Flag: Tornado! Hurricane!

 Forums >>  IDA Pro  >>  IDA Signature for Crypto++

Topic created on: January 18, 2008 18:44 CST by memo5 .

Hello All
Did any one try to make IDA Signature file for Crypto++ library.
I could not make it and I dont know why.
my batch file contents:
set LIB=c:\lib\
set SIG=.

pcf %LIB%*.obj *cl41

rem pause
rem sigmake -c -f400 -o2 -a140 -p0 "-nCrypto++ v4.1 Win32" *cl41  cryptolib41
sigmake -f400 -o2 -a140 -p0 "-nCrypto++ v4.1 Win32" *cl41  cryptolib41

the problem is, the sigmake utility find many errors in the result pattern file "PAT file".
any one can help.
Thank you.

  NicoDE     January 21, 2008 03:05.37 CST
You need to resolve the (name/symbol) collisions.
Take a look at the generated *.exc files.
In short:
1) remove the comment block in the EXCs
2) for every block of collisions write "+" before one line (that symbol will be included in your signature)
3) run sigmake again

  Sirmabus     January 21, 2008 19:30.41 CST
Try Luigi Auriemma's "Signsrch".

"
It can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code which can be also manually added since it's all based on a text signature file read at runtime.
"

Works great. Just edit your IDA cfg files to give you a
"jump to file offset" since his tool outputs file, not
virtual offsets:

http://aluigi.altervista.org/mytoolz.htm

  memo5     January 22, 2008 17:19.09 CST
Thank you NicoDE and Sirmabus.
Actually the problem was a result of the deep nested path of the library source code files. The sigmake utility stopped at PAT file line 1066 and did not produce any .exc file at all.
I've moved the library directory to the root and surprisingly the utility continue its work and produced the .exc file then .sig file.
I think that this is a bug in sigmake utility.

Unfortunately the sig file was not helpful in my case for many reasons, Crypto++ as an open source library every developer I think change the compilation settings like optimization inline functions etc and even he or she may use different compilers to generate the final binary executable code so the result sig file used by the FLAIR engine will not be helpful. I think that a good plug-in or script will do some code analyzing and search for some data used by crypto algos code and in generally some flow-control comparing, I have used the FindCrypt plug-in and it was able to identify this type of data but not the methods, and when I compared some methods from the target code and the lib file used to generate the sig file I noticed that the differences was very small but enough to cheat the FLAIR engine, but the flow-control was very identical.

  dELTA     January 23, 2008 15:42.24 CST
For reference, here are two tools that are very good when creating IDA signatures, which improve upon or are better than the standard IDA tools:

http://www.woodmann.com/collaborative/tools/index.php/Advanced_obj_and_lib_IDA_signature_ripper

http://www.woodmann.com/collaborative/tools/index.php/Fast_IDB2Sig_and_LoadMap_IDA_plugins

  memo5     January 24, 2008 02:20.10 CST
dELTA
I already try it but the gain was the same as the FLAIR engine.
I explaind the problems in previous post.
Thank you

Note: Registration is required to post to the forums.

There are 31,095 total registered users.


Recently Created Topics
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15


Recent Forum Posts
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit