A SIG file is the equivalent of a symbol file in IDA. If the target is a PE program you wrote yourself, compilation leaves an OBJ file, and you can use the tools below to convert it into a SIG file for use in IDA. To apply the SIG, copy the SIG file to the SIG folder under the IDA directory, then in IDA press SHIFT + F5 and right-click to add the corresponding entry. The function names in the disassembly are then changed to the original function names, which makes the listing easier to read. A third-party Lib can be converted to a SIG in the same way. The tools required for the conversion are pcf.exe, link.exe and sigmake.exe, which can be obtained from the files accompanying the book "C++ Disassembly and Reverse Analysis". The three files can be copied to system32 for ease of use.
1. Convert OBJ to sig
pcf test.obj
(produces the PAT file)
sigmake test.pat test.sig
(generates the SIG file from the PAT file produced in the first step)
2. Convert lib to sig
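Because a Lib contains many OBJ files, we use a batch script here. The following code is taken from "C++ Disassembly and Reverse Analysis":
rem %1 is the library name without the .lib extension
md %1_objs
cd %1_objs
rem Extract every object file contained in the library
for /F %%i in ('link -lib /list %1.lib') do link -lib /extract:%%i %1.lib
rem Generate a .pat pattern file for each object file
for %%i in (*.obj) do pcf %%i
rem First pass: if there are collisions, sigmake writes them to %1.exc
sigmake -n"%1.lib" *.pat %1.sig
rem Strip the header lines from %1.exc so that sigmake accepts it on the second pass
if exist %1.exc for %%i in (%1.exc) do find /v ";" %%i > abc.exc
if exist %1.exc for %%i in (%1.exc) do > abc.exc more +2 "%%i"
copy abc.exc %1.exc
del abc.exc
rem Second pass generates the final signature file
sigmake -n"%1.lib" *.pat %1.sig
rem Copy the result to the parent directory and clean up
copy %1.sig ..\%1.sig
cd ..
del %1_objs /s /q
rd %1_objs
Save it as a .bat file and run it.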
Summary:
To create a signature, follow these steps:
1. Obtain a static library for which you want to create a signature file.
2. Use a FLAIR parser to create a pattern file for the library.
3. Run sigmake.exe to process the generated pattern file and generate a signature file.
4. Copy the new signature file to the <idadir>/sig directory to install it.