IDA Signature for Crypto++

Topic created on: January 18, 2008 18:44 CST by memo5.

Hello all,
Did anyone try to make an IDA signature file for the Crypto++ library?
I could not make it and I don't know why.
My batch file contents:
set LIB=c:\lib\
set SIG=.

pcf %LIB%*.obj *cl41

rem pause
rem sigmake -c -f400 -o2 -a140 -p0 "-nCrypto++ v4.1 Win32" *cl41  cryptolib41
sigmake -f400 -o2 -a140 -p0 "-nCrypto++ v4.1 Win32" *cl41  cryptolib41

The problem is, the sigmake utility finds many errors in the resulting pattern file (the "PAT file").
Can anyone help?
Thank you.

  NicoDE     January 21, 2008 03:05.37 CST
You need to resolve the (name/symbol) collisions.
Take a look at the generated *.exc files.
In short:
1) remove the comment block in the EXCs
2) for every block of collisions write "+" before one line (that symbol will be included in your signature)
3) run sigmake again
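
NicoDE's three steps, as an added example that is not part of the original thread: a Python helper that strips the comment block from a sigmake .exc file and marks one symbol per collision group with "+". The .exc layout (comment lines starting with ";", groups separated by blank lines), the name resolve_exc and the sample content are assumptions constructed for illustration.

```python
# Added example: prepare a FLAIR .exc collision file for a second sigmake run.
# Assumed layout: comment lines start with ';', and each collision group is a
# run of non-blank lines separated from the next group by a blank line.

# Constructed sample, not real sigmake output; names and patterns are made up.
SAMPLE_EXC = """\
;--------- constructed comment block
; sigmake will not read the file while these lines are present

_demo_copy_a\t00 0000 558BEC8B4508........
_demo_copy_b\t00 0000 558BEC8B4508........

?Demo@A@@QAEXXZ\t1A 3F2C 8B442404........
?Demo@B@@QAEXXZ\t1A 3F2C 8B442404........
?Demo@C@@QAEXXZ\t1A 3F2C 8B442404........
"""

def resolve_exc(text, choose=lambda names: 0):
    """Return (new_text, picks): comment block removed, one '+' per group.

    choose(names) returns the index of the symbol to keep for a group.
    """
    groups, current = [], []
    for line in text.splitlines():
        if line.startswith(";"):
            continue                      # step 1: drop the comment block
        if line.strip():
            current.append(line)
        elif current:                     # blank line closes a group
            groups.append(current)
            current = []
    if current:
        groups.append(current)

    out, picks = [], []
    for group in groups:
        if any(l.startswith("+") for l in group):
            out.extend(group)             # keep a selection made by hand
        else:                             # step 2: mark exactly one line
            names = [l.split()[0] for l in group]
            idx = choose(names)
            picks.append(names[idx])
            out.extend("+" + l if i == idx else l for i, l in enumerate(group))
        out.append("")
    return "\n".join(out), picks

if __name__ == "__main__":
    new_text, picks = resolve_exc(SAMPLE_EXC)
    print(new_text)                       # step 3: save it, rerun sigmake
```

Taking the first symbol of each group is arbitrary. Review the picks before rerunning sigmake, because the chosen name is what IDA will apply to every function that matches that pattern.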

  Sirmabus     January 21, 2008 19:30.41 CST
Try Luigi Auriemma's "Signsrch".

"It can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code which can be also manually added since it's all based on a text signature file read at runtime."

Works great. Just edit your IDA cfg files to give you a "jump to file offset" since his tool outputs file, not virtual offsets:

http://aluigi.altervista.org/mytoolz.htm

  memo5     January 22, 2008 17:19.09 CST
Thank you NicoDE and Sirmabus.
Actually the problem was a result of the deeply nested path of the library source code files. The sigmake utility stopped at PAT file line 1066 and did not produce any .exc file at all.
I've moved the library directory to the root and surprisingly the utility continued its work and produced the .exc file, then the .sig file.
I think that this is a bug in the sigmake utility.

Unfortunately the sig file was not helpful in my case, for many reasons. Crypto++ is an open source library, so I think every developer changes the compilation settings (optimization, inline functions, etc.), and he or she may even use different compilers to generate the final binary executable code, so the resulting sig file used by the FLAIR engine will not be helpful. I think that a good plug-in or script would do some code analysis and search for some data used by crypto algorithm code and, in general, some flow-control comparison. I have used the FindCrypt plug-in and it was able to identify this type of data but not the methods. When I compared some methods from the target code and the lib file used to generate the sig file, I noticed that the differences were very small but enough to cheat the FLAIR engine, but the flow control was identical.

  dELTA     January 23, 2008 15:42.24 CST
For reference, here are two tools that are very good when creating IDA signatures, which improve upon or are better than the standard IDA tools:

http://www.woodmann.com/collaborative/tools/index.php/Advanced_obj_and_lib_IDA_signature_ripper

http://www.woodmann.com/collaborative/tools/index.php/Fast_IDB2Sig_and_LoadMap_IDA_plugins

  memo5     January 24, 2008 02:20.10 CST
dELTA,
I already tried it but the gain was the same as with the FLAIR engine.
I explained the problems in my previous post.
Thank you.
