#1
IDA signatures question
I have a DLL and the source code of the old version of this DLL. How do I utilize this in IDA? I read about FLIRT technology but it states this is for static libraries (?)
Could someone point me in the right direction?
__________________
http://youtu.be/H0QfVDebLFg
#2
They're just byte signatures; IDA has plenty of them for the most popular programming languages and their libraries.
#3
I'm looking to make IDA match functions in the disassembly of the new DLL with their names, utilizing the old source code. There has to be a way.
#4
Quote:
http://www.woodmann.com/collaborative/tools/index.php/Category:IDA_Signature_Creation_Tools a lot of handy tools are there....

Create your own signature file simply following 2 easy steps:

../flair/bin/pcf lmgr.lib lmgr.pat
or
../flair/bin/plb lmgr.lib lmgr.pat

../flair/bin/sigmake lmgr.pat lmgr.sig

another case:

sigmake.exe -n"SSL 0.98e" -a0004 -o0002 -p0 -t10 *.pat SSL98e.sig
copy *.sig "C:\IDAPro6.1\sig"
The Following User Gave Reputation+1 to sendersu For This Useful Post: The Old Pirate (12-01-2014)
#5
Quote:
The binary pattern searching only works if, over the versions, the compiler stays the same or similar. Why? As compilers update/upgrade, the code generation scheme keeps changing, thus changing the byte patterns. You will need to generate a static library out of the source, maintaining the same compiler options and version. What I am saying is based on my experience, and I am in no way in a position to claim to know the internal sig generation methods. The signature generation itself is rather easy, and you can find lots of small tutorials about them. If it's a small program, you can try to name the functions manually and create small Python scripts to use as FLIRT signatures for naming. Good luck
The Following User Gave Reputation+1 to Conquest For This Useful Post: The Old Pirate (12-01-2014)
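Putting the replies above together (byte signatures in #2, the pat/sig toolchain in #4, compiler drift in #5), here is an added Python example. It is not code from this thread or from Hex-Rays' FLAIR tools: it builds a FLIRT-style .pat line for a hand-constructed x86 function, then matches that line against a relinked copy (only relocation bytes differ, still matches) and against a copy whose compiler picked a different register (opcode bytes differ, no match). The .pat layout and the CRC16 variant follow my reading of the FLAIR documentation and its crc16.cpp; the function name `_log_message`, the byte strings and the fixup offsets are made up for the example, and tail bytes after the CRC region are left out.

```python
"""
Toy FLIRT-style signature generation and matching.

Added example, not code from the thread or from the FLAIR tools. The .pat
line format and crc16 variant follow my understanding of FLAIR's docs and
crc16.cpp; the x86-32 function bytes below are constructed by hand.
"""
from typing import List, Optional, Tuple

HEAD_LEN = 32      # FLIRT stores the first 32 bytes as a wildcard pattern
MAX_CRC_LEN = 255  # crc16 covers at most 255 bytes after the head


def crc16(data: bytes) -> int:
    """CRC16 as (I believe) FLAIR computes it: reflected poly 0x8408,
    init 0xFFFF, final complement, result bytes swapped."""
    crc = 0xFFFF
    for byte in data:
        for _ in range(8):
            if (crc ^ byte) & 1:
                crc = (crc >> 1) ^ 0x8408
            else:
                crc >>= 1
            byte >>= 1
    crc = ~crc & 0xFFFF
    return ((crc << 8) | (crc >> 8)) & 0xFFFF


def make_pattern(code: bytes, relocs: List[int], name: str) -> str:
    """Emit one .pat line. `relocs` are offsets of 4-byte linker fixups
    (absolute addresses, call targets); they become '..' wildcards because
    they change from build to build even when the code does not."""
    variable = {o for r in relocs for o in range(r, r + 4)}
    head = "".join(".." if i in variable else f"{code[i]:02X}"
                   for i in range(min(HEAD_LEN, len(code))))
    head = head.ljust(HEAD_LEN * 2, ".")  # functions under 32 bytes are padded
    # The crc covers bytes after the head up to the first variable byte.
    end = HEAD_LEN
    while end < len(code) and end - HEAD_LEN < MAX_CRC_LEN and end not in variable:
        end += 1
    region = code[HEAD_LEN:end]
    return f"{head} {len(region):02X} {crc16(region):04X} {len(code):04X} :0000 {name}"


def parse_pattern(line: str) -> Tuple[str, int, int, int, str]:
    head, crc_len, crc, total, _offset, name = line.split()[:6]
    return head, int(crc_len, 16), int(crc, 16), int(total, 16), name


def match(pattern: str, code: bytes) -> Optional[str]:
    """Return the symbol name if `code` satisfies the pattern, else None."""
    head, crc_len, crc, total, name = parse_pattern(pattern)
    if len(code) != total:
        return None
    for i in range(HEAD_LEN):
        pat_byte = head[2 * i:2 * i + 2]
        if pat_byte == "..":
            continue                       # wildcard: relocation or padding
        if i >= len(code) or code[i] != int(pat_byte, 16):
            return None
    region = code[HEAD_LEN:HEAD_LEN + crc_len]
    if len(region) != crc_len or crc16(region) != crc:
        return None
    return name


# Constructed bytes for a hypothetical old-DLL function (hand-assembled).
OLD_FUNC = bytes.fromhex(
    "55" "8BEC" "83EC08" "56" "8B7508" "85F6" "740E"   # prologue, test esi
    "6800104000"                                      # push offset aFmt  (fixup @15)
    "56" "E8A0000000"                                 # push esi; call _printf (fixup @21)
    "83C408" "33C0" "EB05" "B801000000"               # cleanup, return values
    "5E" "8BE5" "5D" "C3"                             # pop esi; epilogue
)
RELOCS = [15, 21]

# Same compiler, relinked at another base: only the fixup bytes move.
RELINKED = bytearray(OLD_FUNC)
RELINKED[15:19] = bytes.fromhex("40304000")
RELINKED[21:25] = bytes.fromhex("10020000")
RELINKED = bytes(RELINKED)

# Newer compiler allocates edi instead of esi: four opcode bytes change.
REGALLOC = bytearray(RELINKED)
REGALLOC[6] = 0x57                          # push edi
REGALLOC[7:10] = bytes.fromhex("8B7D08")    # mov edi, [ebp+8]
REGALLOC[10:12] = bytes.fromhex("85FF")     # test edi, edi
REGALLOC[37] = 0x5F                         # pop edi
REGALLOC = bytes(REGALLOC)


def demo() -> dict:
    pat = make_pattern(OLD_FUNC, RELOCS, "_log_message")
    return {"pattern": pat, "old": match(pat, OLD_FUNC),
            "relinked": match(pat, RELINKED), "regalloc": match(pat, REGALLOC)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>9}: {value}")
```

Two practical notes on the real toolchain that the thread does not spell out: pick the pattern tool by library format (pcf for COFF .lib files from MSVC, plb for OMF, pelf for ELF .a files), and when sigmake reports collisions it writes a .exc file next to the .pat; remove the leading `;---` comment lines from that file, resolve or accept the listed collisions, and run sigmake again before copying the .sig into IDA's sig directory.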
#6
If FLIRT doesn't detect some symbols, you can try using BinDiff; it could show you some points you missed with FLIRT, because maybe they changed the compiler, etc. Reminder: when you use FLIRT, check that you are using the release version and not the debug version. In BinDiff, compile release with symbols and compare.
The Following User Gave Reputation+1 to For This Useful Post: The Old Pirate (12-02-2014)