mirror of
https://github.com/radareorg/radare2.git
synced 2025-01-21 05:05:48 +00:00
50 lines
1.5 KiB
Plaintext
50 lines
1.5 KiB
Plaintext
FLIRT
|
|
=====
|
|
At the moment of writing r2 supports loading and finding FLIRT
|
|
patterns, those files can be generated with the FLIRT tools from IDA.
|
|
R2 doesn't yet supports creating those files. But it supports its
|
|
own signature format which can be used to generate signatures and
|
|
find them.
|
|
|
|
This document will focus on FLIRT, not the native r2 'Zignatures'.
|
|
|
|
You need the flair tools/ida utilities. Those tools are closed source
|
|
and privative, so you should not distribute them. It is probable that
|
|
it is not possible to redistribute the .pat or the .sig files. It
|
|
doesn't seems to have watermarks. However it's a bit unclear what
|
|
licence the file generated should have. Mentioning the files should
|
|
be free of copyrighted material (the original libs bytes). That said,
|
|
there's a paragraph in the flirt paper:
|
|
|
|
https://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml
|
|
|
|
|
|
Create the .pat file
|
|
--------------------
|
|
|
|
cd flair/bin/linux
|
|
./pelf -p64 /usr/lib/x86_64-linux-gnu/libc.a libc.pat
|
|
|
|
Create the .sig file (possible collisions):
|
|
--------------------
|
|
|
|
./sigmake -n <libname> libc.pat libc.sig
|
|
|
|
There's little chance libc.sig will be compatible across systems and
|
|
libc versions. If libc.exc exists, you need to resolve some functions
|
|
conflicts. Prepend a '+' on the lines you're sure you want to keep
|
|
(see end of flair/sigmake.txt). Then redo the sigmake command. The
|
|
.sig is now ready to be used with r2.
|
|
|
|
Using it with r2:
|
|
-----------------
|
|
|
|
$ r2 -c 'zF libc.sig' staticbin
|
|
|
|
PROFIT.
|
|
|
|
refs:
|
|
flair/sigmake.txt
|
|
flair/pat.txt
|
|
|