how to compare 2 .exe line by line?
 

Hi, i am curious on how to automaticly compare two .exe or .dll files line by line.
Was thinking of like comparing one original .exe version and one cracked .exe and then compare those two to see the difference in code they have changed. to see how they cracked it.
i dont mean the ascii code now as this could be seen and compared with ultraedit,
i mean the code you can see in ollydbg in cpu main thread window.

thnx in advance
/JayJay

use ExamDiff Pro

I doubt, there is as automatic tool.
I used the workmanship method: comparing the binaries to get the differences, decompiling both files, looking at the adresses of the differences in the binaries. If there is a more sophisticeted method, I would be very interested....

/e.b

You can use IDA to deassembler two exe file, choose output to ASM file in File menu, and compare two asm file with WinMerge or UltraEdit...
Regards

WinHex can compare 2 files and generates a list file which list all differences with their offsets, so you can easily track to the position in Olly for further research.

Hi jayjay,
I may misunderstood you, if you mean compare the assembly , then I think if you run trace to log to file for both files and use compare it , it should do it.

Write a program in Assembly, the ARTeam has there own private patcher written in ASM that compares files (smallest patcher compared to the publicly available ones). Unfortunately ARTeam member Enforcer cannot help you as Aaron is not planning to enable new registration this year (not having a 'dig', just stating the facts).

hmmm compare two files on assembly level - sounds good

but i prefer the old way

FC /B [file1] [file2] > [log_file]

and then trace this log and in IDA see what's different :) (maybe it's slow) and some good DIFF viewer on low assembly level would be great as some CVS version diff in ECLIPSE :)

Iv always found winhex or ultraedit can show the differences between 2 files great

- Darren

In the security world, there has been a bunch of discussion about this. The need is because alot of times MS releases patches to vulns without disclosing details.

There have been a few different approaches published. Some a simple hash values for functions, others use logical flow to check for differences.

For looking at what a crack changes the simple hash functions should be fine because it is the same executable with changes. Security patches usually replace the binary and the compiler may have rearanged functions around making detecting the true changes difficult.

Some info on this is available at:
Comparing binaries with graph isomorphisms by Todd Sabin
razor.bindview.com/publish/papers/comparing-binaries.html

and
Halvar's paper from cansecwest is included in the iso image
www.cansecwest.com/resources.html

Thnx for your replies.
it seems that the only way to do this is manuall with the steps some of you described earlier.

But i dont know if it should be hard to write a plugin for it or a tool, since the procedure it does is pretty simple.

ps. Nilrem you got pm

Yes JayJay, I have replied.

Thats also my style of comparing, also i use additional to IDA Pro the oldstyle HIEW Hexviewer with Assembly View which is also for editing in the file nice.

Cheers, neogen