IDA pro:在unknown_libname_x函数上应用签名?
应用签名时,IDA pro 会将一些函数命名为unknown_libname_x。这些函数反映了 IDA 没有足够详细信息的库函数。然而,通常其他签名可能有关于此类函数的更多信息,因此当在第一个签名之后应用这些签名时,我希望 IDA 也适用于所有unknown_libname_x函数 - 这可以做到吗?事实上,IDA 似乎只对之前应用的签名或您未触及的函数应用签名。
坦率地说,我不明白为什么 IDA 默认情况下不这样做 - 如果签名 y 在特定功能上比 x 拥有更多信息,那么人们希望 y 否决/添加到 x 提供的信息似乎是微不足道的。
When applying signatures IDA pro will name some functions unknown_libname_x. These functions reflect a library function that IDA doesn't have enough details on. Often, however, other signatures may have more information on such functions and thus when those signatures are applied after the first, I would like IDA to also apply on all unknown_libname_x functions - can this be done? As it is IDA seems to ONLY apply signatures on functions not touched by previously applied signatures or by you.
Frankly I do not understand why IDA doesn't do this by default - if signature y has more information than x on a specific function it seems trivial that one would like y to overrule/add to what info x provided.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以通过签名子视图[View->Open Subviews->Signatures]添加/删除运行时库的签名。
You can add/remove signatures of runtime libraries through the Signatures sub-view [View->Open Subviews->Signatures).
我注意到 IDA 经常错误地命名函数unknown_library_xxx。
您必须亲自检查它们以确定它是否确实是某个库 fn,或者确实属于应用程序代码。
i noticed that often IDA wrongly names a function unknown_library_xxx.
you have to inspect them yourself to determine if it really is some library fn, or really belongs to the application code.