Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

IDA FLIRT sigs from MSVC2010 static libraries failing w/ "not a coff" error

Questions concerning tools (other than OllyDbg) - IDA Pro, SoftIce, member contributions, etc.
<b>NOTE:</b> You must <b>always</b> make sure you cannot find what you are looking for in our <a href="/collaborative/tools">Collaborative RCE Tool Library</a> before asking for <b>any</b> tools that can do this or that though!
Locked
Mardok
Junior Member
Posts: 3
Joined: Fri May 04, 2012 3:05 am

IDA FLIRT sigs from MSVC2010 static libraries failing w/ "not a coff" error

Post by Mardok »

Hi guys,

I'm trying to wrap my head around a large project for which I have no source. I know that the executable was statically linked against Lua, zlib, libpng, and a large host of other software. I have no real experience with IDA, but I can see how using the FLAIR/FLIRT tools could be useful here. I started my attempt at generating sigs by compiling a static zlib library and extracting a pattern using the pcf executable packaged with the 6.1 FLAIR release. This fails with the following error:

Code: Select all

C:\>pcf -d zlib.lib
COFF parser. Copyright (c) 1997-2011 Hex-Rays. Version 1.21
Pattern length: 32
Minimal pattern defined bytes: 4
Warning [zlib.lib] (Release Library\zutil.obj): please note, not a coff module at 0x9fa
MODULE Release Library\zutil.obj
Fatal [zlib.lib] (Release Library\zutil.obj): not a coff module
press enter to exit.
Please forgive my if this question has been answered before, or it's common knowledge, but how can I get this to work? I've searched all over the internet, and I have either been unable to find the answer or possibly unable to understand it.

Thanks in advance from a long-time lurker and first-time poster!
User avatar
disavowed
Posts: 1290
Joined: Mon Apr 01, 2002 3:00 pm

Post by disavowed »

E-mail Ilfak ([email protected]). He usually responds within 24 hours.
Mardok
Junior Member
Posts: 3
Joined: Fri May 04, 2012 3:05 am

Post by Mardok »

Sadly, it's not an option at present. The free version of IDA doesn't come with the FLIRT binaries, and... I was kind of hoping someone here had first-hand experience and could share a few tips. It seems like a pretty basic operation and one necessary to using IDA successfully.
User avatar
disavowed
Posts: 1290
Joined: Mon Apr 01, 2002 3:00 pm

Post by disavowed »

pcf.exe doesn't come with the free version... are you using a pirated version of IDA?
User avatar
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

As Above

Post by Aimless »

disavowed wrote:pcf.exe doesn't come with the free version... are you using a pirated version of IDA?
Oh, the humanity !!!



On the other hand, you may try to reduce or increase the minimal pattern bytes. See the "help" files Ilfak generally assembles with the Flair utils.

Have Phun
Blame Microsoft, get l337 !!
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

Aimless:

A few minutes "early" on the "Oh, the humanity !!!" quote. :devil:

Wonder how many will recognize the reference?

Regards,
JMI
Mardok
Junior Member
Posts: 3
Joined: Fri May 04, 2012 3:05 am

Post by Mardok »

I came to you guys with what I felt was a polite request for assistance. Instead, I'm feeling kind of like I'm being ridiculed. I'm not sure if you guys (disavowed, specifically) are deriving pleasure from dangling me or if you just don't know the answer to the question I posed, but it's not a very warm welcome to the board or your community. I'm not going to try to fit a round peg into a square hole, but maybe you should consider the way you treat new guests, and possibly each other. Someday, you might need to ask a stranger for advice - I hope you meet with better success than I have.

Regards,
Mark
User avatar
disavowed
Posts: 1290
Joined: Mon Apr 01, 2002 3:00 pm

Post by disavowed »

Mardok wrote:maybe you should consider the way you treat new guests
Maybe you should consider the way you treat software developers whose software you're pirating.
mr.exodia
Junior Member
Posts: 1
Joined: Thu Aug 22, 2013 7:19 pm

Post by mr.exodia »

Hi,

I know it's kinda late to reply to the topic, but compiling without the /GL option solved the problem. Hope this is useful for future readers of this topic.

Greetings,

Mr. eXoDia
Locked