rheax
January 14th, 2010, 14:48
Summary:
Trying to import custom .sig file into IDA and I get the warning "signature format error (file pos=1caf)", and it does not seem to apply any signature.
There was a similar post at:
t-1026.html
But like the other author, I really have no clue what the response means.
I tried making a signature for a simple library I compiled (VC6 debug) and IDA loaded it fine.
Details:
IDA: 5.2.0.908 (32 bit)
FLAIR: flair38 (sigmake: 1.35, pcf: 1.10)
I need signatures for boost for an app I'm reversing. I used the boost installer to have it download pre-compiled boost libraries, included in them filesystem-vc80-mt-s-1_40.lib, which is my best guess to what they are probably using. I run the following:
$ cd /cygdrive/c/Program Files/boost/boost_1_40/lib
$ pcf libboost_filesystem-vc80-mt-s-1_40.lib libboost_filesystem-vc80-mt-s-1_40.pat
libboost_filesystem-vc80-mt-s-1_40.lib: skipped 44, total 895
$ sigmake libboost_filesystem-vc80-mt-s-1_40.pat libboost_filesystem-vc80-mt-s-1_40.sig
libboost_filesystem-vc80-mt-s-1_40.sig: modules/leaves: 643/359, COLLISIONS: 48
And delete the header from the top of the exc file so as to ignore all collisions. Rerunning:
$ sigmake libboost_filesystem-vc80-mt-s-1_40.pat libboost_filesystem-vc80-mt-s-1_40.sig
Now in IDA:
File -> Load File -> FLIRT signature file
Select libboost_filesystem-vc80-mt-s-1_40 (Unnamed sample library)
Get message saying it "has been put into queue and will be applied later"
In the background it says:
Loading signature XXX Just a moment...
But has the error box:
Warning: signature format error (file pos=1caf)
If it helps, relevant file area:
00001c90 74 65 6d 40 62 6f 6f 73 74 40 40 40 66 69 6c 65 |tem@boost@@@file|
00001ca0 73 79 73 74 65 6d 40 62 6f 6f 73 74 40 40 40 65 |system@boost@@@e|
00001cb0 78 63 65 70 74 69 6f 6e 5f 64 65 74 61 69 6c 40 |xception_detail@|
Let me know if posting any files would help.