# PatchDiff => Hex-Rays => WinDiff: the way to analyze patches faster

as a reverser working for Endeavor Security, Inc nezumi gets used to analyze zillions security patches and, like many other reversers, its hard tool is Patch-Diff (free analogue of commercial Bin-Diff). Patch-Diff is great, but… too graphical (don’t like gui stuff very much, nezumi loves cheese and console).

too hard to trace there wires

too hard to trace there wires

Patch-Diff works good if there are just a few changes, but dealing with a totally rewritten function driving me bats and takes too much time. these graphs… oh… well, nezumi has came to much better solution.

1) use Patch-Diff or Bin-Diff to find matched function(s);
2) ask Hex-Rays to decompile them into high-level C-code;
3) compare patched and un-patched C-code with WinDiff or GNU diff3;

it’s works! but… there is a problem. guess, patched function has more local vars, so the stack frame is completely different from the old one, so, Hex-Rays gives different names to the same variables!!! thus, WinDiff goes crazy and shows many false positive unmatched lines.

what we’re going to do? well… Hex-Rays is an interactive decompiler (View/Open Sub-view/Opcode or F5), so it’s possible (and not too hard!) to rename variables, I mean to synchronize them. it takes time, but it’s definitely worth what it costs!!!

this trick helped me to analyze MS09-01 patch extremely fast. of course, right now, it’s just a pure idea, but I’m going to improve it.

btw, does anybody know the best tool for smarting comparing C-sources? plz, write me back (info#re-lab.org) or leave comment here.



  1. Try CSDiff (http://www.componentsoftware.com/Products/CSDiff/) It’s not specific to C sources, but it compares them smarter than, say, Total Commander’s file compare.

  2. Slava Salnikov

    May be this one (also not specific for C):
    Did not try it myself though.

  3. try DarunGrim. :D i heard it works well.

Leave a comment

Comments are closed.