
makesig plugin overview

The makesig plugin was introduced in the IDA 8.4 release, and it is a convenient tool for generating FLIRT signatures from the current database. As you probably already know, FLIRT stands for Fast Library Identification and Recognition Technology; it allows IDA to recognize standard library functions generated by supported compilers. This technology improves the disassembly listing by making it more readable and usable. It is important to mention that it isn’t possible for IDA to cover all existing libraries, compilers, and linkers. For that reason, users can create their own signatures from known code.

Until IDA 8.4, making signatures from a working database was possible but not straightforward:

  • Exporting patterns from the database to a .pat file;
  • Compiling a .pat into a signature file (.sig);
  • Re-importing the .sig file into the target database.

Creation of a signature before IDA 8.4

Since the new release, this process has been significantly improved thanks to the built-in makesig plugin. You just need to:

  • Export the patterns from the database into a .sig file;
  • Re-import the .sig into the target database.

Let’s see how that would work in a real scenario. Imagine working on a long-term reversing project with frequent new versions. With the makesig plugin, we can migrate the carefully curated list of functions that we already reverse-engineered and exported as a signature file, into the current binary (given that compiler flags didn’t change too much between releases).

Let’s say we identified an interesting function in the older release (source) binary and wanted to port that information to the newer binary.

We can export a signature file for this function via the new menu item File -> Produce File -> Create SIG file 

Then, in the new binary file, we can import this signature file in the Signatures window.

As we can see, IDA applies the signature and reports that it found a match in the new database! And indeed, we can find the function, labeled as a library function, because its function name came from the signature file.
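
The caveat above, that a signature ports between releases only while the compiler output stays close, can be seen in a simplified model of masked pattern matching. This is an added example, not Hex-Rays code and not the FLIRT file format; the byte strings, the function names, and the rule that only `E8` call operands are variable are constructed assumptions.

```python
# Simplified model of masked byte-pattern matching (not IDA's FLIRT format).
# All byte strings below are constructed x86-64 samples.

CALL_REL32 = 0xE8  # call opcode followed by a 4-byte relative target


def make_pattern(func: bytes) -> list:
    """Turn function bytes into a pattern; None marks a variable byte.

    Assumption: the only variable bytes are rel32 operands of E8 calls.
    A real tool uses relocation and operand information, not a byte scan.
    """
    pattern, i = [], 0
    while i < len(func):
        pattern.append(func[i])
        if func[i] == CALL_REL32 and i + 4 < len(func):
            pattern.extend([None] * 4)  # mask the call target
            i += 4
        i += 1
    return pattern


def pat_text(pattern: list) -> str:
    """Render the pattern as hex, with '..' for each masked byte."""
    return "".join(".." if p is None else f"{p:02X}" for p in pattern)


def find_matches(pattern: list, image: bytes) -> list:
    """Return every offset in image where all non-masked bytes agree."""
    n = len(pattern)
    return [off for off in range(len(image) - n + 1)
            if all(p is None or p == image[off + k]
                   for k, p in enumerate(pattern))]


# push rbp; mov rbp,rsp; call +0x10; pop rbp; ret  (older release)
OLD_FUNC = bytes.fromhex("554889e5e8100000005dc3")
# Same code in the newer release: only the call target moved.
NEW_IMAGE = bytes.fromhex("909090" "554889e5e8a40200005dc3" "cccc")
# Rebuilt without a frame pointer: sub rsp,8; call; add rsp,8; ret
REBUILT_IMAGE = bytes.fromhex("4883ec08e8a40200004883c408c3")

if __name__ == "__main__":
    pat = make_pattern(OLD_FUNC)
    print("pattern:         ", pat_text(pat))
    print("exact bytes hit: ", OLD_FUNC in NEW_IMAGE)
    print("new release:     ", find_matches(pat, NEW_IMAGE))
    print("different flags: ", find_matches(pat, REBUILT_IMAGE))
```
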