Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   IDA signatures question (https://forum.exetools.com/showthread.php?t=16346)

The Old Pirate 11-28-2014 20:49

IDA signatures question
 
I have a DLL and the source code of the old version of this DLL. How do I utilize this in IDA? I read about FLIRT technology, but it states this is for static libraries (?)
Could someone point me in the right direction?

bart 11-28-2014 21:45

It's just byte signatures; IDA has plenty of them for most popular programming languages and their libraries.

The Old Pirate 11-28-2014 21:54

I'm looking to make IDA match functions in the disassembly of the new DLL with their names, utilizing the old source code. There has to be a way.

sendersu 11-29-2014 04:18

Quote:

Originally Posted by The Old Pirate (Post 95928)
I'm looking to make IDA match functions in the disassembly of the new DLL with their names, utilizing the old source code. There has to be a way.

well, you could start from here -
http://www.woodmann.com/collaborative/tools/index.php/Category:IDA_Signature_Creation_Tools

a lot of handy tools are there....


Create your own signature file by simply following 2 easy steps:

../flair/bin/pcf lmgr.lib lmgr.pat
or
../flair/bin/plb lmgr.lib lmgr.pat

../flair/bin/sigmake lmgr.pat lmgr.sig


another case
sigmake.exe -n"SSL 0.98e" -a0004 -o0002 -p0 -t10 *.pat SSL98e.sig
copy *.sig "C:\IDAPro6.1\sig"
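One step the commands above skip: when several library functions share an identical pattern, sigmake stops, writes a `.exc` file next to the `.pat`, and refuses to build the `.sig` until the header comment lines are deleted and one entry per collision group is marked `+` (keep) or `-` (drop). The helper below is an added example, not code from the thread or from FLAIR; it assumes the `.exc` layout I remember from the FLAIR readme (header lines begin with `;`, groups are separated by blank lines, entries are `name<TAB>crclen crc pattern`) and resolves every unmarked group by keeping its first entry, the usual choice when the colliding names are aliases of one routine.

```python
"""Resolve sigmake collisions in a FLAIR .exc file (added example).

Usage: python fix_exc.py lmgr.exc   (then re-run sigmake lmgr.pat lmgr.sig)
Format assumptions (not from the thread): ';' header lines, blank-line
separated groups, and '+' / '-' as the selection markers sigmake reads.
"""
import sys

# Constructed sample of what sigmake writes for two collision groups.
SAMPLE_EXC = (
    ";--------- (delete these lines to allow sigmake to read this file)\n"
    "; add '+' at the start of a line to select a module\n"
    "; add '-' if you are not sure about the selection\n"
    "; do nothing if you want to exclude all modules\n"
    "\n"
    "_lm_checkout\t0D 4F3A 558BEC83EC1C53565733C0\n"
    "_lm_checkin\t0D 4F3A 558BEC83EC1C53565733C0\n"
    "\n"
    "_lm_errstring\t08 A1C2 8B442404\n"
    "-_lm_errtext\t08 A1C2 8B442404\n"
)


def resolve_exc(text: str) -> str:
    """Strip the header and mark the first entry of each undecided group."""
    body = [ln for ln in text.splitlines() if not ln.startswith(";")]
    groups, current = [], []
    for line in body:
        if line.strip():
            current.append(line)
        elif current:              # blank line closes a collision group
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    for group in groups:
        # A human may already have chosen; only touch groups with no marker.
        if not any(entry[0] in "+-" for entry in group):
            group[0] = "+" + group[0]
    return "\n\n".join("\n".join(g) for g in groups) + "\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        print(resolve_exc(SAMPLE_EXC))
    else:
        with open(path, encoding="utf-8") as fh:
            fixed = resolve_exc(fh.read())
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(fixed)
```

Review the marked choices before re-running sigmake; functions that collide but are not aliases need a `-` or a manual pick instead of the first entry.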

Conquest 11-29-2014 13:37

Quote:

Originally Posted by The Old Pirate (Post 95928)
I'm looking to make IDA match functions in the disassembly of the new DLL with their names, utilizing the old source code. There has to be a way.

Flirt signatures work on the basis of a binary search pattern. Since you have the source, you have already progressed 25%, but there is a major issue.
The binary pattern searching only works if, over the versions, the compiler stays the same or similar. Why? As compilers update/upgrade, the code generation scheme keeps changing, thus changing the byte patterns.
You will need to generate a static library out of the source, maintaining the same compiler options and version. What I am saying is based on my experience, and I am in no way in a position to claim to know the internal sig generation methods.
The signature generation itself is rather easy, and you can find lots of small tutorials about them. If it's a small program, you can try to name the functions manually and create small Python scripts to use as flirt signatures for naming.

good luck

CashD 12-01-2014 04:30

If flirt doesn't detect some symbols, you can try to use bindiff.
It could show you some points you missed with flirt, because maybe they changed compiler, etc.
Reminder: when you use flirt, check that you are using the release version and not the debug version.
In bindiff, compile release with symbols and compare.
