Diaphora (διαφορά, Greek for 'difference') version 3.0 is the most advanced program diffing tool (working as an IDA plugin) available as of today (2023). It was released first during SyScan 2015 and has been actively maintained since this year: it has been ported to every single minor version of IDA since 6.8 to 8.3.
Diaphora supports versions of IDA >= 7.4 because the code only runs in Python 3.X (Python 3.11 was the last version being tested).
Unique Features
Diaphora has many of the most common program diffing (bindiffing) features you might expect, like:
- Diffing assembler.
- Diffing control flow graphs.
- Porting symbol names and comments.
- Adding manual matches.
- Similarity ratio calculation.
- Batch automation.
- Call graph matching calculation.
- Dozens of heuristics based on graph theory, assembler, bytes, functions' features, etc...
However, Diaphora has also many features that are unique, not available in any other public tool. The following is a non extensive list of unique features:
- Ability to port structs, enums, unions and typedefs.
- Support for compilation units (finding and diffing compilation units).
- Microcode support.
- Parallel diffing.
- Pseudo-code based heuristics.
- Pseudo-code patches generation.
- Diffing pseudo-codes (with syntax highlighting!).
- Scripting support (for both the exporting and diffing processes).
- ...
Donations
You can help (or thank) the author of Diaphora by making a donation, if you feel like doing so:
License
Versions of Diaphora prior to 1.2.4, including version 1.2.4, are licensed under the GNU GPL version 3. Since version 2.0, Diaphora is now licensed under the GNU Affero GPL version 3 license. The license has been changed so companies wanting to modify and adapt Diaphora cannot offer web services based on these modified versions without contributing back the changes.
For 99.99% of users, the license change doesn't affect them at all. If your company needs a different licensing model, check the next section...
Licensing
Commercial licenses of Diaphora are available. Please contact [email protected] for more details.
Documentation
You can check the tutorial https://github.com/joxeankoret/diaphora/blob/master/doc/diaphora_help.pdf
Screenshots
Diaphora finding the exact function where a vulnerability was patched in CVE-2020-1350:
Diaphora, again, finding the exact function where CVE-2023-28231 was fixed:
CVE-2023-28231. As explained in a blog from ZDI, the vulnerability was fixed by checking that the number of relay forward messages in "ProcessRelayForwardMessage()" is not bigger or equal than 32 (0x20), as shown in the following pseudo-code diffing:
Diaphora doing Hex-Ray's microcode diffing:
Diffing assembly, pseudo-code and microcode:
Diffing CVE-2023-21768 with Diaphora 3.0:
This is a screenshot of Diaphora diffing the PEGASUS iOS kernel Vulnerability fixed in iOS 9.3.5:
And this is an old screenshot of Diaphora diffing the Microsoft bulletin MS15-034:
These are some screenshots of Diaphora diffing the Microsoft bulletin MS15-050, extracted from the blog post Analyzing MS15-050 With Diaphora from Alex Ionescu.
Here is a screenshot of Diaphora diffing iBoot from iOS 10.3.3 against iOS 11.0: