Dailydave mailing list archives
Re: Partial Binary Diffing?
From: Jeremy Kelley <jeremy () austin ibm com>
Date: Fri, 15 Sep 2006 14:30:03 -0500
Quoting Dave Aitel (dave () immunityinc com):
One thing I'm interested in lately is partial binary diffing. I'm doing a vulnerability assessment right now, and I notice that they're running an old version of bobsftpserver.exe. So I download the version right after that, and try a diff. Unfortunately, both versions are compressed with some unknown compression utility. So I attach to them with Immunity Debugger, and I notice they uncompress nicely in memory. IDA's "universal unpacker" fails, so I decide I need to copy the executables out, and try bindiffing (with Sabre-Security Bindiff v2) the result.
Export to REML and then work with it there? You could then use the pyreml stuff to extract what you want. REML is XML, I wonder if Amara would let you parse it? Not that Ero's stuff isn't nice, but I love the object model that Amara provides for any XML document.

-jeremy

--
Jeremy Kelley <jeremy () austin ibm com>
Threat Assessment Analyst
gpg 1024D/E0DF8B2D 4BC3 B8B5 5B42 CC8E B6A9 2E85 32D3 C51C E0DF 8B2D

That's the problem with science. You've got a bunch of empiricists trying to describe things of unimaginable wonder. -Bill Watterson

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
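The "partial binary diffing" Dave describes, once both packed images have been dumped from memory, reduces to the question of which functions differ between two unpacked code images. The following is an added example written for this archive page, not code from either poster, from Immunity Debugger, pyreml or BinDiff. It assumes a naive way to carve functions (split at the x86 prologue push ebp; mov ebp, esp = 55 8B EC), hashes each carved chunk, and pairs the leftovers in address order to call them "changed". The two sample images are constructed inline for illustration; a real tool matches functions structurally rather than by raw bytes, so this only shows the shape of the workflow.

```python
"""
Naive partial binary diff of two unpacked x86 code images.

Added example for illustration only (not from the Dailydave thread or any
tool mentioned in it).  Assumptions: functions start at the common prologue
55 8B EC, and a chunk whose bytes changed can be paired with the leftover
chunk at the same ordinal position on the other side.  The sample images
below are constructed by hand.
"""
import hashlib
from typing import Dict, List, Tuple

PROLOGUE = b"\x55\x8b\xec"  # push ebp; mov ebp, esp


def split_functions(image: bytes) -> List[Tuple[int, bytes]]:
    """Carve an image into (offset, bytes) chunks at every prologue."""
    starts: List[int] = []
    i = image.find(PROLOGUE)
    while i != -1:
        starts.append(i)
        i = image.find(PROLOGUE, i + 1)
    chunks = []
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(image)
        chunks.append((start, image[start:end]))
    return chunks


def chunk_hash(chunk: bytes) -> str:
    """Short content hash used to match byte-identical functions."""
    return hashlib.sha256(chunk).hexdigest()[:16]


def partial_diff(old: bytes, new: bytes) -> Dict[str, list]:
    """Classify carved functions as unchanged / changed / removed / added.

    Returns offset pairs (old_off, new_off) for unchanged and changed
    functions and bare offsets for those present on only one side.
    """
    old_chunks = split_functions(old)
    new_chunks = split_functions(new)

    # Hash -> list of offsets, so duplicated functions are matched one-to-one.
    new_index: Dict[str, List[int]] = {}
    for off, chunk in new_chunks:
        new_index.setdefault(chunk_hash(chunk), []).append(off)

    unchanged: List[Tuple[int, int]] = []
    unmatched_old: List[int] = []
    for off, chunk in old_chunks:
        candidates = new_index.get(chunk_hash(chunk))
        if candidates:
            unchanged.append((off, candidates.pop(0)))
        else:
            unmatched_old.append(off)

    matched_new = {new_off for _, new_off in unchanged}
    unmatched_new = [off for off, _ in new_chunks if off not in matched_new]

    # Heuristic (assumption): pair leftovers in address order as "changed";
    # whatever remains unpaired was removed from old or added in new.
    pairs = min(len(unmatched_old), len(unmatched_new))
    return {
        "unchanged": unchanged,
        "changed": list(zip(unmatched_old[:pairs], unmatched_new[:pairs])),
        "removed": unmatched_old[pairs:],
        "added": unmatched_new[pairs:],
    }


# Constructed sample images: three tiny functions, one of which changes in the
# new version and one new function is appended.
_F_GETARG = PROLOGUE + b"\x8b\x45\x08\x5d\xc3"             # mov eax,[ebp+8]; pop ebp; ret
_F_ZERO_OLD = PROLOGUE + b"\x33\xc0\x5d\xc3"               # xor eax,eax; pop ebp; ret
_F_ZERO_NEW = PROLOGUE + b"\xb8\x01\x00\x00\x00\x5d\xc3"   # mov eax,1; pop ebp; ret
_F_ADD = PROLOGUE + b"\x8b\x45\x08\x8b\x4d\x0c\x03\xc1\x5d\xc3"  # add [ebp+8],[ebp+0xc]
_F_INC = PROLOGUE + b"\x8b\x45\x08\x40\x5d\xc3"            # mov eax,[ebp+8]; inc eax

OLD_IMAGE = _F_GETARG + _F_ZERO_OLD + _F_ADD
NEW_IMAGE = _F_GETARG + _F_ZERO_NEW + _F_ADD + _F_INC


def demo() -> Dict[str, list]:
    """Diff the constructed old and new images."""
    return partial_diff(OLD_IMAGE, NEW_IMAGE)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind:9s} {entries}")
```

Swap OLD_IMAGE and NEW_IMAGE for two dumped, unpacked images and the same classification applies; the only part worth keeping from this toy is the matching structure, since a byte-hash match breaks as soon as the compiler relocates anything.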
Current thread:
- Partial Binary Diffing? Dave Aitel (Sep 13)
- Re: Partial Binary Diffing? Jeremy Kelley (Sep 15)