

PatchDiff2 – A patch analysis plugin for IDA

News :
02/12/2009: PatchDiff 2.0.6 released:

* Switches to graph call for checksum instead of instruction frequency
* Removes invalid C++ classes/structs flagged as functions

08/19/2008: PatchDiff 2.0.5 released:

* Adds string references to the signature
* Fixes IPC close when option is disabled

07/22/2008: PatchDiff 2.0.4 released:

* Requires at least IDA 5.2
* Adds save backup results to IDB
* Adds Unmatch/Set match/Switch match submenus
* Adds “pipe” support to keep second IDA instance open
    * menu Options/PatchDiff2 to disable/enable it per IDB
    * registry HKLM\SOFTWARE\Tenable\PatchDiff2 IPC (DWORD) for the default setting
* Uses demangled function names
* Ignores duplicated names

07/07/2008: PatchDiff 2.0.3 released:

* Adds support for C++ classes in the signature engine (improves results against C++ targets)
* No longer relies on IDA code refs (due to bad references)
* x86: merges inc reg and dec reg to one instruction
* x86: handles jmp $2/$5
* x86: stops block tracing on int3
* Bugfix: Does not try to display graphs that IDA can’t handle

07/02/2008: PatchDiff 2.0.2 released – now supports IDA 5.1 and 5.2
06/27/2008: PatchDiff 2.0.1 released

PatchDiff2 is a plugin for the Windows version of the IDA disassembler that analyzes two IDB files and finds the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.2).
The plugin can perform the following tasks:

* Display the list of identical functions
* Display the list of matched functions
* Display the list of unmatched functions (with the CRC)
* Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. It is therefore not designed to find similar functions between two different programs.
PatchDiff2 supports all processors that IDA can handle and is available in two versions: 32-bit and 64-bit.
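
As an added illustration (not PatchDiff2's code or its actual algorithm), the sketch below shows how a differ can sort functions into the identical, matched and unmatched lists described above. The CRC32 signature over mnemonics plus string references, the two-pass pairing and all sample functions are assumptions constructed for this example.

```python
import zlib
from collections import Counter

# Constructed sample: function name -> (mnemonics, referenced strings).
OLD = {
    "parse_header": (["push", "mov", "cmp", "jz", "call", "ret"], ["bad header"]),
    "copy_field":   (["push", "mov", "call", "ret"], []),
    "counter_step": (["mov", "inc", "ret", "int3", "int3"], []),
    "legacy_hook":  (["jmp"], []),
}
NEW = {
    "parse_header": (["push", "mov", "cmp", "jz", "call", "ret"], ["bad header"]),
    "copy_field":   (["push", "mov", "cmp", "ja", "call", "ret"], ["field too long"]),
    "counter_tick": (["mov", "inc", "ret"], []),   # renamed, padding removed
    "log_reject":   (["push", "call", "ret"], ["rejected"]),
}

def signature(mnemonics, strings):
    """CRC32 over the mnemonics up to the first int3, plus string references."""
    body = mnemonics[:mnemonics.index("int3")] if "int3" in mnemonics else mnemonics
    blob = ",".join(body) + "|" + ",".join(sorted(strings))
    return zlib.crc32(blob.encode())

def diff(old, new):
    """Return (identical pairs, matched names, unmatched (name, crc) entries)."""
    osig = {n: signature(*f) for n, f in old.items()}
    nsig = {n: signature(*f) for n, f in new.items()}
    ocount, ncount = Counter(osig.values()), Counter(nsig.values())
    # Pass 1: a signature unique on both sides pairs two identical functions,
    # even when the name changed between builds.
    by_sig = {s: n for n, s in nsig.items() if ncount[s] == 1}
    identical = []
    for name, s in list(osig.items()):
        if ocount[s] == 1 and s in by_sig:
            identical.append((name, by_sig[s]))
            del osig[name], nsig[by_sig[s]]
    # Pass 2: same name but different signature means the body changed.
    matched = sorted(osig.keys() & nsig.keys())
    for name in matched:
        del osig[name], nsig[name]
    # Whatever is left exists on one side only; report it with its CRC.
    unmatched = sorted((n, f"{s:08x}") for n, s in {**osig, **nsig}.items())
    return sorted(identical), matched, unmatched

if __name__ == "__main__":
    for label, rows in zip(("identical", "matched", "unmatched"), diff(OLD, NEW)):
        print(label, rows)
```

In this sample the matched entry, `copy_field`, is the function a patch reviewer would open first: its body gained a comparison and a new string reference between the two builds.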

PatchDiff2 is freely distributed to the community by Tenable Network Security in the hope that it will be useful to you and help research engineers better analyze different patches. However, Tenable does not provide support for this tool and offers no guarantee regarding its use or output. Please read the end-user license agreement before using this program.


How to use it
PatchDiff2 can be launched through the plugins menu or by the keyboard shortcut ‘CTRL+8’. When the analysis is done, identical, unmatched and matched functions are displayed in separate lists.
Flow graphs of matched and identical functions can be displayed by right-clicking the given functions and then clicking ‘Display graphs’.
Graph nodes can be synchronized by double clicking on a given node. Graphs use the following colors:

* white: identical nodes
* grey: unmatched nodes
* red: matched nodes
* tan: identical nodes (different crc)

Copy the files “patchdiff2.plw” and “patchdiff2.p64” into the IDA plugins directory (usually C:\Program Files\IDA\plugins) and restart IDA.

You can download PatchDiff2 2.0.6 :