Hi there,

I've been trying to make signature files for ida using the flair tool kit but without much success.

I've been trying to get the signature files for the flexlm lmgr327a.dll.

When I do plb lmgr327a.lib output
Everything looks like its fine but the pat file has the following


LMGR327A.dll 0000FF25..........................................................
.. 00 0000 0006 :0000 _lp_errstring ^0002 lp_errstring
LMGR327A.dll 0000 FF25..........................................................
.. 00 0000 0006 :0000 _lp_heartbeat ^0002 lp_heartbeat


Basically everything points to the dll file.

I tried doing a plb on lmgr327a.dll and I get an error saying its not a ar/coff file.

What switches should I be using for dll files ?

1. import libraries are just that, they won't have the real code you would want to feed into pcf. instead you need a library that is used for static linking (which therefore must have all the relevant code/data). since i don't know flexlm, you have to find it out yourself, probably there aren't too many candidates ;-).

2. you can't feed a .dll into pcf, although technically one should be able to write an app that can produce the .pat file from a .dll as well. your better option would be to load the .dll into IDA and export it to a .pat file using quine's IDC script.

The Flair toolkit is applied to *.lib and *.obj files. These files are contained inside of the Flexlm SDK for the version you are working on. You can download several versions from CrackZ's website. Install the SDK and then search it for *.lib and *.obj files. Feed these files into the PCF.exe and then feed the *.pat files into sigmake.exe. Check out the readme for how to handle errors.

The lmgr327a.dll I got was from Crackz's site SDK. I couldnt find any obj files but I'll keep on looking ...

thanks for the tips.

Sailor

I tried using quine's idc script and plugin from a page I found on the web. It didnt seem to work with ida 4.04. Do you have an update url for quine's scripts or does anybody have the updated scripts ?

Thanks in advance

Sailor

Oops sorry for the double post but I forgot to list the url that I used.

http://skyscraper.fortunecity.com/epson/928/menu.htm

[/QUOTE]
I tried using quine's idc script and plugin from a page I found on the web. It didnt seem to work with ida 4.04. Do you have an update url for quine's scripts or does anybody have the updated scripts ?
[/QUOTE]

for 4.04+ find/change this line to this (AskFile() has changed a bit):

pat_name = AskFile(1,"*.pat", "Choose where to save the .pat file:";

as far as i know he never published any updated versions of neither the script nor the plugin.

The Owl (12-18-2000 19:46):

I tried using quine's idc script and plugin from a page I found on the web. It didnt seem to work with ida 4.04. Do you have an update url for quine's scripts or does anybody have the updated scripts ?
[/QUOTE]

for 4.04+ find/change this line to this (AskFile() has changed a bit):

pat_name = AskFile(1,"*.pat", "Choose where to save the .pat file:";

as far as i know he never published any updated versions of neither the script nor the plugin.[/QUOTE]

You guys are wonderful. I finally have all the functions in target dll identified.

Thanks again.

Sailor