A question about IDA sig files


Hero
October 3rd, 2012, 14:05
Hi all

I'm here for a small question after a long while.
I sometimes make IDA sigs for my IDA, and as you know, you will see collisions when you use sigmake.exe a lot of times. If your collision file (.exc file) is small, it will be no problem. But in the case of large libraries, especially the ones that are very organized and well developed, you may see a lot of different important functions with the same signature and you need to select 1 between them.
Now what do you do in these cases?
I saw this switch in plb.exe:
Code:
-p## Pattern length (default: 32)
Never use this switch, it is for debugging only.

I thought it is good to increase sig length in these cases for correct recognition, but as you see it says "Never use this switch".
What is the best solution for cases like this?
For example, I have attached the collision file of OpenSSL 0.9.8x and you see a lot of i2d, d2i, PEM, ... functions with the same signature in it.

Regards

Hero
October 5th, 2012, 01:58
Oh, I just noticed that starting with IDA 6.3, you can use 64 byte patterns too.
But right now my main problem is with previous versions that support 32 byte patterns max.

Regards

Aimless
October 5th, 2012, 02:47
Just because...

Ilfak says don't change size, it is not so. It is MEANT for debugging the sig file creation! Meaning, if everything is OK, then 32 is good. But if it's not working, and you want to debug, or find out why it's not working, then you CAN increase/decrease the length.

I'd say 48 bytes is a good one. 64 is next. 128 is final. No sense going beyond that. Try 96 also sometime.

Have Phun

Hero
October 5th, 2012, 11:36
Quote:
[Originally Posted by Aimless;93342]Just because...

Ilfak says don't change size, it is not so. It is MEANT for debugging the sig file creation! Meaning, if everything is OK, then 32 is good. But if it's not working, and you want to debug, or find out why it's not working, then you CAN increase/decrease the length.

I'd say 48 bytes is a good one. 64 is next. 128 is final. No sense going beyond that. Try 96 also sometime.

Have Phun

hm...
Then this means if I make an openssl sig file with 64 byte pattern, it will work fine on all versions of ida?

Aimless
October 6th, 2012, 01:55
Quote:
[Originally Posted by Hero;93344]hm...
Then this means if I make an openssl sig file with 64 byte pattern, it will work fine on all versions of ida?


Yes.

Have Phun

Hero
October 6th, 2012, 03:12
Quote:
[Originally Posted by Aimless;93346]Yes.

Have Phun

Hi

I tested this with flair 6.1, but it fails.
I can make 64 bit patterns, but sigmake cannot convert 64 bit pattern file to signature file.

Regards

disavowed
October 6th, 2012, 18:57
Why do you feel the need to support all versions of IDA? Supporting the most recent couple of versions should be good enough.

Hero
October 7th, 2012, 07:55
Quote:
[Originally Posted by disavowed;93353]Why do you feel the need to support all versions of IDA? Supporting the most recent couple of versions should be good enough.

It is not important that it be all versions, but 64 bit pattern signatures are supported starting with version 6.3 (even I myself only have version 6.1).
In addition, I want to know how you make a signature, for example for openssl, when there are too many conflicts generally.
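
A triage helper for a large collision file like the one described in the first post, added here as an example and not posted by anyone in the thread. It assumes the .exc layout sigmake writes (`;` comment lines, one function per line with the name first, a blank line between collision groups, optional leading `+`/`-` marks); the sample names and patterns are constructed.

```python
from collections import Counter

# Constructed sample in the assumed sigmake .exc layout; names and patterns
# are illustrative, not taken from the attachment mentioned in the thread.
SAMPLE_EXC = """\
;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module

d2i_X509_ALGOR\t00 0000 8B4424048B4C2408
d2i_X509_NAME\t00 0000 8B4424048B4C2408
d2i_X509_SIG\t00 0000 8B4424048B4C2408

+i2d_X509_ALGOR\t00 0000 8B4424088B4C2404
i2d_X509_NAME\t00 0000 8B4424088B4C2404

PEM_read_bio_X509\t00 0000 8B442410508B4C24
PEM_read_bio_X509_AUX\t00 0000 8B442410508B4C24
"""

def parse_exc(text):
    """Return collision groups as lists of (mark, name); mark is '+', '-' or ''."""
    groups, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";"):        # header/comment line, never a group break
            continue
        if not line:                    # blank line closes the current group
            if current:
                groups.append(current)
                current = []
            continue
        mark = line[0] if line[0] in "+-" else ""
        fields = line[len(mark):].split()
        if fields:                      # skip a stray mark with no name after it
            current.append((mark, fields[0]))
    if current:                         # file may end without a trailing blank line
        groups.append(current)
    return groups

def triage(groups):
    """Summarise groups that still need a decision, by size and name family."""
    unresolved = [g for g in groups if not any(mark for mark, _ in g)]
    families = Counter(name.lstrip("_").split("_", 1)[0]
                       for g in unresolved for _, name in g)
    return {"groups": len(groups), "unresolved": len(unresolved),
            "largest": max((len(g) for g in unresolved), default=0),
            "families": families}

if __name__ == "__main__":
    print(triage(parse_exc(SAMPLE_EXC)))
```

The family counts show which name prefixes account for most of the undecided groups, which is where hand selection in the .exc file pays off first.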