Archiving Windows System Files for Binary Diffing
I recently came into possession of a certain software suite that got me revisiting some thoughts on reverse engineering, binary diffing and the like. So, after a fresh install of XP SP3 and before loading up my new friend, I thought “Wouldn’t it be great to archive the system file changes as I apply patches? That would be excellent for binary diffing security updates.”
Then I remembered that Jeongwook Oh had presented just such a tool (SortExecutables.exe) during a talk at Blackhat ’09. I looked around for SortExecutables.exe, but didn’t find it (*see update at bottom). The idea was simple enough, and since I was looking for an opportunity to write some code, I decided to write my own version. I present for your viewing pleasure…binaryeti.
An initial run takes a few minutes to finish; runs after that usually complete in seconds.

This is a run after updating KB976662, an update for IE8 JSON:

Another run, after updating KB954155 regarding a Media Format Runtime bug:

Finally, after archiving several rounds we end up with a folder structure like this, containing each version of the .dlls we might want to diff:

With the help of a lightweight utility like this, it’s easy enough to archive changes so that we have them handy for later. This is something so simple and useful, I’m sure there are more than a few researchers with their own versions. I would be interested to hear about different features and what led to them.
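To make the idea concrete, here is an added example of the archiving loop in Python (my own sketch, not binaryeti’s source): it hashes every PE-like file under a directory, compares against a manifest from the previous run, and copies only the changed binaries into a per-file, per-version folder ready for diffing. The directory layout, the manifest format and the `demo()` inputs are my assumptions; the KB number is only used as a folder tag.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

PE_EXTS = (".dll", ".exe", ".sys", ".ocx")   # assumed set of file types worth archiving

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system binaries are not read into memory whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def archive_changes(system_dir, archive_dir, tag):
    """Copy every PE file whose hash differs from the last run into
    archive_dir/<relative path>/<tag>_<hash prefix>/ and return the changed paths."""
    system_dir, archive_dir = Path(system_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = archive_dir / "manifest.json"          # assumed manifest: rel path -> sha256
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    changed = []
    for path in sorted(system_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PE_EXTS:
            continue
        rel = path.relative_to(system_dir).as_posix()
        digest = sha256_of(path)
        if manifest.get(rel) == digest:
            continue                                        # unchanged since the previous run
        version_dir = archive_dir / rel / f"{tag}_{digest[:12]}"
        version_dir.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, version_dir / path.name)          # copy2 keeps the file timestamps
        manifest[rel] = digest
        changed.append(rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return changed

def demo():
    """Constructed stand-in for a system directory: two fake binaries and one non-PE file."""
    root = Path(tempfile.mkdtemp())
    sysdir, arch = root / "system32", root / "archive"
    sysdir.mkdir()
    (sysdir / "jscript.dll").write_bytes(b"MZ jscript v1")
    (sysdir / "wmvcore.dll").write_bytes(b"MZ wmvcore v1")
    (sysdir / "readme.txt").write_bytes(b"not a binary")
    first = archive_changes(sysdir, arch, "baseline")       # first run: everything is new
    second = archive_changes(sysdir, arch, "noop")          # nothing changed, nothing copied
    (sysdir / "jscript.dll").write_bytes(b"MZ jscript v2")  # simulate a patch touching one DLL
    third = archive_changes(sysdir, arch, "KB976662")
    versions = sorted(p.name for p in (arch / "jscript.dll").iterdir())
    return first, second, third, versions
```

After the three runs, `archive/jscript.dll/` holds one folder per version, which is exactly the pair of files a binary differ wants as input.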
Grab the Source [6kb] or Installer [337kb]
If you decide to go the source route, take note of the NDesk.Options dependency: go get that library and add a reference to it before compiling.
*UPDATE: So, I’m just about dense. SortExecutables.exe is distributed with DarunGrim and can be found in the DarunGrim install folder.