patchdiff2-like lib for usage in a script/CLI menu

  1. #1
    Bananenbrot (Contributor)

    patchdiff2-like lib for usage in a script/CLI

    Hi,

    Some time ago, I took the step from hardcoded offsets to describing them in terms of pattern matches.
    This works quite well, but it still sucks having to update a broken pattern every ~3 patches, so I came up with the idea of inventing a binary regex-like pattern matcher.
    I don't know how well this works, but I suspect it breaks when instructions are reordered. So I did some quick googling to find an equivalent to patchdiff2 as a standalone script.
    I was hardly successful; I could only find DarunGrim: A Patch Analysis and Binary Diffing Tool.

    Has anyone of you experience with this kind of offset automation?

  2. #2
    Empted (Contributor)
    Have nearly the same idea to avoid any hardcoded function offsets. Currently trying to make some function signatures that are based on assembly analysis. Like conditional jump count, hardcoded constants, number of calls, returns, type of params and so on. This should end up in more robust offset finding, but still, with some global changes even this kind of searching will fail. But implementing something like a match measure can probably solve this. The process will not be completely autonomous, but with some kind of choosing the function that fits well under the signature.
    P.S. the idea was born to match functions from MAC binaries with the PC versions, but it's twice as hard because of different assembly styles and params passing and so on.

  3. #3
    boredevil (Active Member)

  4. #4
    Bananenbrot (Contributor)
    Originally Posted by Empted
    Have nearly the same idea to avoid any hardcoded function offsets. Currently trying to make some function signatures that are based on assembly analysis. Like conditional jump count, hardcoded constants, number of calls, returns, type of params and so on. This should end up in more robust offset finding, but still, with some global changes even this kind of searching will fail. But implementing something like a match measure can probably solve this. The process will not be completely autonomous, but with some kind of choosing the function that fits well under the signature.
    P.S. the idea was born to match functions from MAC binaries with the PC versions, but it's twice as hard because of different assembly styles and params passing and so on.
    This sounds promising for finding correspondences between mac and PC binaries of the same version, but consider for example Spell_C_Failed, which got an additional parameter since the last patch. Although this would be much more reliable than simple pattern matching.

    Originally Posted by boredevil
    Awesome reads on that topic. I was pondering in the same direction as the blog post, although the techniques mentioned might not be generic enough to diff between patches.
    We don't need exact matches, rather some way to wildcard instructions.
    Perhaps one could intermingle it with some nondeterminism/optional nodes.

    Meanwhile I am reconsidering pattern matching, but with a more nondeterministic notion, perhaps with a tree/graph structure, to model data flows. E.g.:
    Code:
    useeax = seq("mov eax, <x>", "mov eax, [eax+<y>]")
    useebx = seq("mov ebx, <x>", "call [ebx]")
    res = seq(all(useeax, useebx), "add eax, 5")
    Where the instructions are replaced with their respective byte patterns.
    seq requires the matches to be in sequential order, with 0..n bytes in between. I figure there might be other matchers like seq_strict(...), any(...), all(...), many(m) [1..n], opt(m) [0..1].
    "ab d9" is actually shorthand for seq_strict(0xab, 0xd9). I wonder if this can be realized sufficiently efficient.

    Edit: I'm baffled. asmDiff works really well on Spell_C_Failed. I'll try some other samples and then probably look into how I could leverage that.
    Last edited by Bananenbrot; 03-08-2013 at 06:50 AM.
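As an added example that is not part of this post, here is the combinator idea above written out as a small backtracking byte-pattern matcher in Python, including the reordering case from the opening post; the x86 encodings and the two sample byte strings are hand-assembled and constructed for the demo, and many(m) is left out.

```python
# Added example (not code from the thread): a backtracking matcher for the seq /
# seq_strict / any / all / opt combinators sketched in the post. A pattern is a
# function (data, pos) -> iterator of possible end positions, so it can backtrack.
from itertools import permutations

def lit(text):
    """Hex bytes such as "8b 80 ?? ?? ?? ??"; "??" is a one-byte wildcard (the <x> slots)."""
    toks = text.split()
    def fn(data, pos):
        end = pos + len(toks)
        if end <= len(data) and all(t == "??" or data[pos + i] == int(t, 16) for i, t in enumerate(toks)):
            yield end
    return fn

def _chain(parts, data, pos, gaps):
    """Match parts one after another; with gaps=True, 0..n bytes may precede each part."""
    if not parts:
        yield pos
        return
    for start in (range(pos, len(data) + 1) if gaps else (pos,)):
        for end in parts[0](data, start):
            yield from _chain(parts[1:], data, end, gaps)

def seq_strict(*parts):  # parts must be contiguous ("ab d9" == seq_strict(lit("ab"), lit("d9")))
    return lambda d, p: _chain(parts, d, p, False)
def seq(*parts):         # 0..n arbitrary bytes between (but not before) the parts
    return lambda d, p: (e for mid in parts[0](d, p) for e in _chain(parts[1:], d, mid, True))
def any_of(*parts):      # alternatives, tried in order when the matcher backtracks
    return lambda d, p: (e for q in parts for e in q(d, p))
def all_of(*parts):      # every part occurs, in any order: each permutation as a seq
    return any_of(*(seq(*perm) for perm in permutations(parts)))
def opt(q):              # [0..1]: the empty match is offered first
    return lambda d, p: (e for gen in ((p,), q(d, p)) for e in gen)

def find(pattern, data, start=0):
    """Offset of the first match of pattern in data, or -1 if there is none."""
    for off in range(start, len(data) + 1):
        if next(pattern(data, off), None) is not None:
            return off
    return -1

# The post's example with the mnemonics replaced by hand-encoded x86 byte patterns:
USEEAX = seq(lit("b8 ?? ?? ?? ??"), lit("8b 80 ?? ?? ?? ??"))  # mov eax, imm32 ; mov eax, [eax+disp32]
USEEBX = seq(lit("bb ?? ?? ?? ??"), lit("ff 13"))              # mov ebx, imm32 ; call [ebx]
RES = seq(all_of(USEEAX, USEEBX), lit("83 c0 05"))              # ... ; add eax, 5

# Constructed samples: the same routine before and after a "patch" that swaps the register setups and inserts nops.
OLD = bytes.fromhex("558bec b810203000 90 8b8040000000 bb00100000 ff13 83c005 c3")
NEW = bytes.fromhex("558bec bb00100000 ff13 90 b810203000 90 8b8040000000 83c005 c3")
```

find(RES, OLD) and find(RES, NEW) both locate the routine at offset 3, while the strict form seq_strict(lit("ff 13"), lit("83 c0 05")) matches only OLD, which is exactly the gap between a flat byte pattern and the wildcarded sequence.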

  5. #5
    Lecht (Member)
    I've actually been researching this a bit myself. I have written a tool I'm calling ZDiff in C#; it uses BeaEngine to analyze two exes. On the first pass it analyzes instructions and saves their locations for easy traversal later on, while also caching cross references and the start addresses of potential procedures; on the second pass it tries to determine the end of those procedures.

    It works fairly well so far; I'm wanting to evolve it into a patchdiff tool. It's not perfect as of yet (and may never be), but it finds the addresses without any pre-written patterns, just give it the addresses and go heh. I hope to get a chance to fine tune it and add some more robust methods for finding new addresses, for instance block comparison like patchdiff.

    It takes about 3 minutes to analyze an exe, and it can analyze multiple at a time.
    Last edited by Lecht; 03-08-2013 at 08:26 AM. Reason: Will upload pictures later.

  6. #6
    Bananenbrot (Contributor)
    I'm currently reversing mmBBQ, which is a host for asmDIFF along with other cool inject-in-lua functionality, which I don't plan to use. Sadly asmDIFF is closed source.
    I don't know if you are comfortable uploading your work to GitHub or BitBucket, but in case you are, I would be willing to contribute.
