Reputation: 18512
I'm currently reverse engineering a file that appears to be statically compiled, however IDA Pro isn't picking up on any of the signatures! I feel like I am spending a lot of time stepping through functions that should be recognized by IDA, but they're not.
Anyway, maybe I am wrong... does anyone have any ideas? Has anyone run into this before?
Upvotes: 0
Views: 2764
Reputation: 129
This question is very broad, but I will try to give my opinion.
If the problem is that IDA is not correctly identifying Delphi, then you should try other software. There is a good tool called IDR (Interactive Delphi Reconstructor); however, keep in mind that it runs the software before disassembling it, and you should not run any untrustworthy programs on your PC (try a virtual machine instead).
Otherwise, if the question is about IDA itself, then... IDA is not perfect at all, so it needs a reverse engineer to run it well. This means you have to statically identify some code, stack pointers, variables, etc. When it comes to the Hex-Rays decompiler there are even more things to look for. For example, it can identify an improper convention for a function and you will have to correct it, or it can create too many variables that should be mapped by hand.
Also, there are some databases of IDA FLIRT signatures that could be useful to you: https://github.com/Maktm/FLIRTDB
Upvotes: 0
Reputation: 25288
If the compiler is not recognized by IDA (e.g. there were some changes in startup code), signatures won't be applied automatically. And if IDA doesn't know this compiler at all, it won't have any signatures. So:
If it has signatures but the compiler was not recognized automatically, apply them manually. For Delphi/C++ Builder, try b32vcl or bds.
If it doesn't have signatures for this compiler/library, you can create them yourself using the FLAIR tools (assuming you have access to the original libraries).
Upvotes: 0
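Both of the answers above come down to the same practical question: which `.sig` files does IDA actually have for this compiler and library, and do they match the binary's architecture and file type? The script below is an added example written for this thread, not code from the original posts, from Hex-Rays or from the FLIRTDB project. It reads the fixed header of FLIRT `.sig` files so you can list the library name, target processor, file types and function count of every signature in a directory (for example IDA's `sig/pc` folder, or a clone of FLIRTDB) before applying one manually. The header layout it decodes is the publicly known, reverse-engineered FLIRT format used by open-source FLIRT loaders, not an official specification, so treat the field meanings as an assumption; the sample header it builds for the offline run is constructed and is not a loadable signature file.

```python
"""List FLIRT .sig headers to find which signature covers a library.

Added example for this thread (not from the original posts or from Hex-Rays).
The header layout follows the publicly known, reverse-engineered FLIRT format
used by open-source FLIRT loaders; it is an assumption, not an official spec.
"""
import struct
import sys
from pathlib import Path

MAGIC = b"IDASGN"
# Processor byte uses IDA's PLFM_* ids; only the common ones are named here.
ARCH_NAMES = {0: "386", 12: "mips", 13: "arm", 15: "ppc"}
# file_types is a bit mask indexed by IDA's f_* loader ids (bit = 1 << id).
FILE_TYPE_BITS = {"pe": 1 << 11, "elf": 1 << 18, "coff": 1 << 10, "omf": 1 << 12}
FEATURE_STARTUP = 0x01     # signature carries startup (entry point) patterns
FEATURE_COMPRESSED = 0x10  # pattern tree after the header is zlib-compressed

# Fixed v5 header: magic, version, arch, file_types, os_types, app_types,
# features, old_n_functions, crc16, ctype[12], library_name_len, ctypes_crc16
V5_HEADER = struct.Struct("<6sBBIHHHHH12sBH")


class SigFormatError(ValueError):
    """Raised for data that is not a (supported) FLIRT signature header."""


def parse_sig_header(data: bytes) -> dict:
    """Decode the fixed header of a .sig file and return its key fields."""
    if len(data) < V5_HEADER.size or not data.startswith(MAGIC):
        raise SigFormatError("not a FLIRT signature file (bad magic)")
    (_, version, arch, file_types, _os, _app, features, old_n_functions,
     _crc16, _ctype, name_len, _ctypes_crc16) = V5_HEADER.unpack_from(data)
    if version < 5 or version > 10:
        raise SigFormatError(f"unsupported .sig version {version}")
    off = V5_HEADER.size
    n_functions = old_n_functions
    if version >= 6:  # 32-bit function count supersedes the 16-bit one
        (n_functions,) = struct.unpack_from("<I", data, off)
        off += 4
    if version >= 8:  # pattern_size field, not needed here
        off += 2
    if version >= 10:  # extra field of unknown meaning
        off += 2
    raw_name = data[off:off + name_len]
    if len(raw_name) != name_len:
        raise SigFormatError("truncated library name")
    return {
        "version": version,
        "arch": arch,
        "arch_name": ARCH_NAMES.get(arch, f"plfm_{arch}"),
        "file_types_raw": file_types,
        "file_types": [n for n, bit in FILE_TYPE_BITS.items() if file_types & bit],
        "n_functions": n_functions,
        "startup": bool(features & FEATURE_STARTUP),
        "compressed": bool(features & FEATURE_COMPRESSED),
        "library_name": raw_name.decode("ascii", "replace"),
    }


def scan_sig_dir(sig_dir, needle=None):
    """Yield (path, header) for each .sig in sig_dir, optionally filtered by
    a case-insensitive substring of the library name."""
    for path in sorted(Path(sig_dir).glob("*.sig")):
        try:
            with open(path, "rb") as fh:
                hdr = parse_sig_header(fh.read(512))  # header + name < 512 bytes
        except SigFormatError:
            continue
        if needle is None or needle.lower() in hdr["library_name"].lower():
            yield path, hdr


def build_sig_header(library_name: str, version: int = 10, arch: int = 0,
                     file_types: int = FILE_TYPE_BITS["pe"], features: int = 0,
                     n_functions: int = 0) -> bytes:
    """Construct a header-only prefix (constructed sample for offline use; the
    pattern tree that a real .sig carries after the header is omitted)."""
    name = library_name.encode("ascii")
    hdr = V5_HEADER.pack(MAGIC, version, arch, file_types, 0, 0, features,
                         n_functions & 0xFFFF, 0, b"\0" * 12, len(name), 0)
    if version >= 6:
        hdr += struct.pack("<I", n_functions)
    if version >= 8:
        hdr += struct.pack("<H", 0)
    if version >= 10:
        hdr += struct.pack("<H", 0)
    return hdr + name


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: sigls.py <sig_dir> [name-substring]
        needle = sys.argv[2] if len(sys.argv) > 2 else None
        for path, hdr in scan_sig_dir(sys.argv[1], needle):
            print(f"{path.name:16} {hdr['arch_name']:6} "
                  f"{','.join(hdr['file_types']) or '-':8} "
                  f"{hdr['n_functions']:7} {hdr['library_name']}")
    else:  # no directory given: decode a constructed sample header
        sample = build_sig_header("Constructed VCL sample",
                                  features=FEATURE_COMPRESSED, n_functions=4321)
        print(parse_sig_header(sample))
```

Run it against a signature directory with a substring such as `vcl` to see which files claim to cover the VCL, and check the processor and file-type columns against the binary before applying one manually; a signature whose `arch` or `file_types` do not match the target is a common reason nothing is matched even after manual application.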
Reputation: 596672
IDA is a great disassembler, but it is not perfect. Some code, especially inlined/optimized code, simply cannot be disassembled into coherent functions in an automated fashion. This is what happens during compiling - coherent code is translated into instructions that the machine understands, not humans. IDA can make guesses and estimates, but it can't do everything. Reverse engineering will always involve some amount of manual interpretation to fill in the gaps.
Upvotes: 1