From Collaborative RCE Tool Library

Executable Diff Tools


Tool name: TurboDiff
Rating: 5.0 (1 vote)
Author: Nicolás Economou
Website: http://tinyurl.com/turbodiff
Current version: 1.01
Last updated: October 14, 2009
Direct D/L link: http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=turbodiff&file=turbodiff_v1.0.1.zip
License type: GPLv2
Description: Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.
Also listed in: IDA Extensions



Tool name: patchdiff2
Rating: 4.5 (2 votes)
Author: Nicolas Pouvesle                        
Website: http://code.google.com/p/patchdiff2/
Current version: 2.0.8
Last updated: June 10, 2010
Direct D/L link: http://patchdiff2.googlecode.com/files/patchdiff2_0_8.zip
License type: GNU General Public License v2
Description: PatchDiff2 is a plugin for the Windows version of the IDA disassembler that can analyze two IDB files and find the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.6). The plugin can perform the following tasks:

- Display the list of identical functions
- Display the list of matched functions
- Display the list of unmatched functions (with the CRC)
- Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs. Patchdiff2 supports all processors that IDA can handle and is available in two versions: 32-bit and 64-bit.
Also listed in: Diff Tools, IDA Extensions



Tool name: BinDiff
Rating: 4.0 (1 vote)
Author: zynamics GmbH                        
Website: http://www.zynamics.com/bindiff.html
Current version: 2.1
Last updated: 2009
Direct D/L link: N/A
License type: Commercial (IDA Pro plugin)
Description: A very powerful executable file diffing tool, in the form of an IDA Pro plugin.
Also listed in: IDA Extensions



Tool name: PatchDiff
Rating: 3.0 (1 vote)
Author: Nicolas Pouvesle                        
Website: http://cgi.tenablesecurity.com/tenable/patchdiff.php
Current version: 2.0.5
Last updated: August 19, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: PatchDiff2 is a plugin for the Windows version of the IDA disassembler that can analyze two IDB files and find the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.2).
The plugin can perform the following tasks:

* Display the list of identical functions
* Display the list of matched functions
* Display the list of unmatched functions (with the CRC)
* Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs.
Patchdiff2 supports all processors that IDA can handle and is available in two versions: 32-bit and 64-bit.

Update:

08/19/2008: PatchDiff 2.0.5 released:

* Adds string references to the signature
* Fixes IPC close when option is disabled

07/22/2008: PatchDiff 2.0.4 released:

* Requires at least IDA 5.2
* Adds save backup results to IDB
* Adds Unmatch/Set match/Switch match submenus
* Adds "pipe" support to keep second IDA instance open
  * menu Options/PatchDiff2 to disable/enable it per IDB
  * registry HKLM\SOFTWARE\Tenable\PatchDiff2 IPC (DWORD) for the default setting
* Uses demangled function names
* Ignores duplicated names
Also listed in: (Not listed in any other category)



Tool name: eEye Binary Diffing Suite (EBDS)
Rating: 2.0 (2 votes)
Author: eEye Digital Security                        
Website: http://research.eeye.com/html/tools/RT20060801-1.html
Current version: 1.0.5
Last updated: November 3, 2006
Direct D/L link: http://research.eeye.com/html/Tools/download/DiffingSuiteSetup.exe
License type: Free / Open Source
Description: The eEye Binary Diffing Suite (EBDS) is a free and open source set of utilities for performing automated binary differential analysis.
Also listed in: (Not listed in any other category)



Tool name: IDACompare
Rating: 2.0 (1 vote)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version: 5.4
Last updated: March 5, 2009
Direct D/L link: https://github.com/dzzie/IDACompare/raw/master/IDACompare.exe
License type: Free
Description: Update: This tool is no longer available for download through the iDefense website. A copy of the installer has been made available by the author.

IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants; it should also find good use when conducting patch analysis.

Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both.

Project also implements a signature scanner, letting you build your own listing of known functions.
Also listed in: IDA Extensions



Tool name: DarunGrim
Rating: 1.0 (1 vote)
Author: Matt Oh                        
Website: http://www.darungrim.org
Current version: 2.0
Last updated: February 7, 2009
Direct D/L link: N/A
License type: Free / Open Source
Description: DarunGrim is a binary diffing tool. DarunGrim is a free diffing tool which provides binary diffing functionality.


Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. Especially by analyzing security patches you can dig into the details of the vulnerabilities they're fixing. You can use that information to learn what causes software to break. Also that information can help you write some protection code for those specific vulnerabilities. It's also used to write 1-day exploits by malware writers or security researchers.


