After several months of silence due to our team moving, finding a new home, and generally working really hard, we are happy to announce today that a new version of BinDiff is available! While the underlying comparison engine has only changed slightly, we have some significant improvements on the UI, and some improvements that are particularly useful for porting symbolic information from FOSS libraries into your disassemblies. In the following, I will highlight my favourite new features:
Call graph difference visualisation
With more complex differences between two executables, it is sometimes easy to miss the big picture by drilling down too much on changes to individual functions. With BinDiff 4.0, I now have the ability to not only examine changes on the level of the individual function, but also on the call graph. As with most UI improvements, an image is much more useful than a long diatribe; I will let the following screenshot speak for itself:
Combined visualization of two flowgraphs
Ever since the very first version of BinDiff, the only way to examine a change in a flowgraph was by using our split-screen approach: One function on each side, laid out in a similar manner, with colors indicating changes. While this works pretty well (and is still my favorite way of looking at changes), it is sometimes a bit cumbersome. In the new UI, we added an additional way of examining changes: We merge the two graphs into one, and have a vertical split on the basic block / node level. This allows full-screen examination of changes without the need for splitting the screen.
Iterative diffing
Over the last years, symbol porting has eclipsed patch analysis as my primary use for BinDiff. In many situations, I need to pull information from a FOSS project into an existing disassembly. I usually compile the FOSS project with symbols, attempting to approximate the build settings of the executable I am analyzing. I then BinDiff the disassembly against the compiled FOSS library and selectively import symbols and names for the functions that were recognized properly. While BinDiff often produces pretty good results, only a fraction of the functions will be recognized properly. In such situations, I often wished I could assist BinDiff infer further matches. With BinDiff 4.0, I can do just that: I can confirm that a pair of functions are matched correctly, and then tell BinDiff to re-run with the confirmed functions as starting points for further inference. This iterative approach allows me to match more and more functions while porting my symbols, yielding a much larger percentage of symbols in my disassembly than what would have been achieved in a single round of comparison.
More Pie Charts
When comparing two pieces of related code, it is often useful to obtain a quick overview of the degree of code overlap between two files. What fraction of the functions in an executable could be mapped to the other executable? How similar were these functions? While all this information is available to BinDiff, up until the new version we never visualized this information in a central location. This has changed with the new UI – we now generate pretty pie charts, almost instantly usable in your favorite presentation software.
There are other new features in the UI – just give it a spin. After all, BinDiff is now directly available from our website and the price has been lowered to just 200 USD!
So when I can buy it from Russia?
Hi Ivan,
we’re working on making BinNavi and BinDiff available to Russia as well, but unfortunately the legal situation for such tools is complicated. So for now, we cannot legally sell to customers outside of the Americas and Europe. So in essence, if you have a US credit card and billing address, you’ll be able to buy BinDiff and get support.
—
Christian Blichmann
Hey Ivan,
from what I understand of the situation, Google’s legal department needs to assure there are no potential liabilities arising from selling the tools. The tools fall under local jurisdictions and laws, and the legal team here is working on clarifying where the tools can be sold without risk. This is different for every jurisdiction, and the situation is more complex in some areas than in others (which will then take longer).
I am sorry for this inconvenience :-/
Cheers,
Thomas
Guys, in the store you still have version 3… I bought it yesterday night after seeing this blog post and got the links for version 3. Any idea?
Thank you
Sorry for the inconvenience. I have send you a new download link.
I have the same issue.
New download link sent.
I purchased BinDiff a few months ago. How do I upgrade to 4.0? Is there a new download link, or do I have to buy a new copy?
Is there an academic or student version available?
Unfortunately not.
Does it come with an OSX version?
BinDiff is available for OS X 10.5 or higher (x86), Debian-based Linux (i386/AMD64) and Windows XP/7 (x86).
The “Combined visualization of two flowgraphs” feature seems to be the same that I implemented for turbodiff. I presented it at HackLu 2010.
I am very happy that you took the idea, but I feel that it visualization would be better if instead of showing the old and new basic blocks side by side, they would be shown merged.
See http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=aureliax for an example and http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Showing_differences_between_disassembled_functions if you want to read the actual paper and the reasons behind the same graph visualization.
Hey Aure,
ah cool. We weren’t aware of the 2010 Hacklu presentation, thanks for pointing us there ! 🙂 Nice work 🙂
We don’t merge the blocks as it gets too messy for my taste once the build environments start diverging a bit further than your standard patch analysis.
Cheers,
Thomas
Combined visualization of two flowgraphs … isn’t the same idea that the Aureliax project ?(http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=aureliax)
I purchased BinDiff a few months ago. How do I upgrade to 4.0? Is there a new download link, or do I have to buy a new copy?
You’re eligible for a free update. I’ve sent you a new download link.
Just contact support@ with a copy of your key file 🙂
That’s a pretty deal at $200 but I have to say $400 for BinNavi is one of best values around…
I purchased BinDiff two months ago. How do I upgrade to 4.0? Thanks!
Please send an e-mail with your license file to support@zynamics.com
I’m using bindiff4. How can i use the text view (assembly view) ?
We discontinued the assembly view in BinDiff 4.0. The next version may feature a similar view again.
I find “Compare binary files for x86, MIPS, ARM, PowerPC, and other architectures supported by IDA Pro” in the description of “Use Cases”.
Does BinDiff support C166(Infineon)? Does it have all the same features as for x86/ARM/PowerPC/MIPS?
In short: “partially” and “no”. We do support generic CPUs like those found in IDA, but the results will be sub-optimal. The reason for this is that while IDA processor modules are implemented against the same API, they differ significantly in their use of flags and the representation of code flow. For x86/ARM/PPC/MIPS/Dalvik, we have extra code to handle the these pecularites.
For a C166, expect that BinDiff will only support rudimentary matching based on the mnemonics and the (limited) information that IDA returns.
Video: Automatically resolving dynamic function calls (13 MB Flash Video)
Call Resovler:
2.Find indirect calls
Found 0 indirect calls
No indirect function calls found: The resolving process is complete
+1 for the return of assembly view.
Hello,
When I am running BinDiff 4.0 I want to save my results (such as that in the Matched Functions Window) into a text file. I know there was a similar function in BinDiff 3.0 (the “save to log” button) however I can’t seem to find this functionality within version 4. Is there a way to save the BinDiff results to anything besides the .BinExport and .BinDiff filetypes?
No, we disabled the “Save to log” functionality in 4.0, since it was originally intended as an aid in debugging.
Having said that, however, the .BinDiff file format is really just a SQLite database, so you should be able to access its data easily.
Thank you for your quick reply. I did do the .BinDiff file format, and tried running it through an SQLite database client (Sqliteman), however it seemed to not put any of the same data that I had in the “matched functions” window. The similarity and confidence levels appeared to be altered from the transition. Do you reccomend a way or program in which I could keep the most consistancy with the data I am seeing in the ida GUI? Thank you.
Reblogged this on depth269.
I’m examining the SQLite database but I can’t find any information regarding whether a basic block or instructions has been modified or inserted. Do you not store that information?