Author: David Zimmer <dzzie@yahoo.com>
License: Copyright (C) 2005 iDefense.com, A Verisign Company
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your option)
any later version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details.
You should have received a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation, Inc., 59 Temple
Place, Suite 330, Boston, MA 02111-1307 USA
Overview:
IDACompare is a plugin for IDA which is designed to help you
line up functions across two separate disassemblies. IDACompare
also contains a signature scanner, where you can save known functions
and then scan new disassemblies against them looking for key functions.
This plugin has been designed with Malcode analysis in mind. It should
work equally well for patch analysis.
Installation:
The installer package will create local copies of all binaries for you.
The source is available in the following github repository:
https://github.com/dzzie/IDACompare
The next step is to install the 3 IDA plugins.
IDA_Compare.plw - 32 bit IDA plugin
IDA_Compare.p64 - 32 bit IDA Plugin for 64 bit disassemblies
IDASrvr.plw - 32 bit plugin for compare UI integration with IDA
If you run IDA 4.9+, precompiled binaries are included. Copy the plw files to your IDA plugins directory
and it should be ready to use. (The ActiveX DLLs are registered by the installer.)
A plugin does not currently exist for running within 64 Bit IDA. VB6 is not capable of this.
The IDA_Compare plugins are actually just small apps which export the disassembly from the IDB
into an Access database. All of the real logic is in the ida_compare.exe executable. If you can populate
the database, you can use the compare UI.
When you start a new disassembly in IDA you should now see a plugin
menu item called "IDA Compare"
Files:
mydoom_example.mdb - Sample comparison database for mydoom.a/.b
signatures.mdb - Signature Database for function sig scanning
blank.mdb - database template copied when creating new databases.
ida_compare.exe - main compare UI, works off of Access Databases filled by plugin
IdaCompare.dll - ActiveX DLL plugin UI, exports IDA disasm to Access DB
IDA_Compare.plw - IDA 4.9+ plugin to export disasm information from idb
IDASrvr.plw - IDA server plugin for integrated jump navigation and decompilation support
wmIDACompare.dll - WinMerge plugin for block level diffing of x86 asm
IDAClientLib.dll - VB6 Client Lib for IDASrvr
Operation:
Note: A video walk through of the process is also available on the
labs.idefense.com software release page.
1) Disassemble target file and launch "IDA Compare" plugin
2) Create a NEW database in plugin, and Save Snapshot 1
- This will export all of the disasm text for each function
into the Access database you created.
3) Disassemble the target you want to compare with the first disassembly.
4) Launch the IDA Compare plugin,
- select the Access database created in step 2
- export functions to Snapshot 2
5) Launch Compare UI to execute ida_compare.exe
- The exe will be launched against the current Access database
and its functions will be automatically compared.
6) Examine the automatch results.
Make manual matches
View function profiles by double clicking on list entries
Use the find dialog to try to locate related functionality
Trim the lower list using its right click menu
Export Match names from one database to another.
Clicking on a listview node will navigate IDA to that function.
When a list item is active you can press:
p to launch the profile dialog,
d to pull in the function decompilation results from IDA
x to remove the item from the list (lower list only)
w to launch WinMerge
Note: to use the decompilation feature, you have to have IDA currently
open to the target databases, and have purchased the Hex-Rays decompiler add-on.
When examining functions, you can also use WinMerge to diff the functions at
an asm level. A WinMerge Plugin is provided to help with this.
The WinMerge plugin will be automatically installed the first time you launch
it from the Tools menu, but you must have WinMerge already preinstalled.
When launched through the IDACompare interface, IDACompare will attempt to
automate the menu clicks required to apply the prediffer plugin automatically
and will also enable Plugins for WinMerge through the registry.
You can verify this worked by going to Plugins->Prediffer and checking
that the bullet mark shows wmIDACompare as active. Plugins->List should also
show the "Plugins Enabled" box checked.
7) From the IDA plugin, Import match names to update the idb with
name updates that were set in the Access database.
ChangeLog:
- 3.6.14 - added support for 64 bit disassemblies to exporter (for 32bit IDA only)
- 1.25.14 - updated help file,
added winMerge plugin,
syntax highlighting,
ida integration
see github commit history for changelog.
- 12.16.05
- fixed UI bug with exe "Break Match" button behavior
- compatibility tweaks in plw src for 4.8 and release build config