ajkhoury / SigMaker-x64

IDA Pro 7 compatible SigMaker plugin

"dropped a sig due to decompilation failure." #20

Closed JillCrungus closed 5 years ago

JillCrungus commented 5 years ago

Hi. I've not really worked with this kind of thing before and I'm having an issue where I can't seem to generate any signatures at all. It was just giving me a fail message, but upon turning up the logger level I found that every attempt failed with the message: "dropped a sig due to decompilation failure."

I'm not sure if this is normal, if I'm doing something wrong, or if something is actually broken with the plugin. It'd be great to get some help. This seems to happen with any and every function I try to generate a sig for, which is what makes me think this isn't normal.

JillCrungus commented 5 years ago

> I believe this is an issue of PEBKAC. SigMaker only works with x86 binaries. Looking at the error from the source code, it's thrown from a failure scenario for an IDA function.

The binary is x86; it seems like it IS a problem with this specific binary, though, because I quickly tested it on something else and it worked fine. I don't know what the problem would be though.

ajkhoury commented 5 years ago

Can you please provide the region of bytes you are trying to generate a signature for? This error will occur if you try to automatically generate a signature on any bytes that are not encoded as x86 instructions. E.g. if the region of code has been virtualized, or if you try to generate a signature on the data segment of an executable.

JillCrungus commented 5 years ago

> Can you please provide the region of bytes you are trying to generate a signature for? This error will occur if you try to automatically generate a signature on any bytes that are not encoded as x86 instructions. E.g. if the region of code has been virtualized, or if you try to generate a signature on the data segment of an executable.

What's the best way for me to provide it?

ajkhoury commented 5 years ago

> Can you please provide the region of bytes you are trying to generate a signature for? This error will occur if you try to automatically generate a signature on any bytes that are not encoded as x86 instructions. E.g. if the region of code has been virtualized, or if you try to generate a signature on the data segment of an executable.
>
> What's the best way for me to provide it?

Go to Options > General and then set the "Number of opcode bytes (non-graph)" to something like 10.

Then you'll see the disassembly output look like this:

Just take a picture of the region you're trying to auto generate a signature for, or just paste the bytes in your reply.

JillCrungus commented 5 years ago

> Just take a picture of the region you're trying to auto generate a signature for, or just paste the bytes in your reply.

Here's a picture of one of the smaller functions.

I can't tell myself if there's anything really wrong with it; it just looks like any other disassembly to me. Maybe there is something wrong with it like you said. I seem to get the error no matter where in this executable I try to generate a signature.

ajkhoury commented 5 years ago

Could you upload the executable? I'd like to check it myself and see if I can reproduce. I don't see a reason why this should be throwing this error.

JillCrungus commented 5 years ago

> Could you upload the executable? I'd like to check it myself and see if I can reproduce. I don't see a reason why this should be throwing this error.

Sure thing. Damn sure this thing is cursed.

ajkhoury commented 5 years ago

At the same function in your screenshot I can generate a signature without problems 🤔

```
added a total of 83 references.
direct reference: [actual address in first opcode] E8 ? ? ? ? 8B 43 48
```

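
The signature in that output is IDA-style: each token is one byte, `?` is a wildcard, and because it is a "direct reference" the first opcode is an E8 (CALL rel32) whose relative operand is wildcarded. The following is an added example, not code from SigMaker or from anyone in this thread: it matches such a signature against a buffer and resolves the callee address from the CALL operand. The buffer contents are constructed, and using 00C20000 as the image base is an assumption borrowed from the screenshot.

```python
import struct

IMAGE_BASE = 0x00C20000  # assumption: the load address seen in the screenshot
SIG = "E8 ? ? ? ? 8B 43 48"  # the 'direct reference' signature from the thread


def parse_sig(sig: str):
    """Turn an IDA-style signature into a list of bytes, None for '?'/'??' wildcards."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in sig.split()]


def find_sig(buf: bytes, pattern) -> list:
    """Return every offset in buf where the wildcarded pattern matches."""
    n = len(pattern)
    return [off for off in range(len(buf) - n + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pattern))]


def resolve_call_target(buf: bytes, off: int, image_base: int) -> int:
    """For a signature whose first opcode is E8 (CALL rel32), compute the absolute
    address it calls: address of the next instruction plus the signed rel32."""
    if buf[off] != 0xE8:
        raise ValueError("signature does not start at a CALL rel32")
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return image_base + off + 5 + rel


def build_sample() -> bytes:
    """Constructed code buffer (not the issue's binary): two call sites to a function
    at offset 0x100, each followed by 'mov eax, [ebx+48h]' (8B 43 48), plus a decoy."""
    buf = bytearray(b"\x90" * 0x200)                      # NOP filler
    for site in (0x40, 0x80):
        rel = 0x100 - (site + 5)                          # rel32 is relative to the next instruction
        buf[site:site + 5] = b"\xE8" + struct.pack("<i", rel)
        buf[site + 5:site + 8] = b"\x8B\x43\x48"
    buf[0xC0:0xC5] = b"\xE8" + struct.pack("<i", -0x30)   # a CALL not followed by 8B 43 48
    return bytes(buf)


def scan_sample():
    """Apply the thread's signature to the sample and resolve each hit to its callee."""
    buf = build_sample()
    hits = find_sig(buf, parse_sig(SIG))
    return [(off, resolve_call_target(buf, off, IMAGE_BASE)) for off in hits]


if __name__ == "__main__":
    for off, target in scan_sample():
        print(f"match at {IMAGE_BASE + off:08X} -> callee {target:08X}")
```

Both call sites resolve to the same callee even though their rel32 operands differ, which is why the plugin wildcards those four bytes; the decoy CALL is rejected by the trailing 8B 43 48.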
JillCrungus commented 5 years ago

> At the same function in your screenshot I can generate a signature without problems
>
> added a total of 83 references.
> direct reference: [actual address in first opcode] E8 ? ? ? ? 8B 43 48

Huh, that means it's something on my end then. Strange because I can generate signatures for other binaries with no problems, only this one is giving me trouble.

ajkhoury commented 5 years ago

> At the same function in your screenshot I can generate a signature without problems
>
> added a total of 83 references.
> direct reference: [actual address in first opcode] E8 ? ? ? ? 8B 43 48
>
> Huh, that means it's something on my end then. Strange because I can generate signatures for other binaries with no problems, only this one is giving me trouble.

One thing I noticed in your screenshot is that your binary is loaded at address 00C20000, which is not a standard image base for a win32 executable to be loaded at. What options did you choose when first disassembling the file?

I am referring to these options:

JillCrungus commented 5 years ago

> At the same function in your screenshot I can generate a signature without problems
>
> added a total of 83 references.
> direct reference: [actual address in first opcode] E8 ? ? ? ? 8B 43 48
>
> Huh, that means it's something on my end then. Strange because I can generate signatures for other binaries with no problems, only this one is giving me trouble.
>
> One thing I noticed in your screenshot is that your binary is loaded at address 00C20000, which is not a standard image base for a win32 executable to be loaded at. What options did you choose when first disassembling the file?
>
> I am referring to these options: ...

I just left everything at the defaults, no changes.

Maybe something was screwed up with the IDA database; I just regenerated it and everything is working fine now. The simplest solution is always the easiest one, I guess.

Sorry for taking up your time, I probably should have thought of that at first. Thank you for the help though, since seeing that it was on my end prompted me to regenerate the database.