Chapter 12. Library Recognition Using FLIRT Signatures


At this point it is time to start moving beyond IDA’s more obvious capabilities and begin our exploration of what to do after “The initial autoanalysis has been finished.”[75] In this chapter we discuss techniques for recognizing standard code sequences such as the library code contained in statically linked binaries or standard initialization and helper functions inserted by compilers.

When you set out to reverse engineer any binary, the last thing that you want to do is waste time reverse engineering library functions whose behavior you could learn much more easily simply by reading a man page, reading some source code, or doing a little Internet research. The challenge presented by statically linked binaries is that they blur the distinction between application code and library code. In a statically linked binary, entire libraries are combined with application code to form a single monolithic executable file. Fortunately for us, tools are available that enable IDA to recognize and mark library code, allowing us to focus our attention on the unique code within the application.

Fast Library Identification and Recognition Technology

Fast Library Identification and Recognition Technology, better known as FLIRT,[76] encompasses the set of techniques employed by IDA to identify sequences of code as library code. At the heart of FLIRT are pattern-matching algorithms that enable IDA to quickly determine whether a disassembled function matches one of the many signatures known to IDA. The <IDADIR>/sig directory contains the signature files that ship with IDA. For the most part, these are libraries that ship with common Windows compilers, though a few non-Windows signatures are also included.

Signature files utilize a custom format in which the bulk of the signature data is compressed and wrapped in an IDA-specific header. In most cases, signature filenames do not clearly indicate which library the associated signatures were generated from. Depending on how they were created, signature files may contain a library name comment that describes their contents. If we view the first few lines of extracted ASCII content from a signature file, this comment is often revealed. The following Unix-style command[77] generally reveals the comment in the second or third line of output:

# strings sigfile | head -n 3
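Rather than guessing which line of the strings output is the comment, the library name can be read directly from the file header, because the comment is stored at a fixed place after the fixed-size header fields. The script below is an added example and is not from the book or from IDA; the header layout it decodes (the "IDASGN" magic, version byte, feature flags including the compressed flag, and a length-prefixed library name following the fields) is taken from open-source FLIRT readers such as radare2 and is an assumption here, not something this page states. The build_sample_sig helper constructs a synthetic .sig file in memory so the parser can be exercised offline; it is not a real signature file.

```python
"""Read the library name comment from an IDA FLIRT .sig file header.

Header layout is assumed from open-source reimplementations (radare2 flirt.c);
treat field meanings beyond the magic, version and library name as best effort.
"""
import struct

SIG_MAGIC = b"IDASGN"
FEATURE_COMPRESSED = 0x10  # assumed flag bit: signature body is compressed

# Fixed v5 part of the header: magic, version, arch, file_types, os_types,
# app_types, features, old_n_functions, crc16, ctype[12], name_len, ctypes_crc16
_V5 = struct.Struct("<6sBBIHHHHH12sBH")


def parse_sig_header(data: bytes) -> dict:
    """Parse the header of a .sig file and return its metadata and library name."""
    if len(data) < _V5.size or data[:6] != SIG_MAGIC:
        raise ValueError("not an IDA FLIRT signature file (bad magic)")
    (_, version, arch, file_types, os_types, app_types, features,
     old_n_functions, crc16, _ctype, name_len, _ctypes_crc16) = _V5.unpack_from(data, 0)

    off = _V5.size
    n_functions = old_n_functions
    # Later format versions insert extra fields before the library name.
    if version >= 6:
        (n_functions,) = struct.unpack_from("<I", data, off)
        off += 4
    if version >= 8:
        off += 2  # pattern_size
    if version >= 10:
        off += 2  # unknown field

    name = data[off:off + name_len]
    if len(name) != name_len:
        raise ValueError("truncated header: library name cut off")
    return {
        "version": version,
        "arch": arch,
        "file_types": file_types,
        "os_types": os_types,
        "app_types": app_types,
        "features": features,
        "compressed": bool(features & FEATURE_COMPRESSED),
        "n_functions": n_functions,
        "crc16": crc16,
        "library_name": name.decode("latin-1"),
        "data_offset": off + name_len,  # where the (usually compressed) body starts
    }


def build_sample_sig(version: int = 9,
                     name: str = "Microsoft VisualC 2-14/net runtime",
                     features: int = FEATURE_COMPRESSED,
                     n_functions: int = 1234) -> bytes:
    """Constructed sample: a synthetic .sig header followed by a dummy body."""
    name_b = name.encode("latin-1")
    hdr = _V5.pack(SIG_MAGIC, version, 0, 0, 0, 0, features,
                   n_functions & 0xFFFF, 0, b"\0" * 12, len(name_b), 0)
    if version >= 6:
        hdr += struct.pack("<I", n_functions)
    if version >= 8:
        hdr += struct.pack("<H", 0)
    if version >= 10:
        hdr += struct.pack("<H", 0)
    return hdr + name_b + b"\0" * 16  # placeholder body, not real signature data


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sig()
    info = parse_sig_header(blob)
    print(f"{info['library_name']!r}  version={info['version']} "
          f"functions={info['n_functions']} compressed={info['compressed']}")
```

Run it with a path to a file from <IDADIR>/sig to print that file's comment, or with no argument to parse the constructed sample. Because the parser checks the magic and the name length against the buffer, a file that is not a signature file, or one that has been truncated, is reported rather than silently yielding garbage.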

Within IDA, there are two ways to view comments associated with signature files. First, you can access the list of signatures that have been applied to a binary via View ▸ Open Subviews ▸ Signatures. Second, the list of all signature files is displayed as part of the manual signature application process, which is initiated via File ▸ Load File ▸ FLIRT Signature File.



[75] IDA generates this message in the Output window when it has finished its automated processing of a newly loaded binary.

[77] The strings command was discussed in Chapter 2, while the head command is used to view only the first few lines (three in the example) of its input source.
