FLAIR -- Fast Library Acquisition for Identification and Recognition
====================================================================

FLAIR utilities allow you to create your own signature files from
OBJECT or LIBRARY files for IDA Pro v3.8 or higher.

FLAIR consists of the following executables:

  plb      parselib   processes OMF libraries and creates PAT file
  pcf      parsecoff  processes COFF libraries and creates PAT file
  pelf     parseelf   processes ELF libraries and creates PAT file
  ppsx     parsepsx   processes PSX libraries and creates PAT file
                      (Sony Playstation)
  ptmobj   parsetobj  processes Trimedia libraries
  ....     ....       ....
  pomf166             Keil C166 object files (old format)
  sigmake  sigmake    takes PAT files as input and creates SIG file
  zipsig   zipsig     compresses and uncompresses SIG files
  dumpsig  dumpsig    dumps contents of SIG file in a text form

A typical scenario of signature creation is:

  - run a parser and create pattern (PAT) files
  - run sigmake and get EXC file with collisions
  - edit EXC file and resolve collisions
  - run sigmake again and get SIG file
  - repeat the above 2 steps while collisions exist
  - run zipsig and get compressed SIG file

A SIMPLE EXAMPLE
================

Suppose we have got a library named SAMPLE.LIB and want to make a
signature from it. If SAMPLE.LIB is an OMF library, the following will
do the job. Only two commands:

        >PLB SAMPLE.LIB SAMPLE.PAT
        >SIGMAKE SAMPLE.PAT SAMPLE.SIG

Yes, that's all! After these two commands we get either a signature
file or a collision file. If we get a signature file - great, that's
what we wanted. Otherwise we need to deal with collisions. The
collision file will be named SAMPLE.EXC. If we do not want to examine
collisions, then the quickest method is to delete the comments at the
start of the collisions file and run sigmake again. After the second
run of sigmake we will get a signature file. We can compress the
resulting signature file with zipsig to save disk space.

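The quick method above can be scripted. The following is an added
example, not part of the FLAIR package: the function names are
hypothetical, and it assumes that comment lines in the EXC file start
with ';', that the EXC file is written next to the PAT file with the
same base name, and that the FLAIR executables are on PATH.

```python
import subprocess
from pathlib import Path

def strip_leading_comments(exc_path, comment=";"):
    """Delete the comment lines at the start of an EXC file.
    Returns the number of lines removed. Assumption: comments start with ';'."""
    path = Path(exc_path)
    lines = path.read_text(errors="replace").splitlines(keepends=True)
    n = 0
    while n < len(lines) and lines[n].lstrip().startswith(comment):
        n += 1
    if n:
        path.write_text("".join(lines[n:]))
    return n

def run_tool(argv):
    """Default runner: start a FLAIR executable and wait for it to finish."""
    subprocess.run(argv, check=False)

def build_sig(lib, parser="plb", runner=run_tool, max_rounds=5):
    """Parser, then sigmake; on collisions strip the EXC header and rerun.
    Use parser="pcf" for AR/COFF libraries. Returns (sig_path, sigmake_runs)."""
    lib = Path(lib)
    pat, sig, exc = (lib.with_suffix(s) for s in (".pat", ".sig", ".exc"))
    sig.unlink(missing_ok=True)      # a stale SIG would look like success
    runner([parser, str(lib), str(pat)])
    if not pat.exists():
        raise RuntimeError(f"{parser} wrote no PAT file; wrong library format?")
    for runs in range(1, max_rounds + 1):
        runner(["sigmake", str(pat), str(sig)])
        if sig.exists():
            return sig, runs
        # No SIG: sigmake is expected to have left a collision file behind.
        if not exc.exists() or strip_leading_comments(exc) == 0:
            raise RuntimeError("no SIG file and no comment header to delete")
    raise RuntimeError(f"collisions still unresolved after {max_rounds} runs")

if __name__ == "__main__":
    import sys
    print(build_sig(sys.argv[1], *sys.argv[2:3]))
```
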
If SAMPLE.LIB is an AR/COFF library, then we need to run PCF instead of
PLB. If you are not sure about the format of your library, just try to
run both utilities (plb/pcf). If the input library has a wrong format,
they will clearly indicate it.

Of course this method of resolving collisions is not the best method.
If you want to get a truly good signature file, you need to go through
the collisions file and examine each collision closely, deciding what
to do with it. More about collisions is in the SIGMAKE.TXT file.

HOW TO USE THE CREATED SIGNATURE
================================

First of all, copy your signature file into the SIG subdirectory of
IDA. If your signature is for a processor different from IBM PC, then
create a special subdirectory for your signature. The name of the
subdirectory should be equal to the name of the processor module file.
For example, all signature files for the C166 processor should be in
SIG\C166.

Launch IDA. In IDA, open the signatures window and press Insert.
Select your signature from the list and press Enter. IDA will
eventually apply your signature to the input file.

ADDING COMMENTS TO FUNCTIONS
============================

If you want to add comments to library functions, you can do that.
All you need is to create a special file with the comments to the
functions. This file will have an IDS format. So you will need to
download the utilities to work with IDS files. Just put the IDS file
into the IDS\FLIRT subdirectory of IDA and IDA will automatically use
it.

STARTUP SIGNATURES
==================

If you want your signature to be applied automatically, then you need
to create a startup signature. Creation of startup signature files is
slightly different. You need to have all pattern files for all
compilers in order to create startup signature files. I've put all
files needed to create startup signatures in the STARTUP directory.

To make your signature apply automatically, you need to create startup
patterns, then copy them to the STARTUP directory and run startup.bat.
Please note the naming convention of startup patterns: EXE file
patterns have EXE*.PAT names etc.

PASCAL AND DELPHI SUPPORT
=========================

Nick Pisanov courteously provided us with the utilities to create
signatures from TPU files. See the PASCAL subdirectory for the details.

MISC
====

About the ZIPSIG utility: this utility allows you to compress the
signature files. The compressed signature files occupy less disk space
and it takes more time to load them into IDA. This utility understands
wildcards in the input file names.

I've put some examples of command files and EXC files in the EXAMPLE
directory.

For information about utilities please read files

        PLB.TXT
        PCF.TXT
        SIGMAKE.TXT

For questions: