IDA Signsrch

Storm Shadow

Source Macromonkey

IDA Signsrch
=========================================================
IDA Pro plug-in conversion of Luigi Auriemma's signsrch signature matching tool.

Version 1.03, January 2013
By Sirmabus

----- [Description] -----------------------------------------------------------

From Luigi's original signsrch description:
"Tool for searching signatures inside files, extremely useful as help in
reversing jobs like figuring or having an initial idea of what
encryption/compression algorithm is used for a proprietary protocol or file.
It can recognize tons of compression, multimedia and encryption algorithms and
many other things like known strings and anti-debugging code which can be also
manually added since it's all based on a text signature file read at runtime
and easy to modify."

I've used his tool in the past to help find various bits of crypto sections
and what not. For example the log-in sections of some online game clients.
To use the tool in IDA I would have to run signsrch output piped to a text
file, like this: "signsrch -b Target.exe >Temp.txt".
And then tediously take the address of each match offset and look them up
manually.
Plus facilitated by a plug-in I added an automatic label commenting feature.

Not to be confused with IDA FLIRT "sig" technology, these signatures are direct
binary patterns. Currently there are about 1400 of these signatures from the
source text database "signsrch.sig".
-------------------------------------------------------------------------------





Dialog: The "Arco della Pace" (Arch of Peace) in Milan, Italy.



Example output showing 96 found matches:



Example placed comment with the <$ignsrch> tag:


History:
1.03:
1) Fixed bad standard/CRT mixed with custom allocator method bug.
2) Updated and fixed custom UI elements.

1.02:
1. Minor clean up of GUI customizations.
2. Full sources now included.

IDA_Signsrch.plw - MD5: 33E6D1B527CA92AD7D3F2F33A2E41E44

http://www.putlocker.com/file/B6908550023A2A9D
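
An added example, not part of the original post or the plug-in's sources: a minimal sketch of the "direct binary pattern" matching described above, as opposed to FLIRT-style function signatures. The signature names, the three constant sets (well-known algorithm constants, not entries taken from signsrch.sig), the sample buffer and the comment layout around the `<$ignsrch>` tag are all assumptions made for illustration.

```python
import struct

# Constructed signature set: well-known algorithm constants,
# NOT entries copied from signsrch.sig.
CONSTANTS = {
    "MD5 initial state": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "CRC-32 table (poly 0xEDB88320)": (0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
    "SHA-256 round constants K": (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
}

def _words(values, endian):
    """Pack 32-bit words as raw bytes in the given byte order ('<' or '>')."""
    return struct.pack(endian + "%dI" % len(values), *values)

def build_signatures():
    """Expand each constant set into little- and big-endian byte patterns."""
    sigs = []
    for name, values in CONSTANTS.items():
        for endian, tag in (("<", "le"), (">", "be")):
            sigs.append(("%s [32.%s]" % (name, tag), _words(values, endian)))
    return sigs

def scan(data, image_base=0):
    """Return sorted (address, signature name) pairs for every pattern hit."""
    hits = []
    for name, pattern in build_signatures():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((image_base + pos, name))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)

def as_comments(hits, tag="<$ignsrch>"):
    """Render hits as tagged comment lines (layout is assumed, not the plug-in's)."""
    return ['%08X  %s "%s"' % (addr, tag, name) for addr, name in hits]

def sample_image():
    """Constructed test buffer: filler bytes around two embedded constant tables."""
    pad = b"\x90" * 0x40
    md5 = _words(CONSTANTS["MD5 initial state"], "<")
    sha = _words(CONSTANTS["SHA-256 round constants K"], ">")
    return pad + md5 + pad + sha + pad

if __name__ == "__main__":
    for line in as_comments(scan(sample_image(), image_base=0x401000)):
        print(line)
```

Matching both byte orders matters because the same table can be stored either way depending on the target and the implementation; a hit only says the constants are present, so the surrounding code still has to be read to confirm the algorithm.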