5

I'm trying to analyze a GCC static library which is a part of a commercial software.

First, I used IDA Pro to analyze entire Lib file, but it could find only object files and was unable to disassemble objects.

So, I extracted all of the inside objects by ar -x. Next, I used binwalk, It shows multiple Zlib Compressed regions next to the 64-bytes header (EFI x64). Is this ordinary in static libraries (existence of several zlib region)? Is it a protection method?

Anyway, I used zlib-flate -uncompress to extract sections in one of the objects after separating its zlib regions (by dd), and used IDA Pro to disassemble the output. Although, some of the sections contain some valid strings (Unix Path), IDA Pro shows invalid codes.

Thanks in advance.

Viktor
  • 461
  • 1
  • 3
  • 19
HamidReza
  • 151
  • 5

1 Answers1

1

Hard to tell without a look at the library in question, but my guess would be that the contained object files contain zlib-compressed debug information.

Have a look here and look for "zlib" or -gz regarding the relevant GCC options.

0xC0000022L
  • 10,908
  • 9
  • 41
  • 79
  • 1
    Thanks. I checked it. But It seems these aren't Debug sections. I tried readelf -e file.obj. it shows each Zlib-Compressed region is an elf section which has been determined in the sections header (Because offsets of sections are equal to offsets of binwalk zlib regions). Their name is like a function's name. A weird point is that all main sections (e.g. .text, .data,...) are zero-sized. – HamidReza Jan 01 '23 at 11:33
  • 1
    @HamidReza as mentioned, I think we won't get much further than that without an actual sample and some more details of what (object) files you ran the respective tools on. – 0xC0000022L Jan 01 '23 at 20:52
  • 1
    Thank you for your time and consideration. I'll ask my employer to let me share one of the obj files. – HamidReza Jan 02 '23 at 09:14
  • 1
    @HamidReza one more thing. Technically object files can wrap any sort of data. So depending on the kind of library you are looking at, chances are you are literally looking at data blobs, especially with those curious details about .data and .text sections. – 0xC0000022L Jan 02 '23 at 14:35