Versioning analysis presents a unique challenge for the reverse engineering community. Reverse engineering a single binary is time-consuming enough; reverse engineering every successive version of that binary adds up to a mind-boggling amount of work, insurmountable without proper tools to aid in analysis. For this reason, SABRE BinDiff was concieved and developed, and ever since has become a mainstay in the reverse engineering sector of information security.
BinDiff works by presenting the analyst with a list of functions that were matched between the binaries, and whether or not they were changed between versions. That information is vital for isolating changes in security patches, analyzing successiv variants of malware, and detecting code theft.
In this course, participants will learn proper usage of SABRE Security's BinDiff. The material will be centered around how to get the most out of BinDiff, followed by as many examples of usage as time permits.
- Automatically cleaning up IDBs to increase the amount of functions.
- Preventing IDA from mangling your databases.
- Detecting subtle changes which don't affect the structure of a function.
- Incorporating as much debug information as possible into the disassembly.
Other topics that will be covered:
- Detecting Code theft and GPL violations using SABRE BinDiff
- Using SABRE BinDiff for malware analysis
- Cross-platform diffing
To purchase a full version of Bin-Diff directly from Sabre Security: http://www.sabre-security.com/
Software may also be purchased with the class at a discount. Black Hat price is $900. Save $140 off the full price of $1040.