This is going to sound like I’m a hacker trying to reverse-engineer some
Microsoft hotfix, but I’m not…
I have version 1 of a large-ish driver for which I have source. Someone
here developed version 2 of a driver, which should have only a few
localized changes. But, he didn’t check in the source (only the .sys),
and has long left the company (and his computer is wiped). It was
compiled with some debug information, so I can get a decent .pdb/.dbg
from it with the function names.
I can read assembly fairly well, so if I can figure out approximately
where the changes are, I can take it from there and reconstruct the
source.
But it’s fairly large, and since the addresses are all changed, it’s not
helpful to do a byte comparison since there’s a lot that is different.
I tried using IDA (Interactive DisAssembler, which is pretty cool), but
it really wasn’t of much use for this purpose.
So, I’m sure people have done this sort of thing before; I’m asking for
advice as to methods and tools to use.
Thanks in advance!
Why isn’t comparing the nice output from IDA useful?
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Taed Wynnell
Sent: Thursday, December 16, 2004 8:57 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Differences in object code?
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Interesting problem. You can probably forget about binary comparison because even a very small code change can lead to many differences in the binary. I’d use IDA to make a disassembly of both versions, save them and then use an intelligent file comparison tool to see the differences. For example Beyond Compare (http://www.scootersoftware.com/), where you can define important and unimportant differences. Correct configuration probably won’t be easy and it may need several iterations with IDA, but finally you should be able to identify the changed routines. The rest is handwork, recreating the sources.
Note you need to use the same build environment and settings for both driver versions to be successful. It shouldn’t be a big problem if the DDK build was used for version 2 and you’re able to find which one. With a different compiler or settings you can get very different assembly (optimization etc.). The easiest situation would be if you have a checked build of version 2.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
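A small script in the spirit of the suggestion above, added here as an example and not taken from the thread: it treats the per-line addresses and IDA's auto-named labels (loc_XXXX and friends) as the "unimportant differences", then diffs the two listings routine by routine, so relocation-only changes compare as equal and only genuinely changed, added or removed routines are reported. The listings are constructed, abbreviated samples (symbol names and addresses are made up), not the driver under discussion.

```python
import difflib
import re
# Constructed, abbreviated IDA-style listings (not the thread's driver). Version 2
# is linked at a different base, so addresses and labels differ in untouched code.
V1_LISTING = """\
.text:00011000 DriverEntry proc near
.text:00011000     jmp     loc_11005
.text:00011005 loc_11005:
.text:00011005     retn
.text:00011010 ReadHandler proc near
.text:00011010     mov     ecx, [eax+0Ch]
.text:00011013     retn
"""
V2_LISTING = """\
.text:00012000 DriverEntry proc near
.text:00012000     jmp     loc_12005
.text:00012005 loc_12005:
.text:00012005     retn
.text:00012010 ReadHandler proc near
.text:00012010     mov     ecx, [eax+0Ch]
.text:00012013     and     ecx, 0FFFh
.text:00012016     retn
.text:00012020 Cleanup proc near
.text:00012020     retn
"""
ADDR_PREFIX = re.compile(r"^\.text:[0-9A-Fa-f]{8}\s*")        # per-line address
LOCAL_LABEL = re.compile(r"\b(loc|off|unk)_[0-9A-Fa-f]+\b")   # auto-named labels

def parse_listing(text):
    """Return {routine: [normalized instructions]} with the relocation-dependent
    parts masked, so a relink-only difference compares as equal."""
    funcs, current = {}, None
    for raw in text.splitlines():
        line = " ".join(ADDR_PREFIX.sub("", raw).split())
        if line.endswith(" proc near"):
            current = line.split()[0]
            funcs[current] = []
        elif current and line:
            funcs[current].append(LOCAL_LABEL.sub(r"\1_?", line))
    return funcs

def compare_listings(old_text, new_text):
    """Routines added, removed, or whose normalized body differs (with a diff)."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    changed = {n: "\n".join(difflib.unified_diff(old[n], new[n], "v1/" + n,
                                                 "v2/" + n, lineterm=""))
               for n in sorted(set(old) & set(new)) if old[n] != new[n]}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}
```

On real listings the masking rules usually need a few more iterations (absolute immediates that encode addresses, string offsets), which is exactly the "define unimportant differences" loop described above.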