Finding Similar Procedures

MAGIC is capable of locating procedures similar to a given procedure in a given binary. This similarity is based on shared genomic information.

The list of procedures in a binary can be retrieved using the show command.

API Endpoints

GET /search/procs/(api_key)/(binary_id)/(rva)

Get procedures similar to the procedure at relative virtual address (rva) in binary (binary_id). The response format is documented under Similar Procedure Results.

https://api.magic.cythereal.com/docs#!/search/Nn_Search_Procs_Byrva

CLI Commands

vbclient -a search [--noLibrary] sha1/0xrva1 sha1/0xrva2 ...

The search command searches for procedures similar to a given one. A procedure is identified as sha1/0xrva, where sha1 is the SHA-1 of the binary and rva is the relative virtual address of the procedure in hex format.

The --noLibrary option removes library procedures from the search.

Similar Procedure Results

Warning

Fields not documented here should be considered deprecated. They may be removed without warning in the future.

The result returned by a similar procedure search is a dictionary containing the list of procedures found to match with the query procedure. Whether two procedures match or not is based on whether their genomic features are similar.

An example results dictionary is given below:

{
  "semantically_equivalent_procedures": [
    {
      "procName": "sub_4113A0",
      "proc_id": "e0fa6db29f00e0a0a30657aa07b2982a9f5ad5d9/0x113a0"
    },
    ...
  ]
}

The list of matching procedures is found under the key semantically_equivalent_procedures. The value for this key is a list of dictionaries containing information on the matching procedures. The key procName is the name of the procedure (this is the same as the procName in the genomic features), while the key proc_id is the ID of the matched procedure (the same as _id in the genomic features).
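
When triaging code reuse across samples, it helps to split each proc_id back into its binary hash and RVA and group the matches per binary. The following is an added example, not part of the MAGIC client or its documentation: the helper names are hypothetical, the sample data is constructed, and dropping the query procedure from the results is an assumption about what an analyst wants, not documented service behavior.

```python
import re
from collections import defaultdict

# Documented proc_id layout: <sha1 of binary>/0x<rva in hex>
PROC_ID_RE = re.compile(r"^([0-9a-fA-F]{40})/0x([0-9a-fA-F]+)$")

def parse_proc_id(proc_id):
    """Split 'sha1/0xrva' into (sha1, rva as int); ValueError if malformed."""
    m = PROC_ID_RE.match(proc_id)
    if m is None:
        raise ValueError(f"malformed proc_id: {proc_id!r}")
    return m.group(1).lower(), int(m.group(2), 16)

def format_proc_id(sha1, rva):
    """Rebuild the sha1/0xrva form that the search command takes."""
    return f"{sha1}/0x{rva:x}"

def group_matches(result, query_proc_id):
    """Return ({sha1: [(rva, procName), ...]}, skipped malformed entries)."""
    query = parse_proc_id(query_proc_id)
    grouped, skipped = defaultdict(list), []
    for entry in result.get("semantically_equivalent_procedures", []):
        try:
            sha1, rva = parse_proc_id(entry["proc_id"])
        except (KeyError, TypeError, ValueError):
            skipped.append(entry)  # keep for review instead of failing
            continue
        if (sha1, rva) != query:  # ignore the query procedure if listed
            grouped[sha1].append((rva, entry.get("procName", "")))
    return {s: sorted(v) for s, v in grouped.items()}, skipped

# Constructed sample: the first proc_id is the one from the example above;
# the other binary hash and procedure names are made up for illustration.
QUERY = "e0fa6db29f00e0a0a30657aa07b2982a9f5ad5d9/0x113a0"
OTHER = "a" * 40
SAMPLE = {"semantically_equivalent_procedures": [
    {"procName": "sub_4113A0", "proc_id": QUERY},
    {"procName": "sub_402000", "proc_id": OTHER + "/0x2000"},
    {"procName": "sub_401000", "proc_id": OTHER + "/0x1000"},
    {"procName": "broken", "proc_id": "not-a-proc-id"},
]}

if __name__ == "__main__":
    grouped, skipped = group_matches(SAMPLE, QUERY)
    for sha1, procs in grouped.items():
        for rva, name in procs:
            print(format_proc_id(sha1, rva), name)
    print("skipped:", len(skipped))
```

The strings produced by format_proc_id are in the sha1/0xrva form that the search command accepts, so a match can be used directly as the next query.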