Reverse Engineering Asked by Daniel Näslund on April 26, 2021
So this is a question not strictly about reverse engineering, but since there are many people using Ghidra and Bindiff here I’ll try asking anyway.
I have an embedded ARM cortex-M C++ project and I want to compare the generated ELF file for two different compilers.
I used these instructions for exporting data from Ghidra to Bindiff: https://reverseengineering.stackexchange.com/a/24636/34300
I built the ELF files with debuginfo. I was hoping that Ghidra and Bindiff would use the debuginfo for identifying functions, but it looks like that’s not the case. For roughly 100 out of 700 functions the tools were not able to match the old and new functions.
I did some experiments on my own where I wrote some simple implementations for strcat and strcpy and then switched names, but then Ghidra and Bindiff were able to see that the assembly had changed, i.e. they did not just try to match functions based on the content. So it’s not the case that Ghidra + Bindiff always ignores the function names.
Is what I’m seeing the expected behavior? That Bindiff uses its own heuristics rather than trusting the debuginfo when finding functions for comparison?
If so: Is there a way to force Ghidra and Bindiff to trust the DWARF information when finding functions?
Update: The Bindiff manual lists a number of algorithms that are used for function matching. There is a configuration file .bindiff/bindiff.xml where you can modify the confidence levels between 0.0 and 1.0.
It looks like name hash matching is what I want and that I probably want to lower confidence in the other algorithms.
Though I guess just looking at each function in isolation is kind of naive given that compilers can change their inline choices between releases:
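The two matching strategies the question contrasts (trusting symbol names from debug info versus matching on function content) can be checked outside BinDiff as a first pass. The script below is an added example, not part of the original question: it reads the FUNC symbols of two ELF builds with pyelftools (assumed installed; only needed for real files) and pairs them by name first, then pairs the leftovers by identical bytes, which is what makes the strcat/strcpy name-swap experiment visible. The sample dictionaries are constructed.

```python
import hashlib

def load_functions(elf_path):
    """Map each defined FUNC symbol to (size, sha256 of its bytes).
    Assumption: pyelftools is installed; only used when reading a real ELF."""
    from elftools.elf.elffile import ELFFile
    funcs = {}
    with open(elf_path, "rb") as fh:
        elf = ELFFile(fh)
        for sym in elf.get_section_by_name(".symtab").iter_symbols():
            if sym["st_info"]["type"] != "STT_FUNC" or sym["st_size"] == 0:
                continue
            if not isinstance(sym["st_shndx"], int):  # skip SHN_UNDEF/SHN_ABS symbols
                continue
            sec = elf.get_section(sym["st_shndx"])
            start = (sym["st_value"] & ~1) - sec["sh_addr"]  # clear the Thumb bit (Cortex-M)
            code = sec.data()[start:start + sym["st_size"]]
            funcs[sym.name] = (sym["st_size"], hashlib.sha256(code).hexdigest())
    return funcs

def match_by_name(old, new):
    """First pass: pair functions by symbol name (the name-hash style match).
    Second pass: pair leftovers by identical (size, hash), i.e. a pure content
    match, which is how swapped names show up as 'renamed' rather than 'changed'."""
    report = {"identical": [], "changed": [], "renamed": [], "only_old": [], "only_new": []}
    for name in sorted(set(old) | set(new)):
        if name in old and name in new:
            report["identical" if old[name] == new[name] else "changed"].append(name)
        elif name in old:
            report["only_old"].append(name)
        else:
            report["only_new"].append(name)
    # Content lookup for unmatched new functions; duplicates with identical bytes
    # collapse to one entry, so only one of them can be paired here.
    by_content = {new[n]: n for n in report["only_new"]}
    for name in list(report["only_old"]):
        other = by_content.pop(old[name], None)
        if other is not None:
            report["renamed"].append((name, other))
            report["only_old"].remove(name)
            report["only_new"].remove(other)
    return report

# Constructed sample builds: (size, hash) per function, standing in for load_functions() output.
OLD_BUILD = {"strcpy": (20, "h1"), "strcat": (30, "h2"), "helper": (10, "h3")}
NEW_BUILD = {"strcpy": (20, "h1"), "strcat": (32, "h4"), "main": (50, "h5"), "util": (10, "h3")}

if __name__ == "__main__":
    for kind, names in match_by_name(OLD_BUILD, NEW_BUILD).items():
        print(f"{kind}: {names}")
```

Functions left in only_old after both passes are the candidates for having been inlined or dropped by the other compiler, which no per-function matcher will pair up.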