Thread: IDA Pro FLAIR421 "issues"...

  1. #1
    Wotan
    Guest

    IDA Pro FLAIR421 "issues"...

    Hello all,

    I’m trying to reverse engineer a satellite receiver based on the STMicroelectronics Sti5500 (ST20 core) using IDA Pro. I’m pretty sure that the receiver was coded using STM’s ST20 Toolbox (the toolbox has its own version of C for development).

    Now, I’ve been able to load the receiver’s firmware into IDA Pro, but would like to use the FLAIR tools to generate SIG patterns to get a better idea of what’s going on in the code. This is where the wheels fell off… The ST20 Toolset has a library (chock full of functions), but they don’t seem to be of any “type” that the FLAIR tools recognize.

    Anybody have any ideas on how to get the FLAIR tool to recognize these library functions, or how to make the code a little more readable? …ST20 assembly is a real “bear” to work with… Any advice would be appreciated…

    I’ve attached one of the math libraries if anyone wants to have a look at what “type” it is…

    TIA,

    W
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Wotan
    Guest
    Hmmm... Was the question too stupid? Or was it that no one knows? Anyone?

    W

  3. #3
    Do you need guidance with IDA's ST20 .sigs or with creating your own sigs from an existing idb; or both?

  4. #4
    Wotan
    Guest
    Thanks Doug,

    Well, like I said, I'm assuming (from what I've read) that I can use the FLAIR tool to generate PAT/SIGs from a C library that I believe the receiver was programmed in, correct? (although I'm somewhat familiar with IDA, I've never used the FLAIR tool)

    I'm trying to build a signature database for all these C functions (in the ST20 Toolbox) to reverse the firmware and make it a little more "readable"... But the problem seems to be that these libraries aren’t in any standard that the FLAIR tool can read or recognize.

    It’s quite possible that I’ve misunderstood what the FLAIR tool does. Am I on the right track here? I may need guidance, lol…

    Thanks,

    W

  5. #5
    Master Of Nebulah Frost Polaris's Avatar
    Join Date
    Jun 2002
    Location
    Invincible Cyclones Of FrostWinds
    Posts
    221
    The signature toolkit of IDA Pro works only with a finite number of library formats.

    If (and this is your situation) you have libraries that are in another one, you need a workaround.

    My advice is:
    1) Get your hands on the STxxx toolkit
    2) Use the libraries to produce a binary full of silly calls to most known library functions...
    3) Reverse it, and identify all of the functions
    4) Dump bytes for every function along with names
    5) Write a small IDC script that opens the dumps created and searches for them in the IDB
    6) You are done!

    It seems really more complex than it is... However, I once did something like this over some Modula2 binary, and it produced really good results.

    Byez
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...
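
Steps 4 and 5 of the procedure in post #5, sketched as an added example that is not part of the original thread: it runs as standalone Python over a raw firmware image rather than as an IDC script inside IDA. The function names and byte values are constructed placeholders, not real ST20 library code; `??` marks bytes that change between links (for example address operands), and `min_fixed` is an assumed threshold below which a dump is too short to trust.

```python
import re

# Constructed dumps (step 4): name -> hex bytes, "??" = byte that varies per link.
DUMPS = {
    "lib_sqrt":    "60 BF D0 71 ?? F4 25 FA D1 22 F0",
    "lib_memcpy":  "72 73 74 24 FA 22 F0",
    "lib_abs":     "70 22 F0",            # too few fixed bytes to trust
    "lib_missing": "41 42 43 44 45 46 47",
}

# Constructed firmware image: 0xFF padding with the routines placed inside it.
PAD = b"\xff" * 4
FIRMWARE = (PAD * 4
            + bytes.fromhex("60 BF D0 71 3C F4 25 FA D1 22 F0") + PAD
            + bytes.fromhex("72 73 74 24 FA 22 F0") + PAD
            + bytes.fromhex("72 73 74 24 FA 22 F0") + PAD)

def compile_dump(hex_pattern):
    """Build a regex from a dump; the lookahead lets overlapping hits be found."""
    body = b"".join(b"." if tok == "??" else re.escape(bytes.fromhex(tok))
                    for tok in hex_pattern.split())
    return re.compile(b"(?=" + body + b")", re.DOTALL)

def scan(image, dumps, min_fixed=6):
    """Step 5: name -> list of hit offsets, or None if the dump is too short."""
    results = {}
    for name, pattern in dumps.items():
        fixed = sum(tok != "??" for tok in pattern.split())
        if fixed < min_fixed:
            results[name] = None
            continue
        results[name] = [m.start() for m in compile_dump(pattern).finditer(image)]
    return results

def unique_names(results):
    """Only single-hit dumps are safe to apply as names: offset -> name."""
    return {hits[0]: name for name, hits in results.items()
            if hits is not None and len(hits) == 1}

if __name__ == "__main__":
    for name, hits in scan(FIRMWARE, DUMPS).items():
        print(name, "skipped" if hits is None else [hex(h) for h in hits])
```

A dump that hits more than once (here `lib_memcpy`) needs more bytes or manual review before it is used as a name.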

  6. #6
    If you can load math.lib into IDA Pro there are two plugins which can be of help: idb2sig and idb2pat. Both of them create .pat file from chosen function(s) in IDA database, so:

    1. Load math.lib into IDA
    2. Create .PAT file for all functions
    3. Create .sig file from .pat file using flair
    4. Apply .sig file to the receiver’s firmware

    I have been using idb2sig for x86 only, for Sti5500 it may require some modification.

    Tom

  7. #7
    Master Of Nebulah Frost Polaris's Avatar
    Quote Originally Posted by tom324
    If you can load math.lib into IDA Pro there are two plugins which can be of help: idb2sig and idb2pat.
    You are completely right man!
    I really forgot about those two plugins.... Are they updated anymore?

  8. #8
    Wotan
    Guest
    Gentlemen, thank you very much for the tips! I'll give those a shot and see what I can come up with... At least it gives me a starting point...

    Thanks again,

    W