Reverse Engineering Asked by Biswapriyo on July 15, 2021
I have an x86_64 ELF binary which is statically compiled. With some digging,
I have found the C library is musl. In IDA Pro 7.0, the decompiled pseudo code
shows syscalls as inline assembly code. But in the latest IDA Pro 7.3.x it is shown
as an incomplete function. Take fork() as an example:

    mov eax, 57
    syscall
    __asm { syscall; LINUX - sys_fork }
    sys_fork()

So, there is some improvement 🙂
I want IDA to automatically resolve the function parameters and return values.
In the Windows world, I did something similar by creating type libraries.
Is there any way to import the whole C library (musl or glibc) in IDA without
manually editing every libc function?
Inline syscalls are rarely used on their own even in minimal libraries like musl. Usually there are wrapper functions around the syscall which is what actually ends up in the binary. So what you can do is use the FLAIR toolkit to generate a FLIRT signature from the musl’s static library and then apply the signature to your binary. This way you should get all the wrapper functions recognized which, coupled with one of the standard type libraries, should give you names and arguments for the C library functions.
Correct answer by Igor Skochinsky on July 15, 2021
Here are the required steps using Igor Skochinsky's answer:

1. Clone and build musl:

    git clone --depth=1 git://git.musl-libc.org/musl
    cd musl; ./configure; make -s -j2

2. Run pelf (ELF parser) with the musl static library which is compiled in the above step:

    cd ./lib
    ~/flair/bin/linux/pelf libc.a

The output will be something like below:

    Fatal [/mnt/c/MyFiles/libc.a] (__init_tls.lo): Unknown relocation type 42 (offset in section=0x3a).

3. Run pelf with the -r option:

    ./flair/bin/linux/pelf -r42:58:0 libc.a musl.pat

The -r option is specified as -rN:O:L where N is the relocation type; mark as variable L bytes at offset O from the relocation address. This creates a PAT file.

4. Run sigmake to create the FLAIR signature file:

    ./flair/bin/linux/sigmake -n musl musl.pat musl.sig

If the output does not show any warning then the SIG file is OK. But if there are any collisions with the function signatures the output will be something like below:

    libc.sig: modules/leaves: 1550/1775, COLLISIONS: 41

To mitigate the error, remove comments from the musl.exc collision file. Then run the above sigmake command again. There will be a musl.sig file which can be imported in IDA Pro from File > Load File > FLIRT signature file.

FLIRT signatures depend on the C/C++ compiler. For my case it is clang. I found it in the exception handling function. There will be a static string like CLNGC++. The string can not be found in IDA's String Window. So, one has to find the exception handling function first. The trick is that the function is called whenever an error value returns.
Answered by Biswapriyo on July 15, 2021
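Three small shell helpers for the pelf and sigmake steps above, added here as an example; they are not part of either answer or of the FLAIR toolkit, and only parse the messages quoted in the answer (the .exc header format and the sample inputs are assumptions):

```sh
#!/bin/sh
# Helpers for the pelf/sigmake steps above. Constructed example: these are
# not part of the FLAIR toolkit, they only parse the messages it prints.

# Turn a pelf fatal line "Unknown relocation type N (offset in section=0xO)"
# into the -rN:O:L argument it asks for. pelf prints O in hex but -r takes
# decimal, so 0x3a becomes 58. L (bytes to mark as variable) is the caller's
# choice; the answer above used 0.
pelf_reloc_flag() {
    line="$1"; len="${2:-0}"
    type=$(printf '%s\n' "$line" | sed -n 's/.*Unknown relocation type \([0-9]*\).*/\1/p')
    hexoff=$(printf '%s\n' "$line" | sed -n 's/.*offset in section=0x\([0-9a-fA-F]*\).*/\1/p')
    [ -n "$type" ] && [ -n "$hexoff" ] || return 1
    printf -- '-r%s:%d:%s\n' "$type" "$((0x$hexoff))" "$len"
}

# Extract the COLLISIONS count from a sigmake summary line; prints 0 when
# the line carries no collision report (the "SIG file is OK" case).
sigmake_collisions() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*COLLISIONS: \([0-9]*\).*/\1/p')
    printf '%s\n' "${n:-0}"
}

# sigmake writes its collision report (musl.exc) behind a header of ';'
# comment lines (assumed format) and will not proceed until they are gone.
# Print the file without those lines so it can be written back before
# re-running sigmake.
strip_exc_comments() {
    sed '/^;/d' "$1"
}

# Constructed sample inputs, taken from the messages quoted in the answer.
SAMPLE_FATAL='Fatal [/mnt/c/MyFiles/libc.a] (__init_tls.lo): Unknown relocation type 42 (offset in section=0x3a).'
SAMPLE_SIGMAKE='libc.sig: modules/leaves: 1550/1775, COLLISIONS: 41'

pelf_reloc_flag "$SAMPLE_FATAL" 0       # -r42:58:0
sigmake_collisions "$SAMPLE_SIGMAKE"     # 41
```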