Dailydave mailing list archives

Re: Partial Binary Diffing?


From: Jeremy Kelley <jeremy () austin ibm com>
Date: Fri, 15 Sep 2006 14:30:03 -0500

Quoting Dave Aitel (dave () immunityinc com):
One thing I'm interested in lately is partial binary diffing. I'm doing 
a vulnerability assessment right now, and I notice that they're running 
an old version of bobsftpserver.exe. So I download the version right 
after that, and try a diff. Unfortunately, both versions are compressed 
with some unknown compression utility. So I attach to them with Immunity 
Debugger, and I notice they uncompress nicely in memory. IDA's 
"universal unpacker" fails, so I decide I need to copy the executables 
out, and try bindiffing (with Sabre-Security Bindiff v2) the result.

Export to REML and then work with it there? You could then use the
pyreml stuff to extract what you want.

REML is XML, I wonder if Amara would let you parse it?  Not that Ero's
stuff isn't nice, but I love the object model that Amara provides for
any XML document.

-jeremy

-- 
Jeremy Kelley <jeremy () austin ibm com>        Threat Assessment Analyst
gpg  1024D/E0DF8B2D  4BC3 B8B5 5B42 CC8E B6A9 2E85 32D3 C51C E0DF 8B2D
That's the problem with science.  You've got a bunch of empiricists
trying to describe things of unimaginable wonder.      -Bill Watterson
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
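To make the "export to XML, then diff the two versions there" idea concrete, here is an added example that is not part of this thread and not code from Sabre-Security, pyreml or Amara. It assumes a simplified, constructed XML layout (program / function / block / insn) as a stand-in for a REML-style export, since the real REML schema is not described above, and it uses Python's standard xml.etree instead of Amara. It hashes each function's normalized instruction stream and reports which functions were added, removed, changed or left alone between two builds.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample exports in a simplified XML layout. This is an ASSUMED
# stand-in for a REML-style function/block/instruction dump; the real REML
# schema is not on the page. Function and file names are made up.
OLD_XML = """\
<program name="bobsftpserver.exe" version="old">
  <function name="parse_cmd" address="0x401000">
    <block id="1"><insn>push ebp</insn><insn>mov ebp, esp</insn></block>
    <block id="2"><insn>call strcpy</insn><insn>ret</insn></block>
  </function>
  <function name="send_banner" address="0x401200">
    <block id="1"><insn>push ebp</insn><insn>jmp 0x401230</insn></block>
  </function>
  <function name="old_helper" address="0x401300">
    <block id="1"><insn>ret</insn></block>
  </function>
</program>
"""

NEW_XML = """\
<program name="bobsftpserver.exe" version="new">
  <function name="parse_cmd" address="0x401000">
    <block id="1"><insn>push ebp</insn><insn>mov ebp, esp</insn></block>
    <block id="2"><insn>call check_len</insn><insn>call strncpy</insn><insn>ret</insn></block>
  </function>
  <function name="send_banner" address="0x401210">
    <block id="1"><insn>push ebp</insn><insn>jmp 0x401240</insn></block>
  </function>
  <function name="check_len" address="0x401300">
    <block id="1"><insn>cmp ecx, 0x100</insn><insn>ret</insn></block>
  </function>
</program>
"""

# Code addresses (6+ hex digits here) shift between builds and would flag
# every function as changed, so they are masked. Short immediates such as
# 0x100 are kept on purpose: a changed bound is exactly what a patch diff
# should surface.
_ADDR = re.compile(r"\b0x[0-9a-fA-F]{6,}\b")


def normalize(insn_text):
    """Collapse whitespace and mask relocatable code addresses."""
    return _ADDR.sub("ADDR", " ".join(insn_text.split()))


def function_signatures(xml_text):
    """Map function name -> SHA-256 of its normalized instruction stream."""
    root = ET.fromstring(xml_text)
    sigs = {}
    for fn in root.findall("function"):
        stream = []
        for blk in fn.findall("block"):
            stream.append("BLOCK " + blk.get("id", ""))
            stream.extend(normalize(i.text or "") for i in blk.findall("insn"))
        sigs[fn.get("name")] = hashlib.sha256(
            "\n".join(stream).encode()).hexdigest()
    return sigs


def diff_exports(old_xml, new_xml):
    """Partition functions of two exports into added/removed/changed/unchanged."""
    old, new = function_signatures(old_xml), function_signatures(new_xml)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in common if old[n] != new[n]),
        "unchanged": sorted(n for n in common if old[n] == new[n]),
    }


if __name__ == "__main__":
    for kind, names in diff_exports(OLD_XML, NEW_XML).items():
        print(f"{kind:>9}: {', '.join(names) or '-'}")
```

Matching functions by name assumes symbols or recovered names survive in the export; on a stripped, unpacked binary the same hashing works, but the pairing step has to fall back on structural similarity (block count, call graph neighbours), which is where a tool like BinDiff earns its keep. Note also that the masked-address heuristic is deliberately narrow: masking small immediates too would hide the bounds fixes a patch diff is usually looking for.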