Thursday, July 19, 2007

eEye's BinDiffing Suite for IDA Pro 5.1

It's been a while since I've posted anything, mostly because I've been very busy changing jobs and starting a penetration testing group from the ground up. That, plus all the initial new-employee training, has eaten up a lot of my time.

One thing we'll be doing is Binary Diffing. I fully believe every good penetration tester should be able to understand assembly, research new vulnerabilities and reverse engineer in some capacity. A good binary diffing program helps a LOT!

While I was waiting for our purchasing department to order Sabre's BinDiff I took a look at eEye's BinDiffingSuite. With my copy of IDA 5.1 installed I downloaded the tool and started the installation. I'm soon greeted with a message saying:

...requires IDA Pro Standard v5.0 or IDA Pro Advanced v5.0

During this month's eEye vulnerability forum I asked if there were any plans to update the tool to support IDA 5.1. Hackers take note - Alex's response is "We all use 5.0 here and it works well." Uh, aren't there known vulnerabilities against IDA 5.0? Are you guys running outdated software?!

Flame baiting aside, the MSI file is doing a very simple check for installed IDA versions: it reads the DisplayName of IDA's uninstall entry in the registry and looks for one of the v5.0 strings from the message above. Here's how you can get it installed and running with the latest (and more secure.. ahem) version of IDA. The IDA SDK has been pretty stable since v4.9, so the suite's plugins work with v5.1 without hassle:
  1. Open RegEdit (as an administrator, since the key lives under HKEY_LOCAL_MACHINE) and go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Pro_is1
  2. Note the current DisplayName (or export the key first), then change it to "IDA Pro Standard v5.0" or "IDA Pro Advanced v5.0", whichever edition the installer asks for
  3. Re-run BinDiffSuite.exe and install
  4. Change the DisplayName back to what it was. It is only the label Add/Remove Programs shows, but other installers may check it the same way this one does, so don't leave it wrong
  5. Have fun!
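The same procedure scripted, as an added example that is not part of the original post or of eEye's installer. It assumes an elevated PowerShell prompt, that BinDiffSuite.exe is at the path given in the script (an assumption; change it to wherever you saved it), and that IDA's uninstall entry is the "IDA Pro_is1" key named above. It exports the key before touching it and restores the original DisplayName even if the installer fails or is cancelled. It also checks the Wow6432Node location, because on 64-bit Windows a 32-bit installer's uninstall entry lands there instead of under the path in the steps above.

```powershell
# Added example, not code from the original post or from eEye.
# Assumptions: run from an elevated (administrator) PowerShell; $installer
# points at wherever BinDiffSuite.exe was saved; the uninstall key is the
# "IDA Pro_is1" entry named in the post.
$installer = 'C:\Downloads\BinDiffSuite.exe'   # assumption: adjust to your download path
$spoof     = 'IDA Pro Standard v5.0'           # one of the strings the installer accepts

# 32-bit installers on 64-bit Windows register under Wow6432Node, so look in both places.
$candidates = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Pro_is1',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IDA Pro_is1'
)
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { throw 'No IDA Pro uninstall entry found under either Uninstall key' }

$orig = (Get-ItemProperty -Path $key -Name DisplayName).DisplayName
Write-Host "Found $key"
Write-Host "Current DisplayName: $orig"

# Export the key before changing anything so an interrupted run leaves a restore point.
$backup  = Join-Path $env:TEMP ('ida_uninstall_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
$regPath = $key.Replace('HKLM:\', 'HKLM\')      # reg.exe wants the hive without the PS drive colon
& reg.exe export $regPath $backup /y | Out-Null
Write-Host "Backup written to $backup"

try {
    Set-ItemProperty -Path $key -Name DisplayName -Value $spoof
    Write-Host "DisplayName set to '$spoof'; launching installer..."
    $p = Start-Process -FilePath $installer -Wait -PassThru
    Write-Host "Installer exited with code $($p.ExitCode)"
}
finally {
    # Always put the real name back, whether the install succeeded, failed or was cancelled.
    Set-ItemProperty -Path $key -Name DisplayName -Value $orig
    Write-Host "DisplayName restored to '$orig'"
}
```

If you want to see exactly what an installer looks for before editing anything, an MSI declares registry lookups like this in its AppSearch and RegLocator tables, which Microsoft's Orca editor will show you. Keep in mind that this only satisfies the install-time check; whether the plugins actually load is down to SDK compatibility between the IDA version they were built against and the one you run, which is why the v4.9-onward SDK stability matters here.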
This really is a nice suite of tools. Big kudos to eEye for releasing it and including source code!

6 comments:

Bow Sineath said...

I wish I could say that I had the same great experiences with it :/

In some cases it works great, but I was doing a diff of a few MS Tuesday patches last week and the number of false positives was astonishing. It doesn't handle large binaries very well unfortunately. I can't rant on it too much though since it's free, which is nice considering BinDiff is $1,080, and it does do a fairly decent job.

Since you are lucky enough to get a BinDiff license (*sniff*), take a look at the 2.0 beta. I posted a video of it below[1] and it looks to be VERY promising.

[1]http://www.sabre-security.com/files/schannel.swf

Kurt Grutzmacher said...

Some of the more complex diffs will be a problem no matter what you use. Compilers can do some strange things in the name of optimization. These tools are great to help direct you to where the changes are, you'll still have to make additional decisions.

The more I keep using IDA the more I really do love it. I just wish it was a better debugger, but OllyDbg does a great job. I can't wait to see what Immunity has in store for their Debugger release at Blackhat/Defcon.

Bow Sineath said...

IDA is a work of art ;) I only started reversing recently and so I pretty much learned on it, but the more I use it, the more I fall in love with it. I am always finding fun new things it does to make life a little easier. I found some new feature on Thursday while reversing one of the MS patches and freaked out, all my coworkers were staring, but it cut my analysis time down significantly and I was thrilled :p

I am hoping to get my hands on a BinDiff license soon, I'll be curious to hear your opinions of it. I've heard that it is pretty much the best for diffing, but I'll be curious to see what your opinion of it vs. EEDS is, especially before I drop $1k on it.

Zibri said...

Am I the only one to have this problem ?

IDA PRO 5.0 when starting up says it detected (?) another copy of IDA and to change my license.

But 5.0 is the only copy of IDA on my pc..
I installed and uninstalled many different versions and trials..

How can I clean my pc for ida 5.0 not to complain ?

Kurt Grutzmacher said...

zibri: IDA Pro has its own key file that is placed in the directory you run it from. Best bet is to completely uninstall the versions you have, look for any other IDA folders and back up/delete them, then reinstall the latest.

If that doesn't work then go ask IDA - they support the software you bought, I just play with it. :)

Anonymous said...

I can't rant on it too much though since it's free, which is nice considering BinDiff is $1,080, and it does do a fairly decent job.