Topic created on: January 18, 2008 18:44 CST by memo5 .

Hello All,
Did anyone try to make an IDA signature file for the Crypto++ library?
I could not make it and I don't know why.
My batch file contents:
set LIB=c:\lib\
set SIG=.

pcf %LIB%*.obj *cl41

rem pause
rem sigmake -c -f400 -o2 -a140 -p0 "-nCrypto++ v4.1 Win32" *cl41  cryptolib41
sigmake -f400 -o2 -a140 -p0 "-nCrypto++ v4.1 Win32" *cl41  cryptolib41

The problem is that the sigmake utility finds many errors in the resulting pattern file (the "PAT file").
Can anyone help?
Thank you.

  NicoDE     January 21, 2008 03:05.37 CST
You need to resolve the (name/symbol) collisions.
Take a look at the generated *.exc files.
In short:
1) remove the comment block in the EXCs
2) for every block of collisions write "+" before one line (that symbol will be included in your signature)
3) run sigmake again
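
The three steps above, as an added example (not code from the thread or from the FLAIR tools): a small Python helper that strips the ';' comment block from a sigmake .exc file and puts a '+' in front of one symbol per collision group. It assumes the usual .exc layout (comment lines first, then groups of symbol lines separated by blank lines); the sample .exc text and its symbol names are constructed, and the "keep the first entry" policy is just a default you can replace.

```python
"""Resolve sigmake collisions in a .exc file: drop the ';' comment block and
select one symbol per collision group with a leading '+'.  Assumed layout:
';' comment lines, then groups of symbol lines separated by blank lines."""

from typing import Callable, List


def first_entry(group: List[str]) -> int:
    """Default policy: keep the first symbol of each collision group."""
    return 0


def resolve_exc(text: str, choose: Callable[[List[str]], int] = first_entry) -> str:
    """Return the .exc contents ready for another sigmake run."""
    # 1) remove the comment block: every line starting with ';'
    body = [ln for ln in text.splitlines() if not ln.lstrip().startswith(";")]
    out: List[str] = []
    group: List[str] = []

    def flush() -> None:
        if not group:
            return
        if any(ln[:1] in "+-" for ln in group):
            out.extend(group)          # already resolved by hand, leave it
        else:
            idx = choose(group)        # 2) mark one line of the group with '+'
            out.extend(("+" + ln) if i == idx else ln for i, ln in enumerate(group))
        out.append("")
        group.clear()

    for ln in body:
        if ln.strip():
            group.append(ln)
        else:
            flush()                    # blank line ends a collision group
    flush()
    return "\n".join(out).rstrip("\n") + "\n"


def count_selected(text: str) -> int:
    """Number of symbols that will be included when sigmake is rerun."""
    return sum(1 for ln in text.splitlines() if ln.startswith("+"))


# Constructed sample in the shape of a sigmake .exc (names/bytes are made up).
SAMPLE_EXC = """\
;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module
; add '-' if you are not sure about the selection

HashTransformation_Update\t00 0000 558BEC83EC08
MessageAuthenticationCode_Update\t00 0000 558BEC83EC08

AES_Clone\t00 0000 558BEC56
DES_Clone\t00 0000 558BEC56
"""
```

After writing the returned text back over the .exc file, step 3 is simply rerunning the same sigmake command.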

  Sirmabus     January 21, 2008 19:30.41 CST
Try Luigi Auriemma's "Signsrch".

"It can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code which can be also manually added since it's all based on a text signature file read at runtime."

Works great. Just edit your IDA cfg files to give you a "jump to file offset" since his tool outputs file, not virtual offsets:

http://aluigi.altervista.org/mytoolz.htm

  memo5     January 22, 2008 17:19.09 CST
Thank you NicoDE and Sirmabus.
Actually the problem was a result of the deeply nested path of the library source code files. The sigmake utility stopped at PAT file line 1066 and did not produce any .exc file at all.
I moved the library directory to the root and, surprisingly, the utility continued its work and produced the .exc file and then the .sig file.
I think that this is a bug in the sigmake utility.

Unfortunately the sig file was not helpful in my case, for many reasons. Crypto++ is an open-source library, so every developer, I think, changes the compilation settings (optimization, inline functions, etc.) and he or she may even use different compilers to generate the final binary executable code, so the resulting sig file used by the FLAIR engine will not be helpful. I think that a good plug-in or script would do some code analysis and search for some data used by the crypto algorithm code and, in general, some flow-control comparison. I have used the FindCrypt plug-in and it was able to identify this type of data but not the methods, and when I compared some methods from the target code and the lib file used to generate the sig file I noticed that the differences were very small but enough to cheat the FLAIR engine, while the flow control was identical.

  dELTA     January 23, 2008 15:42.24 CST
For reference, here are two tools that are very good when creating IDA signatures, which improve upon or are better than the standard IDA tools:

http://www.woodmann.com/collaborative/tools/index.php/Advanced_obj_and_lib_IDA_signature_ripper

http://www.woodmann.com/collaborative/tools/index.php/Fast_IDB2Sig_and_LoadMap_IDA_plugins

  memo5     January 24, 2008 02:20.10 CST
dELTA,
I already tried it, but the gain was the same as with the FLAIR engine.
I explained the problems in my previous post.
Thank you
