Binary compilation differences

26 Jan 2014

Summary

I compiled the same code with a bunch of different compilers and have made those binaries available. I also verified that the putty.exe 0.63 that can be downloaded matches what can be built from source code for it. This post is just for my archive; nothing cool is introduced and I do not identify what any of the differences are between compilers.

Introduction

Given the post a while back on binary verification of the TrueCrypt binaries, I decided to match some binaries myself, and I was interested in what differences exist between different versions of compilers.

Compiler output

I decided to compile the same code with different compilers to see what the differences would be. I've made those binaries available at: compilations_with_different_compilers.zip (2.82MB)

The included README.txt explains much of what was done. I compiled very simple binaries as my primary interest was in the PE headers that are generated. The projects used the following source code:

int main(int argc, char** argv) {
  return 42;
}

int factorial(int a) {
  if (a == 1) return a;
  return a * factorial(a - 1);
}

int main(int argc, char** argv) {
  return factorial(argc);
}

I compiled debug and release builds where possible with the following compilers using all default settings:

  1. Watcom 1.9 DOS
  2. Borland C++ Compiler 5.5.1
  3. Dev-C++ 5 beta release (4.9.9.2)
  4. Intel Composer XE Evaluation 2013 SP1
  5. lcc-win32 3.8
  6. MinGW using gcc, cpp, and g++ which all appear to be links to gcc 4.8.1
  7. Cygwin using gcc, cpp, and g++ which all appear to be links to gcc 4.8.2
  8. Visual Studio 6
  9. Visual Studio 2003 Pro
  10. Visual Studio 2003 Pro SP1
  11. Visual Studio 2005 Pro
  12. Visual C++ 2008 Express
  13. Visual Studio 2010 Express
  14. Visual Studio 2012 Express
  15. Visual Studio 2013 Express

For each project there are 35 binaries. I also have a few builds of putty in there. Builds were done on Windows XP SP3 and Windows 7.

If you want to write signatures for compilations like HBGary's Fingerprint tool once sort of did to try to group malware, you should use IDA FLIRT signatures. These binaries are just there for those interested as they did take a stupid amount of time to generate (download and install the compiler and figure out how to use it in some cases).

Putty 0.63 binary compilation verified

I verified that you can compile the source code for putty.exe 0.63 to obtain the same binary. This confirms there is no trojaned functionality in that binary outside of whatever might be in the source code, which I did not review.

Procedure

  1. Install "Visual Studio .NET 2003 Professional - Full Install (English)" from the MSDN on a vanilla Windows XP SP3 system. Do not download or install any updates to Visual Studio.
  2. Download the putty source. (MD5: 21dadf391eed109dd89c1befe96cac88)
  3. Download the putty binaries. (MD5: 2af64c860af7af67a25d639e2fcba006)
  4. These MD5's are listed on putty's page here. Ensure you are getting the release code and binaries, not the development versions.
  5. Extract the files
  6. Modify putty-src/WINDOWS/PUTTY.MFT to change the line endings from '\r\n' to '\n'. I don't know why this was this way. This can be done with cygwin via: sed -i 's/\r$//' PUTTY.MFT
  7. Bring up the Visual Studio command prompt, cd to putty-src/WINDOWS, and run nmake -f MAKEFILE.VC VER=/DRELEASE=0.63
  8. Compare your new putty.exe against the downloaded putty.exe and you should see only a 3 or 4 byte difference at 0x100 for the link time.
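
The comparison in step 8, as an added example that is not part of the original post: a Python script that finds the COFF TimeDateStamp (the link time) from the PE header and flags any differing byte outside that field. The fake_pe helper and its sample images are constructed for illustration, and assume e_lfanew is 0xF8 so the stamp lands at 0x100 as described above.

```python
import struct

def timestamp_offset(pe: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp (link time) field."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # "PE\0\0" (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    return e_lfanew + 8

def compare_builds(a: bytes, b: bytes) -> dict:
    """Diff two builds; only bytes inside the link timestamp may differ."""
    result = {"match": False, "reason": "", "diffs": [], "unexpected": []}
    if len(a) != len(b):
        result["reason"] = "size differs"
        return result
    ts = timestamp_offset(a)
    if ts != timestamp_offset(b):
        result["reason"] = "header layout differs"
        return result
    stamp = range(ts, ts + 4)
    result["diffs"] = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    result["unexpected"] = [i for i in result["diffs"] if i not in stamp]
    result["match"] = not result["unexpected"]
    result["reason"] = "ok" if result["match"] else "bytes differ outside timestamp"
    return result

def fake_pe(stamp: int, body: bytes) -> bytes:
    """Constructed sample: minimal MZ/PE skeleton, not a runnable executable."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xF8)           # assumed e_lfanew
    img[0xF8:0xFC] = b"PE\0\0"
    struct.pack_into("<HHI", img, 0xFC, 0x014C, 1, stamp)
    img[0x180:0x180 + len(body)] = body                # stand-in for code bytes
    return bytes(img)

if __name__ == "__main__":
    official = fake_pe(0x52000000, b"code")            # constructed link times
    rebuilt = fake_pe(0x52E4A1B2, b"code")
    tampered = fake_pe(0x52E4A1B2, b"c0de")
    for name, other in (("rebuilt", rebuilt), ("tampered", tampered)):
        r = compare_builds(official, other)
        print(name, r["reason"], [hex(i) for i in r["diffs"]])
```

To check real files, read both putty.exe copies in binary mode and pass the bytes to compare_builds.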