Results 1 to 5 of 5

Thread: How to create .sig file from .cpp?

  1. #1

    How to create .sig file from .cpp?

    Hi, here is an interesting (to me) dilemma I am faced with: I have a compiled third party DLL which I wish to reverse. I also have the SDK for this particular app which includes sample source code.

    My feeling id the third party developer has used the sample DLL as a template and added there own methods to it.

    Of course IDA cannot identify these method names as there isn't a .SIG file available. Is there any way I can use the supplied .cpp files to create a library and ultimately a signature file to help me make better sense of the disassembly listing?

    PS I've searched the forum and found reference to how to do this for Delphi source but not C++. Or perhaps there is another approach I am not aware of? I hope someone can enlighten me.

    Kind regards,
    5aLive.

  2. #2

    As Above

    1. Compile the CPP files (remember, compile ONLY, do not link)
    2. See the resulting .OBJ files?
    3. Run the IDA FLIRT utilities on the .OBJ files
    4. Voila! Instant .SIG files
    5. Copy those .SIG files to the SIG folder of IDA
    6. Disassemble the app in IDA
    7. Open the "APPLY SIGNATURE" box
    8. Select your signatures and apply
    9. Have Phun!


    Have Phun
    Blame Microsoft, get l337 !!

  3. #3
    Thankyou Aimless,

    having done this, IDA will now identify the method calls in the DLL. I have one other question, can I somehow merge these object files before applying FLIRT so that I need only apply a single signature file?

    I expect you would have described this technique if it were possible.

    Thanks for you help Sir.

  4. #4

    As Above

    Simple.

    Instead of merging .OBJ files, why don't you create a SINGLE .SIG file? Its the same thing in the end.

    Check up the documentation that comes with FLIRT to see how to add multiple OBJ file signatures into a single .SIG file

    Using the parameter "-a" without the quotes comes immedately to mind.

    Have Phun
    (Any Hey, you can always call me Aimless. I'm not THAT old yet)
    Blame Microsoft, get l337 !!

  5. #5
    Perfect. Thats exactly what I want I to achieve. I'll read up on FLIRT and get started on this.

    Addressing you as "Sir" is a little regional humour of sorts, I'll call you Aimless from now on if you like. Isn't your user name a little self-depreciating? It's like me calling myself Pointless, I wouldn't much care for people calling me that.

    EDIT:Just a thought, will the IDA .SIG file still create identifiable methods regardless of the compiler and its optimizations used?

    Thankyou once again.
    Last edited by 5aLIVE; April 26th, 2005 at 04:24.

Similar Threads

  1. Unable to create signature file in IDA Pro
    By akovid in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: January 28th, 2014, 01:31
  2. IDA: create and apply structs
    By deepzero in forum The Newbie Forum
    Replies: 4
    Last Post: July 31st, 2013, 03:12
  3. OllyICE doesn't create .udd file for an unpacked executable
    By jayoce in forum OllyDbg Support Forums
    Replies: 5
    Last Post: December 17th, 2008, 04:19
  4. How should I create INC for NICE 4.3.1
    By Timbo in forum The Newbie Forum
    Replies: 3
    Last Post: May 19th, 2004, 14:13
  5. How to create a patcher and..
    By RevoQer in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: November 26th, 2001, 00:32

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •