user1342 / Just-Another-Differ

🔎 Function Change Differ | A diffing tool for binary files when comparing obfuscated and changed function contents between versions 🛠️


🔎 A diffing tool for binary files when comparing obfuscated and changed binary names between versions 🛠️


Just Another Differ (JAD) is a command-line tool for comparing two binary files. It uses fuzzy string matching and Ghidra's decompilation to analyze function similarities between binaries. A great example of using JAD is when reviewing a newer version of a binary that has stripped or obfuscated function names compared to an older version which does not - JAD will produce a map of the functions in the new binary that are the closest in similarity to the old binary.

  • 🔬 Function Diffing: JAD will produce an output map of function similarities between two binaries.
  • 🌐 Outputs: JAD can produce a JSON, HTML, or stdout output for the mapping it produces.
  • 🛠️ Ghidra Enabled: JAD uses Ghidra headless to enable decompilation of functions!

JAD was inspired by another tool I created with the same purpose for Android APKs, see Obfu-DE-Scate! 📱

βš™οΈ Setup

Dependencies

JAD requires Ghidra to be installed, and for analyzeHeadless to be on your path. If it is not on your path, JAD will prompt at run time for the location of the binary. To install all other dependencies use the requirements.txt file, with:

pip install -r requirements.txt

Running

JAD must be provided with both a base binary (--binary-one/-b1) and a comparison binary (--binary-two/-b2). In addition to this, an output option can be chosen: --json-output for a JSON file map or --html-output for an HTML file. If no output option is chosen, JAD will display the map in the terminal.

JAD usage can be seen below:

usage: JAD.py [-h] --binary-one BINARY_ONE --binary-two BINARY_TWO
              [--json-output JSON_OUTPUT | --html-output HTML_OUTPUT]

Example

The below output was produced when running JAD against two differently compiled stripped versions of the 7z binary found in the linux-static-binaries repository.

JAD.py -b1 "\armv7l-eabihf\7zr" -b2 "\armv8-aarch64\7zr" --html-output out.html

In a similar fashion, the below is an example of using the JSON output flag:

JAD.py -b1 "\armv7l-eabihf\7zr" -b2 "\armv8-aarch64\7zr" --json-output out.json
{
    "FUN_000100f4": {
        "binary_two_name": "FUN_0047c3b0",
        "confidence": 86
    },
    "FUN_00010100": {
        "binary_two_name": "FUN_00400168",
        "confidence": 76
    },
    "FUN_00010124": {
        "binary_two_name": "FUN_00400304",
        "confidence": 75
    },
    "FUN_0001014c": {
...
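To show what sits behind a map like the one above, here is an added example (not JAD's own code) that does the same job on a small scale: for every function in the base binary it picks the function in the comparison binary whose decompiled body is most similar and reports a 0..100 confidence, in the same JSON shape as --json-output. The "decompilations" are constructed pseudo-C snippets standing in for Ghidra's analyzeHeadless output, and the fuzzy matcher is Python's stdlib difflib (an assumption; the page does not say which matcher JAD uses). The function names, addresses and a min_confidence threshold are all constructed for the illustration.

```python
"""Added illustration (not JAD's own code): map the functions of one binary
onto those of another by fuzzy-matching their decompiled bodies.

The decompiler output is replaced by constructed pseudo-C so the block runs
offline; the similarity measure is Python's stdlib difflib (an assumption).
"""
import json
from difflib import SequenceMatcher

# Constructed sample "decompilations". Binary one keeps its symbol names;
# binary two is a stripped rebuild, so Ghidra named its functions FUN_<addr>
# and its locals uVar1 / pFVar1 / param_N.
BINARY_ONE = {
    "checksum":
        "uint32_t checksum(const uint8_t *p, size_t n) "
        "{ uint32_t s = 0; for (size_t i = 0; i < n; i++) s += p[i]; return s; }",
    "parse_header":
        "int parse_header(const uint8_t *buf, size_t len) "
        "{ if (len < 8) return -1; if (buf[0] != 0x7a) return -2; return (int)buf[4]; }",
    "open_archive":
        "void *open_archive(const char *path) "
        '{ FILE *f = fopen(path, "rb"); if (f == NULL) return NULL; return f; }',
}

BINARY_TWO = {
    "FUN_00400168":
        "undefined4 FUN_00400168(byte *param_1, uint param_2) "
        "{ if (param_2 < 8) return 0xffffffff; if (*param_1 != 0x7a) return 0xfffffffe; return (int)param_1[4]; }",
    "FUN_00400304":
        "uint FUN_00400304(byte *param_1, uint param_2) "
        "{ uint uVar1 = 0; for (uint i = 0; i < param_2; i++) uVar1 += param_1[i]; return uVar1; }",
    "FUN_0047c3b0":
        "void *FUN_0047c3b0(char *param_1) "
        '{ FILE *pFVar1 = fopen(param_1, "rb"); if (pFVar1 == NULL) return NULL; return pFVar1; }',
}


def body_of(decompiled: str) -> str:
    """Drop the signature (which carries the stripped FUN_ name) and collapse
    whitespace, so only the function body influences the score."""
    brace = decompiled.find("{")
    text = decompiled[brace:] if brace >= 0 else decompiled
    return " ".join(text.split())


def similarity(a: str, b: str) -> int:
    """Fuzzy similarity as a 0..100 confidence. autojunk=False stops difflib
    from discarding frequent characters in long (>200 char) decompilations."""
    return round(SequenceMatcher(None, a, b, autojunk=False).ratio() * 100)


def build_map(binary_one: dict, binary_two: dict, min_confidence: int = 0) -> dict:
    """For every function in binary one, pick the binary-two function whose
    body is most similar. Below min_confidence (a constructed option) the
    entry is left unmatched (None) instead of reporting a misleading guess."""
    bodies_two = {name: body_of(src) for name, src in binary_two.items()}
    result = {}
    for name, src in binary_one.items():
        body = body_of(src)
        best_name, best_score = None, -1
        for cand, cand_body in bodies_two.items():
            score = similarity(body, cand_body)
            if score > best_score:
                best_name, best_score = cand, score
        if best_score < min_confidence:
            best_name = None
        result[name] = {"binary_two_name": best_name, "confidence": best_score}
    return result


if __name__ == "__main__":
    # Same shape as the --json-output map shown above
    print(json.dumps(build_map(BINARY_ONE, BINARY_TWO), indent=4))
```

Two design points carry over to real triage. Comparing bodies rather than whole decompilations keeps the meaningless FUN_ names out of the score, and reporting the confidence rather than only the best name lets you sort the map: high-confidence pairs can inherit the old annotations, while low-confidence or unmatched functions are exactly where code changed between versions and deserve a manual look.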

πŸ™ Contributions

JAD is an open-source project and welcomes contributions from the community. If you would like to contribute to JAD, please follow these guidelines:

  • Fork the repository to your own GitHub account.
  • Create a new branch with a descriptive name for your contribution.
  • Make your changes and test them thoroughly.
  • Submit a pull request to the main repository, including a detailed description of your changes and any relevant documentation.
  • Wait for feedback from the maintainers and address any comments or suggestions (if any).
  • Once your changes have been reviewed and approved, they will be merged into the main repository.

βš–οΈ Code of Conduct

JAD follows the Contributor Covenant Code of Conduct. Please make sure to review and adhere to this code of conduct when contributing to JAD.

πŸ› Bug Reports and Feature Requests

If you encounter a bug or have a suggestion for a new feature, please open an issue in the GitHub repository. Please provide as much detail as possible, including steps to reproduce the issue or a clear description of the proposed feature. Your feedback is valuable and will help improve JAD for everyone.

📜 License

GNU General Public License v3.0
