Is it possible to find the modifications between a original DLL file and a modified one using x64dbg?
And, if I can't do it with x64dbg, what tool would be better than a debugger to find the modifications done on assembly code between the two files?
- Do you want to compare two DLL files or do you want to see run-time patches on a DLL file?Kerim Can Kalıpcıoğlu– Kerim Can Kalıpcıoğlu2018-08-08 11:32:24 +00:00Commented Aug 8, 2018 at 11:32
- i have original DLL file and the patched version of it and i want to know which line been patchedpharaon– pharaon2018-08-08 12:29:53 +00:00Commented Aug 8, 2018 at 12:29
Add a comment |
2 Answers
You shouldn't use a debugger to search for differences. You should use a diff tool. Of course, most diff tools work on ASCII text, but there are some that deal with binary files.
Some examples:
There are more and you probably will find one that matches exactly your need. If you would like to see your modifications in a nice visual manner with already bytes being presented as opcodes there are some options too. I haven't used them (so can't give you my recommendations) but there are at least two that I know of:
- how am i suppose to install patchdiff 2 with IDA and use it,there is no installation or using guidepharaon– pharaon2018-08-08 12:42:52 +00:00Commented Aug 8, 2018 at 12:42
- Compile and then put in plugins folder as you would do with any other pluginPaweł Łukasik– Paweł Łukasik2018-08-08 12:48:05 +00:00Commented Aug 8, 2018 at 12:48
- i tried that already but got too many errors and undefined variables, is there a compiled one?pharaon– pharaon2018-08-08 22:16:08 +00:00Commented Aug 8, 2018 at 22:16
- I’ll try to see if I can get that compilingPaweł Łukasik– Paweł Łukasik2018-08-09 11:03:12 +00:00Commented Aug 9, 2018 at 11:03
- would be really great helppharaon– pharaon2018-08-09 16:34:01 +00:00Commented Aug 9, 2018 at 16:34
In Windows, perhaps the simplest possibility is the built-in File Compare command with its /B (binary) switch, to be used from the command-line. It lists all different bytes together with their file offset.
Usage:
fc /B filepath1 filepath2
- i want to see the opcode different not the binarrypharaon– pharaon2018-08-08 22:18:13 +00:00Commented Aug 8, 2018 at 22:18
- The file compare gives you the file offsets of the differences in your binaries. From these you can easily get the opcode diffs in a debugger. Should be no problem at all.josh– josh2018-08-09 08:24:23 +00:00Commented Aug 9, 2018 at 8:24
- always give me this error, FC: cannot open C:\PROGRAM - No such file or folderpharaon– pharaon2018-08-09 09:52:17 +00:00Commented Aug 9, 2018 at 9:52
- quote your path like fc /b "c:\prxxx\yyy ddd" "d:\xx xx xx\yyy yyy" spaces are treated as delimiters for most of the console apps so it cant find your file that has a space in the pathblabb– blabb2018-08-09 10:18:18 +00:00Commented Aug 9, 2018 at 10:18
- hundred lines of binaries and last line is FC: "c:\prxxx\yyy ddd" longer than "d:\xx xx xx\yyy yyy"pharaon– pharaon2018-08-09 16:33:33 +00:00Commented Aug 9, 2018 at 16:33