
Thread: IDA FLIRT sigs from MSVC2010 static libraries failing w/ "not a coff" error

  1. #1


    Hi guys,

    I'm trying to wrap my head around a large project for which I have no source. I know that the executable was statically linked against Lua, zlib, libpng, and a large host of other software. I have no real experience with IDA, but I can see how using the FLAIR/FLIRT tools could be useful here. I started my attempt at generating sigs by compiling a static zlib library and extracting a pattern using the pcf executable packaged with the 6.1 FLAIR release. This fails with the following error:
    Code:
    C:\>pcf -d zlib.lib
    COFF parser. Copyright (c) 1997-2011 Hex-Rays. Version 1.21
    Pattern length: 32
    Minimal pattern defined bytes: 4
    Warning [zlib.lib] (Release Library\zutil.obj): please note, not a coff module at 0x9fa
    MODULE Release Library\zutil.obj
    Fatal [zlib.lib] (Release Library\zutil.obj): not a coff module
    press enter to exit.
    Please forgive me if this question has been answered before, or it's common knowledge, but how can I get this to work? I've searched all over the internet, and I have either been unable to find the answer or possibly unable to understand it.

    Thanks in advance from a long-time lurker and first-time poster!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    disavowed (Join Date: Apr 2002; Posts: 1,281)
    E-mail Ilfak (support@hex-rays.com). He usually responds within 24 hours.

  3. #3
    Sadly, it's not an option at present. The free version of IDA doesn't come with the FLIRT binaries, and... I was kind of hoping someone here had first-hand experience and could share a few tips. It seems like a pretty basic operation and one necessary to using IDA successfully.

  4. #4
    disavowed
    pcf.exe doesn't come with the free version... are you using a pirated version of IDA?

  5. #5

    As Above

    Quote: Originally Posted by disavowed
    pcf.exe doesn't come with the free version... are you using a pirated version of IDA?
    Oh, the humanity !!!



    On the other hand, you may try to reduce or increase the minimal pattern bytes. See the "help" files Ilfak generally assembles with the Flair utils.

    Have Phun
    Blame Microsoft, get l337 !!

  6. #6
    Aimless:

    A few minutes "early" on the "Oh, the humanity !!!" quote.

    Wonder how many will recognize the reference?

    Regards,
    JMI

  7. #7
    I came to you guys with what I felt was a polite request for assistance. Instead, I'm feeling kind of like I'm being ridiculed. I'm not sure if you guys (disavowed, specifically) are deriving pleasure from dangling me or if you just don't know the answer to the question I posed, but it's not a very warm welcome to the board or your community. I'm not going to try to fit a round peg into a square hole, but maybe you should consider the way you treat new guests, and possibly each other. Someday, you might need to ask a stranger for advice - I hope you meet with better success than I have.

    Regards,
    Mark

  8. #8
    disavowed
    Quote: Originally Posted by Mardok
    maybe you should consider the way you treat new guests
    Maybe you should consider the way you treat software developers whose software you're pirating.

  9. #9
    Hi,

    I know it's kinda late to reply to the topic, but compiling without the /GL option solved the problem. Hope this is useful for future readers of this topic.

    Greetings,

    Mr. eXoDia
    I promise that I have read the FAQ and tried to use the Search to answer my question.
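
A check related to the fix in post #9, as an added example (not from the thread and not Hex-Rays code): objects built with /GL hold compiler intermediate data under an anonymous object header (Sig1 = 0, Sig2 = 0xFFFF) instead of a COFF file header, which is consistent with pcf's "not a coff module" message. The script walks a .lib archive and reports which members are plain COFF; the sample archive bytes and the `_member` helper are constructed for illustration, and the class ID is the value LLVM's COFF.h lists as ClGlObjMagic.

```python
import struct

ARCHIVE_MAGIC = b"!<arch>\n"
# Class ID found in cl.exe /GL (LTCG) objects, as listed in LLVM's COFF.h (ClGlObjMagic).
CL_GL_CLASS_ID = bytes.fromhex("38feb30ca5d9ab4dac9bd6b6222653c2")
COFF_MACHINES = {0x014C: "x86", 0x8664: "x64"}

def classify_object(data):
    """Classify one archive member by its leading header bytes."""
    if len(data) < 4:
        return "too short"
    sig1, sig2 = struct.unpack_from("<HH", data, 0)
    if (sig1, sig2) == (0x0000, 0xFFFF):      # anonymous object header, not plain COFF
        if data[12:28] == CL_GL_CLASS_ID:     # class ID follows the 12-byte prefix
            return "ltcg (/GL) object, no machine code"
        return "anonymous object (import or bigobj)"
    if sig1 in COFF_MACHINES:                 # plain COFF starts with the Machine field
        return "coff " + COFF_MACHINES[sig1]
    return "unknown"

def iter_members(lib):
    """Yield (name, data) for each member of a .lib (ar-format) archive."""
    if not lib.startswith(ARCHIVE_MAGIC):
        raise ValueError("not an archive")
    pos = len(ARCHIVE_MAGIC)
    while pos + 60 <= len(lib):
        header = lib[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("bad member header at 0x%x" % pos)
        name = header[:16].decode("ascii").rstrip()
        size = int(header[48:58].decode("ascii"))
        yield name, lib[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)         # members are 2-byte aligned

def scan_library(lib):
    """Return {member name: classification}, skipping linker and longname members."""
    return {n: classify_object(d) for n, d in iter_members(lib)
            if n not in ("/", "//")}

def _member(name, data):                      # hypothetical helper: builds sample input
    hdr = b"%-16s%-12s%-6s%-6s%-8s%-10d`\n" % (name, b"0", b"", b"", b"0", len(data))
    return hdr + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample: one /GL-style member and one plain x86 COFF member.
GL_OBJ = struct.pack("<HHHHI", 0, 0xFFFF, 1, 0x014C, 0) + CL_GL_CLASS_ID + bytes(4)
COFF_OBJ = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0)
SAMPLE_LIB = ARCHIVE_MAGIC + _member(b"zutil.obj/", GL_OBJ) + _member(b"inflate.obj/", COFF_OBJ)

if __name__ == "__main__":
    print(scan_library(SAMPLE_LIB))
```

Any member reported as an ltcg object has to be rebuilt without /GL before a pattern file can be extracted from it.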
