.g. an executable that contains some ASCII text would have portions that look like an executable and others that look like ASCII text (via the patterns demonstrated in cantor.dust [2D]).

ascii

Any help would be appreciated

perror
user2601
  • The best person to ask would probably be the author of cantor.dust, as it seems you are asking for a new feature for the software. The author provided his email address in the Reddit thread ([email protected]). Did you try emailing him? – ekse Aug 06 '13 at 19:58

1 Answer

5

Three dimensional visualisation was recently added to Binwalk.

My implementation is fairly rudimentary: every three bytes in a file is treated as an x, y, z coordinate for a data point in a 3D plane where each axis extends from 0 through 255. This means that if the file has data that contains a certain range of byte values (e.g., printable ASCII characters), those bytes will generate coordinates in the same general area of the 3D plot.

This is what AVR32 code looks like:

Visualisation of AVR32 code

To get this, use the --3D option:

$ binwalk --3D yourfile.exe
jvoisin
  • For an input consisting of random ASCII triplets I would expect three flat planes, not two. It seems this shows lots of pairs 2 characters occur, but no more than that? – Jongware Dec 03 '13 at 23:35
  • For an input of random bytes, you get a random distribution of points inside a 3 dimensional cube. If your input consists of a random distribution of some restricted set of characters (say, only printable ASCII characters), then you'd have a smaller cube of points inside the larger 3D cube (see the red cube in the GIF above - that's ASCII data). The flat vertical and horizontal red & yellow planes you see are executable code. – devttys0 Dec 12 '13 at 19:58
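The byte-triplet mapping described in the answer, applied to one window of the file at a time so that each region can be plotted separately, as an added example that is not Binwalk's or cantor.dust's code. The fixed window size, the bounding-box summary and all function names are assumptions made for illustration, and the sample input is constructed.

```python
import random

PRINTABLE = (0x20, 0x7E)  # printable ASCII byte range

def triplet_points(data):
    """Every three bytes become one (x, y, z) point; a trailing partial triplet is dropped."""
    usable = len(data) - len(data) % 3
    return [tuple(data[i:i + 3]) for i in range(0, usable, 3)]

def bounding_box(points):
    """Per-axis (min, max) of the points, or None when there are none."""
    if not points:
        return None
    return tuple((min(axis), max(axis)) for axis in zip(*points))

def in_printable_cube(box):
    """True when the whole box sits inside the printable-ASCII sub-cube."""
    return box is not None and all(
        PRINTABLE[0] <= lo and hi <= PRINTABLE[1] for lo, hi in box)

def window_report(data, window=3072):
    """Summarise each window separately; window is assumed to be a
    multiple of 3 so triplets stay aligned across window boundaries."""
    report = []
    for offset in range(0, len(data), window):
        box = bounding_box(triplet_points(data[offset:offset + window]))
        report.append((offset, box, in_printable_cube(box)))
    return report

def build_sample(seed=1):
    """Constructed input: random bytes, then printable ASCII, then random bytes."""
    rng = random.Random(seed)
    text = bytes(rng.randrange(0x20, 0x7F) for _ in range(3072))
    noise = lambda n: bytes(rng.randrange(256) for _ in range(n))
    return noise(3072) + text + noise(3072)

if __name__ == "__main__":
    for offset, box, printable in window_report(build_sample()):
        print(f"offset {offset:#06x}  box={box}  printable-ASCII cube: {printable}")
```

Each window's point list can be handed to any 3D scatter plotter to get one image per region of the file; the bounding box is only a quick numeric stand-in for where the points cluster.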