Thread: Find symbols from statically linked library

  1. #1
    rajkosto
    Guest

    Find symbols from statically linked library

    I have an application that uses the Crypto++ library for all its crypto. I am trying to figure out the network protocol of this application, however this is very hard as Crypto++ is heavily templated and, in addition, in this exe it's statically linked. Since Crypto++ is open source, is there any way I could compile it myself and import the symbols into the exe so that I could see when Crypto++ functions are being called? This is further complicated by the fact that I would have to compile the exact version they used to make the exe, however I have no idea what they used, but it seems to be an older version (4.x). So my questions would be:
    1. How do I effectively find out the version of Crypto++ used?
    2. How do I import library symbols into IDA Pro, so that I can see when they are being called in the exe?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    <script>alert(0)</script> disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    1. Non-trivial. You could look at a string dump for clues (sometimes certain strings are added and removed between versions). Other people on this board will probably have other suggestions as well.
    2. You can start with http://www.woodmann.com/collaborative/tools/index.php/Category:IDA_Signature_Creation_Tools
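
The string-dump comparison suggested in this reply, as an added example that is not part of the original posts: it ranks candidate library builds by how many of their version-distinctive strings also occur in the target executable. The labels `candidate-A`/`candidate-B` and all sample bytes are constructed placeholders, not real Crypto++ strings or versions.

```python
import re

MIN_LEN = 6  # shorter runs are mostly noise

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> set[str]:
    """Return printable ASCII and UTF-16LE strings found in a binary blob."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    found |= {m.group().decode("utf-16le") for m in wide_re.finditer(blob)}
    return found

def rank_versions(target: bytes, candidates: dict[str, bytes]) -> list[tuple[str, int, int]]:
    """Rank candidate builds by distinctive strings that also occur in target.

    Strings present in every candidate carry no version information, so only
    the remainder is scored. Returns (label, hits, distinctive_total) tuples,
    best match first.
    """
    target_strings = extract_strings(target)
    per_version = {v: extract_strings(b) for v, b in candidates.items()}
    common = set.intersection(*per_version.values())
    ranked = []
    for version, strings in per_version.items():
        distinctive = strings - common
        hits = len(distinctive & target_strings)
        ranked.append((version, hits, len(distinctive)))
    ranked.sort(key=lambda r: (r[1] / r[2] if r[2] else 0.0, r[1]), reverse=True)
    return ranked

# Constructed sample data standing in for two library builds and the exe.
CANDIDATES = {
    "candidate-A": b"\x00".join([b"shared: invalid key length",
                                 b"old-only: message one"]),
    "candidate-B": b"\x00".join([b"shared: invalid key length",
                                 b"new-only: message two",
                                 b"new-only: message three"]),
}
TARGET = b"\x90\x90\x00" + b"\x00".join([b"shared: invalid key length",
                                        b"new-only: message two",
                                        b"app banner text"]) + b"\x00\xff"

if __name__ == "__main__":
    for label, hits, total in rank_versions(TARGET, CANDIDATES):
        print(f"{label}: {hits}/{total} distinctive strings present")
```

In real use the byte strings would be read from the executable and from each locally built `.lib`. A low hit count is not proof of a mismatch, since the linker only pulls in the object files the program references.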

  3. #3
    rajkosto
    Guest
    Well, there is one very obvious function which calls a Windows function; it's in osrng.h, the random number generator.
    It calls CryptGenRandom, but whatever version of Crypto++ I compile, the flow is different than the one in the exe... not similar at all.

  4. #4
    <script>alert(0)</script> disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    Different compilers?

  5. #5
    rajkosto
    Guest
    Used the same one, MSVC 7.1.
    Maybe something was stripped when it was included in the exe?

  6. #6
    You'd be *very* lucky to generate the exact same binary by compiling from source. Especially when lots of optimizations are enabled, things get very unpredictable and could in fact depend on the rest of the program. For example, small Crypto++ functions could have been inlined, others could have been changed so their parameters are passed through registers instead of the stack, etc.
    I would say compiling from source to obtain something usable for signature scanning is damn near impossible.

  7. #7
    rajkosto
    Guest
    Crypto++ was first compiled as a static library (.lib),
    then linked in with this program...
    I know that it uses templates and some inline functions, and I won't be able to detect those by signatures,
    but the ones which were used from the linked .lib, I should be able to recognize them.
