Unveiling IDA Pro 9.0: Introducing the FLIRT Manager And Thousands Of New Signatures

FLIRT technology has been around for quite some time. It was first introduced in IDA 3.6 in 1996, and since then, it has saved analysts long hours of manual work. We believe most of you already know what FLIRT is, but we’ll say a few words for those just starting with IDA. The Fast Library Identification and Recognition Technology (FLIRT) allows IDA to recognize standard library functions generated by supported compilers. It dramatically improves the disassembly listing by making it more readable. 

You might have noticed that we recently incorporated a convenient tool for generating FLIRT signatures from the current database: the makesig plugin. With this extension, users can take a list of functions that have already been reverse-engineered, export them as a signature file, and migrate them into the current binary. This tool was just the beginning of more exciting developments.

In IDA 9.0, we’ve launched a new tool called FLIRT Manager. We will discuss this feature in a separate blog post, but in a few words, it lists all available signatures and allows the user to apply them tentatively (see the screenshots below). Perhaps one of the most valuable features of the FLIRT Manager is the ability to perform a multi-core analysis. Within the blink of an eye, you can analyze thousands of signatures if idalib is set up correctly. We also say goodbye to double-clicking every signature suggestion one at a time. Just bulk-select and the FLIRT Manager will do the hard part!

[Screenshots: flirt-manager-1, flirt-manager-2]

On top of that, we’ve supercharged FLIRT by adding thousands of signatures as separate downloads! You can decide which one to use for your project and load it into IDA. Now, take a moment to explore the signatures we’ve built in the new release:

  • Golang:
    • Versions: stable versions from 1.10.0 to 1.23
    • Windows: x86, x64, arm, arm64
    • Linux: i386, amd64, arm, arm64
    • Darwin: amd64, arm64
  • C/C++:
    • Windows (MSVC):
      • Architectures: arm, arm64, i386, amd64
      • Packages: ATL, CTL, MFC, Windows SDK 10, Windows SDK 11
    • Linux:
      • Distribution: Ubuntu & Debian
      • Architectures: i386, amd64, arm64, armhf, armel, arm, s390x, mips64el, mipsel, mips, ppc64el
      • Packages: libc6, libselinux1, libpcre2, libidn2, libssl, zlib1g, lib32z1, libunistring, libcurl4-gnutls, libcurl4-nss, libcurl4-openssl, libnghttp2, libidn2, librtmp, libssh, libssh-gcrypt, libpsl, libldap, libzstd, libbrotli, libgnutls28, nettle, libgmp, comerr, libsasl2, libbrotli, libtasn1-6, libkeyutils, libffi, uuid, libprotobuf, heimdal-multidev, musl, libplib, libsdl1.2-bundle (libsdl-console, libsdl-sge, libsdl1.2, libsdl-ocaml, libsdl-image1.2, libsdl-kitchensink, libsdl-mixer1.2, libsdl-net1.2, libsdl-sound1.2, libsdl-ttf2.0, libsdl1.2-compat, libsdl-gfx1.2, libsdl-pango), libsdl2-bundle (libsdl2, libsdl2-gfx, libsdl2-image, libsdl2-mixer, libsdl2-net, libsdl2-ttf)
  • Rust:
    • Versions: 1.77 to 1.81
    • Architectures: arm64, arm, x86, x86-64
    • Operating Systems: Linux, Windows, macOS
    • Compilers: GCC, LLVM, MSVC

This massive improvement means you can now tackle complex binaries faster than before and save time by focusing on the unknown parts of the code. Perhaps one of the greatest enhancements in IDA 9.0 is that we are going to maintain and update the signature databases. Yes, you will not have to worry about that. The signature updates happen automatically whenever the upstream program changes. This means your signatures stay up to date without manual intervention, ensuring you’re always working with the latest, most accurate information.