From Collaborative RCE Tool Library


IDA2PAT Reloaded

Tool name: IDA2PAT Reloaded
Rating: 0.0 (0 votes)
Author: Sirmabus
Website: http://www.woodmann.com/forum/showthread.php?t=11916
Current version: 1.0B
Last updated: July 19, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: An IDA Pro 5.xx plug-in to generate a pattern file.

You've probably seen one or more of the different variants of this plug-in:
"ida2sig", "ida2pat", etc.
We want to create a pattern (".pat") file from which to assemble a FLIRT signature file (".sig") using the FLAIR utility "sigmake.exe". This allows one to apply these sigs to help with porting to updates, etc.

I had preferred TQN's "ida2sig" version since it was the fastest (see below) I could find. But it had the same problems as the previous version. And I wanted to make a build I could update with the latest FLAIR lib, etc.

[How to run it]
1. Invoke it using your selected IDA hot-key or from "Edit->Plugins".
2. Select the destination ".pat" file.
3. After it is done, convert your pattern file into a signature file using "sigmake.exe".

[Design & Outstanding issues]
There are zero options; the assumption is that you want to save only, and all of, the function names that are not autogenerated. That is, for the most part, all functions not named like "sub_69B470" or "unknown_libname_228".

Unfortunately there are ambiguities and errors when using function flags like "pFunc->flags & FUNC_LIB", "is_public_name()", "dummy_name_ea()", etc., to determine which functions are library functions, public, etc.

Biggest hurdle; consider this: you do your RE work and rename some functions with names that make sense to you, or you rename one specifically so you can come back to it later using a custom sig, etc.
Maybe all is well the first time, because IDA sees it as a user function and thus traditional IDA2PAT creates a pattern for it. But the next time, after an update, etc., you apply the sig, and it is no longer a "user function": IDA marks it as a library function, or worse, as autogenerated. Don't like this. We want to be able to apply a sig, work on the DB, rename some functions with better-fitting names as understanding grows, etc., then create new patterns without name collisions, etc.

AFAIK there is no solid way to determine what is "autogenerated", "user-generated" or otherwise using the stock IDA SDK functions.

What "IDA2PAT Reloaded" does instead is rely solely on function name patterns. It simply rejects functions whose names start with "sub_" or "unknown_libname_", or that start with the characters '$', '@', '?', and '_', etc.

This will be a problem if you intentionally use something like "sub_MyFunction" or "unknown_libname_MyFunction", etc., as your naming convention. This design assumes IDA is set up to display autogenerated function names as "sub_xxxxxx", etc., per the defaults.
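As an added example, not code from the plug-in itself: the name-based filter described above, written in Python and run over a constructed list of function names. It also shows the "sub_MyFunction" case being rejected by the prefix rule.

```python
# Added example (not the plug-in's own code): the name-based filter that
# IDA2PAT Reloaded's description says it uses instead of IDA's function
# flags. All function names below are constructed for illustration.

# Prefixes of IDA's default autogenerated names that the plug-in rejects.
REJECTED_PREFIXES = ("sub_", "unknown_libname_")
# Leading characters of decorated or compiler-generated names, also rejected.
REJECTED_FIRST_CHARS = frozenset("$@?_")


def reject_reason(name):
    """Return why `name` would be skipped, or None if a pattern is emitted."""
    if not name:
        return "empty name"
    for prefix in REJECTED_PREFIXES:
        if name.startswith(prefix):
            return "autogenerated prefix %r" % prefix
    if name[0] in REJECTED_FIRST_CHARS:
        return "leading character %r" % name[0]
    return None


def select_for_pat(names):
    """Split names into those that get a pattern and those skipped (with reason)."""
    kept, skipped = [], {}
    for name in names:
        reason = reject_reason(name)
        if reason is None:
            kept.append(name)
        else:
            skipped[name] = reason
    return kept, skipped


# Constructed sample resembling a renamed IDB: user names, IDA defaults and
# decorated/compiler names. "sub_MyFunction" shows the caveat from the text:
# a deliberately chosen user name is rejected because of its prefix.
SAMPLE_NAMES = [
    "ParseConfigFile", "CheckLicenseKey", "sub_69B470",
    "unknown_libname_228", "$LN7", "@__security_check_cookie@4",
    "?Init@CApp@@QAEXXZ", "_start", "sub_MyFunction",
]

if __name__ == "__main__":
    kept, skipped = select_for_pat(SAMPLE_NAMES)
    print("patterns emitted for:", kept)
    for name, reason in skipped.items():
        print("skipped %-28s %s" % (name, reason))
```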

Speed:
TQN's version was definitely faster than the others: he replaced the file-streaming "qfprintf()" calls with a very large buffer, then saved the buffer at the end. The real issue was a single "qflush()" call after each pattern was created in Quine's original code. FYI, a file "flush" causes the OS to flush its write cache, causing a file performance hit.

As a baseline, just iterating through around 100k functions (with zero processing) takes ~12 seconds on my machine on average. Thus, any processing on top of that is just additive. IDA2PAT Reloaded only adds ~3 seconds to the baseline on a modern machine.