kweatherman / sigmakerex Goto Github PK

Please support ARM

In x64 Assembly, it is possible to use LEA to get an address that's relative to the current instruction pointer; for example:

48 8d 05 bc 32 2a 00 lea rax,[rip+0x2a32bc]

In IDA this prints as:

48 8D 05 BC 32 2A 00 lea rax, aLabel

This form of RIP relative addressing is often used to load static values, and/or constants. These are in other segments, thus not often stored at reliable offsets, and is thus unsafe. This should be wildcarded.

Edit: Applies to RIP relative MOV too

48 89 05 2a f8 49 02 mov QWORD PTR [rip+0x249f82a],rax

When trying to quickly find functions in another database, when I press Ctrl+Alt+S, I get this window:

Usually in this kind of cases, the default-selected control is Ok, or in this case it would be Continue button.

In SigMaker when I press Ctrl+Alt+S and then quickly press Enter on my mouse, instead of getting the signature, this Github repo gets opened.

I think it would make sense to make the Continue button to be the default-selected control, so when you already have set your preferred settings and you're generating multiple signatures in a row, you can quickly do it by just pressing Ctrl+Alt+S > Enter.

Looks like it's same issue as ajkhoury/SigMaker-x64#31
Also fix for this bug is present there.

Sigmaker generates correct byte pattern but the byte sequence for the instruction itself changes. In my case byte sequence for the instruction mov rdx, rcx changed from 48 89 CA to 48 8B D1:

And so when I generate a signature in the version on the left, Sigmaker generates 48 89 CA C1 E8 04 pattern, and it won't find it in the version on the right.

Don't know how often it happens in the wild.

An obvious fix would be to replace all bytes to ?? for instructions that can be represented by different byte sequences. Not sure if it's easy enough or possible to just ask some assembler "can this instruction be represented by multiple byte sequences?"

When I try to scan a function I get this error:

SigMakerEx: Finding function signature.
SigMakerEx: * InstToSig: Decode anomaly @ 0x000001401A560C! decodeSize: 9, itemSize: 52 *
 F: 20505C00, "FF_DWORD, FF_0OFF, FF_REF, FF_NAME, FF_DATA, FF_COMM"
 'mov     ds:0F3001A263E001A0Bh, eax; jump table for switch statement'

SigMakerEx: ** Gerneral C exception: run() ***

We have the PDB for this game, here is what it looks like:
void __fastcall cGcApplicationDeathState::Update(cGcApplicationDeathState *this, float lfTimeStep)

I was able to build the plugin without error, and it installs itself in the ida pro plugin directory:

Build started...
1>------ Build started: Project: SigMakerEx, Configuration: Debug x64 ------
1>Signature.cpp
1>Main.cpp
1>Search.cpp
1>Utility.cpp
1>Generating Code...
1>   Creating library C:\Users\miked\Source\repos\sigmakerex\x64\Debug\IDA_SigMaker.lib and object C:\Users\miked\Source\repos\sigmakerex\x64\Debug\IDA_SigMaker.exp
1>SigMakerEx.vcxproj -> C:\Users\miked\Source\repos\sigmakerex\x64\Debug\IDA_SigMaker.dLL
1>        1 file(s) copied.
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ==========

However, when I start ida pro, it does not appear to be loading. Let me know how I can help you debug this issue.

Please can you add "test signature" feature to check my patterns on IDA ?

I have built a 64-bit version of your plugin using ida pro 7.7, visual studio 2022, and windows 11. The attached file shows the output when I tried to generate function signature for a function I already have a signature for. In that file, you can see that I first used the ida search function to locate the existing signature. I then jumped to the function that existing signature corresponds to, selected the first instruction in the function, and ran your plugin to generate a function signature using the default settings. It then generated a LOT of output, but is seems to have ultimately failed. Let me know if there is something I am doing wrong, or if you need additional information to help me use this correctly. Thanks.

signature.txt

Hello,

I am getting this error it's completely random sometimes the sig maker plugin works and sometimes not.

SigMakerEx: Finding function signature.
SigMakerEx: ** Failed to allocate the clone RAM buffer of size: 0xFFFFF77F80021000 ! **
SigMakerEx: * Failed to find a base or reference signature for selected function. *

Tested on IDA 7.7 and 8.3