
IDA FLIRT Annoyances


bilbo
April 22nd, 2005, 05:57
Hi mates,
in frequent cases, when I try to disassemble with IDA, the FLIRT engine fails to identify some functions...

For example, using MSVC:
Code:

/*
 * file pgm.c
 * WARNING: this program is not intended to be run :-)
 * The two calls exist only to pull _fread and _fwrite out of the CRT
 * library into the executable, so that FLIRT has something to recognize.
 */

#include <stdio.h>

int
main(void)
{
    fwrite(0, 0, 0, 0);
    fread(0, 0, 0, 0);
    return 0;
}


If we compile this file as "cl pgm.c" there are no problems: _fread and _fwrite are correctly identified.
But if we compile as "cl -MT pgm.c", neither function is recognized. The reason is simple: the library used is now LIBCMT.LIB instead of LIBC.LIB.

Furthermore, in many cases "unknown_libname"s are proposed to the reverser (due to signature collisions, that's true, but the position in the executable and the names of the nearest functions could help in the identification!).

Some questions arise at this point:

(1) Is there some public signature repository, in order to avoid rebuilding the .SIG files every time (and to avoid having to own the corresponding .LIB)? I'm afraid I already know the answer... so the next question is: could someone host some public signature repository, etc. etc.?

(2) How can IDA automatically plan to load some signatures in preference to others? In the case above I want to avoid the automatic loading of VC32RTF.SIG and use a better one, for example. And is it possible to remove already applied signatures?

(3) Is there some alternate "FLIRT" engine on the scene?
Azure, by Polaris, seems a good candidate, but I haven't seen anything yet. What is the input signature file format? Is it Open Source?

Best regards, bilbo

Polaris
April 22nd, 2005, 06:57
Quote:
[Originally Posted by bilbo](1) Is there some public signature repository, in order to avoid rebuilding the .SIG files every time (and to avoid having to own the corresponding .LIB)? I'm afraid I already know the answer... so the next question is: could someone host some public signature repository, etc. etc.?


Well, I suppose that one can ask the IDA Palace for hosting... I know they already have some signature stuff floating around... But I also fear they would only support registered users...

Otherwise, I have a resource section in my website that can easily host reverser-made signatures.

Quote:
[Originally Posted by bilbo](2) How can IDA automatically plan to load some signatures in preference to others? In the case above I want to avoid the automatic loading of VC32RTF.SIG and use a better one, for example. And is it possible to remove already applied signatures?


AFAIK, IDA uses special (different from the standard) scanning techniques over the CRT to identify the compiler (these are called STARTUP SIGNS)... Then it just applies the signs corresponding to the identified compiler.

It is not possible to remove the applied signs, due to the heaviness of the information *usually* applied with signatures: code paths, names, parameters, special cases...

In special situations, I load the input file without using FLIRT and then apply the signatures manually.

Quote:
[Originally Posted by bilbo](3) Is there some alternate "FLIRT" engine on the scene?
Azure, by Polaris, seems a good candidate, but I haven't seen anything yet. What is the input signature file format? Is it Open Source?

Best regards, bilbo


Well, I am currently *extremely* busy and cannot dedicate much time to AZURE (well, hopefully this will change in summer). But do not lose faith... I still master Nebulah Frost!