This binary diffing technique is especially useful for Microsoft binaries. Unlike other vendors, they release patches regularly and the patched vulnerabilities are relatively concentrated in small areas in the code. That makes the patched part more visible and apparent to the patch analyzers. There is an "eEye Binary Diffing Suite" released back in 2006 and it's widely used by security researchers to identify vulnerabilities. Even though it's free and open source, it's powerful enough to be used for that vulnerability hunting purpose. Now I'm releasing DarunGrim2, which is a C++ port of the original Python code. DarunGrim2 is way faster than the original DarunGrim.
Also listed in: (Not listed in any other category)



Tool name: pynary
Rating: 1.0 (1 vote)
Author: c1de0x                        
Website: http://code.google.com/p/openrce-snippets/wiki/pynary
Current version: 0.0.1
Last updated:
Direct D/L link: N/A
License type: Open Source
Description: pynary will become a powerful platform independent framework for binary code analysis.

The initial goal is the implementation of function signature matching using graph isomorphism and an extensible 'write-your-own-heuristic' model to allow tweaks for particular targets. It will also identify standard library global constants and structures where possible.

Once the initial goal is achieved, a number of cool features are planned:

* stack frame analysis
* un-inliner
* exception handling parsing/analysis
* 'functionally equivalent' matching
* c++ template function matching
* meta-data transfer between IDBs
* c++ class reconstruction (with/without RTTI)
* ...

This project is still in its infancy, and looking for volunteers.
Also listed in: Deobfuscation Tools, Reverse Engineering Frameworks, Programming Libraries, Exe Analyzers, Diff Tools



Tool name: asmDIFF
Rating: 0.0 (0 votes)
Author: Michael Willigens, Rene Laemmert                        
Website: http://duschkumpane.org/index.php/asmdiff
Current version: 1.1
Last updated: August 28, 2012
Direct D/L link: N/A
License type:
Description: asmDiff is a binary assembly search, diff and disassembly tool. It supports the Windows PE (exe/dll) and Linux ELF binary formats compiled for x86 and x86_64 architectures. It is particularly useful when searching for asm functions, instructions or memory pointers in a patched, updated or otherwise modified binary.

Features:
- Single search mode, if one needs to test one or several addresses by hand.
- Supports batch mode updates. A header file (containing lots of hardcoded pointers) and two binary files (old, new) are given as input. asmDIFF can then output a "new" header file for the updated binary. Extremely helpful on reverse engineering projects that get updated.
- Can find similar functions in different programs. But this can behave very fuzzily. It was tested on related programs where it works with moderate success.
- Full diff mode. It prints out the entry points of "new", "modified" and "removed" functions.

Currently a full-featured web-based version is available. asmDIFF is also included in mmBBQ (http://duschkumpane.org/index.php/mmbbq) version 3.X and upwards.
Also listed in: Disassemblers



Tool name: Relyze
Rating: 0.0 (0 votes)
Author: Relyze Software Limited                        
Website: https://www.relyze.com
Current version: 1.1.0
Last updated: June 17, 2015
Direct D/L link: N/A
License type: Commercial
Description: Relyze is an interactive software analysis application that allows the disassembling and analysis of native x86 and x64 Windows software. It presents the results of the analysis using several different views.

* Overview - The overview presents general information about the file being analysed and includes such things as embedded file version metadata, file hash values as well as information about the analysis such as the duration and the amount of code and data analysed. An interactive entropy graph is displayed to visualize the file's data.

* Structure view - The Structure view displays the parsed file format of the executable file being analysed. An interactive hex viewer displays the raw bytes that compose the file format.

* Code view - The Code view displays the disassembly of the executable file's code. The disassembly is viewed through interactive graphs which represent the control flow of the disassembled functions. The user can navigate the code and annotate the results of the analysis by adding comments or renaming variables. Interactive reference graphs can be generated to visualize what code or data references other code or data.

* Diff view - The Diff view displays the results of performing a differential analysis against a second executable file in order to visually observe the changes between the two executables at a function level. A list of all equal, modified, removed and added functions will be displayed along with a split graph view, allowing the user to see a side by side comparison of two modified functions.

Relyze supports analyzing the Portable Executable (PE) file format for either the x86 or x64 architecture. It can load debug symbol information from PDB, embedded COFF and MAP files. Relyze offers plugin support through an embedded Ruby interpreter which exposes an API allowing a user to interact with the application and access the results of the analysis.
Also listed in: Binary Diff Tools, Disassemblers

