
# PatchDiff => Hex-Rays => WinDiff: how to analyze patches faster


nezumi-lab
January 22nd, 2009, 18:19
as a reverser working for Endeavor Security, Inc (http://www.endeavorsecurity.com), nezumi is used to analyzing zillions of security patches and, like many other reversers, his hard tool is Patch-Diff (http://cgi.tenablesecurity.com/tenable/patchdiff.php) (a free analogue of the commercial Bin-Diff (http://www.zynamics.com/?page=bindiff)). Patch-Diff is great, but… too graphical (nezumi doesn't like GUI stuff very much; nezumi loves cheese and console).

http://nezumi-lab.org/gif/PatchDiff01.png

(too hard to trace those wires)


Patch-Diff works well if there are just a few changes, but dealing with a totally rewritten function drives me bats and takes too much time. these graphs… oh… well, nezumi has come up with a much better solution.

1) use Patch-Diff or Bin-Diff to find matched function(s);
2) ask Hex-Rays to decompile them into high-level C-code;
3) compare patched and un-patched C-code with WinDiff or GNU diff3;

it works! but… there is a problem. guess what: the patched function has more local vars, so the stack frame is completely different from the old one, so Hex-Rays gives different names to the same variables!!! thus, WinDiff goes crazy and shows many false-positive unmatched lines.

what are we going to do? well… Hex-Rays is an interactive decompiler (View/Open Sub-view/Opcode or F5), so it's possible (and not too hard!) to rename variables, I mean to synchronize them. it takes time, but it's definitely worth what it costs!!!

this trick helped me to analyze the MS09-01 patch extremely fast. of course, right now it's just a pure idea, but I'm going to improve it.

btw, does anybody know the best tool for smart comparison of C sources? plz, write me back (info#re-lab.org) or leave a comment here.



http://nezumi-lab.org/blog/?p=91
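The false positives the post describes come from Hex-Rays numbering locals by stack position, so an extra local in the patched function shifts every name. One way to automate the "synchronize the variables" step before handing the two listings to WinDiff or diff is to canonically rename the auto-generated locals by order of first use in the body (declaration order is exactly what the patch changes) and strip the register comments, then diff. The script below is an added example, not code from the original post or from any of the tools it names; the two pseudocode listings are constructed by hand in the Hex-Rays style (`v2`, `v3`, `// eax` comments are assumed naming conventions), and the `sub_401000` / `byte_403000` symbols are placeholders, not a real function from any patch.

```python
import difflib
import re

# Constructed sample: unpatched and patched Hex-Rays-style listings of the
# "same" function. The patched version has one more local, so the numbering of
# every other local shifts even though most statements are unchanged.
OLD = """\
int __cdecl sub_401000(char *a1, int a2)
{
  int v2; // eax
  char *v3; // esi

  v3 = a1;
  v2 = a2;
  memcpy(v3, byte_403000, v2);
  return v2;
}
"""

NEW = """\
int __cdecl sub_401000(char *a1, int a2)
{
  unsigned int v2; // ebx
  int v3; // eax
  char *v4; // esi

  v4 = a1;
  v3 = a2;
  v2 = v3;
  if ( v2 > 0xFF )
    return 0;
  memcpy(v4, byte_403000, v3);
  return v3;
}
"""

# Auto-generated Hex-Rays locals look like v1, v2, ... (assumed convention).
VAR_RE = re.compile(r"\bv\d+\b")
# A local declaration: "<type> [*]vN[;]" optionally followed by "// reg".
# "return vN;" must not be mistaken for a declaration.
DECL_RE = re.compile(r"^\s*(?!return\b)[\w ]+[\s\*]+v\d+(?:\[\d+\])?;\s*(?://.*)?$")
COMMENT_RE = re.compile(r"\s*//.*$")


def canonicalize(pseudocode: str) -> str:
    """Rename vN locals to V0, V1, ... in order of first use in the body.

    Declarations are skipped when building the map because their order follows
    the stack frame layout, which is what a patch with extra locals changes.
    Trailing '// reg' comments are dropped: register allocation is noise here.
    """
    lines = pseudocode.splitlines()
    mapping = {}
    for line in lines:
        if DECL_RE.match(line):
            continue
        for name in VAR_RE.findall(line):
            mapping.setdefault(name, f"V{len(mapping)}")
    # Locals that are declared but never used in the body get names last.
    for line in lines:
        for name in VAR_RE.findall(line):
            mapping.setdefault(name, f"V{len(mapping)}")
    out = []
    for line in lines:
        line = COMMENT_RE.sub("", line).rstrip()
        out.append(VAR_RE.sub(lambda m: mapping[m.group(0)], line))
    return "\n".join(out) + "\n"


def diff_pseudocode(old: str, new: str, normalize: bool = True) -> list:
    """Unified diff (no context lines) of two listings, optionally canonicalized."""
    if normalize:
        old, new = canonicalize(old), canonicalize(new)
    return list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     fromfile="unpatched", tofile="patched",
                                     n=0, lineterm=""))


def changed_line_count(diff: list) -> int:
    """Number of added/removed lines, excluding the two '---'/'+++' headers."""
    return sum(1 for line in diff[2:] if line[:1] in "+-")


if __name__ == "__main__":
    raw = diff_pseudocode(OLD, NEW, normalize=False)
    norm = diff_pseudocode(OLD, NEW)
    print(f"raw diff: {changed_line_count(raw)} changed lines")
    print(f"normalized diff: {changed_line_count(norm)} changed lines")
    print("\n".join(norm))
```

On the constructed sample the raw diff flags 16 lines because every renamed local mismatches, while the normalized diff reduces to the four lines the patch really added (the new local, the copy into it, the bounds check and the early return), which is the kind of output that makes the added check stand out immediately. The renaming is purely textual, so it only helps when the two decompilations use the same naming scheme; hand-renaming in Hex-Rays, as the post suggests, is still needed where the decompiler picks a different type or merges variables.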