BinDiff is a tool to diff two binary executables: it finds the functions that match between them and the ones that differ. Zynamics originally developed BinDiff; Google acquired the company in 2011. Even though there are alternatives like Diaphora, I still prefer BinDiff. It is the tool I utilize when analyzing a new version of a malware family.
BinDiff saves me a lot of time since it detects most of the functionality in the new binary and lets me transfer annotations. Unfortunately, there are only .deb packages (Debian / Ubuntu) for Linux. Therefore, Fedora users must convert the .deb package to an .rpm package in order to install BinDiff on Fedora.
I know that there is an article by 0x90 on how to install BinDiff on Fedora. However, it does not work out of the box anymore. Furthermore, the article is not reachable (as of time of writing). Therefore, I’ve decided to write a quick tip on how to install BinDiff on Fedora. The following was tested with BinDiff 6.1 and IDA Pro 7.5 on Fedora 32 / 33.
Building an rpm package
First, we get the latest .deb package from Zynamics’ download page. Next, we need to convert the .deb package to an .rpm package. We’ll use alien for this. Its man page gives the following description:
"alien is a program that converts between Red Hat rpm, Debian deb, Stampede slp, Slackware tgz, and Solaris pkg file formats. If you want to use a package from another Linux distribution than the one you have installed on your system, you can use alien to convert it to your preferred package format and install it. It also supports LSB packages." (man page of alien)
The following command converts the .deb package to an .rpm package (-k keeps the upstream version number instead of bumping it):

alien -v -k --to-rpm bindiff_6_amd64.deb
This is the output that I get on my system:

Warning: alien is not running as root!
Warning: Ownerships of files in the generated packages will probably be wrong.
dpkg-deb --info 'bindiff_6_amd64.deb' control 2>/dev/null
dpkg-deb --info 'bindiff_6_amd64.deb' control 2>/dev/null
dpkg-deb --info 'bindiff_6_amd64.deb' conffiles 2>/dev/null
dpkg-deb --fsys-tarfile 'bindiff_6_amd64.deb' | tar tf -
dpkg-deb --info 'bindiff_6_amd64.deb' postinst 2>/dev/null
dpkg-deb --info 'bindiff_6_amd64.deb' postrm 2>/dev/null
dpkg-deb --info 'bindiff_6_amd64.deb' preinst 2>/dev/null
dpkg-deb --info 'bindiff_6_amd64.deb' prerm 2>/dev/null
Warning: Skipping conversion of scripts in package bindiff: postinst postrm preinst
Warning: Use the --scripts parameter to include the scripts.
mkdir bindiff-6
chmod 755 bindiff-6
dpkg-deb -x bindiff_6_amd64.deb bindiff-6
rpm --showrc
cd bindiff-6; rpmbuild --buildroot='~/ida_bins/bindiff-6' -bb --target x86_64 'bindiff-6-1.spec' 2>&1
bindiff-6-1.x86_64.rpm generated
We’re not there yet. Two things in that output deserve a look. First, alien did not carry the .deb’s maintainer scripts (postinst, postrm, preinst) over into the rpm; they would run as root at install time, so read them with dpkg-deb --info bindiff_6_amd64.deb postinst (and the others) before deciding whether to re-run alien with --scripts. Second, if you try to install the package with dnf right now, you will get an error:

dnf install ./bindiff-6-1.x86_64.rpm
 Package        Architecture   Version   Repository    Size
Installing:
 bindiff        x86_64         6-1       @commandline  27 M

Transaction Summary
Install  1 Package

Total size: 27 M
Installed size: 53 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Error: Transaction test error:
  file /usr/bin from install of bindiff-6-1.x86_64 conflicts with file from package filesystem-3.14-2.fc32.x86_64
The rpm claims ownership of the /usr/bin directory itself, which Fedora’s filesystem package already owns. We have to rebuild the package with rpmrebuild. Its man page gives the following description:

"rpmrebuild is a tool to easily build rpm packages. It can be used to build an rpm file from an installed package (lost rpm) or to quickly make changes to a package: just make your changes to the installed files and call rpmrebuild." (man page of rpmrebuild)
Run rpmrebuild on the package file (-p) in spec-editing mode (-e) as follows:

rpmrebuild -pe bindiff-6-1.x86_64.rpm
This command will drop you into your default text editor with the package’s spec file open. Locate the following two entries in the %files section and delete them; they are what makes the package claim / and /usr/bin, and removing them resolves the conflict with the filesystem package without touching any of BinDiff’s own files:

%dir %attr(0755, root, root) "/"
%dir %attr(0755, root, root) "/usr/bin"
Exit the editor and answer the question "Do you want to continue? (y/N)" with y. rpmrebuild prints the location of the fixed package when it finishes.
Now we can install BinDiff 6.1 with dnf:

dnf install ./bindiff-6-1.x86_64.rpm
Dependencies resolved.
 Package        Architecture   Version   Repository    Size
Installing:
 bindiff        x86_64         6-1       @commandline  27 M

Transaction Summary
Install  1 Package

Total size: 27 M
Installed size: 53 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                          1/1
  Installing       : bindiff-6-1.x86_64       1/1
  Running scriptlet: bindiff-6-1.x86_64       1/1
  Verifying        : bindiff-6-1.x86_64       1/1

Installed:
  bindiff-6-1.x86_64

Complete!
Install the BinDiff plugin in IDA Pro 7.5
The BinDiff installation will be under /opt/bindiff. To use it from IDA Pro 7.5, copy the precompiled BinDiff plugins from /opt/bindiff/plugins to your IDA Pro plugin directory.
The next time you start IDA Pro 7.5, it should load the BinExport and BinDiff plugins; both show up under Edit > Plugins. Press Ctrl + 6 to open the BinDiff plugin.
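To make the whole procedure above repeatable, here is an added example script. It is mine, not from the original post and not from the BinDiff project. It assumes two things the post does not state: that rpmrebuild accepts --batch, -d <dir> and --change-spec-files=<command> (check rpmrebuild --help; if not, fall back to the interactive rpmrebuild -pe shown above), and that IDA 7.5 loads per-user plugins from ~/.idapro/plugins. The %files filter it applies is exactly the deletion the post performs in the editor; on top of that it prints the maintainer scripts alien skipped, and it checks with rpm -qlp that the rebuilt package no longer claims / or /usr/bin before anything is installed.

```shell
#!/bin/sh
# bindiff-fedora.sh: added example for the procedure in this post (not the
# post's own script and not from the BinDiff project).
# Assumptions, not stated in the post:
#   * rpmrebuild supports --batch, -d <dir> and --change-spec-files=<cmd>
#     (check `rpmrebuild --help`; otherwise use the interactive -pe form)
#   * IDA 7.5 loads per-user plugins from ~/.idapro/plugins
set -eu

DEB="${DEB:-bindiff_6_amd64.deb}"
RPM="${RPM:-bindiff-6-1.x86_64.rpm}"
OUT_DIR="${OUT_DIR:-$PWD/fixed}"
IDA_PLUGIN_DIR="${IDA_PLUGIN_DIR:-${HOME:-.}/.idapro/plugins}"   # assumption

# %files filter: drop the %dir entries for "/" and "/usr/bin". Fedora's
# filesystem package owns both, which is the conflict dnf reported.
# Every other line of the %files section passes through unchanged.
filter_files_section() {
    awk '!($0 ~ /^%dir %attr\([^)]*\) "\/(usr\/bin)?"$/)'
}

# alien skipped the Debian maintainer scripts (see its warning). Print them
# so you can read what they would do as root before opting for --scripts.
show_deb_scripts() {
    for s in preinst postinst prerm postrm; do
        printf '== %s ==\n' "$s"
        dpkg-deb --info "$DEB" "$s" 2>/dev/null || echo "(none)"
    done
}

# Exit status 0 if the package file still claims / or /usr/bin.
rpm_claims_filesystem_dirs() {
    rpm -qlp "$1" | grep -qx -e / -e /usr/bin
}

find_fixed_package() {
    find "$OUT_DIR" -name "$(basename "$RPM")" | head -n 1
}

convert_and_fix() {
    alien -v -k --to-rpm "$DEB"              # same invocation as in the post
    mkdir -p "$OUT_DIR"
    self=$(readlink -f "$0")
    # Non-interactive stand-in for `rpmrebuild -pe`: the %files section is
    # piped through this script's filter instead of through an editor.
    rpmrebuild --batch -p -d "$OUT_DIR" \
        --change-spec-files="$self filter" "$RPM"
    fixed=$(find_fixed_package)
    [ -n "$fixed" ] || { echo "no rebuilt package found in $OUT_DIR" >&2; exit 1; }
    if rpm_claims_filesystem_dirs "$fixed"; then
        echo "$fixed still owns / or /usr/bin; fall back to: rpmrebuild -pe $RPM" >&2
        exit 1
    fi
    echo "scriptlets that will run on install:"
    rpm -qp --scripts "$fixed"
    echo "fixed package: $fixed"
}

install_package() {
    fixed=$(find_fixed_package)
    [ -n "$fixed" ] || { echo "run '$0 convert' first" >&2; exit 1; }
    sudo dnf install "$fixed"
}

install_ida_plugins() {
    mkdir -p "$IDA_PLUGIN_DIR"
    # The post copies the precompiled plugins from /opt/bindiff/plugins;
    # find(1) also copes with a deeper layout below that directory.
    find /opt/bindiff/plugins -name '*.so' -exec cp -v '{}' "$IDA_PLUGIN_DIR"/ \;
}

case "${1:-}" in
    filter)   filter_files_section ;;      # used internally by rpmrebuild
    scripts)  show_deb_scripts ;;
    convert)  convert_and_fix ;;
    install)  install_package ;;
    plugins)  install_ida_plugins ;;
    "")       ;;                           # no command: only define functions
    *)        echo "usage: $0 scripts|convert|install|plugins" >&2; exit 2 ;;
esac
```

Run it as ./bindiff-fedora.sh scripts, then convert, install and plugins, in that order. The filter is deliberately narrow: it matches only %dir lines whose path is exactly "/" or "/usr/bin", so a future package that legitimately owns something like /usr/bin/bindiff keeps that entry.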
Happy diffing 🙂