Author: David Zimmer <david@idefense.com, dzzie@yahoo.com>
License: Copyright (C) 2005 iDefense.com, A Verisign Company
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your option)
any later version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details.
You should have received a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation, Inc., 59 Temple
Place, Suite 330, Boston, MA 02111-1307 USA
Overview:
IDACompare is a plugin for IDA which is designed to help you
line up functions across two separate disassemblies. IDACompare
also contains a signature scanner, where you can save known functions
and then scan new disassemblies against them looking for key functions.
This plugin was designed with malcode analysis in mind; it should work
equally well for patch analysis. The typical target size it was designed
for is a binary of around 500k. You are welcome to try it on larger
files, but performance may not be ideal.
Installation:
The installer package will create local copies of all binaries and
source for you.
The next step is to install the IDA plugin. If you run IDA 4.7, 4.8, or 4.9,
precompiled plugin binaries are provided.
If you do not use one of these versions, you will have to compile the VC stub
yourself from the source found in the "vc src" sub directory. The stub is
built against a specific IDA SDK, which is why one plw is shipped per IDA version.
Once you have a plw file that matches your version of IDA, copy it to your
IDA plugins directory and it is ready to use.
When you start a new disassembly in IDA you should now see a plugin
menu item called "IDA Compare".
Note that users on older systems may also have to install the VB6 runtimes (about 1 MB).
Files:
vb src\ - Source to the vb6 ActiveX DLL which is the plugin User Interface
vc src\ - Source to the VC6 IDA plugin stub which launches the VB plugin UI
compare\ - Source to the standalone VB6 ida_compare.exe - main compare code
ida4.7\ - compiled plw plugin for IDA 4.7
ida4.8\ - compiled plw plugin for IDA 4.8
ida4.9\ - compiled plw plugin for IDA 4.9
mydoom_example.mdb - Sample comparison database for mydoom.a/.b
signatures.mdb - Signature Database for function sig scanning
blank.mdb - database template copied when creating new databases.
ida_compare.exe - main compare UI, works from the Access databases filled by the plugin
IdaCompare.dll - ActiveX DLL plugin UI, exports the IDA disassembly to an Access DB
Operation:
Note: A video walk through of the process is also available on the
labs.idefense.com software release page.
1) Disassemble the target file and launch the "IDA Compare" plugin.
2) Create a NEW database in the plugin, and Save Snapshot 1.
   - This exports the disassembly text of every function
     into the Access database you created.
3) Disassemble the target you want to compare against the first disassembly.
4) Launch the IDA Compare plugin,
   - select the Access database created in step 2
   - export the functions to Snapshot 2
5) Launch Compare UI to execute ida_compare.exe.
   - The exe is launched against the current Access database
     and its functions are compared automatically.
6) Examine the automatch results.
   - Make manual matches
   - View function profiles by double clicking on list entries
   - Use the find dialog to try to locate related functionality
   - Trim the lower list using its right click menu
   - Export match names from one database to another
7) From the IDA plugin, Import match names to update the idb with the
   name updates that were set in the Access database.
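The automatch in step 5 is the core of this procedure. The following is an added example, not IDACompare's own code (the README does not describe the plugin's matching algorithm, and the real plugin is VB6 working against an Access database): a self-contained Python sketch of the same idea. Each snapshot is a map of function name to exported disassembly text; functions whose normalized bodies hash identically are paired first (the same check a saved-signature scan performs), what is left is paired by text similarity, and the result is the name map that the "Import match names" step would push back into the second idb. The sample snapshots, masking rules, threshold and function names are all constructed assumptions.

```python
"""Function automatch across two disassembly snapshots.

Added example, not IDACompare's own code. Addresses, IDA-generated labels
and immediates are masked so relocated or rebuilt code still lines up;
identical normalized bodies match by signature hash, the rest by similarity.
"""
import difflib
import hashlib
import re

# IDA auto-generated names and numeric operands shift between builds even
# when the code does not, so they are masked before comparison (assumed rules).
_LABEL = re.compile(r"\b(?:sub|loc|locret|off|unk|byte|word|dword)_[0-9a-f]+\b")
_HEX = re.compile(r"\b(?:0x[0-9a-f]+|\d[0-9a-f]*h)\b")   # 0x1234 or 0Ch style
_DEC = re.compile(r"\b\d+\b")


def normalize(disasm):
    """Return the function body as a list of normalized instruction lines."""
    out = []
    for raw in disasm.splitlines():
        line = raw.split(";", 1)[0].strip().lower()      # drop comments
        if line:
            line = _DEC.sub("IMM", _HEX.sub("IMM", _LABEL.sub("LABEL", line)))
            out.append(re.sub(r"\s+", " ", line))
    return out


def signature(disasm):
    """Hash of the normalized body: equal hashes mean identical code shape."""
    return hashlib.sha1("\n".join(normalize(disasm)).encode()).hexdigest()


def similarity(a, b):
    """0..1 line-level similarity of two function bodies."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def automatch(snap1, snap2, threshold=0.7):
    """Pair functions of snap1 with functions of snap2.

    Returns (matches, unmatched1, unmatched2); each match is
    (name1, name2, score, method) with method "signature" or "fuzzy".
    """
    sigs1, sigs2 = {}, {}
    for sigs, snap in ((sigs1, snap1), (sigs2, snap2)):
        for name, body in snap.items():
            sigs.setdefault(signature(body), []).append(name)
    left1, left2, matches = set(snap1), set(snap2), []
    # Pass 1: exact signature hits, only where the hash is unique on both sides.
    for sig, names in sigs1.items():
        if len(names) == 1 and len(sigs2.get(sig, [])) == 1:
            matches.append((names[0], sigs2[sig][0], 1.0, "signature"))
            left1.discard(names[0])
            left2.discard(sigs2[sig][0])
    # Pass 2: greedy best similarity among the leftovers, highest score first.
    cands = sorted(((similarity(snap1[a], snap2[b]), a, b)
                    for a in left1 for b in left2), reverse=True)
    for score, a, b in cands:
        if score < threshold:
            break
        if a in left1 and b in left2:
            matches.append((a, b, round(score, 3), "fuzzy"))
            left1.discard(a)
            left2.discard(b)
    return matches, left1, left2


def scan_signatures(sigdb, snapshot):
    """Signature scan: sigdb maps hash -> known name saved from an earlier
    analysis; returns {function in snapshot: known name} for every hit."""
    hits = {}
    for name, body in snapshot.items():
        sig = signature(body)
        if sig in sigdb:
            hits[name] = sigdb[sig]
    return hits


def rename_map(matches):
    """Names to push into the second idb (the 'Import match names' step)."""
    return {n2: n1 for n1, n2, _, _ in matches}


# Constructed sample: a strlen-like loop and a byte checksum, then the same
# code rebuilt at another base with one instruction added to the checksum
# and a new wrapper function that has no counterpart in snapshot 1.
SNAPSHOT1 = {
    "sub_401000": """
        mov     eax, [esp+4]
        xor     ecx, ecx
loc_401006:
        cmp     byte ptr [eax+ecx], 0
        jz      short loc_40100E
        inc     ecx
        jmp     short loc_401006
loc_40100E:
        mov     eax, ecx
        retn""",
    "sub_401020": """
        mov     esi, [esp+4]
        mov     ecx, [esp+8]
        xor     eax, eax
loc_40102A:
        movzx   edx, byte ptr [esi]
        add     eax, edx
        inc     esi
        dec     ecx
        jnz     short loc_40102A
        retn""",
}
SNAPSHOT2 = {
    "sub_402000": """
        mov     eax, [esp+4]
        xor     ecx, ecx
loc_402006:
        cmp     byte ptr [eax+ecx], 0
        jz      short loc_40200E
        inc     ecx
        jmp     short loc_402006
loc_40200E:
        mov     eax, ecx
        retn""",
    "sub_402030": """
        mov     esi, [esp+4]
        mov     ecx, [esp+8]
        xor     eax, eax
loc_40203A:
        movzx   edx, byte ptr [esi]
        xor     edx, 55h            ; new in this build
        add     eax, edx
        inc     esi
        dec     ecx
        jnz     short loc_40203A
        retn""",
    "sub_402080": """
        push    offset aInput       ; "input"
        call    sub_402000
        add     esp, 4
        retn""",
}

if __name__ == "__main__":
    found, miss1, miss2 = automatch(SNAPSHOT1, SNAPSHOT2)
    for n1, n2, score, how in found:
        print(f"{n1} -> {n2}  {score:.3f}  ({how})")
    print("unmatched:", sorted(miss1), sorted(miss2))
    print("rename map for snapshot 2:", rename_map(found))
```

The signature pass only pairs hashes that are unique on both sides, so a set of identical thunks or stubs is left for manual matching rather than paired arbitrarily; the fuzzy pass is greedy by score, which is good enough for small binaries like the 500k targets this plugin aims at but does not guarantee a globally optimal assignment.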
ChangeLog:
- 12.16.05
- fixed UI bug with the exe "Break Match" button behavior
- compatibility tweaks in the plw source for 4.8 and the release build config