5aLIVE
October 27th, 2009, 14:30
I've got a DLL I'd like to take a look at.
When I load it into IDA it applies the SEH for VC7/8 FLIRT signature.
Looking at the segmentation window I see the following:
.idata 00401000
.text 00401190
.data 00416000
That doesn't seem right to me; the IAT begins where the code section normally begins (00401000). The .idata section is handled as code instead of data, and the code section has blocks of data double words in it.
Viewing the Functions window in IDA shows a lot of unidentified sub_xxxxxx functions which is to be expected but no recognised library functions are shown like strcpy and strlen and so on. I'm assuming this must be because a suitable FLIRT signature hasn't been applied automatically?
Loading the DLL into stud_PE and other similar tools can't detect the type of compiler used.
Can anyone tell me what steps I need to take to make IDA produce a more intelligible disassembly please?
LordPE shows that the DLL has a Security Directory registered in the PE header. I'm not sure if that is significant or not. I thought I would mention it just in case.
Thanks for any help.
Regards,
5aLIVE.
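Added example (not from the thread, nor from IDA or LordPE): a header-only PE check in Python that reads the section table and the Security Directory entry, showing from the raw headers why a listing like the one above comes out that way. `parse_pe`, `oddities` and `build_sample_dll` are my names, and the sample header bytes are constructed to mirror the post's segment list, not taken from the real DLL.

```python
import struct
# Section Characteristics flags and data-directory index from the PE/COFF spec
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # attribute certificate (Authenticode) table

def parse_pe(data):
    """Return (image_base, sections sorted by VA as (name, va, flags), (cert_offset, cert_size))."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # ImageBase is a QWORD at +24 in PE32+ (no BaseOfData field) and a DWORD at +28 in PE32
    image_base = struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus else struct.unpack_from("<I", data, opt + 28)[0]
    dirs = opt + (112 if pe32plus else 96)  # data directories follow the Windows-specific fields
    cert = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii")
        rva = struct.unpack_from("<I", data, hdr + 12)[0]
        flags = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append((name, image_base + rva, flags))
    return image_base, sorted(sections, key=lambda s: s[1]), cert

def oddities(sections, cert):
    """Spell out, from headers alone, the two things the post noticed."""
    notes = []
    for name, va, flags in sections:
        if name in (".idata", ".rdata", ".data") and flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            notes.append(f"{name} at {va:08X} is flagged code/executable, so IDA disassembles it")
    if sections and sections[0][0] == ".idata":
        notes.append(f"import data is the lowest section ({sections[0][1]:08X}), where .text usually sits")
    off, size = cert
    if size:  # the entry is a file offset, not an RVA: the cert table lies outside every mapped section
        notes.append(f"attribute certificate table at file offset {off:#x}, {size} bytes (Authenticode data)")
    return notes

def build_sample_dll():
    """Constructed PE32 headers only (no code bytes) mirroring the segment listing in the post."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x2102)  # i386, 3 sections, DLL
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x1A000, 0x1200)  # constructed offset/size
    opt = (struct.pack("<H", 0x10B) + bytes(26) + struct.pack("<I", 0x400000) + bytes(64)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    sec = lambda n, rva, f: struct.pack("<8sIIIIIIHHI", n, 0x1000, rva, 0x1000, 0x400, 0, 0, 0, 0, f)
    return dos + coff + opt + sec(b".idata", 0x1000, 0x60000020) + sec(b".text", 0x1190, 0x60000020) + sec(b".data", 0x16000, 0xC0000040)
```

Run `oddities(*parse_pe(open(path, "rb").read())[1:])` on a real file to get the same notes; the certificate entry only tells you a signature blob is attached, it says nothing about the compiler or FLIRT signatures.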