Compare two binary files

How do I diff two binaries?

I have two versions of a program, version 1 and version 2. I made a small number of changes between the two versions, but unfortunately I did not back up regularly, and therefore, although I have the source for version 2, I only have a binary of version 1. I need to find out exactly what I changed between the two versions. I tried running objdump on both versions and then using diff to find the changes, but this does not work because the offsets are different, and therefore diff reports almost every line as changed.

For example, one line could be bgez v0,4074d0 <daemonize+0xd4> in version 1 and bgez v0,4073d4 <daemonize+0xd4> in version 2. These are copied directly from the dump files; you can see that the two lines do the same thing, but diff cannot tell that. The files are too large for me to check each line manually. How can I detect changes in functionality while ignoring differences in offsets?

+4
5 answers

In the end, I solved this by stripping the raw instruction bytes and the offset markers, so that I only had the assembly, then using sed to cut out every digit, and filtering the diff to ignore changes consisting of just one line. I was a little surprised that it worked, but it did.

+3

It is possible. I am currently working on a project that can look up the addresses of functions and memory pointers from a compiled file in a new or modified binary. It supports Windows PE and ELF binaries on x86 and x86_64. There is also a paper describing the approach. It works great for my reversing project, where I often have to update all hooks and memory addresses when the binary is updated. But there are other uses.

Check here.

The trick is that it does not rely on weak text comparison; it disassembles the binaries and compares all functions by measuring the geometric distance between them using code metrics.

+4

Short answer: you cannot.

Long answer: write your own diff that can ignore one or all of the operands of an opcode when they are numeric immediate values.

+1

You can use sed or awk (or perl, or ...) to write a filter that makes all offsets the same before running diff. Writing such a filter is left as an exercise for the reader. :-P

0
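A filter in the spirit of the sed/awk suggestion above and of the asker's own digit-stripping solution, written as an added example rather than code from this thread: it masks absolute addresses in default `objdump -d` output (including the raw-bytes column), keeps the position-independent <symbol+offset> annotations as the comparison key, and then diffs the normalized instruction streams so that only real instruction changes remain. The two dumps are constructed, modelled on the bgez line from the question.

```python
import difflib
import re

# Constructed `objdump -d` sample (MIPS, as in the question): v2 is the same code
# linked 0xfc bytes lower, plus one real change, the immediate in `li v0,...`.
DUMP_V1 = "\n".join([
    "004073fc <daemonize>:",
    "  4073fc:\t27bdffe0 \taddiu\tsp,sp,-32",
    "  407400:\t0c101348 \tjal\t404d20 <fork>",
    "  407404:\t0441000a \tbgez\tv0,4074d0 <daemonize+0xd4>",
    "  407408:\t24020001 \tli\tv0,1",
])
DUMP_V2 = "\n".join([
    "00407300 <daemonize>:",
    "  407300:\t27bdffe0 \taddiu\tsp,sp,-32",
    "  407304:\t0c101309 \tjal\t404c24 <fork>",
    "  407308:\t0441000a \tbgez\tv0,4073d4 <daemonize+0xd4>",
    "  40730c:\t24020002 \tli\tv0,2",
])

HEADER_RE = re.compile(r"[0-9a-f]+ <([^>]+)>:")     # "004073fc <daemonize>:"
LABEL_RE = re.compile(r"\s*[0-9a-f]+:")             # leading address column
RAW_RE = re.compile(r"(?:[0-9a-f]{2} ?)+\s*")       # raw instruction bytes column
# Bare runs of 4+ hex digits are absolute addresses and get masked; <symbol+off> is kept.
ADDR_RE = re.compile(r"(<[^>]*>)|\b[0-9a-f]{4,}\b")

def normalize_dump(text):
    """Reduce a disassembly to 'mnemonic operands' lines with addresses masked."""
    out = []
    for line in text.splitlines():
        m = HEADER_RE.fullmatch(line)
        if m:
            out.append(f"<{m.group(1)}>:")
            continue
        parts = line.split("\t")
        if len(parts) < 2 or not LABEL_RE.fullmatch(parts[0]):
            continue                      # blank lines, section headers, ...
        fields = parts[1:]
        if len(fields) > 1 and RAW_RE.fullmatch(fields[0]):
            fields = fields[1:]           # drop the encoding, keep the assembly
        mnemonic, _, operands = " ".join(f.strip() for f in fields).partition(" ")
        operands = ADDR_RE.sub(lambda g: g.group(1) or "ADDR", operands.strip())
        out.append(f"{mnemonic} {operands}".strip())
    return out

def semantic_diff(dump_a, dump_b):
    """Return only the instruction runs that differ once addresses are masked."""
    a, b = normalize_dump(dump_a), normalize_dump(dump_b)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, a[i:j], b[k:l]) for tag, i, j, k, l in sm.get_opcodes() if tag != "equal"]
```

Decimal immediates such as sp,sp,-32 survive the masking, so a changed constant shows up as a change, while a shifted branch or call target does not.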

Surely something like bsdiff will do the job?

0

Source: https://habr.com/ru/post/1336817/
