Create .sig file from .lib for IDA

I would like to share how to generate a .sig file that helps IDA identify library functions while you reverse code. Once the function names are known, the reverser can understand the code much more quickly.

Let's compare the decompiler output of the small apps below.

We can see that some functions, such as "sub_4011E0", are still unnamed, so it is not yet known what they actually do. Compare that with the output below.

In the decompile result above, "sub_4011E0" has been replaced with something much more understandable.

Let's say I have a small static library like the one below:

// MathLibrary.h
#pragma once

namespace MathLibrary
{
    class Arithmetic
    {
    public:
        // Returns a + b
        static double Add(double a, double b);

        // Returns a - b
        static double Subtract(double a, double b);

        // Returns a * b
        static double Multiply(double a, double b);

        // Returns a / b
        static double Divide(double a, double b);
    };
}

// MathLibrary.cpp
// compile with: cl /c /EHsc MathLibrary.cpp
// post-build command: lib MathLibrary.obj

#include "MathLibrary.h"

namespace MathLibrary
{
    double Arithmetic::Add(double a, double b)
    {
        return a + b;
    }

    double Arithmetic::Subtract(double a, double b)
    {
        return a - b;
    }

    double Arithmetic::Multiply(double a, double b)
    {
        return a * b;
    }

    double Arithmetic::Divide(double a, double b)
    {
        return a / b;
    }
}

When this code has been compiled successfully with debug information included, you can start creating the .sig file by following the steps below. Before you go further, you need the FLAIR tools from IDA.

  1. Copy the library into the IDA FLAIR tools directory
  2. Run pcf.exe to convert the .lib into a .pat file

After the .pat (pattern) file has been generated, the next step is to create the .sig (signature) file using sigmake.exe.
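The .pat file that pcf writes is plain text with one line per function: the first 32 bytes in hex, with ".." for bytes that a relocation will patch, followed by a CRC16 over the bytes after those 32, the module length, and the public and referenced names. sigmake builds the .sig from these lines, and the point where the process usually stalls is when two library functions have identical bytes: sigmake cannot tell them apart and reports them in a .exc file that you must edit before rerunning it. The script below is an added example, not code from the original post or from the FLAIR tools. It parses a handful of constructed .pat lines (the mangled MathLibrary names and byte sequences are illustrative assumptions, not real pcf output), shows how a pattern with wildcard bytes matches code, and flags the modules that would collide.

```python
"""Parse FLAIR .pat lines and spot modules sigmake cannot tell apart (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One .pat line per module, in the layout pcf emits:
#   <32 leading bytes as hex, ".." = variable byte> <crc length> <crc16> <module length>
#   :<offset> <public name> [^<offset> <referenced name>]... [tail bytes]
PAT_LINE = re.compile(
    r"^(?P<pattern>[0-9A-Fa-f.]{64}) "
    r"(?P<crc_len>[0-9A-Fa-f]{2}) (?P<crc>[0-9A-Fa-f]{4}) (?P<length>[0-9A-Fa-f]{4,8})"
    r"(?P<rest>.*)$"
)

# Constructed sample lines, NOT real pcf output for MathLibrary.lib.
# The two arithmetic functions are 24 bytes long, so the pattern is padded with wildcards.
# The two jump thunks are byte-identical and only differ in what they reference.
SAMPLE_PAT_LINES = [
    "558BEC83EC08DD4508DD450CDEC1DD5DF8DD45F88BE55DC3" + ".." * 8
    + " 00 0000 0018 :0000 ?Add@Arithmetic@MathLibrary@@SANNN@Z",
    "558BEC83EC08DD4508DD450CDEE9DD5DF8DD45F88BE55DC3" + ".." * 8
    + " 00 0000 0018 :0000 ?Subtract@Arithmetic@MathLibrary@@SANNN@Z",
    "E9" + ".." * 31 + " 00 0000 0005 :0000 ?thunk_Add@@YAXXZ ^0001 ?Add@Arithmetic@MathLibrary@@SANNN@Z",
    "E9" + ".." * 31 + " 00 0000 0005 :0000 ?thunk_Sub@@YAXXZ ^0001 ?Subtract@Arithmetic@MathLibrary@@SANNN@Z",
    "---",  # pcf ends the file with this marker
]


@dataclass
class PatModule:
    pattern: str
    crc_len: int
    crc: int
    length: int
    publics: list = field(default_factory=list)  # (offset, name) pairs
    refs: list = field(default_factory=list)     # (offset, referenced name) pairs
    tail: str = ""                               # bytes after the CRC'd region, as hex


def parse_pat(lines):
    """Turn .pat text lines into PatModule records; malformed lines raise ValueError."""
    modules = []
    for raw in lines:
        line = raw.strip()
        if not line or line == "---":
            continue
        m = PAT_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed .pat line: {line!r}")
        mod = PatModule(m["pattern"].upper(), int(m["crc_len"], 16),
                        int(m["crc"], 16), int(m["length"], 16))
        tokens = m["rest"].split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok[0] in ":^" and i + 1 < len(tokens):
                offset = int(tok[1:].rstrip("@"), 16)  # a trailing "@" marks a local name
                (mod.publics if tok[0] == ":" else mod.refs).append((offset, tokens[i + 1]))
                i += 2
            else:
                mod.tail += tok  # anything else is trailing bytes in hex
                i += 1
        modules.append(mod)
    return modules


def pattern_matches(pattern, code):
    """True if the start of `code` matches the 32-byte pattern; ".." matches any byte."""
    for i in range(32):
        chunk = pattern[2 * i:2 * i + 2]
        if chunk == "..":
            continue
        if i >= len(code) or code[i] != int(chunk, 16):
            return False
    return True


def find_collisions(modules):
    """Group modules by (pattern, crc length, crc, length). A group that carries more
    than one distinct public name is a collision: a byte match alone cannot pick the
    right name, which is what sigmake reports in its .exc file."""
    groups = defaultdict(set)
    for mod in modules:
        groups[(mod.pattern, mod.crc_len, mod.crc, mod.length)].update(n for _, n in mod.publics)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    mods = parse_pat(SAMPLE_PAT_LINES)
    for mod in mods:
        print(f"{mod.length:4d} bytes  {mod.publics[0][1]}  refs={[n for _, n in mod.refs]}")
    for key, names in find_collisions(mods).items():
        print("collision:", key[0][:16] + "...", "->", ", ".join(names))
```

Running it over a real .pat before invoking sigmake tells you up front which names will land in the .exc file, so you can decide which one to keep (or exclude both) instead of discovering it when sigmake refuses to write the .sig.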

Once the .sig file has been generated, copy it into IDA's signature collection directory as highlighted below. Don't forget to put it into the correct sub-folder, which in my case is pc.

When the file is in place, we can load the .sig file into the PE file we are going to reverse, which is statically linked with that library. Click File -> Load File -> FLIRT signature file...

Select the .sig file that you copied into the IDA signature collection directory and press OK.

Press OK again.

IDA will re-analyze the entire code and start renaming the functions that were initially unknown to the names listed in the .sig file.

When you decompile by pressing F5, the output will normally still show the unknown function names even though the disassembly has been re-analyzed and properly populated with the new names. If you are in that situation, just double-click on the function call and then click the back button; IDA will repopulate the function name with the correct one.
