Enhancing IDA disassembler listings with FLIRT

The F.L.I.R.T. technology of IDA will allow you to enhance your disassembly with signatures for standard functions calls. This will improve the readability, especially for architectures you're less familiar with. I've created for example the flirt signatures for eCos the following manner:

First you need to install and compile eCos:

Download from here:

You can see the supported eCos platforms using:

ecosconfig list 

Next build eCos for the atlas mips32 platform.

ecosconfig new atlas_mips32_4kc all
ecosconfig tree

The ecosconfig new command will create the configuration, ecosconfig tree will setup the buildtree. Make will build eCos.

Create signature

Change to the flair66/bin/linux path.

find /opt/ecos2/ -name "*.o" -exec ./pelf -a -f {} /vagrant/ecos2.pat \;

This will find all ".o" files and extract the signatures. The -a signature will append the output. The -f will get the found file. You'll see output like this:

/opt/ecos2/language/c/libc/stdlib/v2_0/src/language_c_libc_stdlib_strtod.o: skipped 0, total 2
/opt/ecos2/language/c/libc/stdlib/v2_0/src/language_c_libc_stdlib_atox.o: skipped 0, total 3
/opt/ecos2/language/c/libc/stdlib/v2_0/src/language_c_libc_stdlib_system.o: skipped 0, total 1
/opt/ecos2/language/c/libc/stdlib/v2_0/src/language_c_libc_stdlib_abs.o: skipped 0, total 2
/opt/ecos2/language/c/libc/stdlib/v2_0/src/language_c_libc_stdlib_rand.o: skipped 0, total 3
/opt/ecos2/language/c/libc/stdlib/v2_0/src/language_c_libc_stdlib_getenv.o: skipped 0, total 1
---- truncated ----

The file /vagrant/ecos2.pat contains the patterns extracted from the ELF files. The patterns consist of a methodname, and signature. These are combined per module.

When the signature is too small to make a difference, the file /vagrant/ecos2.exc will contain the grouped signatures. It is a good practice to skip signatures too small, because these will give false positives.

You need to indicate that you are ready with the exception list by removing the commented lines at the top.

Now you can make the actual signature file:

root@packer-vmware-iso:/vagrant/flair66/bin/linux# ./sigmake -vvv /vagrant/ecos2.pat /vagrant/ecos2.sig

This will give the following output:

Signature file maker (c) 1997-2014 Hex-Rays. Version 1.48
Reading file /vagrant/ecos2.pat
Total leaves in tree now=2070; total dropped=3906
Resolving collisions...
Number of modules/leaves: 1823/2029

Copy the signature file to the sig folder of IDA (on OSX this will be /Applications/IDA Pro 6.6/idaq.app/Contents/MacOS/sig/mips/ecos.sig

Now you can apply the signature file in IDA, using File, Load File, FLIRT Signature File.