Code Coverage Technique
This technique uses a code coverage tool to locate the difference between two execution paths.
Here's an example using the Lighthouse plugin in IDA:
- Write a simple program:
    #include <iostream>

    int main()
    {
        int a;
        std::cin >> a;                        // the input decides which branch runs
        if (a == 1) {
            std::cout << "1" << std::endl;    // block executed only for input 1
        } else {
            std::cout << "2\n";               // block executed for every other input
        }
    }
- Run the program twice under DynamoRIO's drcov coverage tool, once with an input that takes the a == 1 branch and once with any other input, so the two runs follow different paths.
- Load both coverage files into Lighthouse in IDA and set the composer expression to A ^ B (the symmetric difference: blocks executed in exactly one of the two runs).
- Only the code that differs between the two runs is highlighted; the shared setup and teardown blocks drop out.
- Switch between A and B to see which run each highlighted block belongs to; that is where the key code for each input lives.
- For actual reverse engineering, make the two runs differ as precisely as possible in the single trigger for the functionality you want to analyze. This quickly narrows the search to the key code, and you no longer have to worry about large stripped binaries without symbols.
For more details, visit this link.