├── 1.jpg
├── 2.jpg
├── 3.jpg
├── IDASignMaker.bat
├── IDASignMakerSimple.bat
├── ReadMe.md
├── SigDB
│   └── pc
│       ├── vc6libc.sig
│       └── zlib1.28Stactic.sig
├── Test.bat
├── Test.exe
├── bin
│   ├── dumpsig.exe
│   ├── lib2sig.bat
│   ├── pelf.exe
│   ├── plb.exe
│   ├── sigmake.exe
│   ├── sigmake1.bak
│   ├── sigmake1.exe
│   └── sigmake5.exe
├── crc16.cpp
├── ida签名制造工具资源库
│   ├── SigMaker
│   │   ├── Release
│   │   │   └── SigMaker.exe
│   │   ├── SigMaker.sln
│   │   └── SigMaker
│   │       ├── SigMaker.cpp
│   │       ├── SigMaker.h
│   │       ├── SigMaker.vcxproj
│   │       ├── SigMaker.vcxproj.filters
│   │       ├── SigMaker.vcxproj.user
│   │       ├── stdafx.cpp
│   │       ├── stdafx.h
│   │       └── targetver.h
│   ├── readme.txt
│   ├── sig_win_exe
│   │   ├── dumpsig.exe
│   │   ├── pcf.exe
│   │   ├── pelf.exe
│   │   ├── pelf.rtb
│   │   ├── plb.exe
│   │   ├── pmacho.exe
│   │   ├── pomf166.exe
│   │   ├── ppsx.exe
│   │   ├── ptmobj.exe
│   │   ├── sigmake.exe
│   │   └── zipsig.exe
│   ├── sigmake说明书注释版
│   │   ├── pat.txt
│   │   ├── plb.txt
│   │   └── sigmake.txt
│   ├── 内核开发常用库(貌似没啥用 只是一些声明 不是函数实现细节 不能用来制造sig).zip
│   ├── 制造sig批处理(fix有点问题)
│   │   ├── lib2sig.bat
│   │   └── lib2sig_fix.bat
│   └── 视频.exe
├── lib2sig.bat
├── libc_objs
│   └── LIBC.LIB
├── news
├── pat.rus
├── pat.txt
├── pcf.exe
├── pcf.txt
├── plb.txt
├── readme
├── sigmake.txt
├── vc6libc.jpg
└── vc_tools
    ├── LIB.EXE
    ├── LINK.EXE
    └── MSPDB60.DLL

--------------------------------------------------------------------------------
/1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/1.jpg
--------------------------------------------------------------------------------
/2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/2.jpg
--------------------------------------------------------------------------------
/3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/3.jpg
--------------------------------------------------------------------------------
/IDASignMaker.bat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/IDASignMaker.bat
--------------------------------------------------------------------------------
/IDASignMakerSimple.bat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/IDASignMakerSimple.bat
--------------------------------------------------------------------------------
/ReadMe.md:
--------------------------------------------------------------------------------
### IDASigMaker

This technique lets IDA recognise the standard library functions emitted by supported compilers, which greatly improves the usability and readability of the resulting disassembly.

##### Original post

[逆向技术之熟悉IDA工具 (Reversing: getting familiar with the IDA tool)](https://bbs.pediy.com/thread-224499.htm)

Tool versions: sigmake.exe v1.4.5, dumpsig.exe v1.20

#### Usage

Example library: D:\Program Files\Microsoft Visual Studio\VC98\Lib\LIBC.LIB

From cmd, run lib2sig.bat with the library name (without the .lib extension) as its argument:

```
lib2sig.bat libc
```

```
A folder named after the library (libc_objs) is created automatically; copy LIBC.LIB into it and press any key to continue.

When the script stops with a "press Enter" prompt, press Enter.

libc.sig is generated. Rename it to vc6libc.sig (one already exists in SigDB/pc) and copy it into IDA's sig/pc directory. The location matters: IDA only offers signatures placed under its own sig directory tree (pc for x86).

In IDA press Shift+F5 --> right-click --> Apply new signature..., search for vc6lib and apply it.

The library functions are now recognised.
```


##### Screenshots

IDA's default view

![IDA default view](./1.jpg)


Method 1: import a signature for the whole lib

![vc6libc.jpg](vc6libc.jpg)


Method 2: import a signature for a single API

![imported sig](./2.jpg)


Result after importing the sig

![result after importing the sig](3.jpg)


##### ida签名制造工具资源库 (IDA signature-making tool resource library) by killpy

[ida签名制造工具资源库](ida签名制造工具资源库)

sigmake.exe v1.4.8, dumpsig.exe v1.22

##### References

[https://www.hex-rays.com/products/ida/tech/flirt/index.shtml](https://www.hex-rays.com/products/ida/tech/flirt/)


[IDA Pro FLAIR: making signatures for static library files (illustrated tutorial)](https://blog.csdn.net/cwg2552298/article/details/81749521)


[IDA signature-making tool for open-source game libraries, by killpy](https://bbs.pediy.com/thread-248815.htm)



##### Some ready-made sig files

[FLIRT Signature File Database](https://github.com/Maktm/FLIRTDB)


[IDA FLIRT Signature Database](https://github.com/push0ebp/sig-database)

--------------------------------------------------------------------------------
/SigDB/pc/vc6libc.sig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/SigDB/pc/vc6libc.sig
--------------------------------------------------------------------------------
/SigDB/pc/zlib1.28Stactic.sig:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/SigDB/pc/zlib1.28Stactic.sig
--------------------------------------------------------------------------------
/Test.bat:
--------------------------------------------------------------------------------
::@ECHO OFF & CD /D %~DP0 & TITLE IDA API 特征码生成工具_测试脚本
lib2sig.bat libc
--------------------------------------------------------------------------------
/Test.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/Test.exe
--------------------------------------------------------------------------------
/bin/dumpsig.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/bin/dumpsig.exe
--------------------------------------------------------------------------------
/bin/lib2sig.bat:
--------------------------------------------------------------------------------
md %1_objs
cd %1_objs
rem Extract every member .obj from the .lib (needs the VC6 link.exe from vc_tools on PATH).
for /f %%i in ('link -lib /list %1.lib') do link -lib /extract:%%i %1.lib
rem One .pat per .obj. bin/ ships no upcf; the repo root ships pcf.exe, the COFF parser
rem that the killpy variant of this script calls.
for %%i in (*.obj) do upcf %%i
rem First pass. When patterns collide sigmake writes %1.exc instead of %1.sig;
rem the pause is the chance to mark the modules to keep with '+' by hand.
sigmake -n"%1.lib" *.pat %1.sig
pause
rem Strip sigmake's ';' comment header so it will read the .exc on the second pass.
rem Reading via stdin avoids the "---------- FILE" banner that find prints for a named
rem file. Any collision group left without a '+' is excluded from the signature.
if exist %1.exc (
  type %1.exc | find /v ";" > abc.exc
  copy /y abc.exc %1.exc
  del abc.exc
)
sigmake -n"%1.lib" *.pat %1.sig
copy %1.sig ..\%1.sig
cd ..
del %1_objs /s /q
rd %1_objs
--------------------------------------------------------------------------------
/bin/pelf.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/bin/pelf.exe
--------------------------------------------------------------------------------
/bin/plb.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/bin/plb.exe
--------------------------------------------------------------------------------
/bin/sigmake.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/bin/sigmake.exe
--------------------------------------------------------------------------------
/bin/sigmake1.bak:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/bin/sigmake1.bak
--------------------------------------------------------------------------------
/bin/sigmake1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/bin/sigmake1.exe
--------------------------------------------------------------------------------
/bin/sigmake5.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/bin/sigmake5.exe
--------------------------------------------------------------------------------
/crc16.cpp:
--------------------------------------------------------------------------------
#include <stddef.h>   /* size_t */

#define POLY 0x8408
/*
//                                      16    12    5
// this is the CCITT CRC 16 polynomial X   + X   + X  + 1.
// This works out to be 0x1021, but the way the algorithm works
// lets us use 0x8408 (the reverse of the bit pattern). The high
// bit is always assumed to be set, thus we only use 16 bits to
// represent the 17 bit value.
*/

/* CRC16 as written into FLAIR .pat files (see pat.txt): the register is
   inverted and its two bytes swapped before the value is returned. */
unsigned short crc16(unsigned char *data_p, size_t length)
{
  unsigned char i;
  unsigned int data;

  if ( length == 0 ) return 0;
  unsigned int crc = 0xFFFF;
  do
  {
    data = *data_p++;
    for ( i=0; i < 8; i++ )          /* LSB-first (reflected) bitwise update */
    {
      if ( (crc ^ data) & 1 )
        crc = (crc >> 1) ^ POLY;
      else
        crc >>= 1;
      data >>= 1;
    }
  } while ( --length != 0 );

  crc = ~crc;
  data = crc;
  crc = (crc << 8) | ((data >> 8) & 0xff);   /* swap the two result bytes */
  return (unsigned short)(crc);
}

--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/Release/SigMaker.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/SigMaker/Release/SigMaker.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.30501.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SigMaker", "SigMaker\SigMaker.vcxproj", "{705D1481-58EE-4D4B-A409-6F6E6390602F}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Win32 = Debug|Win32
		Release|Win32 = Release|Win32
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{705D1481-58EE-4D4B-A409-6F6E6390602F}.Debug|Win32.ActiveCfg = Debug|Win32
		{705D1481-58EE-4D4B-A409-6F6E6390602F}.Debug|Win32.Build.0 = Debug|Win32
		{705D1481-58EE-4D4B-A409-6F6E6390602F}.Release|Win32.ActiveCfg = Release|Win32
		{705D1481-58EE-4D4B-A409-6F6E6390602F}.Release|Win32.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/SigMaker.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/SigMaker/SigMaker/SigMaker.cpp
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/SigMaker.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/SigMaker/SigMaker/SigMaker.h
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/SigMaker.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML markup was lost in extraction and only element values survive. Recoverable settings: configurations Debug|Win32 and Release|Win32; ProjectGuid {705D1481-58EE-4D4B-A409-6F6E6390602F}; RootNamespace SigMaker; ConfigurationType Application; PlatformToolset v120 (Visual Studio 2013); CharacterSet MultiByte; WarningLevel Level3; Optimization Disabled; PreprocessorDefinitions WIN32;_DEBUG;_CONSOLE;_LIB for Debug and WIN32;NDEBUG;_CONSOLE;_LIB for Release; SubSystem Console; GenerateDebugInformation true; AdditionalDependencies shell32.lib in the Debug configuration.)
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/SigMaker.vcxproj.filters:
--------------------------------------------------------------------------------
(Visual Studio filter file; XML markup lost in extraction. Recoverable content: the standard Source Files filter {4FC737F1-C7A5-4376-A066-2A32D752A2FF} with extensions cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx, the Header Files filter {93995380-89BD-4b04-88EB-625FBE52EBFB} with h;hh;hpp;hxx;hm;inl;inc;xsd, and the Resource Files filter {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} with rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms; three files are assigned to the 头文件 (Header Files) filter and two to 源文件 (Source Files).)
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/SigMaker.vcxproj.user:
--------------------------------------------------------------------------------
(Empty per-user settings file; XML markup lost in extraction.)
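The crc16.cpp above is the checksum that FLAIR stores in every .pat line, and the README's lib2sig.bat pipeline is pcf producing those lines before sigmake compiles them into a .sig. The following is an added example, not code from the IDASignMaker repository or from FLAIR: a Python port of crc16.cpp plus a builder for one complete .pat line, following the layout FLAIR's pat.txt documents (the repo ships an annotated copy under sigmake说明书注释版): 32 lead bytes with `..` for relocated bytes, the CRC length, the CRC16, the total length, the public names and the tail bytes. The x86 stub, its relocated-byte offsets and the symbol name are constructed for this example; in the real tool chain pcf/pelf derive the variable bytes from the object's relocation entries.

```python
"""Build FLIRT .pat lines from raw function bytes.

Added example; not code from the IDASignMaker repository or from FLAIR.
crc16() is a port of crc16.cpp, and the line layout follows FLAIR's pat.txt.
SAMPLE_CODE, its relocated-byte offsets and the symbol name are constructed;
in the real tool chain pcf/pelf derive the variable bytes from relocations.
"""
from __future__ import annotations

POLY = 0x8408        # reversed CCITT polynomial, as in crc16.cpp
LEAD_LEN = 32        # bytes written verbatim at the start of every line
MAX_CRC_LEN = 255    # the CRC length is a one-byte field


def crc16(data: bytes) -> int:
    """Port of crc16.cpp: reflected CRC-16/CCITT, init 0xFFFF, inverted, byte-swapped."""
    if not data:
        return 0
    crc = 0xFFFF
    for byte in data:
        for _ in range(8):
            if (crc ^ byte) & 1:
                crc = (crc >> 1) ^ POLY
            else:
                crc >>= 1
            byte >>= 1
    crc = ~crc & 0xFFFF
    return ((crc << 8) & 0xFF00) | (crc >> 8)


def hex_pattern(code: bytes, variable: set[int], start: int, end: int) -> str:
    """Hex-encode code[start:end], writing '..' for bytes a relocation will patch."""
    return "".join(".." if i in variable else f"{code[i]:02X}" for i in range(start, end))


def make_pat_line(code: bytes, variable: set[int], names: dict[int, str]) -> str:
    """One .pat line: lead pattern, CRC length, CRC16, total length, public names, tail."""
    if not 0 < len(code) <= 0xFFFF:
        raise ValueError("function length must fit the 16-bit length field")
    lead_end = min(LEAD_LEN, len(code))
    # Short functions are padded with '..' so the lead field is always 64 characters.
    lead = hex_pattern(code, variable, 0, lead_end) + ".." * (LEAD_LEN - lead_end)

    # The CRC covers the bytes after the lead up to the first variable byte (max 255).
    crc_end = lead_end
    while crc_end < len(code) and crc_end - lead_end < MAX_CRC_LEN and crc_end not in variable:
        crc_end += 1
    crc = crc16(code[lead_end:crc_end])

    name_fields = " ".join(f":{off:04X} {name}" for off, name in sorted(names.items()))
    tail = hex_pattern(code, variable, crc_end, len(code))   # bytes after the CRC region
    line = f"{lead} {crc_end - lead_end:02X} {crc:04X} {len(code):04X} {name_fields}"
    return f"{line} {tail}" if tail else line


# Constructed x86 stub (hypothetical): prologue, call, absolute load, call, epilogue.
SAMPLE_CODE = bytes.fromhex(
    "558BEC83EC08"                  # push ebp; mov ebp,esp; sub esp,8
    "E800000000"                    # call rel32        -> bytes 7..10 relocated
    "8945FC"                        # mov [ebp-4],eax
    "A100000000"                    # mov eax,[abs32]   -> bytes 15..18 relocated
    "0345FC8945F88B45F88B4DFC03C1"  # arithmetic on locals
    "E800000000"                    # call rel32        -> bytes 34..37 relocated
    "8BE55DC3"                      # mov esp,ebp; pop ebp; ret
)
SAMPLE_VARIABLE = set(range(7, 11)) | set(range(15, 19)) | set(range(34, 38))
SAMPLE_NAMES = {0: "_sum_with_global"}   # hypothetical public symbol at offset 0


if __name__ == "__main__":
    print(make_pat_line(SAMPLE_CODE, SAMPLE_VARIABLE, SAMPLE_NAMES))
    print("---")   # a .pat file ends with this terminator line
```

Running it prints a line sigmake would accept for this stub: the second `call` at offset 33 ends the CRC region after only two bytes (C1 E8), which is why relocation-heavy functions get weak CRCs and collide more often, and why the `.exc` step in lib2sig.bat exists.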
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/SigMaker/SigMaker/stdafx.cpp
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/SigMaker/SigMaker/stdafx.h
--------------------------------------------------------------------------------
/ida签名制造工具资源库/SigMaker/SigMaker/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/SigMaker/SigMaker/targetver.h
--------------------------------------------------------------------------------
/ida签名制造工具资源库/readme.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/readme.txt
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/dumpsig.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/dumpsig.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/pcf.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/pcf.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/pelf.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/pelf.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/pelf.rtb:
--------------------------------------------------------------------------------

/* ====================================================================================== */
/* This file contains information about ELF relocations, for                              */
/* use by the 'pelf' utility.                                                             */
/*                                                                                        */
/* Since 'pelf' is in charge of creating a '.pat' pattern file,                           */
/* that contains sequences of bytes representing code to be later                         */
/* matched in binaries, it is important that portions of that                             */
/* code that are [link|run]time-dependent be ignored when trying to                       */
/* match patterns.                                                                        */
/*                                                                                        */
/* For example, if pelf is processing a relocatable ELF file, which                       */
/* contains the following Intel x86 code:                                                 */
/*   >> call some_function                                                                */
/* or, in binary form:                                                                    */
/*   >> 0xE8 0x00 0x00 0x00 0x00                                                          */
/* and since the final address of 'some_function' is not known at                         */
/* this time (i.e., it will be determined at link-time. For the moment,                   */
/* it is filled with zeroes), the bytes for the address of 'some_function'                */
/* that immediately follow the byte for the call opcode itself,                           */
/* (thus, the zeroes) must be ignored and not present in the resulting .pat               */
/* file.                                                                                  */
/*                                                                                        */
/* This is an easy scenario, as this relocation is simple. But, every                     */
/* machine has its own set of relocations and, while in the example above,                */
/* the relocation touches 4 full consecutive bytes, it's not always the                   */
/* case.                                                                                  */
/*                                                                                        */
/* The tables contained in this file hold enough information for pelf to know             */
/* what bytes to ignore when a given relocation is encountered.                           */
/* Here is the format for those tables:                                                   */
/* ----                                                                                   */
/* TABLE <proc> [<proc> ...]:                                                             */
/*   <reloc-nr>, <offset-lsb>, <offset-msb>, <size>                                       */
/*   ...                                                                                  */
/*                                                                                        */
/* proc:       The 'machine number', as specified in the ELF                              */
/*             specification: http://www.sco.com/developers/gabi/latest/ch4.eheader.html  */
/*             Note that you can have more than 1 machine number to which                 */
/*             the table of relocation informations applies.                              */
/* reloc-nr:   The relocation number (machine-dependent).                                 */
/*             E.g., if <proc> is 3 (i.e., EM_386), and <reloc-nr> is 2,                  */
/*             then this line in the table contains relocation information                */
/*             for the relocation "R_386_PC32"                                            */
/* offset-lsb: The offset, in bytes, starting at the beginning of the                     */
/*             relocation field, where the data will be modified at                       */
/*             relocation-time.                                                           */
/* offset-msb: The same thing, but when the processor is big-endian.                      */
/* size:       The number of bytes that will be modified at relocation-time.              */
/* ----                                                                                   */
/*                                                                                        */
/* Take, for example, the ARM relocation ARM_THM_JUMP19: its bits are spread              */
/* across 3 bytes, and that relocation is set to start at the beginning of the            */
/* instruction.                                                                           */
/* In this situation, we will define that relocation as follows:                          */
/*   51, 0, 1, 3                                                                          */
/*    ^  ^  ^  ^                                                                          */
/*    |  |  |  `----- Spans on 3 bytes. I.e., 3 bytes to ignore.                          */
/*    |  |  `---------- For big-endian CPUs: starts at byte #1.                           */
/*    |  `--------------- For little-endian CPUs: starts at byte #0.                      */
/*    `--------------------- Relocation nr.                                               */
/*                                                                                        */
/* _________________________________________________                                      */
/*                                                                                        */
/* As an exercise, let's try adding the following relocations for the ARM machine:        */
/*   - R_ARM_THM_MOVW_PREL_NC (49)                                                        */
/*   - R_ARM_THM_MOVT_PREL (50)                                                           */
/*   - R_ARM_THM_PC12 (54)                                                                */
/*                                                                                        */
/* The documentation states that their numbers are:                                       */
/*   - R_ARM_THM_MOVW_PREL_NC: 49                                                         */
/*   - R_ARM_THM_MOVT_PREL:    50                                                         */
/*   - R_ARM_THM_PC12:         54                                                         */
/*                                                                                        */
/* Looking at binutils' "elf32-arm.c" file lets us see their masks:                       */
/*   - R_ARM_THM_MOVW_PREL_NC: 0x040f70ff                                                 */
/*   - R_ARM_THM_MOVT_PREL:    0x040f70ff                                                 */
/*   - R_ARM_THM_PC12:         0x040070ff                                                 */
/*                                                                                        */
/* Thus, we can see that for the first two relocations, the variable bits are             */
/* scattered all over the 4 bytes of the instruction.                                     */
/* We can't rely on any of the bytes to remain constant, so we'll have to mark            */
/* all 4 of them as variable.                                                             */
/* Additionally, since 4 bytes in a 4-byte instruction start at offset 0 regardless       */
/* of whether it's little or big endian, we need to use offset 0 in both cases.           */
/* Thus:                                                                                  */
/*   49, 0, 0, 4                                                                          */
/*   50, 0, 0, 4                                                                          */
/*                                                                                        */
/* The third relocation does have a fixed byte (00 in the mask), but unfortunately        */
/* it's in the middle of the instruction, a variation which is not supported by           */
/* pelf. So we'll have to mark all 4 bytes as well:                                       */
/*   54, 0, 0, 4                                                                          */
/*                                                                                        */
/* Note: it is not always easy to find the documentation pertaining to the relocations    */
/* you want to add support for in pelf. A notoriously helpful way to determine the way    */
/* relocations are laid out is, as we just did in the example above, to take a peek into  */
/* binutils' source files for the relevant architecture.                                  */
/* ====================================================================================== */


/* Note: Keeping the x86 on top, as it's probably the most often used */
/* To understand negative offsets in this table see binutils, elf32-i386.c */
TABLE 3 6: /*EM_386*/ /*EM_486*/
0, 0, 0, 0 /*R_386_NONE*/
5, 0, 0, 0 /*R_386_COPY*/
7, 0, 0, 4 /*R_386_JMP_SLOT*/
9, 0, 0, 4 /*R_386_GOTOFF*/
10, 0, 0, 4 /*R_386_GOTPC*/
8, 0, 0, 4 /*R_386_RELATIVE*/
4, 0, 0, 4 /*R_386_PLT32*/
3, 0, 0, 4 /*R_386_GOT32*/
2, 0, 0, 4 /*R_386_PC32*/
1, 0, 0, 4 /*R_386_32*/
6, 0, 0, 4 /*R_386_GLOB_DAT*/
14, 0, 0, 4 /*R_386_TLS_TPOFF*/
15, -2, -2, 6 /*R_386_TLS_IE*/
16, -2, -2, 6 /*R_386_TLS_GOTIE*/
17, 0, 0, 4 /*R_386_TLS_LE*/
18, -3, -3, 12 /*R_386_TLS_GD*/ /* this is not quite correct */
19, 0, 0, 4 /*R_386_TLS_LDM*/
32, 0, 0, 4 /*R_386_TLS_LDO_32*/
33, -2, -2, 6 /*R_386_TLS_IE_32*/
34, -2, -2, 11 /*R_386_TLS_LE_32*/
35, 0, 0, 4 /*R_386_TLS_DTPMOD32*/
36, 0, 0, 4 /*R_386_TLS_DTPOFF32*/
37, 0, 0, 4 /*R_386_TLS_TPOFF32*/
39, -1, -1, 5 /*R_386_TLS_GOTDESC*/
40, 0, 0, 2 /*R_386_TLS_DESC_CALL*/ /* call *(%eax) => xchg %ax,%ax */
20, 0, 0, 2 /*R_386_16*/
21, 0, 0, 2 /*R_386_PC16*/
22, 0, 0, 1 /*R_386_8*/
23, 0, 0, 1 /*R_386_PC8*/

TABLE 62: /*EM_X86_64*/
10, 0, 0, 4 /*R_X86_64_32*/
11, 0, 0, 4 /*R_X86_64_32S*/
2, 0, 0, 4 /*R_X86_64_PC32*/
/* http://www.x86-64.org/documentation/abi.pdf $4.4 */
/* http://people.redhat.com/drepper/tls.pdf */
22, 0, 0, 4 /*R_X86_64_GOTTPOFF*/
23, 0, 0, 4 /*R_X86_64_TPOFF32*/
4, 0, 0, 4 /*R_X86_64_PLT32*/
9, 0, 0, 4 /*R_X86_64_GOTPCREL*/
1, 0, 0, 8 /*R_X86_64_64*/
19, 0, 0, 4 /*R_X86_64_TLSGD*/
20, 0, 0, 4 /*R_X86_64_TLSLD*/
21, 0, 0, 4 /*R_X86_64_DTPOFF32*/

TABLE 8: /*EM_MIPS*/
2, 0, 0, 4 /*R_MIPS_32*/
3, 0, 0, 4 /*R_MIPS_REL*/
12, 0, 0, 4 /*R_MIPS_GPREL32*/
4, 0, 0, 4 /*R_MIPS_26*/
37, 0, 0, 4 /*R_MIPS_JALR*/
5, 0, 2, 2 /*R_MIPS_HI16*/
11, 0, 2, 2 /*R_MIPS_CALL*/
9, 0, 2, 2 /*R_MIPS_GOT*/
6, 0, 2, 2 /*R_MIPS_LO16*/
7, 0, 2, 2 /*R_MIPS_GPREL*/
19, 0, 2, 2 /*R_MIPS_GOT_DISP*/
20, 0, 2, 2 /*R_MIPS_GOT_PAGE*/
21, 0, 2, 2 /*R_MIPS_GOT_OFST*/
22, 0, 2, 2 /*R_MIPS_GOT_HI16*/
23, 0, 2, 2 /*R_MIPS_GOT_LO16*/
24, 0, 2, 2 /*R_MIPS_SUB*/

TABLE 19: /*EM_I960*/
0, 0, 0, 0 /*R_960_NONE*/
2, 0, 0, 4 /*R_960_32*/
4, 0, 0, 4 /*R_960_SUB*/
3, 0, 1, 3 /*R_960_IP24*/
5, 0, 1, 3 /*R_960_OPTCALL*/
6, 4, 4, 4 /*R_960_OPTCALLX*/
7, 4, 4, 4 /*R_960_OPTCALLXA*/

/* It is highly recommended to have a look at binutil's bfd/elf32-arm.c's */
/* src_mask & dst_mask information to determine fixups sizes. */
TABLE 40: /*EM_ARM*/
0, 0, 0, 0 /*R_ARM_NONE*/
40, 0, 0, 0 /*R_ARM_V4BX*/
8, 0, 0, 1 /*R_ARM_ABS8*/ /* Data */
7, 0, 0, 2 /*R_ARM_THM_ABS5*/ /* Thumb16 */
103, 0, 1, 1 /*R_ARM_THM_PC9*/
11, 0, 1, 1 /*R_ARM_THM_PC8*/ /* Thumb16 */
6, 0, 2, 2 /*R_ARM_ABS12*/ /* ARM */
5, 0, 0, 2 /*R_ARM_ABS16*/ /* Data */
102, 0, 0, 2 /*R_ARM_THM_PC11*/ /* Thumb16? */
9, 0, 0, 4 /*R_ARM_SBREL32*/ /* Data */
2, 0, 0, 4 /*R_ARM_ABS32*/ /* Data */
253, 0, 0, 4 /*R_ARM_RABS32*/ /* Data */
3, 0, 0, 4 /*R_ARM_REL32*/ /* Data */
252, 0, 0, 4 /*R_ARM_RREL32*/ /* Data */
96, 0, 0, 4 /*R_ARM_GOT_PREL*/
27, 0, 0, 4 /*R_ARM_PLT32*/
26, 0, 0, 4 /*R_ARM_GOT32*/
25, 0, 0, 4 /*R_ARM_GOTPC*/
24, 0, 0, 4 /*R_ARM_GOTOFF*/
21, 0, 0, 4 /*R_ARM_GLOB_DAT*/
22, 0, 0, 4 /*R_ARM_JUMP_SLOT*/
18, 0, 0, 4 /*R_ARM_TLS_DTPOFF32*/
19, 0, 0, 4 /*R_ARM_TLS_TPOFF32*/
17, 0, 0, 4 /*R_ARM_TLS_DTPMOD32*/
10, 0, 0, 4 /*R_ARM_THM_PC22*/ /* == R_ARM_THM_CALL. See "ARM IHI 0044D", 4.7.1.6 */
1, 0, 1, 3 /*R_ARM_PC24*/
4, 0, 1, 3 /*R_ARM_PC13*/
28, 0, 1, 3 /*R_ARM_CALL*/
29, 0, 1, 3 /*R_ARM_JUMP24*/
51, 0, 1, 3 /*R_ARM_THM_JUMP19*/
30, 0, 0, 4 /*R_ARM_THM_JUMP24*/
15, 0, 1, 3 /*R_ARM_XPC25*/
16, 0, 0, 4 /*R_ARM_THM_XPC22*/
47, 0, 0, 4 /*R_ARM_THM_MOVW_ABS_NC*/
48, 0, 0, 4 /*R_ARM_THM_MOVT_ABS*/
107, 0, 0, 4 /*R_ARM_TLS_IE32*/
108, 0, 0, 4 /*R_ARM_TLS_LE32*/
49, 0, 0, 4 /*R_ARM_THM_MOVW_PREL_NC*/
50, 0, 0, 4 /*R_ARM_THM_MOVT_PREL*/
54, 0, 0, 4 /*R_ARM_THM_PC12*/
44, 0, 1, 3 /*R_ARM_MOVT_ABS*/
43, 0, 1, 3 /*R_ARM_MOVW_ABS_NC*/

TABLE 93: /*EM_ARCOMPACT*/
0, 0, 0, 0 /*R_ARC_NONE*/
52, 0, 0, 4 /*R_ARC_PLT32*/
59, 0, 0, 4 /*R_ARC_GOT32*/
58, 0, 0, 4 /*R_ARC_GOTPC*/
57, 0, 0, 4 /*R_ARC_GOTOFF*/
54, 0, 0, 4 /*R_ARC_GLOB_DAT*/
55, 0, 0, 4 /*R_ARC_JMP_SLOT*/
56, 0, 0, 4 /*R_ARC_RELATIVE*/
16, 0, 0, 4 /*R_ARC_S25H_PCREL*/
17, 0, 0, 4 /*R_ARC_S25W_PCREL*/
27, 0, 0, 4 /*R_ARC_32_ME*/
4, 0, 0, 4 /*R_ARC_32*/
29, 0, 0, 4 /*R_ARC_SECTOFF_ME*/

TABLE 20: /*EM_PPC*/
0, 0, 0, 0 /*R_PPC_NONE*/
19, 0, 0, 0 /*R_PPC_COPY*/
21, 0, 0, 4 /*R_PPC_JMP_SLOT*/
22, 0, 0, 4 /*R_PPC_RELATIVE*/
20, 0, 0, 4 /*R_PPC_GLOB_DAT*/
1, 0, 0, 4 /*R_PPC_ADDR32*/
26, 0, 0, 4 /*R_PPC_REL32*/
3, 0, 0, 2 /*R_PPC_ADDR16*/
5, 0, 0, 2 /*R_PPC_ADDR16_HI*/
6, 0, 0, 2 /*R_PPC_ADDR16_HA*/
4, 0, 0, 2 /*R_PPC_ADDR16_LO*/
14, 0, 0, 2 /*R_PPC_GOT16*/
15, 0, 0, 2 /*R_PPC_GOT16_LO*/
16, 0, 0, 2 /*R_PPC_GOT16_HI*/
17, 0, 0, 2 /*R_PPC_GOT16_HA*/
29, 0, 0, 2 /*R_PPC_PLT16_LO*/
30, 0, 0, 2 /*R_PPC_PLT16_HI*/
31, 0, 0, 2 /*R_PPC_PLT16_HA*/
25, 0, 0, 2 /*R_PPC_UADDR16*/
32, 0, 0, 2 /*R_PPC_SDAREL16*/
33, 0, 0, 2 /*R_PPC_SECTOFF*/
34, 0, 0, 2 /*R_PPC_SECTOFF_LO*/
35, 0, 0, 2 /*R_PPC_SECTOFF_HI*/
36, 0, 0, 2 /*R_PPC_SECTOFF_HA*/
109, 0, 2, 2 /*R_PPC_EMB_SDA21*/
11, 0, 2, 2 /*R_PPC_REL14*/
18, 0, 1, 3 /*R_PPC_PLTREL24*/
23, 0, 1, 3 /*R_PPC_LOCAL24PC*/
10, 0, 1, 3 /*R_PPC_REL24*/
2, 0, 0, 4 /*R_PPC_ADDR24*/

TABLE 21: /*EM_PPC64*/
10, 0, 0, 3 /*R_PPC64_REL24*/
38, 0, 0, 8 /*R_PPC64_ADDR64*/
51, 0, 0, 8 /*R_PPC64_TOC*/
47, 0, 0, 2 /*R_PPC64_TOC16*/
63, 0, 0, 2 /*R_PPC64_TOC16_DS*/
70, 0, 0, 2 /*R_PPC64_TPREL16_LO*/
71, 0, 0, 2 /*R_PPC64_TPREL16_HI*/
72, 0, 0, 2 /*R_PPC64_TPREL16_HA*/
87, 0, 0, 2 /*R_PPC64_GOT_TPREL16_DS*/
67, 0, 0, 8 /*R_PPC64_TLS*/

TABLE 53: /*EM_6812*/
0, 0, 0, 0 /*R_M68HC11_NONE*/
1, 0, 0, 1 /*R_M68HC11_8*/
3, 0, 0, 1 /*R_M68HC11_LO8*/
2, 0, 0, 1 /*R_M68HC11_HI8*/
4, 0, 0, 1 /*R_M68HC11_PCREL_8*/
7, 0, 0, 1 /*R_M68HC11_3B*/
5, -1, -1, 2 /*R_M68HC11_16*/ /* !!! quite strange but seems to be right */
8, -1, -1, 2 /*R_M68HC11_PCREL_16*/

TABLE 42: /*EM_SH*/
0, 0, 0, 0 /*R_SH_NONE*/
162, 0, 0, 4 /*R_SH_COPY*/
163, 0, 0, 4 /*R_SH_GLOB_DAT*/
164, 0, 0, 4 /*R_SH_JMP_SLOT*/
165, 0, 0, 4 /*R_SH_RELATIVE*/
1, 0, 0, 4 /*R_SH_DIR32*/
33, 0, 0, 2 /*R_SH_DIR16*/
34, 0, 0, 1 /*R_SH_DIR8*/
39, 0, 0, 1 /*R_SH_DIR8S*/
160, 0, 0, 4 /*R_SH_GOT32*/
161, 0, 0, 4 /*R_SH_PLT32*/
165, 0, 0, 4 /*R_SH_RELATIVE*/
166, 0, 0, 4 /*R_SH_GOTOFF*/
167, 0, 0, 4 /*R_SH_GOTPC*/
168, 0, 0, 4 /*R_SH_GOTPLT32*/
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/plb.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/plb.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/pmacho.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/pmacho.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/pomf166.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/pomf166.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/ppsx.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/ppsx.exe
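The pelf.rtb header above explains the rule pelf applies to each relocation: for machine `<proc>` and relocation `<reloc-nr>`, the `<size>` bytes starting `<offset-lsb>` (or `<offset-msb>` on big-endian targets) bytes from the relocation field are emitted as `..` in the .pat. The following is an added example, not code from the repository or from FLAIR, that parses the TABLE section and applies that rule, including the negative offsets the x86 TLS entries use and the nested comments in the prose header. `RTB_EXCERPT` copies a few lines of pelf.rtb verbatim; the relocation field offsets in the demonstration are constructed.

```python
"""Parse the TABLE section of pelf.rtb and compute the bytes a relocation hides.

Added example; not code from IDASignMaker or FLAIR. It implements the rule
described in the pelf.rtb header: for machine <proc> and relocation <reloc-nr>,
the <size> bytes starting at <offset-lsb> (little-endian) or <offset-msb>
(big-endian) from the relocation field become '..' in the .pat pattern.
RTB_EXCERPT copies a few lines of pelf.rtb verbatim; the relocation field
offsets used in the demonstration are constructed.
"""
from __future__ import annotations

import re
from typing import Tuple

RTB_EXCERPT = """
/* Note: Keeping the x86 on top, as it's probably the most often used */
TABLE 3 6: /*EM_386*/ /*EM_486*/
2, 0, 0, 4 /*R_386_PC32*/
15, -2, -2, 6 /*R_386_TLS_IE*/
22, 0, 0, 1 /*R_386_8*/

TABLE 40: /*EM_ARM*/
51, 0, 1, 3 /*R_ARM_THM_JUMP19*/
49, 0, 0, 4 /*R_ARM_THM_MOVW_PREL_NC*/
"""

Rule = Tuple[int, int, int]          # (offset-lsb, offset-msb, size)
TABLE_RE = re.compile(r"TABLE\s+((?:\d+\s*)+):")


def strip_comments(text: str) -> str:
    """Drop /* */ comments; the prose header of pelf.rtb nests them, so track depth."""
    out: list[str] = []
    depth = i = 0
    while i < len(text):
        if text.startswith("/*", i):
            depth, i = depth + 1, i + 2
        elif depth and text.startswith("*/", i):
            depth, i = depth - 1, i + 2
        else:
            if not depth:
                out.append(text[i])
            i += 1
    return "".join(out)


def parse_rtb(text: str) -> dict[tuple[int, int], Rule]:
    """Return {(machine, reloc-nr): (offset-lsb, offset-msb, size)}."""
    rules: dict[tuple[int, int], Rule] = {}
    machines: list[int] = []
    for raw in strip_comments(text).splitlines():
        line = raw.strip()
        if not line:
            continue
        header = TABLE_RE.fullmatch(line)
        if header:
            machines = [int(m) for m in header.group(1).split()]   # one table may serve several machines
            continue
        if not machines:
            raise ValueError(f"relocation entry before any TABLE header: {line!r}")
        reloc, lsb, msb, size = (int(field) for field in line.split(","))
        for machine in machines:
            rules[(machine, reloc)] = (lsb, msb, size)
    return rules


def variable_offsets(rules: dict[tuple[int, int], Rule], machine: int, reloc: int,
                     field_offset: int, big_endian: bool = False) -> set[int]:
    """Offsets within the function that relocation `reloc` at `field_offset` makes variable."""
    if (machine, reloc) not in rules:
        raise KeyError(f"no rule for machine {machine}, relocation {reloc}: add it to pelf.rtb")
    lsb, msb, size = rules[(machine, reloc)]
    start = field_offset + (msb if big_endian else lsb)   # negative offsets reach back into the opcode
    return set(range(start, start + size))


def mask_pattern(code: bytes, variable: set[int]) -> str:
    """Render bytes as the .pat hex pattern, '..' for variable ones."""
    return "".join(".." if i in variable else f"{b:02X}" for i, b in enumerate(code))


if __name__ == "__main__":
    rules = parse_rtb(RTB_EXCERPT)
    # The header's own example: 'call some_function' = E8 00 00 00 00 with R_386_PC32 on the rel32.
    call = bytes.fromhex("E800000000")
    print(mask_pattern(call, variable_offsets(rules, 3, 2, field_offset=1)))   # E8........
```

A missing table entry raises rather than silently leaving relocated bytes in the pattern, which is the failure mode the header warns about: a pattern that embeds link-time zeroes never matches the linked binary.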
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/ptmobj.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/ptmobj.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/sigmake.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/sigmake.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sig_win_exe/zipsig.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sig_win_exe/zipsig.exe
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sigmake说明书注释版/pat.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sigmake说明书注释版/pat.txt
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sigmake说明书注释版/plb.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sigmake说明书注释版/plb.txt
--------------------------------------------------------------------------------
/ida签名制造工具资源库/sigmake说明书注释版/sigmake.txt:
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/sigmake说明书注释版/sigmake.txt
--------------------------------------------------------------------------------
/ida签名制造工具资源库/内核开发常用库(貌似没啥用 只是一些声明 不是函数实现细节 不能用来制造sig).zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/内核开发常用库(貌似没啥用 只是一些声明 不是函数实现细节 不能用来制造sig).zip
--------------------------------------------------------------------------------
/ida签名制造工具资源库/制造sig批处理(fix有点问题)/lib2sig.bat:
--------------------------------------------------------------------------------
for %%i in (*.lib) do call:sigmake %%~ni
echo.&pause&goto:eof
:sigmake
md %1_objs
md sig
md error_lib
copy %1.lib %1_objs
cd %1_objs
rem extract every member object from the library with the VC LIB/LINK tool
for /F %%i in ('link -lib /list %1.lib') do link -lib /extract:%%i %1.lib
rem pcf turns each COFF object into a .pat file
for %%i in (*.obj) do pcf %%i
rem first sigmake run; it writes %1.exc when there are collisions
sigmake -n"%1.lib" *.pat %1.sig
rem strip the leading comment lines from the EXC file (the second command overwrites the output of the first)
if exist %1.exc for %%i in (%1.exc) do find /v ";" %%i > abc.exc
if exist %1.exc for %%i in (%1.exc) do > abc.exc more +2 "%%i"
copy abc.exc %1.exc
del abc.exc
rem second run with the stripped EXC file resolves the collisions
sigmake -n"%1.lib" *.pat %1.sig
copy %1.sig ..\sig
rem no .sig produced: keep the library aside in error_lib and remove it from the work directory
if not exist %1.sig (copy %1.lib ..\error_lib)
if not exist %1.sig (del ..\%1.lib)
cd ..
del %1_objs /s /q
rd %1_objs
goto:eof
--------------------------------------------------------------------------------
/ida签名制造工具资源库/制造sig批处理(fix有点问题)/lib2sig_fix.bat:
--------------------------------------------------------------------------------
@echo off&setlocal enabledelayedexpansion
if exist %1.exc for /f "delims=" %%i in (%1.exc) do set "line=%%i"&set "next_line="&call :process_perline !line! !next_line! %1.exc
pause
:process_perline
if %1 == "\n" echo -%1>>%3
goto :eof
--------------------------------------------------------------------------------
/ida签名制造工具资源库/视频.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/ida签名制造工具资源库/视频.exe
--------------------------------------------------------------------------------
/lib2sig.bat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/lib2sig.bat
--------------------------------------------------------------------------------
/libc_objs/LIBC.LIB:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/libc_objs/LIBC.LIB
--------------------------------------------------------------------------------
/news:
--------------------------------------------------------------------------------

The following summarizes the enhancements made to FLAIR utilities


plb
---

1.42 maximal number of virsegs is 1024
1.43 LIBNAM record stops processing
1.44 -m switch accepts number of module
1.45 maximal number of virsegs is 4096
     maximal number of comsegs is 4096
     maximal number of names is 16384
1.46 negative offsets of public names are allowed
1.47 a bug with VIRDEF segments is fixed
1.48 don't throw away long (>=0x8000) segments,
     just truncate them
     -x switch is added
1.49 bad external references are not fatal anymore
1.50 allow "" in the command line switches
1.51 -s switch is added
1.52 wildcards are supported

pcf
---

1.07 TMS320C6 COFF support is added
     -Z switch is added
1.08 pcf could issue an erroneous
     fatal error message
     about unknown relocation type
1.09
1.10 negative offsets of public names are allowed
1.11 Windows CE support for ARM, SH3, SH4
     Wildcards in the command line are supported
     The output file name may be omitted
1.12 H8/300 support
1.13 AR archive member names could miss the first letter
     sometimes
1.14 fixed a bug with the coff file detection
1.15 fixed a bug with the coff file symbol tables
1.16 added AMD64 support
1.17 added -M switch
1.18 added more relocation types for x86

pelf
----

1.0  created
1.01 ELF AR libraries are supported
1.02 ARM processor is supported
1.03 IBM PC processor is supported
1.04 AR module names separated by '\n' are supported
1.05 R_ARM_PC13 relocation type is added
1.06 added the -M switch


pomf166
-------

1.00 first version


ppsx
----

1.0 created


ptmobj
------

1.0 created



sigmake
-------

1.31 keep collisioned modules as unnamed modules
1.32 fixed bug with directory names in input files
1.33 don't keep collisions in startup signatures
1.34 maximum number of excluded names is 16000
1.35 negative offsets of public names are allowed
     small_func_threshold is 8 but it counts only
     defined bytes now
     better handling of collisions
1.36 -t switch works now
     better error message about missing "---" marker
     at the end of pat file
1.37 maximum number of excluded names is 32000
1.38 maximum number of leaves is 8192
1.39 -P switch is added
1.40 V6 signature files are supported
     (number_of_modules is 32bit)
1.41 fixed bug with startup sigs: references by
     functions names are not allowed there
1.42 refer to the docs in the collisions message
1.43 added new processor codes to -hp help page
1.44 V7 signature files are created (standard zip lib)
1.45 global names have priority over local names
     if we have several of them on the same address


zipsig
------

1.00 created
1.01 don't stop processing after errors
1.02 new zip return codes
1.04 V6 signature files are supported (number_of_modules is 32bit)
1.05 V7 signature files are supported (standard zip lib)

dumpsig
-------

1.12 -s switch is deleted. Allow running with 1 parameter
1.13 fixed a bug in signature loading
1.14 CTYPE_ALT is added
1.15 fixed a bug in free_tree()
1.16 dumpsig failed if too many choices/leaves
1.17 LFF_COLL is added. checkmem() is added.
1.18 negative offsets of public names are allowed
1.19 V6 signature files are supported
1.20 V7 signature files are supported; more processor codes


--------------------------------------------------------------------------------
/pat.rus:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/pat.rus
--------------------------------------------------------------------------------
/pat.txt:
--------------------------------------------------------------------------------
FORMAT OF A PATTERN FILE USED BY IDA FLAIR
==========================================

What is a pattern file
----------------------

A PAT contains information about object modules from a library.
Usually this file is generated by PLB or PCF utilities.
PLB stands for "parse library" and processes OMF object libraries.
PCF stands for "parse COFF" and processes AR object libraries.
A collection of PAT files is processed by the "sigmake" utility
which produces a signature file.
So, a normal flow of data is:


               PLB or PCF                   Sigmake
   Library --------------> PatternFile ------------> SignatureFile

Sigmake can take one or more pattern files and produce one signature file.
If you want to make signature files for a library you have,
you may take PLB or PCF and try to generate a pattern file.
But if your libraries are not in OMF or AR format, they will fail.
In this case you need to write your own preprocessor of libraries.

How you write this preprocessor, what programming language you use,
on what platform, etc - is not important. The only requirement for the
preprocessor is to produce a correct PAT file.
Below is a detailed description of the format.

Format of PAT file
------------------

A PAT file is a text file.
Each object module from a library is represented as a separate line.
Length of a line is not limited.
Let's look at an example (the first line is an example,
the second is a ruler to make explanations):

558BEC8B5E04D1E3F787....02007406B8050050EB141EB43F8B5E048B4E0AC5 0B B56E 002F :0000 __read ^000B __openfd ^002C __IOERROR ....5DC3
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp ll ssss LLLL gggggggggggg rrrrrrrrrrrrrrrrrrrrrrrrrrrrrr tttttttt

This line describes one module from a library. The module starts with a
sequence of bytes 558BEC8B5E04D1E3F787, then there are 2 variable bytes,
then bytes 02007406B8050050EB141EB43F8B5E048B4E0AC5.
If we calculate CRC16 on the following 0B bytes, it will be equal to B56E.
The length of the module is 002F bytes. The module defines one global name
"__read", it is located at the start of the module (offset 0000).
Also the module refers to two names: __openfd (from offset 000B)
and __IOERROR (from offset 002C).

All the remaining bytes of the module are written at the end of the line
(this is why a line might be very long; however, in this particular case
the module is short): ....5DC3

Format of each line:
        p - PATTERN BYTES (64 positions)
        space
        l - 2 positions contain ALEN (example:12)
        space
        s - 4 positions contain ASUM (example:1234)
        space
        L - 4 positions contain TOTAL LENGTH OF MODULE IN BYTES (example:1234)
        space
        g - LIST OF PUBLIC NAMES
        r - LIST OF REFERENCED NAMES
        t - TAIL BYTES

where

PATTERN BYTES:
        first 64 characters represent first 32 bytes of module.
        If value of a byte is variable, it is represented as ".."
        Otherwise a byte is represented by 2 hexadecimal digits (XX)

ALEN is length of block starting at offset 0x20 (right after the 32 pattern bytes)
        used to calculate CRC16. This block can't contain variable
        bytes. Maximal length of this block is 255 bytes.

ASUM is CRC16 of the aforementioned block.

TOTAL LENGTH OF MODULE IN BYTES - contains what it says
        Total length of a module should be < 0x8000.

LIST OF PUBLIC NAMES:
        Each public name is represented as
                :XXXX name
        where XXXX is offset of the name from the module start.
        There must be at least one public name. If a module has no
        public names, parselib should create a name ":0000 ?"
        If the offset is negative, it is represented like this:
                :-XXXX name
        If a name is local, it is represented as
                :XXXX@ name
        i.e. there is '@' after the offset.
        Elements of this list are separated by spaces.

LIST OF REFERENCED NAMES:
        Each referenced name is represented as
                ^XXXX name
        where XXXX is offset of the location referring to the name.
        Obviously, bytes at this location are variable.

        Special for 80x86 processors: some linkers convert far calls
        to near calls in 16bit segments:

                0000: 9A........        call far ptr xxx

        is converted to

                0000: 90                nop
                0001: 0E                push cs
                0002: E8....            call near ptr xxx

        Therefore, parselib should mark byte 9A as variable and
        set location offset of the fixup to 0002, not 0001.

TAIL BYTES:
        Have the same format as the first 32 bytes.
        Tail of the module starts at the end of the CRC16 block.

All numbers in a PAT file are hexadecimal.
A PAT file should be ended with a special line with 3 minus signs:
---

Limitations:
        Total length of a module should be < 0x8000.
        Too short modules (less than 4 constant bytes) should not be
        included in the PAT file. However, if a module has a referenced
        name, it can be included in the PAT file.

Examples:

558BEC8B4604C706....0000A3....5DC38B0E....8B1E....BA5A01B8354EE8 00 0000 0037 :0000 _srand :0011 _rand ^0021 N_LXMUL@ ....05010083D2008916....A3....A1....9925FF7FC3
558BEC8B5E04D1E3F787....02007406B8050050EB141EB43F8B5E048B4E0AC5 0B B56E 002F :0000 __read ^000B __openfd ^002C __IOERROR ....5DC3

1111111111111111111111111111111111111111111111111111111111111111 22 3333 4444 555555555555                                66666666

1 - pattern bytes
2 - ALEN
3 - ASUM
4 - MODLEN
5 - PUBLIC NAME
6 - TAIL BYTES

__read refers to __openfd and __IOERROR
_srand and _rand refer to N_LXMUL@

============================================================================
--------------------------------------------------------------------------------
/pcf.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/pcf.exe
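The PAT line format described in pat.txt above, as an added Python example (not part of FLAIR or this repository): a parser for the pattern/ALEN/ASUM/MODLEN/name/tail fields and a checker for the layout rules the text states (32 + ALEN + tail bytes must equal MODLEN, ALEN at most 255, every `^` fixup offset must land on a variable byte, the "less than 4 constant bytes" rule, the `---` terminator), which also handles the negative and local `:`-names the text describes. The two good sample lines are the ones from pat.txt, the bad line is constructed, and ASUM is parsed but not recomputed because the page does not specify the CRC16 variant.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the two example modules from pat.txt plus the mandatory "---" line.
SAMPLE_PAT = """\
558BEC8B4604C706....0000A3....5DC38B0E....8B1E....BA5A01B8354EE8 00 0000 0037 :0000 _srand :0011 _rand ^0021 N_LXMUL@ ....05010083D2008916....A3....A1....9925FF7FC3
558BEC8B5E04D1E3F787....02007406B8050050EB141EB43F8B5E048B4E0AC5 0B B56E 002F :0000 __read ^000B __openfd ^002C __IOERROR ....5DC3
---
"""
# Constructed bad line: the fixup ^0009 points at the constant byte 87, not at a ".." byte.
BAD_LINE = "558BEC8B5E04D1E3F787....02007406B8050050EB141EB43F8B5E048B4E0AC5 0B B56E 002F :0000 __read ^0009 __openfd ^002C __IOERROR ....5DC3"

PATTERN_LEN = 32         # the first 32 bytes are spelled out as 64 hex chars / ".." pairs
MAX_MODULE_LEN = 0x8000  # "Total length of a module should be < 0x8000"
MAX_ALEN = 255           # "Maximal length of this block is 255 bytes"
MIN_CONST_BYTES = 4      # shorter modules belong in the PAT file only if they reference a name

@dataclass
class PatModule:
    pattern: list                                # 32 entries: int, or None for a variable byte
    alen: int                                    # length of the CRC16 block after the pattern
    asum: int                                    # CRC16 of that block (parsed, not recomputed here)
    modlen: int                                  # total module length in bytes
    publics: list = field(default_factory=list)  # (offset, name, is_local)
    refs: list = field(default_factory=list)     # (offset, name)
    tail: list = field(default_factory=list)     # bytes after the CRC block, None = variable

_NAME_RE = re.compile(r"^([:^])(-?)([0-9A-Fa-f]{4})(@?)$")  # ":XXXX", ":-XXXX", ":XXXX@", "^XXXX"

def _hex_bytes(s):
    # 'XX' -> int, '..' -> None (variable byte)
    if len(s) % 2:
        raise ValueError(f"odd-length byte string {s!r}")
    return [None if s[i:i + 2] == ".." else int(s[i:i + 2], 16) for i in range(0, len(s), 2)]

def parse_pat_line(line):
    """Split one PAT line into its fields; all numbers are hexadecimal."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("a PAT line needs pattern, ALEN, ASUM and MODLEN")
    pattern = _hex_bytes(fields[0])
    if len(pattern) != PATTERN_LEN:
        raise ValueError(f"pattern must be {PATTERN_LEN} bytes, got {len(pattern)}")
    mod = PatModule(pattern, int(fields[1], 16), int(fields[2], 16), int(fields[3], 16))
    rest, i = fields[4:], 0
    while i < len(rest):
        m = _NAME_RE.match(rest[i])
        if m is None:                 # neither ":off" nor "^off": this is the tail, the last field
            if i != len(rest) - 1:
                raise ValueError(f"unexpected field {rest[i]!r}")
            mod.tail = _hex_bytes(rest[i])
            break
        if i + 1 == len(rest):
            raise ValueError(f"{rest[i]!r} is not followed by a name")
        kind, neg, off, local = m.groups()
        offset = -int(off, 16) if neg else int(off, 16)
        if kind == ":":
            mod.publics.append((offset, rest[i + 1], local == "@"))
        else:
            mod.refs.append((offset, rest[i + 1]))
        i += 2
    return mod

def parse_pat_file(text):
    """Parse a whole PAT file; its last non-empty line must be the '---' marker."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[-1].strip() != "---":
        raise ValueError('PAT file must end with a "---" line')
    return [parse_pat_line(ln) for ln in lines[:-1]]

def _byte_kind(mod, off):
    """Classify a module offset as 'var', 'const', 'crc' (inside the CRC16 block) or 'outside'."""
    if 0 <= off < len(mod.pattern):
        return "var" if mod.pattern[off] is None else "const"
    crc_end = len(mod.pattern) + mod.alen
    if 0 <= off < crc_end:
        return "crc"
    if 0 <= off - crc_end < len(mod.tail):
        return "var" if mod.tail[off - crc_end] is None else "const"
    return "outside"

def check_module(mod):
    """Return the pat.txt layout rules the module violates; an empty list means it is consistent."""
    problems = []
    if not mod.publics:
        problems.append("no public name; parselib should emit ':0000 ?' for unnamed modules")
    if mod.modlen >= MAX_MODULE_LEN:
        problems.append(f"MODLEN {mod.modlen:#x} is not < 0x8000")
    if mod.alen > MAX_ALEN:
        problems.append(f"ALEN {mod.alen} exceeds {MAX_ALEN}")
    total = len(mod.pattern) + mod.alen + len(mod.tail)   # pattern + CRC16 block + tail = module
    if total != mod.modlen:
        problems.append(f"32 + ALEN {mod.alen} + tail {len(mod.tail)} = {total} but MODLEN is {mod.modlen}")
    # the CRC16 block never contains variable bytes, so all of its bytes count as constant
    const = sum(b is not None for b in mod.pattern) + mod.alen + sum(b is not None for b in mod.tail)
    if const < MIN_CONST_BYTES and not mod.refs:
        problems.append(f"only {const} constant bytes and no referenced name: too short to include")
    for off, name in mod.refs:    # a fixup location is variable by definition
        kind = _byte_kind(mod, off)
        if kind != "var":
            problems.append(f"reference ^{off:04X} {name} points at a {kind} byte")
    return problems
```

Running `check_module` over `parse_pat_file(SAMPLE_PAT)` returns an empty list for both modules, while `check_module(parse_pat_line(BAD_LINE))` reports the fixup that lands on a constant byte.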
--------------------------------------------------------------------------------
/pcf.txt:
--------------------------------------------------------------------------------

                P A R S E C O F F
                -----------------

PCF stands for parsecoff.

It has the same purpose and the same switches as parselib (plb) so please
look at plb.txt for information. The only additional switch is

        -g...

which changes the COFF magic number.
The COFF magic number appears at the start of a COFF file, the first 2 bytes.
By default the magic number is 0514 octal which corresponds to IBM PC COFF files.
Parsecoff will recognize a file as a COFF file if it starts with the specified magic or with 0.

Parsecoff can handle separate COFF files and AR libraries.
--------------------------------------------------------------------------------
/plb.txt:
--------------------------------------------------------------------------------

                P A R S E L I B
                ---------------

PLB stands for parselib.
It processes OMF object and library files and produces a pattern file.
Command line:

        parselib [-sw or @file] input-file pattern-file

The command line switches may be placed in an indirect file - one switch per line.
The input file is an object file or a library file. If the extension is omitted,
"LIB" extension is assumed.
The output file is a pattern file. Its default extension is "PAT".
A pattern file is a simple text file. Each function is represented by one
line (warning: the lines may be very-very long, tens of kilobytes, so don't
edit pattern files with a text editor). Format of this file is described
in the PAT.TXT file.

Usually plb is launched without switches:

        plb cl1 borland

will take "cl1.lib" as input and produce "borland.pat" file.

You may use the -a switch to append to the output file:

        plb -a cl2 borland

will append patterns of functions from "cl2.lib" to "borland.pat"
The output file must exist if the -a switch is used.

Description of switches
-----------------------

-a      Append to the output file. The output file must exist and
        its last line must be '---'

-c...   If the input file contains the "ctype" array, you may use
        this switch to allow parselib to detect the "ctype" array and
        produce a special record in the pattern file for it.
        "Ctype" array requires special handling because it resides
        in data segment and normally would be skipped by parselib.
        You should specify ctype array name:

                -cctype_name

        Use this switch only if you are processing a non-standard C
        library.

-d      Turn on debugging. Displays lots of debugging information.

-e      Skip unnamed functions. Experimental switch. I don't recommend
        using it - it is better to recognize even unnamed functions
        rather than silently skip them.

-i      The input file is an IBM OMF file.
        By default parselib assumes the input file to be a MS OMF file.

-l...   This switch is required only for startup object modules.
        It should not be specified for regular libraries.
        This switch contains information how to proceed if the
        startup module is found in the executable file.
        It allows you to specify names of signature files to be
        applied automatically. Signature file names are separated by
        ':'. Optional signature files are specified as l=signame
        Also, you may specify the OS type and the application type.
        Format of this switch is signature names and directives
        separated by colons ':', for example:

                o=type:a=type:l=lib1/lib2/lib3:m=hints:s=off/signame

        o=type
                specifies OS type if the startup module is found.
                Valid values (sigmake -ho displays them):
                        1  MS DOS
                        2  MS Windows
                        4  OS/2
                        8  Netware

        a=type
                specifies application type if the startup module is
                found in the executable file.
                Valid values are combination of the following
                bits (sigmake -ha displays them):
                        0001 console
                        0002 graphics
                        0004 program (EXE)
                        0008 library (DLL)
                        0010 driver (VxD)
                        0020 Single-threaded
                        0040 Multi-threaded
                        0080 16bit
                        0100 32bit
                When in doubt, don't specify a bit.

        l=lib1/lib2/lib3...
                Optional signatures. This directive may be omitted.
                An optional signature file is not applied
                automatically, but it will be marked with an asterisk
                in the list of signature files.

        m=hints
                A simple program to find main() function. Format of
                hints is described below. This directive may be omitted.

        s=off/signame
                Reference to secondary startup signature. Presence of
                this directive means that IDA can't make decision
                based on the recognition of one startup module.
                IDA needs to make additional checks to select
                proper signature file: these additional checks are
                in the secondary signature file. The secondary
                signature file will be applied to an address referenced
                by an instruction at start+off (off is hexadecimal).
                This directive must be the last item in the -l switch.
                This directive may be omitted.
        S=off/signame
                Almost the same thing as lowercase 's'. The difference
                between these switches is that the uppercase 'S' uses the
                start+off address as it is while
                the lowercase 's' tries to get the address referenced by the
                instruction.
                The start address mentioned in these switches
                is either the address where the signature was applied to
                (usually the entry point of the program) or the address
                after applying the main() hints (if they were specified
                before)
        i=idcfile
                An IDC file to invoke. The IDC file will be searched
                in the IDC subdirectory of IDA.

-m...   The name of the library module. If this switch is specified,
        parselib will process only the specified module, not the whole
        library. This switch is mainly used for startup modules.

-n...   The name of the startup function. If this switch is specified,
        parselib will start pattern at the specified function,
        not at the module start. Signatures are applied to
        the entry point of an executable file and therefore
        the patterns should start at entry point too.

-o...   The offset of the startup entry point (hex). The pattern will start at it.
        This is an alternative way to specify the start of a startup
        pattern. Sometimes the entry point has no name and in this
        case we are forced to use offsets instead of names.

-p##    Pattern length (default: 32)
        Never use this switch, it is for debugging only.

-v      Verbose output

-w...   This switch has the same meaning as -c switch.
        The only difference is that ctype array has 2-byte elements.

-z      Loosen input file format checks. Some library modules have
        erroneous structure. This switch allows parselib to handle
        them.


Format of hints used to find main() function
--------------------------------------------

Hints are arranged as a simple program encoded in a text string.
The string is processed from the left to the right. For the ease of explanation, let's
imagine a virtual machine with the following registers:
        PTR     - contains a pointer to hints string.
                  initialized with the start of the hints string.
        ADR     - contains the current linear address.
                  initialized with the executable program entry point address.
        MAIN    - contains a possible main() address. initialized with
                  a bad address (i.e. the main() address is not known)
        MAINNAME- contains a possible main() function name.
        SAFE    - contains a 'safe' address. not initialized.
        FLAG    - contains 1/0. Initialized with 0.

The virtual machine takes a symbol at PTR, interprets it accordingly and
moves PTR to the next symbol. The execution is stopped when one of the
following conditions is reached:
        - the end of the string is reached. The address of the main()
          function is in MAIN (unless it still contains the bad address)
        - PTR points to a '/' symbol. It means that the main() function is found at ADR.
        - illegal symbol at PTR is encountered.


Elements of hints string (spaces are inserted for readability only. they
should not be present in the program string):

        +<off>  ADR <- ADR + off.
                off is a hexadecimal number

        -<off>  ADR <- ADR - off.
                off is a hexadecimal number

        !       make instruction at ADR.
                stop execution if not possible to create instruction (or rollback safe execution)

        #2      make 2-byte data item at ADR
                stop execution if not possible to create instruction (or rollback safe execution)

        #4      make 4-byte data item at ADR
                stop execution if not possible to create instruction (or rollback safe execution)

        &       follow data reference (ADR <- dref(ADR))
                For example, if instruction at ADR is

                        ADR:  push offset somedata

                then ADR <- address of somedata
                if the current instruction at ADR doesn't refer to data,
                then stop execution or rollback safe execution.

        ^       follow code reference (ADR <- cref(ADR))
                For example, if instruction at ADR is

                        ADR:  call somefunc

                then ADR <- address of somefunc
                if the current instruction at ADR doesn't refer to code,
                then stop execution or rollback safe execution.

        *0c
        *0d
        *1c
        *1d
                make offset at ADR. general format is
                        *<opnum><type>
                where opnum (operand number) is '0' or '1',
                type is 'c' for cs or 'd' for ds.

        /       stop execution - we have found main() function. It is at ADR.
                Its name follows '/' sign. If the name is not specified,
                it's taken as '_main'.

        ?<byte> ... ;
                Conditional.
                Test a byte at ADR. If it is equal to <byte> (hexadecimal),
                then continue execution. Otherwise skip ... part and jump
                to position after ';'.
                The ellipsis ... represents a sequence of any other symbols
                here. Conditionals can't be included in each other.

        ~<sigfile>/<funcname><+off>~ ... ;
                Apply a signature file at ADR-<off>.
                If the specified <funcname> is found at ADR, then continue
                execution. Otherwise jump to execution position after ';'.

                sigfile  - name of signature file to apply.
                           default: first signature file specified in -l switch
                           if sigfile == "-" then no signature file is applied,
                           only the <funcname> is tested.

                off      - offset from ADR. Must be hexadecimal 4-digit number
                           preceded by + sign.
                           default: 0

                funcname - name of function to compare.
                           default: WINMAIN

                For example, the shortest form is:

                        ~/~ ... ;

                This will apply the first signature to ADR and test a name
                appeared at ADR - it should be equal to WINMAIN.

        [mainname]
                MAIN <- ADR
                MAINNAME <- mainname
                Remember possible main() function address and name.
                Default main() name is WINMAIN.

        ( ... ) Switch to safe mode of execution.
                In this mode the execution
                is not stopped if something went wrong (can't convert to
                instruction, for example). In this case we jump to symbol
                after ')' and set FLAG to 0.
                Otherwise (if everything went ok), set FLAG to 1 when PTR is
                at ')'.

        ?? ... ;
                Test FLAG. If it is set (equal to 1), then continue execution.
                Otherwise jump to symbol after ';'.
                Conditionals can't be included in each other.

        @sigfile@
                plan to apply a signature file

Conditional semicolons (';') may be omitted.

Examples
--------

Please note that I give examples of most sophisticated usage of
-l switch. Usually you don't need it.

-------------------------
plb -a -lo=1:a=84:l=bc31tvd/bc31cls:bc31rtd:m=+EF^/ bcc\1.01\C0C.OBJ exe_bc31

        input file: bcc\1.01\C0C.OBJ
        output file: exe_bc31.pat
                the output file should exist.
                we will append to it.
        -l switch:
                OS type is MS DOS (o=1)
                Application: 16 bit program (a=84)
                Optional signatures: bc31tvd.sig
                                     bc31cls.sig
                Automatically apply: bc31rtd.sig
                main() hints:
                        add 0xEF to entry point of executable
                        follow code reference (there is 'call' instruction there)
                        main() function is here, its name is _main


-------------------------
echo -lo=2:a=84:bh16rwin:l=bh16cls/bh16owl/bh16ocf/bh16dbe>bh.tmp
plb -a @bh.tmp -lm=+AF^[]~/~+16^/ C0WC.OBJ ne_bh.pat


        input file: C0WC.OBJ
        output file: ne_bh.pat
                the output file should exist.
                we will append to it.
        -l switch:
                OS type is MS Windows (o=2)
                Application: 16 bit program (a=84)
                Automatically apply: bh16rwin
                Optional signatures: bh16cls
                                     bh16owl
                                     bh16ocf
                                     bh16dbe
                main() hints:
                  +AF   add 0xAF to entry point of executable
                  ^     follow code reference (there is 'call' instruction there)
                  []    remember the current address as possible WINMAIN address
                  ~/~   apply bh16rwin.sig to the current address. Test for WINMAIN
                        name. If it doesn't match, then stop - WINMAIN is here (because
                        we saved it with [] operator). If name matches, then continue.
                        (it is likely that EasyWin program is here)
                  +16   add 0x16 to the current address (ADR)
                  ^     follow the code reference (there is a 'call' instruction there)
                  /     main() function is here, its name is _main

-------------------------
--------------------------------------------------------------------------------
/readme:
--------------------------------------------------------------------------------

FLAIR -- Fast Library Acquisition for Identification and Recognition
====================================================================

FLAIR utilities allow you to create your own signature files from
OBJECT or LIBRARY files for IDA Pro v3.8 or higher.

FLAIR consists of the following executables:

        plb      parselib   processes OMF libraries and creates PAT file
        pcf      parsecoff  processes COFF libraries and creates PAT file
        pelf     parseelf   processes ELF libraries and creates PAT file
        ppsx     parsepsx   processes PSX libraries and creates PAT file (Sony Playstation)
        ptmobj   parsetobj  processes Trimedia libraries .... .... ....
        pomf166             Keil C166 object files (old format)
        sigmake  sigmake    takes PAT files as input and creates SIG file
        zipsig   zipsig     compresses and uncompresses SIG files
        dumpsig  dumpsig    dumps contents of SIG file in a text form.

Typical scenario of a signature creation is:
        - run a parser and create pattern (PAT) files
        - run sigmake and get EXC file with collisions
        - edit EXC file and resolve collisions
        - run sigmake again and get SIG file
        - repeat the above 2 steps while collisions remain
        - run zipsig and get compressed SIG file

A SIMPLE EXAMPLE
================

Suppose we have got a library named SAMPLE.LIB and want to make a
signature from it. If SAMPLE.LIB is an OMF library, the following will
do the job.

Only two commands:

        >PLB SAMPLE.LIB SAMPLE.PAT
        >SIGMAKE SAMPLE.PAT SAMPLE.SIG

Yes, that's all!

After these two commands we get either a signature file or a
collision file. If we get a signature file - great, that's what we
wanted. Otherwise we need to deal with collisions. The collision
file will be named SAMPLE.EXC. If we do not want to examine
collisions then the quickest method is to delete the comments at the
start of the collisions file and run sigmake again. After the second
run of sigmake we will get a signature file. We can compress the
resulting signature file with zipsig to save the disk space.

If SAMPLE.LIB is an AR/COFF library, then we need to run PCF instead
of PLB. If you are not sure about the format of your library, just
try to run both utilities (plb/pcf). If the input library has a wrong
format, they will clearly indicate it.

Of course this method of resolving collisions is not the best method.
If you want to get a truly good signature file, you need to go
through the collisions file and examine each collision closely,
deciding what to do with it. More about collisions is in SIGMAKE.TXT
file.

HOW TO USE THE CREATED SIGNATURE
================================

First of all, copy your signature file into SIG subdirectory of IDA.
If your signature is for a processor different from IBM PC, then create
a special subdirectory for your signature. The name of the subdirectory
should be equal to the name of the processor module file. For example,
all signature files for the C166 processor should be in SIG\C166.
Launch IDA.
In IDA, open the signatures window and press Insert. Select your
signature from the list and press Enter. IDA will eventually apply
your signature to the input file.


ADDING COMMENTS TO FUNCTIONS
============================

If you want to add comments to library functions, you can do that.
All you need is to create a special file with the comments to
the functions. This file will have an IDS format. So you will need
to download the utilities to work with IDS files.
Just put the IDS file into IDS\FLIRT subdirectory of IDA and IDA
will automatically use it.


STARTUP SIGNATURES
==================

If you want your signature to be applied automatically then you need to
create a startup signature.
Creation of startup signature files is slightly different.
You need to have all pattern files for all compilers in order to create
startup signature files. I've put all files needed to create startup
signatures in STARTUP directory.

To make your signature apply automatically you need to create startup
patterns, then copy them to STARTUP directory and run startup.bat
Please note the naming convention of startup patterns: EXE file patterns
have EXE*.PAT names etc.


PASCAL AND DELPHI SUPPORT
=========================

Nick Pisanov courteously provided us with the utilities to create
signatures from TPU files. See PASCAL subdirectory for the details.

MISC
====

About ZIPSIG utility: this utility allows you to compress the signature
files.
The compressed signature files occupy less disk space but it takes
more time to load them into IDA. This utility understands wildcards in
the input file names.

I've put some examples of command files and EXC files in EXAMPLE directory.

For information about utilities please read files
        PLB.TXT
        PCF.TXT
        SIGMAKE.TXT

For questions:
--------------------------------------------------------------------------------
/sigmake.txt:
--------------------------------------------------------------------------------

                        S I G M A K E
                        -------------

Sigmake takes pattern files as the input and creates a signature file.
It can take several pattern files at once.
Usage:

        sigmake [-sw] pattern-file(s) sig-file

where
        switches (-sw) may be kept in indirect file '@file'
                (one switch per line)

        input pattern files are file1+file2+file3...
        wildcard input file names are allowed too.
        the default extension of the input files is .PAT
        the default extension of the output file is .SIG
        The name of the output file should be no more than 8 symbols for compatibility.

collision resolving
-------------------
Sigmake looks for and takes as the input file <name>.exc (<name> is the name of the
output signature file). This file contains a list of excluded function names
and other directives for sigmake. EXC file is a text file. Sigmake will
automatically create an EXC file if it doesn't exist. If an EXC file exists, sigmake
will append information to it.

If sigmake creates an EXC file, then you must edit it and re-run sigmake.

NOTE: although sigmake uses all information from pat files, it doesn't
write everything into sig file. Some information during this process
is lost and therefore the process is not reversible.

Description of switches
-----------------------

-x...   name of file with excluded function names
        default is <name>.exc

-c      Check presence of ctype directive. If this switch is specified,
        the input pattern files must be prepared with -c switch of
        parselib.

-d...   debugging output file (default: <name>.err)
        This file contains dump of output signature file.

-n...   signature file title for IDA.
        If not specified, "Unnamed sample library" is taken by default.
        This title will appear in the window of signatures in IDA.


-D...   name is data name, not code name
        Not recommended to use, because the same effect may be achieved
        by the directive in EXC file.

-a...   application types the signature may be applied to.
        Combination of bits. When in doubt, set a bit.
        (list of bits can be displayed by -ha switch)
                0001 console
                0002 graphics
                0004 program (EXE)
                0008 library (DLL)
                0010 driver (VxD)
                0020 Single-threaded
                0040 Multi-threaded
                0080 16bit
                0100 32bit
        GUI version of IDA does not use this information
        TXT version: The signature file will appear in the abridged list of
        signatures if bit is set.

-o...   os types the signature may be applied to.
        Combination of bits. When in doubt, set a bit.
        (list of bits can be displayed by -ho switch)
                0001 MS DOS
                0002 MS Windows
                0004 OS/2
                0008 Netware
        GUI version of IDA does not use this information
        TXT version: The signature file will appear in the abridged list of
        signatures if bit is set.

-f...   file format types the signature may be applied to.
        Combination of bits. When in doubt, set a bit.
        (list of bits can be displayed by -hf switch)
                00000001 MS DOS EXE File
                00000002 MS DOS COM File
                00000004 Binary File
                00000008 MS DOS Driver
                00000010 New Executable (NE)
                00000020 Intel Hex Object File
                00000040 MOS Technology Hex Object File
                00000080 Linear Executable (LX)
                00000100 Linear Executable (LE)
                00000200 Netware Loadable Module (NLM)
                00000400 Common Object File Format (COFF)
                00000800 Portable Executable (PE)
                00001000 User-defined format
                00002000 Object Module Format (OMF)
                00004000 S-record format
                00008000 ZIP archive
        GUI version of IDA does not use this information
        TXT version: The signature file will appear in the abridged list of
        signatures if bit is set.

-p...   processor id
        (list of ids can be displayed by -hp switch or taken
        from idp.hpp in IDA SDK)
        GUI version of IDA does not use processor ids
        TXT version: the signature file will appear in the abridged list of
        signatures if the id is set correctly.
        Default is 0 (IBM PC).

-s      make startup signature.
        This switch must be specified for startup signatures.
        Sigmake produces slightly different signature file if this
        switch is specified. For example, references to functions can't
        be used in startup signatures because a startup signature is
        applied at the start of disassembling and no function names
        are present yet.

-t...   minimal length of normal function. If the function is smaller,
        then a fixup reference is generated. Default: 16 (decimal)

-h#     help (#:a-apptype,o-ostype,f-formats,p-processor)


Format of EXC file
------------------

EXC file is a text file.
Lines starting with a semicolon are comment lines.
Sigmake stops reading EXC file when it encounters a line starting with

;------

and will append information from that file position. Since this line
is generated each time sigmake creates an EXC file, don't forget to
remove it. Otherwise sigmake will ignore your modifications in the
EXC file.
Sigmake automatically creates EXC file if it is not present.
It starts EXC file with the following lines:

;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module
; add '-' if you are not sure about the selection
; do nothing if you want to exclude all modules

EXC file contains names of functions to be excluded from the signature file.
Sigmake writes names in groups. Each group represents one or more collisions.
Each module is represented with one line, for example:

_remove 00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................
_unlink 00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................

At the start of the line there is the function name. The rest of the line contains
information about the module (checksums, pattern and other) needed to
distinguish one module from another with the same name.
Your task is to insert '+' or '-' sign at the start of the lines to resolve
collisions.
+ means that you are sure about your selection,
- means that the name will appear as a comment in IDA.

For example, if we decide to exclude _remove from the signature and leave
_unlink, then we insert a '+' sign:

_remove 00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................
+_unlink 00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................


This way we tell sigmake to exclude the _remove() function and keep the _unlink() function in the
signature.


Two directives may appear in the EXC file:

 DATA=name

note that the first character is a space character - this is common to all
directives in the EXC file. This directive means
that the specified name is a data name, not code name and IDA will not
convert bytes at this name to an instruction.

 LIBNAME=library name

has the same meaning as -n switch: specifies the name of the signature file which appears
in the window of signatures.

--------------------------------------------------------------------------------
/vc6libc.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/vc6libc.jpg
--------------------------------------------------------------------------------
/vc_tools/LIB.EXE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/vc_tools/LIB.EXE
--------------------------------------------------------------------------------
/vc_tools/LINK.EXE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/vc_tools/LINK.EXE
--------------------------------------------------------------------------------
/vc_tools/MSPDB60.DLL:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wanttobeno/IDASignMaker/f562c4078078fcd7bd2e1870002206a09cf061b5/vc_tools/MSPDB60.DLL
--------------------------------------------------------------------------------
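The EXC collision file described in sigmake.txt above (the ";------" header that must be removed, one module per line, '+'/'-' marks, and the space-prefixed DATA= and LIBNAME= directives) is easy to get wrong by hand on a large library, and the readme's quick method of just deleting the header comments throws away every colliding name. The Python below is an added example, not part of the IDASignMaker repository or of the FLAIR tools: it parses an EXC file, drops the sigmake header so the file will be read on the next run, marks with '+' the name the analyst wants kept in each group, reports the groups it could not decide, and writes the file back. It assumes that collision groups are separated by blank lines and that a module line has exactly the `name crc-length crc16 pattern` layout shown in sigmake.txt; the sample EXC text is constructed for the demo, and its second group and checksum values are made up.

```python
"""Parse, resolve and rewrite an IDA FLAIR sigmake EXC (collision) file.

Added example, not part of the IDASignMaker repository or of the FLAIR tools.
Assumptions (labelled): collision groups are separated by blank lines, and a
module line is exactly  [+|-]name crc_len crc16 pattern  as in sigmake.txt.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# sigmake stops reading at a line starting with ";------"; everything it writes
# is a ';' comment, so dropping every comment line yields a file it will read.
MODULE_RE = re.compile(
    r"^([+-]?)(\S+)\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+(.*?)\s*$"
)


@dataclass
class Module:
    name: str
    crc_len: str    # bytes covered by the CRC16, 2 hex digits
    crc16: str      # CRC16 of those bytes, 4 hex digits
    pattern: str    # leading bytes of the function, '..' = variable byte
    mark: str = ""  # '', '+' (keep) or '-' (keep as a comment in IDA)

    def to_line(self) -> str:
        return f"{self.mark}{self.name} {self.crc_len} {self.crc16} {self.pattern}"


@dataclass
class ExcFile:
    directives: list[str] = field(default_factory=list)        # e.g. "LIBNAME=..."
    groups: list[list[Module]] = field(default_factory=list)   # one list per collision


def parse_exc(text: str) -> ExcFile:
    """Read EXC text into directives and collision groups, discarding comments."""
    exc = ExcFile()
    current: list[Module] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(";"):
            continue                        # comment, including the ;------ header
        if line.startswith(" ") and "=" in line:
            exc.directives.append(line.strip())   # " DATA=x" / " LIBNAME=x"
            continue
        if not line:
            if current:                     # blank line closes a group (assumption)
                exc.groups.append(current)
                current = []
            continue
        m = MODULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised EXC line: {line!r}")
        mark, name, crc_len, crc16, pattern = m.groups()
        current.append(Module(name, crc_len, crc16, pattern, mark))
    if current:
        exc.groups.append(current)
    return exc


def resolve(exc: ExcFile, keep: set[str]) -> tuple[ExcFile, list[int]]:
    """Mark with '+' the one module per group whose name is in `keep`.

    Groups already carrying a '+' or '-' are left as the analyst wrote them.
    Groups with no (or more than one) name in `keep` stay unmarked, which
    makes sigmake exclude every name in them; their indices are returned so
    they can be inspected by hand instead of being silently dropped.
    """
    unresolved: list[int] = []
    for i, group in enumerate(exc.groups):
        if any(m.mark for m in group):
            continue
        chosen = [m for m in group if m.name in keep]
        if len(chosen) != 1:
            unresolved.append(i)
            continue
        chosen[0].mark = "+"
    return exc, unresolved


def dump_exc(exc: ExcFile) -> str:
    """Serialize back to the EXC layout sigmake reads (no header comments)."""
    out = [" " + d for d in exc.directives]   # directives start with a space
    for group in exc.groups:
        out.extend(m.to_line() for m in group)
        out.append("")
    return "\n".join(out) + "\n"


# Constructed sample EXC text: the first group is the _remove/_unlink pair
# from sigmake.txt; the second group and its checksums are made up.
SAMPLE_EXC = """\
;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module
; add '-' if you are not sure about the selection
; do nothing if you want to exclude all modules
 LIBNAME=Sample library
_remove 00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................
_unlink 00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................

_strcpy 05 1A2B 8BFF558BEC8B4D08........5DC3
_wcscpy 05 1A2B 8BFF558BEC8B4D08........5DC3
"""

if __name__ == "__main__":
    exc, pending = resolve(parse_exc(SAMPLE_EXC), keep={"_unlink"})
    print(dump_exc(exc))
    print("groups still needing a manual decision:", pending)
```

Running it on the sample writes `+_unlink` in front of the first group, leaves the second group unmarked and reports it as index 1, so the analyst sees exactly which collisions sigmake will drop rather than losing them the way a blanket header deletion does. Groups the analyst has already annotated with '+' or '-' are never touched, so the script can be re-run after each sigmake pass.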