IDA Pro FLAIR421 "issues"...


Wotan
March 23rd, 2005, 14:27
Hello all,

I’m trying to reverse engineer a satellite receiver based on the STMicroelectronics Sti5500 (ST20 core) using IDA Pro. I’m pretty sure that the receiver was coded using STM’s ST20 Toolbox (the toolbox has its own version of C for development).

Now, I’ve been able to load the receiver’s firmware into IDA Pro, but would like to use the FLAIR tools to generate SIG patterns to get a better idea of what’s going on in the code. This is where the wheels fell off… The ST20 Toolset has a library (chock full of functions), but they don’t seem to be of any “type” that the FLAIR tools recognize.

Anybody have any ideas on how to get the FLAIR tool to recognize these library functions, or how to make the code a little more readable? …ST20 assembly is a real “bear” to work with… Any advice would be appreciated…

I’ve attached one of the math libraries if anyone wants to have a look at what “type” it is…

TIA,

W

Wotan
March 29th, 2005, 15:39
Hmmm... Was the question too stupid? Or was it that no one knows? Anyone?

W

doug
March 29th, 2005, 16:45
Do you need guidance with IDA's ST20 .sigs or with creating your own sigs from an existing idb; or both?

Wotan
March 30th, 2005, 01:01
Thanks Doug,

Well, like I said, I'm assuming (from what I've read) that I can use the FLAIR tool to generate PAT/SIGs from a C library that I believe the receiver was programmed in, correct? (Although I'm somewhat familiar with IDA, I've never used the FLAIR tool.)

I'm trying to build a signature database for all these C functions (in the ST20 Toolbox) to reverse the firmware and make it a little more "readable"... But the problem seems to be that these libraries aren’t in any standard that the FLAIR tool can read or recognize.

It’s quite possible that I’ve misunderstood what the FLAIR tool does. Am I on the right track here? I may need guidance, lol…

Thanks,

W

Polaris
March 30th, 2005, 02:16
The signature toolkit of IDA Pro only works with a limited number of library formats.

If (and this is your situation) your libraries are in another format, you need a workaround.

My advice is:
1) get your hands on the STxxx toolkit
2) use the libraries to produce a binary full of silly calls to most known library functions...
3) reverse it, and identify all of the functions
4) dump bytes for every function along with names
5) write a small IDC script that opens the dumps created and searches for them in the IDB
6) You are done!

It seems really more complex than it is... However, I once did something like this over some Modula2 binary, and it produced really good results.

Byez
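Steps 4 and 5 of the workaround above, as an added example that is not from this thread: a short Python script (rather than the IDC script Polaris mentions) that takes per-function byte dumps, masks the linker-patched bytes as wildcards in the same hex-with-`..` notation a FLAIR .pat line starts with, and searches a firmware image for them. The function names, byte sequences and the firmware blob are all constructed for the example and are not real ST20 library code.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample dumps (not real ST20 library code): the bytes of each
# library function as dumped in step 4, with None marking a byte the linker
# patches (an address), which differs between builds and must be a wildcard.
LIB_DUMPS: Dict[str, List[Optional[int]]] = {
    "_fabs": [0x60, 0xF0, 0x24, 0x4A, None, None, 0x21, 0xF5, 0x73, 0x21],
    "_sqrt": [0x24, 0xF2, 0x41, 0x23, 0xF0, 0x70, None, None, None, None,
              0x21, 0xF5, 0x42],
}

# Constructed firmware image: filler, _fabs with a patched address 0x1234,
# two padding bytes, _sqrt with a patched address 0xDEADBEEF, more filler.
FIRMWARE = (
    b"\x00" * 4
    + bytes([0x60, 0xF0, 0x24, 0x4A, 0x12, 0x34, 0x21, 0xF5, 0x73, 0x21])
    + b"\xFF\xFF"
    + bytes([0x24, 0xF2, 0x41, 0x23, 0xF0, 0x70, 0xDE, 0xAD, 0xBE, 0xEF,
             0x21, 0xF5, 0x42])
    + b"\x00" * 3
)

def to_pat_prefix(dump: List[Optional[int]]) -> str:
    """Render a dump in the hex-with-'..' wildcard notation a .pat line uses."""
    return "".join(".." if b is None else f"{b:02X}" for b in dump)

def to_regex(dump: List[Optional[int]]) -> re.Pattern:
    """Turn a dump into a bytes regex where each wildcard matches any one byte."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in dump]
    return re.compile(b"".join(parts), re.DOTALL)

def scan_firmware(firmware: bytes,
                  dumps: Dict[str, List[Optional[int]]]) -> List[Tuple[int, str]]:
    """Step 5: search every pattern in the image, return sorted (offset, name)."""
    hits = []
    for name, dump in dumps.items():
        for m in to_regex(dump).finditer(firmware):
            hits.append((m.start(), name))
    return sorted(hits)

if __name__ == "__main__":
    for name, dump in LIB_DUMPS.items():
        print(f"{to_pat_prefix(dump)}  {name}")
    for offset, name in scan_firmware(FIRMWARE, LIB_DUMPS):
        print(f"0x{offset:08X}  {name}")
```

In a real run the hits would be fed to the IDB (naming each matched offset), and short patterns with many wildcards should be checked by hand, since they match easily by chance.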

tom324
March 30th, 2005, 04:45
If you can load math.lib into IDA Pro there are two plugins which can be of help: idb2sig and idb2pat. Both of them create a .pat file from chosen function(s) in an IDA database, so:

1. load math.lib into IDA
2. Create .PAT file for all functions
3. create a .sig file from the .pat file using FLAIR
4. Apply .sig file to the receiver’s firmware

I have been using idb2sig for x86 only, for Sti5500 it may require some modification.

Tom

Polaris
March 30th, 2005, 06:53
Quote (originally posted by tom324):
If you can load math.lib into IDA Pro there are two plugins which can be of help: idb2sig and idb2pat.

You are completely right man!
I really forgot about those two plugins.... Are they still being updated?

Wotan
April 1st, 2005, 12:29
Gentlemen, thank you very much for the tips! I'll give those a shot and see what I can come up with... At least it gives me a starting point...

Thanks again,

W