Skip to content

Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.

License

Notifications You must be signed in to change notification settings

helpsystems/turbodiff

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Turbodiff

Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.

Requirements

Turbodiff works with IDA versions 4.9 and 5.x.

Instructions

For the binaries: Download the plugin and store it at the directory "..\IDA\plugins".

If you want to compile it on your own: We have compiled it and tested it using Borland C. For the free version of IDA Pro (4.9) you'll need to first:

  1. Generate the ida_free.lib library. To do this execute: "implib -c ida_free.lib ida_free.def"
  2. Next, you must have the linker use this library.
  3. Compile.

Comparing two files:

  1. Open the first file to be compared with IDA and run /Option 1 (take info from this idb)/ from the plugin. Close.
  2. Open the second file to be compared with IDA and run /Option 1 (take info from this idb)/ from the plugin.
  3. Use /Option 2 (compare with...)/ from the plugin, and when prompted to select a file, select the first file. Chose if you want a log file to be genreated and run. Once finished a functions table will popup (watch Figure 1) describuing results. The results are then saved for later usage.

Accessing a comparison generated earlier:

Open one of the files with IDA. Select /Option 3 ("Compare functions with...")/ from the plugin options and choose the other file to be compared. The table will popup without executing any new tasks.

Comparing any two functions:

After comparing two files, you can compare any two functions between each by using /Option 4 ("Free comparison with...")/ and specifying the addresses of these actions.

Understanding the Output

The table

Each row represents two funct5ions that are being compared, and with 5 columns, category, address, name, address, name, where category describes the relationship between two functions, the 2nd and 3rd column describe address/name for the first function and the 4th and 5th columns describe address/name for the second function being compared. The categories can be:

  • identical:
    • Same function graph;
    • Same checksum in each basic block;
    • Same amount of instructions in each basic block;
  • suspicious+:
    • Same function graph;
    • /Different/ checksum in each basic block;
    • Same amount of instructions in each basic block;
  • suspicious++:
    • Same function graph;
    • /Different/ checksum in at least one basic block;
    • /Different/ amount of instructions in at least one basic block;
  • changed:
    • None of the above;
    • Related by an heuristic, as described in the presentation;
  • unmatched:
    • None of the above;

Colors for basic blocks when diffing functions

  • white: Same checksum and number of instructions
  • green: Same number of instructions
  • yellow: Different number of instructions
  • red: Basic block that the differ didn't match.

About

Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages