Reverse Engineering Asked on May 21, 2021
I have dis-assmebled binary and want to check if it contains particular sequence of opcodes(obtained from other reference binary). how to do that . i know plain byte
level comparison wont work as as memory address etc may differ.
example :
0000001806991C0 push rdi
.text:00000001806991C1 sub rsp, 30h
.text:00000001806991C5 mov [rsp+38h+var_18], 0FFFFFFFFFFFFFFFEh
.text:00000001806991CE mov [rsp+38h+arg_0], rbx
.text:00000001806991D3 mov rdi, rcx
.text:00000001806991D6 lea rbx, [rcx+60h]
.text:00000001806991DA lea rax, off_180B6BED0
.text:00000001806991E1 mov [rbx], rax
.text:00000001806991E4 xor r8d, r8d
.text:00000001806991E7 lea rdx, nullsub_1
.text:00000001806991EE mov rcx, rbx
.text:00000001806991F1 call sub_1800A4160
.text:00000001806991F6 mov rcx, rbx
.text:00000001806991F9 call sub_1800A4148
.text:00000001806991FE xchg ax, ax
.text:0000000180699200 lea rdx, sub_180259E24
.text:0000000180699207 lea rcx, [rdi+50h]
.text:000000018069920B call sub_180079CEC
.text:0000000180699210 lea rcx, [rdi+50h]
.text:0000000180699214 call sub_1800A74C4
.text:0000000180699219 lea rax, off_180BE6328
Depending on the specific instruction set encoding, regular expressions operating on the binary itself may be flexible enough to ignore the parts which would change based on address.
Piping the code through a naive disassembler and running the regular expression engine on the textual ouptut may be preferable to doing so on the binary as it's a lot easier to wire rules that ignore particular operands when they've been split out (though you would now be doing a multi-line match)
Sometimes it's not worth worrying about the right tool for the job, but just whipping up some code in your favorite language-of-convenience (today, probably python) to solve a one-time need.
It's also quite possible you could just do this with a text editor to find part of the pattern and then manually check the candidates for a complete match./
Answered by Chris Stratton on May 21, 2021
Would disassembly, split off the instruction column, then diff, followed by manually comparing using side-by-side text editors (of the disassembled output of each) be fast and simple enough for a one off use.
Otherwise you need a smart comparison that knows that registers and memory locations can be interchanged for each other as long as each is consistent throughout; resulting in the same output - and thus each section of code having an identical function, those sections would be a copy of each other.
It depends on how much code you have to check and how often you intend to do this.
One advantage of the so-called smart comparison is that it can iterate over the code, shifting by one address, and find every possible way to match; resulting in a few false positives that need to be manually identified.
A disadvantage of relying on a disassembler is that it can miss (or go out of sync) and fail to disassemble a few sections of code; leaving some possible matches (or near matches) unfound - leading to a Copyright claim.
A program capable of an exhaustive comparison may be more useful than one that only discovers low hanging fruit. It's a matter of the intended end-use and the investment in the project necessary for the results that are expected to be had.
Answered by Rob on May 21, 2021
It sounds like you just want to search a binary file for some sequence of binary values. Maybe I've misread and it's more complicated than that.
I'd start with good old grep.
cat binary.exe | xxd -p | tr -d 'n' | grep -o -e '774b'
Send your binary through xxd -p to turn it into a hex string.
Remove the new lines with tr -d 'n'
The hand it off to grep -o -e '774b' to search for hex value 774b.
The -o flag limits grep to only show the match, not the entire line (or file in this case as it's been turned into a single hex string line.
If you'd like to see some characters (bytes) before and after the match, add dots (.) for example grep -o -e '....774b....' to see 2 bytes before and 2 bytes after the match.
Answered by pythonpython on May 21, 2021
If you do not necessary want to use IDA, you could use radare2 and then do:
radare2 <your_file>
then do:
/x <youropcodes>
.
Example:
/x 900a0b0c90
.
To get examples of how to use this command on radare2 you could use:
/x?
.
If you necessary want to use IDA pro for your knowledge, you could skip my answer.
Answered by ultimate-anti-reversing on May 21, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP