makesig plugin overview
The makesig plugin was introduced in the IDA 8.4 release, and it is a convenient tool for generating FLIRT signatures from a current database. As you probably already know, FLIRT stands for Fast LibrarybIdentification and Recognition Technology, allowing IDA to recognize standard library functions generated by supported compilers. This technology improves the disassembly listing by making it more readable and usable. It is important to mention that it isn’t possible for IDA to cover all existing libraries, compilers, and linkers. For that reason, users can create their own signatures from known code.
Until IDA 8.4, making signatures from working database was possible but not straightforward:
- Exporting patterns from the database to a
.patfile; - Compiling a
.patinto a signature file (.sig); - Re-importing the
.sigfile into the target database.
Since the new release, this process has been significantly improved thanks to the built-in makesig plugin. You just need to:
- Export the patterns from the database into a
.sigfile; - Re-import the
.siginto the target database.
Let’s see how that would work in a real scenario. Imagine working on a long-term reversing project with frequent new versions. With the makesig plugin, we can migrate the carefully curated list of functions that we already reverse-engineered and exported as a signature file, into the current binary (given that compiler flags didn’t change too much between releases).
Let’s say we identified an interesting function In the older release (source) binary and wanted to port that information to the newer binary:
We can export a signature file for this function via the new menu item File -> Produce File -> Create SIG file
Then, in the new binary file, we can import this signature file in the Signatures window:
As we can see, IDA applies the signature and reports that it found a match in the new database! And indeed, we can find the function, labeled as a library function, because its function name came from the signature file:
