Ida & Flirt
FLIRT Signatures are really helpfull during ananlysing a stripped static Binary, but using them is not that easy, at least in my mind.
To generate a Signature File of a library, we first need the library as static compiled file.
git clone https://github.com/bminor/glibc.git
../configure CFLAGS=”-static -O1” –prefix “$glibc_install”
make -j X
This will generate a static libc.a:
ldd libc.a
not a dynamic executable
For generating a Signature File from the newly build libc.a we need
the signature-tools from IDA. To create Linux Library Files we need
pelf and sigmake. Although running the pelf leads very frequently
to the following error.
pelf libc.a libc.pat
Fatal [libc.a] (init-first.o): Unknown relocation type 42 (offset in section=0x21).
We can fix this by supporting relocation types, this is achieved by the
-r switch.
pelf -r 42:0:0 libc.a libc.pat
libc.a: skipped 4, total 1567
This generates a pat-file with 1567 included signatures, before importing the pat-file we have to convert it into a signature file, readable by IDA.
sigmake libc.pat libc.sig
libc.sig: modules/leaves: 1291/1562, COLLISIONS: 18
See the documentation to learn how to resolve collisions.
pelf is generating an entry for every Function found, sometimes
functions have the same Signature, these collisions we have to fix.
All collisions are reported in a .exc file. We edit this file and insert
a + infront of every function we want to keep. We remove all the comments as
suggested and we call sigmake again.
The generated .sig file can be imported into IDA, therefore we copy it to the
C:\Program Files\IDA 7.0\sig\pc folder. We can apply it later on a binary by:
File -> Load File -> FLIRT Signature File
Automatic Generation
There is a great tool on github which is generating Signature files for all kind of Ubuntu Versions, using launchpad.net.
But using this we have to be carefull, by default it zip’s all the
signature files using the custom zipsig tool. This has to be undone
before copying into IDA.
Also all Ubuntu Versions might be too much for your need, but chaning the python script is super easy.