
How to help IDA to auto complete libc functions?

Reverse Engineering Asked by Biswapriyo on July 15, 2021

I have an x86_64 ELF binary which is statically compiled. With some digging,
I have found the C library is musl. In IDA Pro 7.0, the decompiled pseudo code
shows syscalls as inline assembly code. But in the latest IDA Pro 7.3.x it is shown
as an incomplete function. Take fork() as an example:

  • In assembly:
      mov eax, 57
      syscall
  • In IDA Pro 7.0:
      __asm { syscall; LINUX - sys_fork }
  • In IDA Pro 7.3.x:
      sys_fork()

So, there is some improvement 🙂

I want IDA to automatically resolve the function parameters and return values.
In the Windows world, I did something similar by creating type libraries.
Is there any way to import the whole C library (musl or glibc) in IDA without
manually editing every libc function?

2 Answers

Inline syscalls are rarely used on their own even in minimal libraries like musl. Usually there are wrapper functions around the syscall, which is what actually ends up in the binary. So what you can do is use the FLAIR toolkit to generate a FLIRT signature from musl's static library and then apply the signature to your binary. This way you should get all the wrapper functions recognized which, coupled with one of the standard type libraries, should give you names and arguments for the C library functions.

Correct answer by Igor Skochinsky on July 15, 2021

Here are the required steps using Igor Skochinsky's answer:

  • Clone the musl git repository:
      git clone --depth=1 git://git.musl-libc.org/musl
  • Compile the code:
      cd musl; ./configure; make -s -j2
  • Extract the FLAIR tool from the IDA SDK. Run pelf (the ELF parser) with the musl static library compiled in the above step:
      cd ./lib
      ~/flair/bin/linux/pelf libc.a

    The output will be something like below:

      Fatal [/mnt/c/MyFiles/libc.a] (__init_tls.lo): Unknown relocation type 42 (offset in section=0x3a).
  • To fix the unsupported relocation error, run pelf with the -r option:
      ./flair/bin/linux/pelf -r42:58:0 libc.a musl.pat

The -r option is specified as -rN:O:L, where N is the relocation type; L bytes at offset O from the relocation address are marked as variable. This creates a PAT file.

  • Now run sigmake to create the FLAIR signature file:
      ./flair/bin/linux/sigmake -n musl musl.pat musl.sig

If the output does not show any warning, then the SIG file is OK. But if there are any collisions with the function signatures, the output will be something like below:

  libc.sig: modules/leaves: 1550/1775, COLLISIONS: 41

To mitigate the error, remove the comments from the musl.exc collision file. Then run the above sigmake command again. There will be a musl.sig file which can be imported in IDA Pro from File > Load File > FLIRT signature file.

The FLIRT signature depends on the C/C++ compiler. In my case it is clang. I found it in the exception handling function. There will be a static string like CLNGC++. The string cannot be found in IDA's Strings window. So, one has to find the exception handling function first. The trick is that the function is called whenever an error value is returned.

Answered by Biswapriyo on July 15, 2021
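The pelf, -r retry, sigmake and .exc steps from the answer above, as an added shell script that is not part of the original answer or of the FLAIR toolkit. It assumes the FLAIR binaries are in $FLAIR_BIN (default ./flair/bin/linux, as in the answer) and takes the path to the built libc.a as its argument; the constructed .exc handling just strips the ';' comment header, exactly as the answer does.

```shell
#!/bin/sh
# Added example, not code from the answers above: drives the pelf/sigmake
# steps of the musl FLIRT build. Assumes the FLAIR binaries live in
# $FLAIR_BIN (default ./flair/bin/linux) and that $1 is the built libc.a.
set -eu

# Turn a pelf fatal line such as
#   "... Unknown relocation type 42 (offset in section=0x3a)."
# into the -rN:O:L option the answer used (-r42:58:0): N is the relocation
# type, O the offset converted to decimal, L ($2) the bytes to mark as
# variable (0 in the answer). Fails if the message is not a relocation error.
reloc_opt_from_error() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*Unknown relocation type \([0-9][0-9]*\).*/\1/p')
    o=$(printf '%s\n' "$1" | sed -n 's/.*offset in section=\(0x[0-9a-fA-F]*\).*/\1/p')
    [ -n "$n" ] && [ -n "$o" ] || return 1
    printf '%s%s:%s:%s\n' -r "$n" "$(( $o ))" "${2:-0}"
}

# Drop the ';' comment header sigmake writes into the .exc collision file;
# sigmake refuses to read the file while those lines are present. The
# collision entries themselves (one module per line) are kept. $1 = .exc path.
strip_exc_comments() {
    grep -v '^;' "$1" > "$1.tmp" || true   # grep -v exits 1 on empty output
    mv "$1.tmp" "$1"
}

# Whole flow: run pelf, retry with an extra -r for every unknown relocation
# it reports, then sigmake; on collisions strip the .exc comments and rerun.
build_musl_sig() {
    libc=$1; flair=${FLAIR_BIN:-./flair/bin/linux}; opts=""
    until err=$("$flair/pelf" $opts "$libc" musl.pat 2>&1 >/dev/null); do
        r=$(reloc_opt_from_error "$err" 0) || { printf '%s\n' "$err" >&2; return 1; }
        # The same -r twice means pelf still rejects it: stop instead of looping.
        case " $opts " in *" $r "*) printf 'pelf still fails: %s\n' "$err" >&2; return 1;; esac
        opts="$opts $r"
    done
    if ! "$flair/sigmake" -n musl musl.pat musl.sig; then   # COLLISIONS -> musl.exc
        strip_exc_comments musl.exc
        "$flair/sigmake" -n musl musl.pat musl.sig
    fi
    printf 'musl.sig ready: File > Load File > FLIRT signature file\n'
}
```

Run it from the musl tree as `build_musl_sig lib/libc.a`; if a second sigmake pass still reports collisions, musl.exc needs the manual '+' selection that stripping comments alone does not resolve.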
