I was recently tasked with a reverse engineering project where I was provided with a random binary and was supposed to determine everything that this binary did. Straightforward RE project. The binary turned out to be an ELF binary that was statically compiled and stripped of all symbols. OK, so that makes things quite a bit more tedious, but still doable. I did a bit of dynamic analysis and then fired up IDA and began the disassembly process. It quickly became apparent that I'm far too lazy to go through every single static library function and identify it, and sadly IDA does not have a signature file for the particular version of libc that was compiled into the binary. So I had to automate the identification steps, and here's what I did. (Thanks to the Uninformed/Nologin folks for helping me learn this process.)
The first step in the process is to download the FLAIR package from Datarescue. Once you've uncompressed the package you will find a bin directory that contains a few binary programs. The ones we are interested in are "pelf" and "sigmake". The next step is to locate the libc.a that was used during the compilation of your binary. This is not always an easy process and I won't go into detail on how to do it here. Suffice it to say that "strings" is usually the quickest way to figure out which system/GCC version your binary was compiled against. From there it's a matter of probability to determine the most likely libc.a candidates.
Once you've got the correct libc.a you execute the following command: "pelf libc.a libc.pat". This will produce a pattern file based on signatures of the functions from the libc.a file. You then run the libc.pat file through the sigmake program by executing "sigmake libc.pat". The result of this execution will be a list of signature collisions saved in a .exc file. The pattern generation program, pelf, looks through libc.a and generates a fingerprint (pattern) for each function in the library. If there are functions that have identical fingerprints it is up to you to determine which ones you would like to use in the identification of your functions. Go through the .exc file and mark which signature is correct by analyzing the libc.a in IDA by hand and resolving any conflicts. Alternatively you can just tell the .exc file to not label ANY conflicts and do those by hand as you find necessary.
Once you have ironed out your conflicts, re-run sigmake and a libc.sig file will be generated. I highly advise you to rename this file to something other than libc.sig as it will conflict with the already existing (and not proper for our binary) libc.sig file that is deployed with IDA.
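As an added example (not part of the original post), here is a shell wrapper for the pelf / sigmake / .exc round trip described above. It assumes pelf and sigmake are on PATH and that the .exc layout is the FLAIR one: a ';' comment header that has to be deleted, then blank-line separated collision groups, one function per line, with a leading '+' selecting the one to keep. The function names resolve_exc, count_selected, build_sig and demo_exc are my own.

```shell
#!/bin/sh
# Assumption: pelf and sigmake (FLAIR) are on PATH.

# resolve_exc IN OUT "name1 name2 ..."
# Strips the ';' header sigmake wants removed and prefixes '+' to each
# listed function so it is kept for its collision group. Groups with no
# listed name stay unmarked, i.e. excluded from the .sig, which is the
# "label no conflicts, do them by hand later" option.
resolve_exc() {
    in="$1"; out="$2"; keep="$3"
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^;/ { next }                            # drop comment header
        NF && ($1 in want) { print "+" $0; next } # select this function
        { print }                                # leave the rest as-is
    ' "$in" > "$out"
}

# count_selected FILE -> number of '+'-marked functions (0 if none)
count_selected() { grep -c '^+' "$1" || true; }

# build_sig LIBC_A NAME "kept names" -> NAME.sig
# NAME must not be "libc": libc.sig would shadow the one shipped with IDA.
build_sig() {
    lib="$1"; name="$2"; keep="$3"
    pelf "$lib" "$name.pat"
    # first run fails on collisions and writes NAME.exc for us to resolve
    sigmake "$name.pat" "$name.sig" || true
    [ -f "$name.exc" ] || return 0              # no collisions: done
    resolve_exc "$name.exc" "$name.exc.tmp" "$keep"
    mv "$name.exc.tmp" "$name.exc"
    sigmake "$name.pat" "$name.sig"             # second run emits the .sig
}

# demo_exc FILE: writes a constructed .exc with two collision groups
# (sample data, not output from a real libc.a).
demo_exc() {
    printf '%s\n' \
        ';--------- (delete these lines to allow sigmake to read this file)' \
        '; add + at the start of a line to select a module' \
        '' \
        'memcpy                 00 0000 5589E583EC08' \
        '__memcpy               00 0000 5589E583EC08' \
        '' \
        'strlen                 00 0000 5589E583EC18' \
        '__strlen               00 0000 5589E583EC18' > "$1"
}
```

Run as: build_sig /path/to/libc.a glibc_2_3 "memcpy strlen" to get glibc_2_3.sig.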
Open up IDA and load the binary. Go under the "windows" menu of IDA and choose "List of applied library modules". Press the insert key and select your SIG file. This should apply the sig to the binary and should identify a vast majority of the libc functions that have been statically linked into the binary.
Continue to RE your binary and have fun!