
Skip showing a basic block as a difference if it has only NOP instructions

Open marakew opened this issue 1 year ago • 2 comments

look at the pics

many variants

bindiff_skip_nop1

bindiff_skip_nop2

bindiff_skip_nop3

marakew avatar Apr 11 '24 12:04 marakew

BinDiff just shows whatever is different in the underlying BinExport files. It has no knowledge about the instruction types.

Implementing such a feature would mean that we need to make BinExport aware of the instruction types as well and mark them somehow.
And then it remains an open question of whether we still want to include the nop-style instructions in the BinDiff similarity score.

There are also use cases where I as an analyst would be legitimately interested in extra nop bytes. If a basic block changes in a way that includes multi-byte nops, then that might be an indicator that something was patched out, or that it should serve as a placeholder for other code/exploits to overwrite it.

cblichmann avatar Apr 11 '24 12:04 cblichmann

The compiler can emit nop(s) to align the block

as you can see in the picture

there is no interest in both blocks if the sums of instructions without nops are the same for them

maybe this can be under some additional option, "skip check nops"

I see the function already exists

https://github.com/google/binexport/blob/main/x86_nop.cc

so maybe with some additional option it can be enabled for comparing blocks by instructions?

marakew avatar Apr 11 '24 13:04 marakew
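The "skip check nops" idea from this thread, as an added example that is not BinDiff or BinExport code: it compares two basic blocks given as already-disassembled instruction bytes, flags a NOP-only change, and still reports the NOP byte counts so padding growth stays visible to the analyst. The function names and sample blocks are constructed for illustration, and the NOP table is the Intel-recommended 1 to 9 byte encodings, assumed here rather than taken from `x86_nop.cc`.

```python
# Added example: NOP-aware comparison of two x86 basic blocks.
# Each block is a list of instruction encodings (one bytes object per
# instruction), i.e. the disassembler has already found the boundaries.

# Intel-recommended multi-byte NOP encodings, 1 to 9 bytes long.
# Assumption: this table is illustrative, not the list used by BinExport.
INTEL_NOPS = frozenset(bytes.fromhex(h) for h in (
    "90",                  # nop
    "6690",                # 66 nop
    "0f1f00",              # nop dword [rax]
    "0f1f4000",            # nop dword [rax+0]
    "0f1f440000",          # nop dword [rax+rax+0]
    "660f1f440000",        # nop word  [rax+rax+0]
    "0f1f8000000000",      # nop dword [rax+0x00000000]
    "0f1f840000000000",    # nop dword [rax+rax+0x00000000]
    "660f1f840000000000",  # nop word  [rax+rax+0x00000000]
))

def is_nop(insn: bytes) -> bool:
    """True for the encodings in INTEL_NOPS only; NOP-equivalent
    instructions such as 'lea' or 'xchg' forms are not covered."""
    return insn in INTEL_NOPS

def strip_nops(block):
    """Return the block with NOP padding instructions removed."""
    return [insn for insn in block if not is_nop(insn)]

def compare_blocks(primary, secondary):
    """Classify the difference between two basic blocks."""
    identical = primary == secondary
    same_without_nops = strip_nops(primary) == strip_nops(secondary)
    nop_bytes = tuple(sum(len(i) for i in b if is_nop(i))
                      for b in (primary, secondary))
    return {
        "identical": identical,
        # Differs only by padding: a candidate for hiding in the view.
        "nop_only_change": same_without_nops and not identical,
        # Kept so that added or removed padding is still reported.
        "nop_bytes": nop_bytes,
    }

# Constructed sample blocks: mov rbp,rsp / xor eax,eax / ret
OLD = [b"\x48\x89\xe5", b"\x31\xc0", b"\xc3"]
# Same code with a 5-byte NOP inserted.
NEW_PADDED = [b"\x48\x89\xe5", b"\x31\xc0", b"\x0f\x1f\x44\x00\x00", b"\xc3"]
# Real change: xor ecx,ecx instead of xor eax,eax.
NEW_CHANGED = [b"\x48\x89\xe5", b"\x31\xc9", b"\xc3"]

if __name__ == "__main__":
    print(compare_blocks(OLD, NEW_PADDED))
    print(compare_blocks(OLD, NEW_CHANGED))
```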