Diaphora (διαφορά, Greek for “difference”) is a pure Python plugin for IDA Pro that performs program comparison, what is often referred to as “binary diffing”.
I always found that the bindiff tools did not import enough information from database to database, if at all.
1) Structures and enumerations defined in IDA are not imported, and I always have to import them manually.
2) If I want to check the call graph of the malware, only Zynamics BinDiff does so.
3) Many times I need to match functions from x86, x86_64 and ARM binaries interchangeably.
The Zynamics plugin works “great” overall, but it can fail to match many functions because, naturally, the compiler used is different.
However, the Hex-Rays decompiler is not typically bothered by such changes and the pseudo-code is rather similar if not 100% equal.
So, why not use the decompiler? Use the AST and the pseudo-code that the Hex-Rays decompiler provides. It makes it possible to perform binary diffing between x86, x86_64 and ARM binaries, going further than the current binary diffing tools or plugins.
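To make the idea concrete, here is an added example; it is not Diaphora's own code and does not use the IDA or Hex-Rays APIs. It compares two functions by a normalised token stream of their decompiler pseudo-code (decompiler temporaries such as `v2`/`a1` collapsed to one placeholder, hex literals canonicalised, register comments dropped) and contrasts that with a comparison of the raw assembly listings. The pseudo-code and assembly listings, the similarity thresholds and the match labels are all constructed for this example and are not taken from the avast binaries or from Diaphora's heuristics.

```python
"""Added example (not Diaphora's code): diff functions via normalised
pseudo-code instead of raw assembly.  All inputs below are constructed."""
from __future__ import annotations

import re
from difflib import SequenceMatcher

# Constructed pseudo-code for the same function as two builds/architectures
# might decompile it: the analyst renamed variables in A, B keeps the
# decompiler defaults and the literal notation differs; the logic is equal.
PSEUDO_A = """
int __fastcall check_item(const char *name, int flags)
{
  int v2; // ebx
  if ( !name )
    return -1;
  v2 = strlen(name);
  if ( v2 > 0x100 )
    return -2;
  return (flags & 4) != 0;
}
"""

PSEUDO_B = """
int __fastcall check_item(const char *a1, int a2)
{
  int v3; // r4
  if ( !a1 )
    return -1;
  v3 = strlen(a1);
  if ( v3 > 256 )
    return -2;
  return (a2 & 4) != 0;
}
"""

# Constructed assembly for the same function on x86-64 and ARM: almost no
# textual overlap, which is why assembly-only diffing suffers across
# compilers and architectures.
ASM_X86_64 = """
push rbx
test rdi, rdi
je short loc_err
mov rbx, rsi
call strlen
cmp eax, 100h
jg short loc_err2
and ebx, 4
setnz al
pop rbx
ret
"""

ASM_ARM = """
PUSH {R4,LR}
CMP R0, #0
BEQ loc_err
MOV R4, R1
BL strlen
CMP R0, #0x100
BGT loc_err2
ANDS R0, R4, #4
MOVNE R0, #1
POP {R4,PC}
"""

TOKEN_RE = re.compile(r"0x[0-9a-fA-F]+|\d+|[A-Za-z_]\w*|[^\s\w]")
LOCAL_RE = re.compile(r"^(v|a)\d+$")   # assumption: v<N>/a<N> are decompiler defaults


def normalise_pseudocode(text: str) -> list[str]:
    """Tokenise pseudo-code, dropping register comments, collapsing default
    variable names and writing every integer literal in decimal."""
    tokens = []
    for line in text.splitlines():
        line = line.split("//", 1)[0]          # drop Hex-Rays "// ebx" comments
        for tok in TOKEN_RE.findall(line):
            if LOCAL_RE.match(tok):
                tok = "VAR"
            elif tok.startswith("0x"):
                tok = str(int(tok, 16))
            tokens.append(tok)
    return tokens


def normalise_assembly(text: str) -> list[str]:
    """Little can be normalised here: mnemonics and registers differ per ISA."""
    return [t.lower() for line in text.splitlines() for t in TOKEN_RE.findall(line)]


def similarity(a: list[str], b: list[str]) -> float:
    """Ratio in [0, 1] over token sequences (2*matches / total tokens)."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def classify(ratio: float) -> str:
    """Thresholds are this example's own, not Diaphora's."""
    if ratio >= 0.99:
        return "best match"
    if ratio >= 0.5:
        return "partial match"
    return "unmatched"


def changed_tokens(a: list[str], b: list[str]) -> list[tuple[str, list[str], list[str]]]:
    """Only the differing regions, so the analyst sees what actually changed."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return [(op, a[i1:i2], b[j1:j2]) for op, i1, i2, j1, j2 in sm.get_opcodes() if op != "equal"]


if __name__ == "__main__":
    pa, pb = normalise_pseudocode(PSEUDO_A), normalise_pseudocode(PSEUDO_B)
    aa, ab = normalise_assembly(ASM_X86_64), normalise_assembly(ASM_ARM)
    print("pseudo-code:", round(similarity(pa, pb), 3), classify(similarity(pa, pb)))
    print("assembly:   ", round(similarity(aa, ab), 3), classify(similarity(aa, ab)))
    for op, old, new in changed_tokens(pa, pb):
        print(f"  {op}: {' '.join(old)} -> {' '.join(new)}")
```

Running it, the pseudo-code pair lands around 0.9 (the only differences left are the analyst's `name`/`flags` versus the default `a1`/`a2`), while the two assembly listings score around 0.3; the per-region diff shows exactly those five renames and nothing else, which is the kind of result that would place the function in a "partial matches" list.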
I will take as an example two different versions of the “avast” binary from Avast for Linux x86_64. The files have the following hashes: 1. ed5bdbbfaf25b065cf9ee50730334998 avast
If it’s installed (i.e., copied into the $IDA_DIR/plugins/ directory), run it using the Edit → Plugins → Diaphora – Export or diff option. The following dialog will open:
The nodes in yellow are those with only minor changes; the pink ones are those that are either new or heavily modified; and the blank ones are the basic blocks that were not modified at all.
Let’s now diff the assembly in plain text: go back to the “Partial matches” tab, right-click on the function “handle_scan_item” and select “Diff assembly”: