The following summarizes the enhancements made to FLAIR utilities
maximal number of virsegs is 1024
LIBNAM record stops processing
-m switch accepts number of module
maximal number of virseg
Version 6.1 from 24-03-2011
1.0 - first release
2.0 - a bug in the PE DLL parser is fixed
3.0 - standard zip lib is used to compress ids files
ar2idt utility is added
5.1 - Exit keyword is added
6.1 - Linux/Mac versions have been
S I G M A K E
Sigmake takes pattern files as the input and creates a signature file.
It can take several pattern files at once.
sigmake [-sw] pattern-file(s) sig-file
switches (-sw) may be kept in indirect file '@file'
(one switch per
P A R S E C O F F
PCF stands for parsecoff.
It has the same purpose and the same switches as parselib (plb) so please
look at plb.txt for information. The only additional switch is
which changes the COFF magic number.
The COFF magic number appea
P A R S E L I B
PLB stands for parselib.
It processes OMF object and library files and produces a pattern file.
parselib [-sw or @file] input-file pattern-file
The command line switches may be placed in an indirect file - one switch pe
#define POLY 0x8408
// this is the CCITT CRC 16 polynomial X^16 + X^12 + X^5 + 1.
// This works out to be 0x1021, but the way the algorithm works
// lets us use 0x8408 (the reverse of the bit pattern). The high
// bit is always assumed to be set, thus we
FLAIR - Fast Library Acquisition for Identification and Recognition
FLAIR utilities allow you to create your own signature files from
OBJECT or LIBRARY files for IDA Pro v3.8 or higher.
FLAIR consists of the following executables:
plb parselib proce
FORMAT OF A PATTERN FILE USED BY IDA FLAIR
What is a pattern file
A PAT contains information about object modules from a library.
Usually this file is generated by PLB or PCF utilities.
PLB stands for "parse library" and processes OMF object librari