how can I diff two x86 binaries at assembly code level?

Question

I'm looking for a tool like Beyond Compare, meld, kdiff, etc. which can be used to compare two disassembled binaries. I know that there's binary (hex) comparison, which shows difference by hex values, but I'm looking for something that shows op-codes and arguments.

Anyone knows something that can help ?

Answer 1

Unless I'm mistaken, it sounds like you are looking for a binary diffing tool. Some good options are below. These all require IDA Pro.

1. DarunGrim (open-source)

2. BinDiff (commercial)

3. eEye Binary Diffing Suite (use archive.org to download the installer)

Answer 2

You can also try radiff2 (Which doesn't require IDA ;)), which is a tool from the radare toolsuite. It supports delta diffing (-d), graphdiff (-g), and lots of related goodies.

Answer 3

There are various great alternatives here. However, all of them seem to be unmaintained. The tool I recommend you is Diaphora https://github.com/joxeankoret/diaphora (Disclaimer: I'm the author). Is a pure Python plugin for IDA Pro for doing program diffing, is the only one that can import/export structures, enumerations, etc..., the only one that makes use of the Hex-Rays decompiler and, which is more interesting, it's maintained: the last time I committed a change was last week.

Some screenshots:

Diffing MS015-034:

Diffing pseudo-code (MS015-050):

Diffing MS015-050:

Answer 4

Also, there is Turbodiff, it's an IDA pro plugin. Haven't used it yet, though so I can't say anything about the quality of the tool.

Answer 5

I'd recommend PatchDiff2 too, if you're using IDA Pro.

Here is a description:

PatchDiff2 is a plugin for the IDA dissassembler that can analyze two IDB files and find the differences between both. PatchDiff2 is free and fully integrates with the latest version of IDA (6.1) on Windows and Linux. The plugin can perform the following tasks :

• Display the list of identical functions
• Display the list of matched functions
• Display the list of unmatched functions (with the CRC)
• Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs. Patchdiff2 supports all processors that IDA can handle and is available in two versions: 32 bit and a 64 bit.

To use all you need to do is:

Unzip the two patch2diff zip and in it will be two folders holding two files for Linux and Windows just copy the patchdiff2.p64 and patchdiff2.plw to your plugins directory located in C:\Program Files\IDA Pro Directory\plugins\

• Open your executables you want to be diffed and save them as .idb(default).
• Open the .idb of the file (I noticed it fails when just diffing an exe) and in the IDA View-A tab go to Edit down to plugins and you should see PatchDiff2 just click on it and choose the secondary .idb you want to compare.

Warning this takes a while and IDA will become unresponsive. In the end you'll have a few tabs, Matched functions, Unmatched Functions, Identical Functions.

Answer 6

I'm a big fan of the kdiff route because it's quick and clean . Note: I use diffing for writing signatures on malware. Most of the time I need a simple visual of the different instructions. If you need to dig deeper go the BinDiff or DarunGrim route as mentioned by Mick.

In order to use kdiff to diff the binaries you will need the disassembly output generate by IDA. The following script can be used to create the assembly output for all executables in the working directory.

import os 
import subprocess
import glob
paths = glob.glob("*.exe")
ida_path = os.path.join(os.environ['PROGRAMFILES'], "IDA", "idaw.exe")

for file_path in paths:
    subprocess.call([ida_path, "-B", file_path])

Execute the script.

C:\Documents and Settings\Administrator\Desktop\diff\python make-asm.py

Thank you for using IDA. Have a nice day!

C:\Documents and Settings\Administrator\Desktop\diff>dir
 Directory of C:\Documents and Settings\Administrator\Desktop\diff

10/25/2013  11:16 AM    <DIR>          .
10/25/2013  11:16 AM    <DIR>          ..
10/25/2013  11:16 AM            40,604 a.asm
10/24/2013  08:35 AM             9,938 a.exe
10/25/2013  11:16 AM           368,957 a.idb
10/25/2013  11:16 AM            40,657 b.asm
10/24/2013  08:35 AM             9,969 b.exe
10/25/2013  11:16 AM           368,957 b.idb
10/25/2013  11:15 AM               218 make-asm.py

Select the two .asm files, right click, Kdiff, Compare. Nice and simple output.

Answer 7

Another option you could try is Relyze (Commercial, Standalone Windows desktop application) which supports binary diffing. It matches functions between two Windows binaries and gives you a list of all equal, modified, removed and added functions, along with a percentage difference value so you can see how heavily modified any two matched functions are.

The GUI displays the matched functions via interactive graphs so you can navigate them and see the changes. The two graphs can be synced as you navigate so clicking on an instruction in one graph will select the matched instruction, if any, in the other graph.

Answer 8

As an open source alternative there's elf_diff which compares elf-files and generates html or pdf reports. It's available as a Python package.