Makesig

Built-in Makesig plugin is a tool for generating FLIRT signatures from a current database.

The content here was a part of the blog article

How to make signatures from working database?

Export the patterns from the database into a .sig file;
Re-import the .sig into the target database.

Example

Let’s see how that would work in a real scenario. Imagine working on a long-term reversing project with frequent new versions. With the makesig plugin, we can migrate the carefully curated list of functions that we already reverse-engineered and exported as a signature file, into the current binary (given that compiler flags didn’t change too much between releases). Let’s say we identified an interesting function In the older release (source) binary and wanted to port that information to the newer binary:

We can export a signature file for this function via menu item File -> Produce File -> Create SIG file...

Then, in the new binary file, we can import this signature file in the Signatures window:

As we can see, IDA applies the signature and reports that it found a match in the new database! And indeed, we can find the function, labeled as a library function, because its function name came from the signature file:

Last updated 1 month ago