Exetools  

  #1  
Old 04-25-2004, 14:05
JayJay
 
how to compare 2 .exe line by line?

Hi, I am curious about how to automatically compare two .exe or .dll files line by line.
I was thinking of comparing one original .exe version and one cracked .exe to see the differences in the code they have changed, to see how they cracked it.
I don't mean the ASCII code, as this could be seen and compared with UltraEdit;
I mean the code you can see in OllyDbg in the CPU main thread window.

Thanks in advance
/JayJay
  #2  
Old 04-25-2004, 14:34
britedream
use ExamDiff Pro
  #3  
Old 04-25-2004, 14:53
e.b
 
I doubt there is an automatic tool.
I used the workmanship method: comparing the binaries to get the differences, decompiling both files, looking at the addresses of the differences in the binaries. If there is a more sophisticated method, I would be very interested....

/e.b
  #4  
Old 04-25-2004, 16:14
TQN
You can use IDA to disassemble the two exe files, choose output to ASM file in the File menu, and compare the two asm files with WinMerge or UltraEdit...
Regards
  #5  
Old 04-26-2004, 12:01
SofTROOP
WinHex can compare 2 files and generate a list file which lists all differences with their offsets, so you can easily track to the position in Olly for further research.
  #6  
Old 04-26-2004, 14:15
britedream
Hi jayjay,
I may have misunderstood you. If you mean compare the assembly, then I think if you run trace to log to file for both files and compare them, it should do it.

Last edited by britedream; 04-26-2004 at 20:08.
  #7  
Old 04-26-2004, 19:20
Nilrem
 
Write a program in Assembly; the ARTeam has their own private patcher written in ASM that compares files (smallest patcher compared to the publicly available ones). Unfortunately ARTeam member Enforcer cannot help you as Aaron is not planning to enable new registration this year (not having a 'dig', just stating the facts).
  #8  
Old 04-26-2004, 22:18
zEr0
hmmm compare two files on assembly level - sounds good

but I prefer the old way

FC /B [file1] [file2] > [log_file]

and then trace this log and in IDA see what's different (maybe it's slow). Some good DIFF viewer on low assembly level would be great, like some CVS version diff in ECLIPSE.
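Added example (not part of any post in this thread): the byte-compare tools mentioned above (WinHex, FC /B) report raw file offsets, while OllyDbg and IDA show virtual addresses, so this sketch parses the PE section table and maps each differing run to its section and virtual address. All function names and the `sample_pe` image are constructed for illustration; it handles PE32 and PE32+ and compares only the common length of the two files.

```python
import struct

def pe_sections(data):
    """Return (image_base, [(name, raw_off, raw_size, rva), ...]) for PE32/PE32+."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header start
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B # PE32+ magic
    base = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]
    secs = []
    for i in range(nsec):                                  # 40-byte section headers
        name, _vsize, rva, rsize, roff = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), roff, rsize, rva))
    return base, secs

def diff_runs(a, b):
    """Return [[offset, length], ...] for each run of consecutive differing bytes."""
    idx = [i for i in range(min(len(a), len(b))) if a[i] != b[i]]
    runs = []
    for i in idx:
        if runs and sum(runs[-1]) == i:                    # extends the previous run
            runs[-1][1] += 1
        else:
            runs.append([i, 1])
    return runs

def locate_changes(original, modified):
    """Map each run to (file_offset, section, virtual_address, old_hex, new_hex)."""
    base, secs = pe_sections(original)
    out = []
    for off, n in diff_runs(original, modified):
        sec, va = "(headers)", None                        # default: outside any section
        for name, roff, rsize, rva in secs:
            if roff <= off < roff + rsize:
                sec, va = name, base + rva + (off - roff)
        out.append((off, sec, va, original[off:off + n].hex(), modified[off:off + n].hex()))
    return out

def sample_pe(code):
    """Constructed minimal PE32: one .text section, file offset 0x200, RVA 0x1000."""
    h = bytearray(0x200)
    h[:2], h[0x40:0x44] = b"MZ", b"PE\0\0"
    for fmt, off, *vals in [("<I", 0x3C, 0x40), ("<HH12xH", 0x44, 0x14C, 1, 0xE0),
                            ("<H", 0x58, 0x10B), ("<I", 0x74, 0x400000),
                            ("<8sIIII", 0x138, b".text", 0x200, 0x1000, 0x200, 0x200)]:
        struct.pack_into(fmt, h, off, *vals)
    return bytes(h) + code.ljust(0x200, b"\x90")
```

For real files, read both with `open(path, "rb").read()` and pass the bytes to `locate_changes`; the returned virtual address is the one to jump to in the debugger or disassembler.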
  #9  
Old 04-26-2004, 23:53
Darren
I've always found WinHex or UltraEdit can show the differences between 2 files great

- Darren
  #10  
Old 04-28-2004, 08:06
reggae
 
In the security world, there has been a bunch of discussion about this. The need is because a lot of times MS releases patches to vulns without disclosing details.

There have been a few different approaches published. Some are simple hash values for functions, others use logical flow to check for differences.

For looking at what a crack changes, the simple hash functions should be fine because it is the same executable with changes. Security patches usually replace the binary, and the compiler may have rearranged functions, making detecting the true changes difficult.

Some info on this is available at:
Comparing binaries with graph isomorphisms by Todd Sabin
razor.bindview.com/publish/papers/comparing-binaries.html

and
Halvar's paper from cansecwest is included in the iso image
www.cansecwest.com/resources.html
  #11  
Old 04-30-2004, 18:38
JayJay
 
Thanks for your replies.
It seems that the only way to do this is manually, with the steps some of you described earlier.

But I don't know if it should be hard to write a plugin for it or a tool, since the procedure it does is pretty simple.

ps. Nilrem you got pm
  #12  
Old 05-01-2004, 19:26
Nilrem
 
Yes JayJay, I have replied.
  #13  
Old 05-02-2004, 12:03
neogen
 

Quote:
Originally Posted by zEr0
hmmm compare two files on assembly level - sounds good

but I prefer the old way

FC /B [file1] [file2] > [log_file]

and then trace this log and in IDA see what's different (maybe it's slow). Some good DIFF viewer on low assembly level would be great, like some CVS version diff in ECLIPSE.

That's also my style of comparing. In addition to IDA Pro, I also use the old-style HIEW hex viewer with assembly view, which is also nice for editing the file.

Cheers, neogen
All times are GMT +8.