IDA signature file format


diablo2oo2
October 27th, 2005, 13:06
I am searching for information about the *.sig file format used in IDA. I am also looking for information about the tool "dumpsig.exe", which can dump a txt file from a sig file.

I took a look at the help file "...\flair\pat.txt", but I don't understand this pattern format. Also, the examples in this file look different from the txt file dumped by dumpsig.

I couldn't find any help about the tool dumpsig. Maybe someone here in this forum has some experience with it?

My idea is that I want to make applying signatures in OllyDbg easier. There are many sig files which belong to one programming language. I hate selecting them all one by one. So I want to make a popup dialog which asks you which programming language is used. I know IDA applies some signatures automatically, but just a few standard sigs and not the crypto sigs.

The godup plugin for OllyDbg is a little slow (coded in Delphi). If I could find more information about those sig files, I would like to code a faster plugin.

rheax
August 3rd, 2010, 19:24
I know this thread is *old*, but replying to this seemed to be better than starting a new thread. Anyway, as a way to learn more about IDA and annoyed for the same reasons as the above, I decided to learn more about the .sig format. Attached is a simple program that dumps a signature file in a similar manner to dumpsig. It's only been tested against version 7 sigs, but should work with minor tweaking against other versions. I've also found GoDup to be buggy to the point of being unusable. Maybe now someone (maybe me...) will code a better sig loader for Olly.

diablo2oo2
August 9th, 2010, 15:03
Oh, very old thread.

I coded this OllyDbg plugin. It's called "ida_sigs". Just google for it.

It can detect some more signatures than "godup".
