runtime libs linked in to exe, IDA question.

[Wannabe]

I am currently reversing an exe file which has the standard c-libs linked into it.
The problem is that IDA don't recognize basic calls like strcpy, printf and suchs, you have to realize it the hard way by going through the disassembly, or by debugging it ;-)
Is there a way to make IDA realize those calls for what they are? It would really help understanding the real stuff instead of realizing you're fooling around in printf

[Polaris]

Come on... Just read the manual!

Quote:

Originally Posted by Wannabe

The problem is that IDA don't recognize basic calls like strcpy, printf...

it seems that sometimes ida can't automaticaly detect compiller that was used to make your application...

If you are sure that you know the compiller, you may load flirt signatures for it manualy "File -> Load file -> Flirt signature file"

[Wannabe]

Using PEID I identified the EXE as a Visual C++ application, and loaded FLIRT signatures for Visual C++ runtime libraries. IDA then correctly identified some low-level funtions like GlobalAlloc, ReadFile and such. But no printfs, strcpy and alike. Am I missing something here? Didn't find FLIRTS for the standard libraries. Are you supposed to have the compiler in question and make your own FLIRTS? The help file included, which is the only documentation I have, seemed a bit rudimentary for me.
Grateful for any help, just recently got hold of this IDA and haven't had much time learning all the features yet. Guess I was so eager to reverse this puppy

Does IDA detect Visual C runtime automaticaly or not? What does it write to log?...IDA have very good Flirt signatures to VisualC.... if it does'nt recognize some runtime functions it seems that application is not maded by VisualC... May be it something similar... like MS Fortran Powerstation or IntelC...
How old your application is?
If you have a bit old machine (like P-III) you may try to redetect runtime by
http://protools.anticrack.de/files/utilities/fi.zip.....

You may have overlooked one important thing about compiler, the for optimization purpose some "functions" are in fact macros rather than subroutines, especially the str*() series, e.g., strlen() is 90% implemented in macro on i86 target, but 50% subroutine on ARM. You may notice also the if you IDA your own code, the debug version always has the subroutine but the release one not because of optimization ...

A little knowledge about printf(...), it is in most situation a macro of fprintf(STDOUT,...) ...

I dont think it is easy to make signature for macros on i86 target, since the registers may not always the same except EAX ...

Quote:

Originally Posted by Wannabe

I am currently reversing an exe file which has the standard c-libs linked into it.
The problem is that IDA don't recognize basic calls like strcpy, printf and suchs, you have to realize it the hard way by going through the disassembly, or by debugging it ;-)
Is there a way to make IDA realize those calls for what they are? It would really help understanding the real stuff instead of realizing you're fooling around in printf

[Wannabe]

The exe file is rather new, at least it's dated 2004-02-20.
I tried making my own FLIRTs for Visual C++ 6.0 (libcxx) but had no luck.
And no, IDA is not identifying the correct compiler at startup.
If it is a Visual C++ .NET exe where can I find FLIRTs for it's library?
Think I read another thread here about FLIRTs for VC 7.1, but I don't have access to attachments yet.
Is there a better tool than PEID for finding this kind of info?
The FI utility which I was recommended seemed to have to old registration key, so I was unable to get it working
If macros are the case, then at least would I find some incarnation of printf, like fprintf, vprintf or such, right?

If IDA can't detect runtime and PeID can't
it seems that it is time to use lastest top secret solution -
to look on your application by eyes
Can you send me your exe by email?
May I look inside it?
May be I will say you an answer on
"What compiller was used to make it?"

PS. You may PM me...

Wannabe just PMed me that he found a right signatures for his application
it is SymantecC V72... so congratulations to him...
he caught a really rare animal