Luca1991 · November 4, 2024 23:36
diff --git a/Practical and Small Guide to Signature Generation in Binary Ninja.txt b/Practical and Small Guide to Signature Generation in Binary Ninja.txt
 # Practical and Small Guide to Signature Generation in Binary Ninja

 ## Motivation

 I recently purchased Binary Ninja, and while reversing a very old executable (created about 24 years ago), I realized that it wasn't properly detecting some common MSVC functions.
 For example, this is the output in IDA Free:

 ```call    ??2@YAPAXI@Z```

 The same line of disassembly is presented by Binary Ninja as:

 ```call    sub_4021db```

 As you can see, Binary Ninja was unable to recognize this function, which is the 'operator new' (or ??2@YAPAXI@Z, mangled), from MSVC.
 Missing the detection of such common functions can cause a lot of wasted time while reversing binaries, as you have to read and recognize these functions by yourself, taking time away from the more interesting parts of the analysis.
 Luckily, Binary Ninja features a very cool plugin to generate signatures!

 ## Requirements

 You will need:
 - Binary Ninja Personal + Signature Kit Plugin.
 - A way to detect the compiler used (I used DiE).
 - LIB.EXE (included in Visual Studio).
 - The target .LIB file.

 ## Generating Signatures

 This executable was built using VC6, so we need to obtain it. I don't know if it can be considered abandoware now, but luckily I still have the installation disc (Microsoft Visual C++ 6.0 Standard Edition).
 We need LIBCMT.LIB file, which is located (from the root of the disc) in `VC98/LIB/LIBCMT.LIB`.
 Now, we need the corresponding .obj file where the 'operator new' in located.
 To get a list of all the .obj files stored in the LIB and save the result in a txt, we can use the following command:

 ```LIB.EXE /LIST LIBCMT.LIB > libcmt_objects.txt```

 Looking for "new" in this list, we find "build\intel\mt_obj\new.obj". This is the .obj we need.
 We can extract this file using the following command:

 ```LIB.EXE /EXTRACT:build\intel\mt_obj\new.obj LIBCMT.LIB```

 It is time to fire up Binary Ninja and load `new.obj`.
 Generating signatures is super easy: once our .obj is loaded, click "Plugins->Signature Library->Generate Signature Library" and proceed to save the .sig file.
 Finally, move this file to the user signature directory (on Windows, it's "%APPDATA%\Binary Ninja\signatures") in the windows-x86 folder.
 Now, reload the target executable in Binary Ninja a check if the function is correctly identified.
 We now get:

 ```call    operator new```

 Mission accomplished :)

 ## Credits

 I'd like to thank the Vector35 team for this awesome reverse engineering tool and Stephen Tong for the Signature Kit Plugin :)

 Happy reverse engineering,
 Luca (https://www.lucadamico.dev/)
	# Practical and Small Guide to Signature Generation in Binary Ninja

	## Motivation

	I recently purchased Binary Ninja, and while reversing a very old executable (created about 24 years ago), I realized that it wasn't properly detecting some common MSVC functions.
	For example, this is the output in IDA Free:

	```call ??2@YAPAXI@Z```

	The same line of disassembly is presented by Binary Ninja as:

	```call sub_4021db```

	As you can see, Binary Ninja was unable to recognize this function, which is the 'operator new' (or ??2@YAPAXI@Z, mangled), from MSVC.
	Missing the detection of such common functions can cause a lot of wasted time while reversing binaries, as you have to read and recognize these functions by yourself, taking time away from the more interesting parts of the analysis.
	Luckily, Binary Ninja features a very cool plugin to generate signatures!

	## Requirements

	You will need:
	- Binary Ninja Personal + Signature Kit Plugin.
	- A way to detect the compiler used (I used DiE).
	- LIB.EXE (included in Visual Studio).
	- The target .LIB file.

	## Generating Signatures

	This executable was built using VC6, so we need to obtain it. I don't know if it can be considered abandoware now, but luckily I still have the installation disc (Microsoft Visual C++ 6.0 Standard Edition).
	We need LIBCMT.LIB file, which is located (from the root of the disc) in `VC98/LIB/LIBCMT.LIB`.
	Now, we need the corresponding .obj file where the 'operator new' in located.
	To get a list of all the .obj files stored in the LIB and save the result in a txt, we can use the following command:

	```LIB.EXE /LIST LIBCMT.LIB > libcmt_objects.txt```

	Looking for "new" in this list, we find "build\intel\mt_obj\new.obj". This is the .obj we need.
	We can extract this file using the following command:

	```LIB.EXE /EXTRACT:build\intel\mt_obj\new.obj LIBCMT.LIB```

	It is time to fire up Binary Ninja and load `new.obj`.
	Generating signatures is super easy: once our .obj is loaded, click "Plugins->Signature Library->Generate Signature Library" and proceed to save the .sig file.
	Finally, move this file to the user signature directory (on Windows, it's "%APPDATA%\Binary Ninja\signatures") in the windows-x86 folder.
	Now, reload the target executable in Binary Ninja a check if the function is correctly identified.
	We now get:

	```call operator new```

	Mission accomplished :)

	## Credits

	I'd like to thank the Vector35 team for this awesome reverse engineering tool and Stephen Tong for the Signature Kit Plugin :)

	Happy reverse engineering,
	Luca (https://www.lucadamico.dev/)