Lib file format analysis, as well as the idea and source code for extracting OBJ from LIB files

Recently I am studying Ida. Sometimes I need to extract sig from the Lib file so that we can view the function name. However, the manual method can only be extracted by OBJ one by one. Although batch processing can be used, but sometimes the wrong coff file still requires manual intervention, so I wrote such a small tool, I learned the structure of the Lib file.

The start of the Lib file, which starts with eight strings with the value "!" <Arch>/N ". Next, it consists of four different types of segments (not four segments). The first section (one), second section (one), and long Section (one) are arranged in sequence ), OBJ section (How many OBJ files are included, and how many OBJ sections are available ).

The partition header starts with such a struct.

Typedef struct
{
Char name [16]; // name
Char time [12]; // time
Char userid [6]; // user ID
Char groupid [6]; // group ID
Char mode [8]; // Mode
Char size [10]; // Length
Char endofheader [2]; // Terminator
} Sectionheader;

To extract the OBJ file from a file, we generally only need to pay attention to the second section. The following information is saved:
Typedef struct
{
Unsigned long objnum; // Number of OBJ Sec
Unsigned long objoffset [X]; // The offset of each OBJ Sec
Unsigned long symbolnum; // Number of symbols in the library
Unsigned short symbow.x [N]; // index of the symbol in the objoffset table
Char strtable [m]; // symbol name string table
} Secondsec;

But we cannot read it directly, because
Objoffset [X]; // The offset of each OBJ Sec
The length is not fixed, depending on
Objnum; // The number of OBJ Sec

In addition, the length of the first section is not fixed. What should we do?

My solution is as follows:
Both the first section and second section use
Char szsecname [16] = {'/', 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 };
In this format.

I defined a char, which is read in bytes. When '/' is encountered, I will judge whether the following is 15 0x20. If I read this structure twice, the second section is explained and the subsequent content is read immediately. This is the objnum, that is, the number of obj.

Then apply for a piece of memory to store the objoffset [X]; // The offset of each OBJ Sec
Ulong * m_offset = new ulong [objnum], and then read the OBJ offset from the file to this array.

Note that these offset values are not arranged in ascending order, so you have to arrange them once.

Subtract the first offset from the second offset to obtain the size of the first OBJ section (not the size of the OBJ file ). Because there is a sectionheader structure in front of each OBJ section, the actual offset of the OBJ file is:

The read Offset + sizeof (sectionheader) is the first address of the OBJ file.

The following is simple. Just write a little bit to each file.

From: Wuhan kerui

The code below does not use multithreading, so when there are too many OBJ files, it will be a little slow to run, hey. If you have any incorrect information or better algorithms, please kindly advise!

Http://img.jpg.name/twdwsdtjztwwthhy...wzwtrwtrrj.rar