Hero
October 3rd, 2012, 14:05
Hi all
I'm here for a small question after a long while.
I sometimes make ida sigs for my ida, and as you know, you will see collisions when you use sigmake.exe a lot of times. if your collision file(.exc file) is small, it will be no problem. But in case of large libraries, specially the ones that is very organized and well developed, you may see a lot of different important functions with same signature and you need to select 1 between them.
Now what you do in these cases?
I saw this switch in plb.exe:
I thought it is good to increase sig length in these cases for correct recognition, but as you see it says "Never use this switch".
What is best solution for cases like this?
For an example, I have attached collision file of OpenSSL 0.9.8x and you see a lot of i2d,d2i,PEM,... functions with same signature in it.
Regards
I'm here for a small question after a long while.
I sometimes make ida sigs for my ida, and as you know, you will see collisions when you use sigmake.exe a lot of times. if your collision file(.exc file) is small, it will be no problem. But in case of large libraries, specially the ones that is very organized and well developed, you may see a lot of different important functions with same signature and you need to select 1 between them.
Now what you do in these cases?
I saw this switch in plb.exe:
Code:
-p## Pattern length (default: 32)
Never use this switch, it is for debugging only.
I thought it is good to increase sig length in these cases for correct recognition, but as you see it says "Never use this switch".
What is best solution for cases like this?
For an example, I have attached collision file of OpenSSL 0.9.8x and you see a lot of i2d,d2i,PEM,... functions with same signature in it.
Regards