  #7  
04-03-2013, 13:09
bridgeic
Join Date: Jun 2012
Posts: 91
Quote:
Originally Posted by Av0id
you need to know lib-specific parameters like its name, version, compiler flags and so on, and then you can make a FLAIR signature manually and apply it to the target; there is no other way to get this info

functions like alloca_probe are guessed from autoanalysis, debug info and the built-in signatures for the CRT
Hi Av0id,

Sorry I'm not familiar with this.

I found a function _tolower in IDA that looks like this:

.text:004653A8 _tolower proc near ; CODE XREF: sub_401046+F55p
.text:004653A8 ; _movein_date+7Ep ...
.text:004653A8
.text:004653A8 CharType = word ptr 4
.text:004653A8
.text:004653A8 call __getptd
.text:004653AD mov eax, [eax+64h]
.text:004653B0 cmp eax, off_53407C
.text:004653B6 jz short loc_4653BD
.text:004653B8 call ___updatetlocinfo
.text:004653BD
.text:004653BD loc_4653BD: ; CODE XREF: _tolower+Ej
.text:004653BD push dword ptr [esp+CharType] ; CharType
.text:004653C1 push eax ; MultiByteStr
.text:004653C2 call ___tolower_mt
.text:004653C7 pop ecx
.text:004653C8 pop ecx
.text:004653C9 retn
.text:004653C9 _tolower endp

I declare it as an external proc in asm: EXTRN tolower:PROC

And when I LINK with VC, the "_tolower" function included in the newly generated .exe file seems to be different from the original one:

.text:00467BF9 _tolower proc near ; CODE XREF: sub_4B481B+7Ep
.text:00467BF9 ; sub_4B481B+9Fp ...
.text:00467BF9
.text:00467BF9 C = dword ptr 8
.text:00467BF9
.text:00467BF9 mov edi, edi
.text:00467BFB push ebp
.text:00467BFC mov ebp, esp
.text:00467BFE cmp dword_5911CC, 0
.text:00467C05 jnz short loc_467C17
.text:00467C07 mov eax, [ebp+C]
.text:00467C0A lea ecx, [eax-41h]
.text:00467C0D cmp ecx, 19h
.text:00467C10 ja short loc_467C23
.text:00467C12 add eax, 20h
.text:00467C15 pop ebp
.text:00467C16 retn
.text:00467C17 ; ---------------------------------------------------------------------------
.text:00467C17
.text:00467C17 loc_467C17: ; CODE XREF: _tolower+Cj
.text:00467C17 push 0 ; Locale
.text:00467C19 push [ebp+C] ; C
.text:00467C1C call __tolower_l
.text:00467C21 pop ecx
.text:00467C22 pop ecx
.text:00467C23
.text:00467C23 loc_467C23: ; CODE XREF: _tolower+17j
.text:00467C23 pop ebp
.text:00467C24 retn
.text:00467C24 _tolower endp

So, my question is:

Although IDA shows _tolower as a library function, it is possibly not a standard library function, am I right?

Thanks,
bridgeic
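To make the second listing easier to compare with the first, here is a C reconstruction of its control flow, added as an example and not code from the post or from the CRT. The globals g_locale_changed (standing in for dword_5911CC) and tolower_l_stub (standing in for __tolower_l) are assumed names; the comments map each branch back to the disassembly.

```c
#include <ctype.h>
#include <stddef.h>

/* Hypothetical stand-in for the CRT's "locale differs from default" flag
 * that the listing tests with `cmp dword_5911CC, 0`. */
int g_locale_changed = 0;

/* Hypothetical stand-in for __tolower_l(c, locale): the locale-aware
 * slow path. The host CRT's tolower is used here just to have a body. */
static int tolower_l_stub(int c, void *locale)
{
    (void)locale;              /* `push 0 ; Locale` in the listing */
    return tolower(c);
}

/* Reconstruction of the second _tolower listing (the one produced by
 * linking with the newer VC CRT). */
int tolower_reconstructed(int c)
{
    if (g_locale_changed == 0) {
        /* lea ecx,[eax-41h] ; cmp ecx,19h ; ja loc_467C23
         * The unsigned compare folds both bounds of 'A'..'Z' into one
         * test, so negative values such as EOF also fall through unchanged. */
        if ((unsigned int)(c - 'A') <= 0x19u)
            return c + 0x20;   /* add eax, 20h ; pop ebp ; retn */
        return c;              /* loc_467C23: pop ebp ; retn */
    }
    /* loc_467C17: push 0 ; push [ebp+C] ; call __tolower_l */
    return tolower_l_stub(c, NULL);
}
```

The older listing differs in shape (per-thread locale via __getptd, then ___tolower_mt), which is why IDA's CRT signatures match each body to a different CRT version rather than to a non-library function.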