
I'm currently researching how a certain malware works and patches some stuff in a certain Android library.

Inspecting the library (which is stripped) in IDA, I was able to get the symbol for a certain function in it, but I can't get it through any other means (like objdump -T -t, nm, readelf, and executing strings on the binary doesn't throw that string). I'm quite familiar with the ELF format, and so I made a simple ELF parser just to try something else, but obviously it wasn't able to find the symbol either.

So now I just want to understand how IDA can get this symbol when it apparently isn't contained in the binary. The only thing I can think of is that maybe IDA sees, through other symbols, the class this method belongs to and also the types of the arguments it receives, and thus can guess the symbol.

  • IDA uses FLIRT signatures to try and identify known library functions. You did not specify what the symbol is; if possible, add it, it will get you more accurate answers.
    – Yotamz
    Commented Feb 8 at 18:44
  • @Yotamz hmm, ok, that makes sense. I knew of the existence of some kind of database of routines, but also thought it would be used with a plugin or something like that... Now the question feels kind of dumb :/
    – Arget
    Commented Feb 8 at 19:07
  • What is the symbol name?
    – Igor Skochinsky
    Commented Feb 12 at 13:32

1 Answer


(reposting as an answer)

IDA uses FLIRT signatures to try and identify known library functions.

Functions found in this way would normally be marked as library functions and will be displayed in IDA disassembly with a different color.
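The kind of matching the answer describes, as an added simplified illustration in Python (my own code, not IDA's implementation and not the real .sig file format; all function bytes, offsets and the name known_lib_func are constructed): a signature keeps the leading bytes of a known library function, wildcards the bytes a linker or loader rewrites, and adds a CRC over the bytes that follow so that functions sharing a prologue are still told apart.

```python
# Added illustration of the FLIRT idea (not IDA's code or .sig format): a signature
# is a known function's leading bytes with link-dependent bytes wildcarded, plus a
# CRC16 over the bytes that follow. All bytes below are constructed samples.
def crc16(data: bytes) -> int:
    """CRC-16/CCITT variant (poly 0x1021, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ (0x1021 if crc & 0x8000 else 0)) & 0xFFFF
    return crc

def make_signature(name, func, variable_offsets, pattern_len=12, crc_len=8):
    """Wildcards (None) at offsets a linker/loader rewrites, then a CRC over the next bytes."""
    pattern = [None if i in variable_offsets else func[i] for i in range(pattern_len)]
    tail = func[pattern_len:pattern_len + crc_len]
    return {"name": name, "pattern": pattern, "crc_len": len(tail), "crc": crc16(tail)}

def match_at(blob: bytes, off: int, sig: dict) -> bool:
    """True if blob[off:] satisfies the pattern and the CRC of the bytes after it."""
    plen, clen = len(sig["pattern"]), sig["crc_len"]
    if off + plen + clen > len(blob):
        return False
    if any(w is not None and blob[off + i] != w for i, w in enumerate(sig["pattern"])):
        return False
    return crc16(blob[off + plen:off + plen + clen]) == sig["crc"]

def identify(blob: bytes, func_starts, sigs) -> dict:
    # Map function start offsets in a stripped binary to matching library names.
    found = {}
    for off in func_starts:
        name = next((s["name"] for s in sigs if match_at(blob, off, s)), None)
        if name:
            found[off] = name
    return found

# Constructed "known library function" (x86-64); the lea disp32 at offsets 7..10 is link-dependent.
KNOWN_FUNC = bytes.fromhex(
    "55 48 89 e5"           # push rbp; mov rbp, rsp
    "48 8d 05 aa bb cc dd"  # lea rax, [rip + disp32]
    "48 89 c7"              # mov rdi, rax
    "31 c0 5d c3 90 90"     # xor eax, eax; pop rbp; ret; nop; nop
)
SIGS = [make_signature("known_lib_func", KNOWN_FUNC, {7, 8, 9, 10})]

# Constructed stripped binary: padding, the same function relocated, then a same-prologue decoy.
RELOCATED = KNOWN_FUNC[:7] + bytes.fromhex("11223344") + KNOWN_FUNC[11:]
DECOY = KNOWN_FUNC[:12] + bytes.fromhex("90 90 90 90 90 90 5d c3")
STRIPPED = bytes(16) + RELOCATED + DECOY

def demo() -> dict:
    return identify(STRIPPED, [0, 16, 36], SIGS)  # returns {16: "known_lib_func"}
```

Only the relocated copy at offset 16 is named; the decoy at offset 36 passes the byte pattern but fails the CRC, which is why a real signature carries more than the first few bytes.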
