Conversation
buherator

buherator

You diff binaries and immediately find the single change that adds the overflow check.

I diff mpengine.dll and break all reversing tools out there.

We are not the same.

https://gist.github.com/v-p-b/513a8f70a32c62f3ab7bf0d6a90e0941

#bindiff #ghidriff
2
0
9
buherator

buherator

Reply to @buherator
This one ran for more than 36 hours on my laptop with ghidriff's SimpleDiff (mostly single threaded so I don't think a bigger machine would've made much difference). I just filed a PR for an optimization that seems to make one phase run in seconds instead of hours, that sounds a bit too good to be true, so reviews are welcome:

https://github.com/clearbluejar/ghidriff/pull/107

/cc @clearbluejar
2
0
2
tmr232@mastodon.social

Tamir Bahar

Reply to @buherator

@buherator Waiting for results once this happens... https://github.com/joxeankoret/diaphora/issues/159
But it might be a while, as 11.3 isn't out yet.

1
0
0
buherator

buherator

Reply to @tmr232@mastodon.social
Edited 27 days ago
@tmr232 Part of my plan is to run comparative tests, but dealing with the tooling currently feels like this
1
0
1
tmr232@mastodon.social

Tamir Bahar

Reply to @buherator

@buherator @clearbluejar

Nothing popped out as "wrong" to me, except - can you have multiple functions with the same name?

That said, having `matcher`, `matched` and `matches` in the same piece of code is really confusing 🙃

1
0
1
joxean@mastodon.social

Joxean Koret (@matalaz)

Reply to @buherator

@buherator mpengine.dll is a monster

0
0
1
buherator

buherator

Reply to @buherator
@tmr232 Also
1
0
1
joxean@mastodon.social

Joxean Koret (@matalaz)

Reply to @buherator

@buherator @tmr232 I guess it will be released by February, hopefullu. And then I will move everything to Ghidra, not only Diaphora, but also "Magic Strings", Pigaios and other stuff.

1
0
0
buherator

buherator

Reply to @tmr232@mastodon.social
@tmr232 @clearbluejar First of all, this is not my code, so there can be hidden assumptions I don't know about.

Functions can have the same name, but 1) as I understand the point here is to create matches based on an exact name and parameter number match 2) we remember symbol objects in the end so string properties shouldn't matter aside of matching.
1
0
0
buherator

buherator

Reply to @joxean@mastodon.social
@joxean @tmr232 Let's hope for that! As I said earlier, I'd be happy to help out, and subscribed to the linked issue.
0
0
0
tmr232@mastodon.social

Tamir Bahar

Reply to @buherator

@buherator @clearbluejar

My concern is that since you key the dict using (name, param-count), duplicates will be dropped/overwritten

1
0
0
buherator

buherator

Reply to @tmr232@mastodon.social
@tmr232 Valid point, but as I see no further logic for the resolution of such a conflict we can just as well keep the last ("random") result. But let's see what @clearbluejar thinks!
1
0
0
clearbluejar@infosec.exchange

clearbluejar

Reply to @buherator

@buherator @tmr232

Hey! Just posted an update on the pull request. https://github.com/clearbluejar/ghidriff/pull/107

0
0
1
About infosec.place

Terms of Service

This is a placeholder, overwrite this by putting a file at 

$STATIC_DIR/static/terms-of-service.html

See the Static Directory docs for more info.