Winmerge plugin


Author: David Zimmer
Date: 01.24.14 - 6:18am



I got to thinking a little more about using the WinMerge plugin for disasm diffing again last night, and had a few simple ideas that panned out really well.

Previously I was aggressively cutting the asm down to just the base instruction, the instruction order, and a blank line wherever a label had been. With an extra 5 minutes of coding I was able to get the match with a less aggressive filter. The full logic is:
' baseCmd already holds the base instruction; tmp(i) is the original asm line
If InStr(tmp(i), "[") > 0 Then baseCmd = baseCmd & "[]"  ' memory operand present
If InStr(tmp(i), "+") > 0 Then baseCmd = baseCmd & "+"   ' base + displacement/index
If InStr(tmp(i), "-") > 0 Then baseCmd = baseCmd & "-"   ' negative displacement
If InStr(tmp(i), "*") > 0 Then baseCmd = baseCmd & "*"   ' scaled index
If ExtractConstant(tmp(i), x) Then baseCmd = baseCmd & x ' keep the literal constant, if any
Ridiculously simple, but it leaves enough information in for diffutils to work much better. I also added a slightly more complex parser that standardizes the asm back closer to the generic assembler mnemonics for the instructions (e.g. reg32, reg16, etc.). Both are included in the latest build. It is interesting to test how simple is sufficient (anyone can make a complex system; elegance is in simplicity).
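The two filters described above, as an added Python example that is not code from the original post or from IDACompare: normalize_line is the aggressive filter (mnemonic plus the [] + - * tokens and any constant, appended in the same order as the VB lines above), and generalize_line is the looser "generic mnemonic" style that keeps operand shape but collapses registers to reg32/reg16/reg8. The two listings are constructed to look like one routine after a rebuild (register allocation and addresses changed, one instruction added); the constant extraction, the reg32/reg16/reg8 class names and the "sym" placeholder for loc_/sub_ names are assumptions, not the plugin's actual behaviour.

```python
import difflib
import re

# Constructed sample listings (not from the post): the same routine after a
# rebuild that changed register allocation, addresses and added one instruction.
LISTING_A = """\
loc_401000:
    push ebp
    mov ebp, esp
    sub esp, 0x40
    mov eax, [ebp+8]
    lea ecx, [eax+edx*4]
    call sub_401200
    test eax, eax
    jz loc_401030
"""

LISTING_B = """\
loc_402000:
    push esi
    mov esi, ecx
    sub esp, 0x40
    mov ecx, [esi+8]
    lea edx, [ecx+eax*4]
    xor eax, eax
    call sub_402300
    test ecx, ecx
    jz loc_402040
"""

# Tokens appended in the same order as the post's VB filter: [] + - * then constants.
STRUCTURE_TOKENS = (("[", "[]"), ("+", "+"), ("-", "-"), ("*", "*"))
# Stand-in for the post's ExtractConstant helper (assumption: it keeps numeric
# immediates/displacements). \b stops the digits inside sub_401200 from matching.
CONSTANT_RE = re.compile(r"\b(0x[0-9a-fA-F]+|\d+)\b")
REG_CLASSES = {
    "reg32": "eax ebx ecx edx esi edi ebp esp",
    "reg16": "ax bx cx dx si di bp sp",
    "reg8": "al ah bl bh cl ch dl dh",
}
REG_RES = {cls: re.compile(r"\b(" + "|".join(regs.split()) + r")\b")
           for cls, regs in REG_CLASSES.items()}
SYMBOL_RE = re.compile(r"\b(loc|sub)_[0-9A-Fa-f]+\b")


def _strip(line: str) -> str:
    """Drop indentation and ';' comments; a label line becomes '' so the blank
    line still marks the block boundary, as the post describes."""
    text = line.split(";", 1)[0].strip()
    return "" if text.endswith(":") else text


def normalize_line(line: str) -> str:
    """Aggressive filter: mnemonic + structural tokens + constants only."""
    text = _strip(line)
    if not text:
        return ""
    mnemonic, _, operands = text.partition(" ")
    base = mnemonic
    for char, token in STRUCTURE_TOKENS:
        if char in operands:
            base += token
    return base + "".join(CONSTANT_RE.findall(operands))


def generalize_line(line: str) -> str:
    """Looser filter: keep operand shape, but collapse registers to their class
    (reg32/reg16/reg8) and loc_/sub_ names to 'sym' (naming is an assumption)."""
    text = _strip(line)
    for cls, rx in REG_RES.items():
        text = rx.sub(cls, text)
    return SYMBOL_RE.sub("sym", text)


def raw_listing(listing: str) -> list[str]:
    return [_strip(l) for l in listing.splitlines()]


def normalize_listing(listing: str, loose: bool = False) -> list[str]:
    fn = generalize_line if loose else normalize_line
    return [fn(l) for l in listing.splitlines()]


def similarity(a: list[str], b: list[str]) -> float:
    """Line-level match ratio: roughly what the diff engine has to work with."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def diff_listings(a: str, b: str, loose: bool = False) -> list[str]:
    """Unified diff of the two listings after filtering; the '+'/'-' lines are
    the changes that survive normalisation (register renames do not)."""
    return list(difflib.unified_diff(normalize_listing(a, loose),
                                     normalize_listing(b, loose),
                                     "a.asm", "b.asm", lineterm=""))


if __name__ == "__main__":
    print("raw similarity:        %.2f" % similarity(raw_listing(LISTING_A), raw_listing(LISTING_B)))
    print("normalized similarity: %.2f" % similarity(normalize_listing(LISTING_A), normalize_listing(LISTING_B)))
    print("\n".join(diff_listings(LISTING_A, LISTING_B)))
```

Run as-is, the raw listings share only the blank label line and the stack adjust, so the diff engine sees almost nothing in common; after the aggressive filter every line but the added xor matches, and the unified diff reduces to that single insertion. The loose mode (loose=True) is the one to try first when a diff still looks noisy, since it keeps enough operand shape to tell a register rename apart from a genuinely different addressing mode.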

I also had another idea. I wanted two more things out of my Winmerge plugin. I wanted it to be able to house multiple filters, configurable externally, and I wanted it to contain a debug interface where you could watch the data transformations and edit them manually if need be.

Both of these were also really easy to add. The filter selection is based on a registry key set by IDACompare, and for the debug UI, all I had to do was show a form modally, which pauses WinMerge and displays the data, letting the user view/edit it in real time.

When they hit continue, it goes back and WinMerge continues. Super slick.

I love that WinMerge uses COM for its plugins. Below is a screenshot of the debug UI showing the signature-based standardization.




The resulting diff below shows the same problem section from the last post now showing the correct results.




Sometimes it's amazing what 5 minutes of coding can do :)



Comments: (1)

On 01.27.14 - 12:36am Dave wrote:
Even though there is no way to configure WinMerge to apply the prediffer automatically, it turned out to be pretty easy to do it externally.
AppActivate "WinMerge - [a.idacompare - b.idacompare]"
SendKeys "%p"       ' send alt-p to select plugin menu
SendKeys "{DOWN 4}" ' down arrow 4x
SendKeys "{RIGHT}"  ' right arrow 1x
SendKeys "{DOWN 2}" ' down arrow 2x
SendKeys vbCr       ' enter
