Rizin
unix-like reverse engineering framework and cli tools
At the time of writing, Rizin supports loading FLIRT signature files and matching their patterns; those files can be generated with the FLIRT tools from IDA. Rizin does not yet support creating those files, but it has its own signature format, which can be used to generate signatures and find them.
This document will focus on FLIRT, not the native Rizin 'Zignatures'.
You need the flair tools (IDA utilities). Those tools are closed source and proprietary, so you should not distribute them. It is probably not possible to redistribute the .pat or the .sig files either. They don't seem to have watermarks. However, it's a bit unclear what licence the generated files should have. Note that the files should be free of copyrighted material (the original library bytes). That said, there's a paragraph in IDA F.L.I.R.T. Technology: In-Depth
cd flair/bin/linux
./pelf -p64 /usr/lib/x86_64-linux-gnu/libc.a libc.pat
./sigmake -n <libname> libc.pat libc.sig
There's little chance libc.sig will be compatible across systems and libc versions. If libc.exc exists, you need to resolve some function conflicts. Prepend a '+' to the lines you're sure you want to keep (see the end of flair/sigmake.txt), then rerun the sigmake command. The .sig is now ready to be used with Rizin.
rizin -c 'zF libc.sig' staticbin
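A helper for the conflict-resolution step above, as an added example (not part of the flair tools or Rizin): it prepends '+' only to functions named in a keep-list you have reviewed and reports how many collision groups remain unselected. The .exc layout (';' header comments to be dropped, blank-line-separated groups, function name as first field) and the names resolve_exc, count_unresolved and sample_exc are assumptions; the sample entries are constructed.

```shell
#!/bin/sh
# Added example; not part of the flair tools or Rizin.
# Assumed .exc layout: ';' header comments, then collision groups separated
# by blank lines, with the function name as the first field of each entry.

# resolve_exc KEEPFILE < in.exc > out.exc
# KEEPFILE holds one reviewed function name per line.
resolve_exc() {
    awk -v keepfile="$1" '
        BEGIN {
            while ((getline name < keepfile) > 0)
                if (name != "") keep[name] = 1
            close(keepfile)
        }
        /^;/       { next }                        # drop header comments
        /^[ \t]*$/ { chosen = 0; print; next }     # blank line starts a new group
        /^\+/      { chosen = 1; print; next }     # respect a manual selection
        {
            # Mark at most one entry per group; others stay unselected.
            if (!chosen && ($1 in keep)) { print "+" $0; chosen = 1 }
            else print
        }
    '
}

# Print the number of collision groups that still have no "+" entry.
count_unresolved() {
    awk '
        /^;/       { next }
        /^[ \t]*$/ { if (n && !sel) u++; n = 0; sel = 0; next }
                   { n++; if ($0 ~ /^\+/) sel = 1 }
        END        { if (n && !sel) u++; print u + 0 }
    '
}

# Constructed sample input (names and pattern bytes are made up).
sample_exc() {
    cat <<'EOF'
; constructed header comment
; another header comment

memcpy   00 0000 4889F8....
memmove  00 0000 4889F8....

__lock_a 00 0000 C3......
__lock_b 00 0000 C3......
EOF
}

sample_exc | count_unresolved
```

Groups left without a '+' stay excluded from the signature, so a non-zero count from count_unresolved means those functions will not be recognised in the target binary.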