In this example, if we choose to keep htons, we must prefix the htons line with a "+" character, telling sigmake to treat any function with the same signature as htons rather than ntohs. More detailed instructions on how to resolve collisions can be found in FLAIR's sigmake.txt file. Once you have edited the exclusions file, simply rerun sigmake with the same options. A successful run will result in no error or warning messages and the creation of the requested sig file.
Installing the newly created signature file is simply a matter of copying it to the sig subdirectory under your main IDA program directory. The installed signatures will now be available for use as shown in Figure 13-2.
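To sanity-check an edited exclusions file before rerunning sigmake, here is an added Python example (not from the book or from FLAIR's own tooling) that parses a constructed .exc sample in the layout I assume sigmake uses and reports any collision group that still lacks a "+" selection.

```python
"""Check a sigmake exclusions (.exc) file for unresolved collisions.
Assumed layout (added example, not FLAIR's own tooling): ';' lines are the
header sigmake writes, blank lines separate collision groups, each entry is
[+|-]name <columns>, and a leading '+' selects the name to keep."""
import re

# Constructed sample modelled on the htons/ntohs collision discussed above;
# the hex columns are made-up stand-ins for sigmake's real output.
SAMPLE_EXC = """\
;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module

+htons                  00 0000 0014 55 89 E5 8B 45 08
ntohs                   00 0000 0014 55 89 E5 8B 45 08

inet_aton               00 0000 0020 55 89 E5 83 EC 18
inet_addr               00 0000 0020 55 89 E5 83 EC 18
"""

ENTRY = re.compile(r"^([+-]?)(\S+)(?:\s+(.*))?$")


def parse_exc(text):
    """Return (header_present, groups); each group is a list of
    (marker, name) pairs where marker is '+', '-' or ''."""
    header_present = False
    groups, current = [], []
    for line in text.splitlines():
        if line.startswith(";"):
            header_present = True  # header left in: sigmake will not read the file
            continue
        if not line.strip():       # blank line closes the current group
            if current:
                groups.append(current)
                current = []
            continue
        m = ENTRY.match(line)
        if m:
            current.append((m.group(1), m.group(2)))
    if current:
        groups.append(current)
    return header_present, groups


def unresolved_groups(groups):
    """Groups with no '+' line are excluded wholesale by sigmake, so none of
    their functions would be recognised; report them by name."""
    return [[n for _, n in g] for g in groups if not any(m == "+" for m, _ in g)]
```

Run it on your real .exc file after editing: an empty result and a cleared header mean sigmake should now produce the sig file without collision warnings.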
Applying the new signatures to the following code:
.text:0804872C push ebp
.text:0804872D mov ebp, esp
.text:0804872F sub esp, 18h
.text:08048732 call sub_80593B0
.text:08048737 mov [ebp+var_4], eax
.text:0804873A call sub_805939C
.text:0804873F mov [ebp+var_8], eax
.text:08048742 sub esp, 8
.text:08048745 mov eax, [ebp+arg_0]
.text:08048748 push dword ptr [eax+0Ch]
.text:0804874B mov eax, [ebp+arg_0]
Chapter 13: Advanced Static Analysis with IDA Pro
Figure 13-2 Selecting appropriate signatures