Log in

View Full Version : Ida signature and unpacked program


Foreigner
October 7th, 2004, 03:52
I am working on a target and I have some problems to apply an ida signature.
The file was packed, I unpacked the target and I used imprec to rebuild the iat. After that, I opened the file with ida and when the autoanalysis is finished I tried to apply miracl signature but Ida is not able to recognize a single reference. This is strange because I can see all miracle's functions inside the exe, I mean mirvar, powmod, ...
Is it possible that Ida is not able to apply signature on unpacked programs? Do I have to change something in the unpacked file, or is it my unpacked file wrong (even if it runs fine)?

Thanks in advance.
foreigner

reverser
October 7th, 2004, 04:32
IDA applies signatures only to sections with an executable flag set. Your unpacked code section is probably marked just RW.

Foreigner
October 7th, 2004, 13:00
No, it's also executable...

TQN
October 8th, 2004, 00:14
It can be the incorrect version between the miracl lib used to create signature file and the miracl lib used in your program.

Foreigner
October 8th, 2004, 04:53
TQN: could it be but how can I know which is the version used?

TQN
October 9th, 2004, 04:16
No way to know, but you can search in the exe to find the hard code version of miracl if it have, and some signature file have the version info in the description which the author of that signature added.
If you know exactly a function of miracl in IDA, try extract the obj file from the lib file of multiple version of miracle, and open it with IDA and compare the code.
Hope it will help you.
Best regards,
TQN