[System Security] III. A first look at the IDA Pro disassembler and reverse engineering decryption in practice

You may have seen a similar article I wrote before, so why repeat it? I simply want to help beginners understand virus reverse analysis and system security better and more systematically, without tearing down the earlier series. So I have reopened this column to study system security, reverse analysis and malicious code detection systematically and in depth. The "System Security" series will be more focused, more systematic and more thorough; it is also a record of the author's own slow growth. Changing majors is genuinely hard, and reverse analysis is a hard subject, but I want to see how much I can learn in the next four years. The road is long, and I choose to walk it anyway. Enjoy the process, and let's keep going together~

In the system security series the author will go deep into malicious sample analysis, reverse analysis, offensive and defensive practice and Windows vulnerability exploitation, learning from other bloggers through online notes and hands-on work, in the hope of making progress together with you. The previous article covered the basics of reverse analysis, explained how to learn it, and walked through a reverse engineering case on the Lü Bu Chuan game. This article explains the basic usage of the IDA Pro disassembler in detail and then briefly demonstrates a practical method of reversing the decryption logic of an EXE. I hope you like it.

Without further ado, let us start a new journey! Your likes, comments and favourites are the greatest support you can give me, and I am grateful for your company on this security road. If anything is badly written, contact me and I will fix it. This is a basic article; I hope it helps you. The author's aim is to make progress together with the security community. Let's go~

Author's github resources:

Preamble analysis:


Statement: I firmly oppose using teaching material to commit crimes; all criminal behaviour will be punished severely, and we need to keep the network clean together. It is recommended that you understand the principles behind these techniques so as to protect systems better. (See the references below.)


1. Introduction to the IDA Pro tool

1. Introduction to IDA Pro

IDA Pro (Interactive Disassembler Professional), abbreviated "IDA", is an interactive disassembler produced by Hex-Rays. It is currently the best static disassembly software and an indispensable weapon for many 0day researchers and shellcode security analysts. IDA Pro is powerful, but operating it is fairly involved and requires a good deal of background knowledge. It is interactive, programmable, extensible and multi-processor; it runs on Windows, Linux and macOS; and it is recognised as one of the best reverse engineering tools.

IDA Pro has become the standard for analysing hostile code and has quickly become an important tool in attack research. It supports dozens of CPU instruction sets, including Intel x86, x64, MIPS, PowerPC, ARM, Z80, 68000, C8051 and others.



2. Creating a new IDA Pro project

IDA Pro installs with a simple click-Next installer. After a successful installation two programs, "IDA Pro (32bit)" and "IDA Pro (64bit)", are available, for analysing 32-bit and 64-bit programs respectively. IDA supports the common PE format as well as DOS, UNIX, Mac, Java, .NET and other platform file formats.

The following explains the process of opening IDA Pro for the first time.

Step 1: Open the IDA Pro 32-bit program

Double-click the exe file; the "Support message" dialog shown in the figure below pops up. Click the OK button.


Step 2: Create a new file

IDA offers three ways to load a file: "New" opens a standard file dialog to choose the file, "Go" opens an empty workspace into which you drag the file to be analysed, and "Previous" selects a recently used file.


Step 3: Select the exe file to load; it is the program we want to analyse

The author wrote a small C program and compiled it locally into "test01.exe", which is the executable analysed next.

#include<stdio.h>
int main()
{
    printf("Hello World!!!\n");
    return 0;
}

Select the file to import.


Step 4: Load the PE file
In the "Load a new file" window choose to load the file as a PE file. Its sections include .text (code), .data (data), .rsrc (resources), .idata (import table) and .edata (export table); a file can also be loaded as a raw binary.


IDA's disassembly has two stages. First it separates the program's code from its data, marks functions, and analyses parameter passing, jumps and the relationships between instructions; then, if IDA can recognise the compiler used to build the file, it loads the matching compiler signature file and assigns a name to each recognised library function. At the same time IDA creates a database whose components are stored in the ".id0", ".id1", ".nam" and ".til" files.

A confirmation window then pops up; you can tick the "Don't show this message again" option.


Step 5: Click "OK" in "Check for Hex-Rays product updates"
After the Hex-Rays message box pops up and you click OK, you are asked to set the update options. Click OK here; the default is fine.


Step 6: The analysis result
At this point the result looks like the figure below, and we can begin the reverse analysis.


IDA View displays as shown below:


The hexadecimal display of the Hex View is shown in the figure below:


You can see the "Hello World!!!\n" string in the code below.


Step 7: View the decompiled code
Press F5 to view the corresponding decompiled pseudocode, which approximates the original source.


Step 8: Close IDA Pro and save the database file
Save the IDB database file locally. It records the state of the analysis in IDA Pro, including the disassembly, section scanning, user-defined structures, user-defined names, comments and other information. Click the close button in the upper right corner; the IDA Pro "Save Database" window pops up. Keep the default option and click OK to save the generated database (.idb) file.


The next time you open the program you can load the database file directly and resume from the previous analysis state.



2. Basic usage of the IDA Pro tool

The main interface of IDA Pro is shown in the figure below:


IDA View window

The window is shown in the figure below:


It is opened via "View" -> "Open subviews" -> "Disassembly".


IDA View has two browsing modes, Text View and Graph View; right-click to switch between them.


Switching to the other mode gives the display shown in the figure below.

IDA View mainly includes three areas:

  • Address area: the virtual address of each instruction once the PE file is loaded into memory, i.e. image base + offset, for example 0x00401000
  • OpCode area: hidden by default; enable it via Options -> General -> "Number of opcode bytes" (set it to 8) to display the raw instruction bytes in hexadecimal
  • Disassembly area: the main working area of IDA View; items can be highlighted, and double-clicking a function or variable name jumps to its address



Hex View window

Displays the file in hexadecimal. It is read-only by default; the shortcut key F2 toggles the data area (the green character area) between read-only and edit mode.


Strings window

The View menu of IDA has several buttons that are important for locating code, as shown in the following figure:


  • Open exports window: opens the exports window
  • Open imports window: opens the imports window
  • Open names window: named list of functions and parameters
  • Open functions window: all functions called by the program
  • Open strings window: opens the strings display window

Here the author clicks Strings to display all the strings in the program. This window lets you work backwards from the program's output to the corresponding code fragment, such as the string and its address in the figure below.


Double-click a string to jump to the IDA View page at the address shown in the figure below; click it to highlight it.
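To show what the Strings window is actually doing when it lists a string next to its address, here is an added example (not code from the original post or from IDA) of a minimal printable-string scanner in the spirit of the strings utility. The sample byte buffer is constructed to look like a tiny .rdata section containing the messages from the programs in this article; it is not a dump of the author's binary, and the function and type names are my own.

```c
/* Added example: a minimal printable-string scanner, modelled on what the
 * IDA Strings window does. Not from the original post; the sample buffer
 * below is constructed, not taken from the author's binary. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_STRLEN 5   /* IDA's Strings window also defaults to a minimum of 5 */

typedef struct {
    size_t offset;     /* where the run starts inside the buffer */
    char   text[64];   /* NUL-terminated copy (truncated if longer) */
} found_string;

/* Scan buf for runs of printable ASCII at least MIN_STRLEN bytes long. A run
 * ends at a NUL or any non-printable byte. Returns the number of runs stored. */
size_t find_strings(const unsigned char *buf, size_t len,
                    found_string *out, size_t max_out)
{
    size_t n = 0, i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && isprint(buf[i]))
            i++;
        size_t run = i - start;
        if (run >= MIN_STRLEN && n < max_out) {
            size_t copy = run < sizeof out[n].text - 1 ? run : sizeof out[n].text - 1;
            out[n].offset = start;
            memcpy(out[n].text, buf + start, copy);
            out[n].text[copy] = '\0';
            n++;
        }
        i++;  /* step over the terminator (or the non-printable byte) */
    }
    return n;
}

/* Constructed sample: bytes laid out like the .rdata of the programs in this
 * article (four leading zero bytes, a few literals, some non-text bytes). */
static const unsigned char sample_rdata[] =
    "\x00\x00\x00\x00"
    "please input the key:\0"
    "%s\0"
    "\x01\x02\x03"
    "You are right, Success.\n\0"
    "eastmount\0"
    "123456789\0"
    "\xff\xfe";

static found_string g_found[16];
static size_t g_count;

/* Scan the constructed sample; returns how many strings were found. */
size_t scan_sample(void)
{
    g_count = find_strings(sample_rdata, sizeof sample_rdata, g_found, 16);
    return g_count;
}
const char *sample_text(size_t idx)  { return idx < g_count ? g_found[idx].text : ""; }
size_t sample_offset(size_t idx)     { return idx < g_count ? g_found[idx].offset : (size_t)-1; }

int main(void)
{
    size_t n = scan_sample();
    /* one line per string, like the Address / String columns of IDA */
    for (size_t i = 0; i < n; i++)
        printf("%08zx  %s\n", sample_offset(i), sample_text(i));
    return 0;
}
```

Note that "%s" is skipped because it is shorter than the minimum length, and "You are right, Success." stops at the newline because '\n' is not printable; IDA shows such escapes inline, but the idea is the same: a run of printable bytes plus the offset where it starts, which is what lets you pivot from an output message back to the code that references it.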


Other windows:

  • Exports/imports windows: the exports window lists the entry points of the file, the imports window lists all functions the analysed binary imports
  • Functions window: function name, segment, start address, length and flags describing the function
  • Structures window: analysed data structures; double-click a structure name to expand it and view the detailed layout
  • Enums window: enumerations; enumeration types can be defined here
  • Segments window: a simple list of the segments

File types

IDA creates a database, known as the IDB file, made up of four files:

  • id0: the database itself, stored as a B-tree
  • id1: per-byte flags describing the program bytes
  • nam: index information for the Names window
  • til: information about the local type definitions of the database



3. IDA Pro reverse engineering in practice

1. Code encryption

In an earlier blog post the author explained that music files are commonly protected with XOR encryption. Following that idea, the author wrote a simple piece of encryption code in C, as follows:

#include<stdio.h>
#include<string.h>

int main()
{
    int i;
    int len;
    char key[20];
    char res[20];
    char *num = "eastmount";     // XOR key
    char *right = "123456789";   // expected value after XOR

    // ask for the password
    printf("please input the key:");
    scanf("%s", key);            // note: %s is unbounded; the original build reads into a 20-byte buffer

    // length check
    len = strlen(key);
    if(len<6 || len>10) {
        printf("Error, The length of the key is 6~10\n");
    }
    else {
        // encrypt: XOR each input byte with the corresponding key byte
        for(i=0; i<len; i++) {
            res[i] = (key[i]^num[i]); // XOR encryption
        }
        res[len] = '\0';             // terminate before strcmp
        //printf("%s\n", res);
        if(strcmp(res, right)==0) {
            printf("You are right, Success.\n");
        } else {
            printf("Error, please input the right key.\n");
        }
    }

    return 0;
}

If the input length is not between 6 and 10 the program reports "Error, The length of the key is 6~10"; a wrong key gives "Error, please input the right key."; the correct key prints "You are right, Success.".


Next we use IDA Pro to analyse the EXE file and try to recover the key.


2. Reverse decryption

Step 1: Import the file
Following the steps in Part 1, import the file into IDA Pro. The call graph of the program is displayed as shown in the figure below.

The graph view shows the conditional branches clearly, and there is a thumbnail of the IDA view in the lower left corner; clicking on it quickly moves to that part of the view. Each block carries detailed code information, such as the two defined variables and their stack offsets.


Step 2: View the strings window
As described in Part 2, the View menu of IDA Pro has several buttons that help locate code (the exports, imports, names, functions and strings windows). Here the author clicks Strings to list all the strings in the program. This window lets you work backwards from the program's output to the corresponding code fragment, such as the string and its address in the figure below.


Double-click the string to jump to the address shown in the figure below, and click it to highlight it.


Step 3: View the decompiled code
Press F5 in the view shown below to display the decompiled pseudocode.


The decompiled pseudocode is as follows:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str1[32]; // [esp+38h] [ebp-50h]
  char Str[40]; // [esp+58h] [ebp-30h]
  int v6; // [esp+80h] [ebp-8h]
  int i; // [esp+84h] [ebp-4h]

  __main();
  printf("please input the key:");
  scanf("%s", Str);
  v6 = strlen(Str);
  if ( v6 > 5 && v6 <= 10 )
  {
    for ( i = 0; i < v6; ++i )
      Str1[i] = gcc2_compiled_[i] ^ Str[i];
    if ( !strcmp(Str1, "123456789") )
      printf("You are right, Success.\n");
    else
      printf("Error, please input the right key.\n");
  }
  else
  {
    printf("Error, The length of the key is 6~10\n");
  }
  return 0;
}

Note that this listing differs slightly from the C code written earlier. The source tests if (len<6 || len>10) and prints the error on the true branch, whereas the decompiler shows if (v6 > 5 && v6 <= 10) with the normal path in the true branch and the error in the else branch. The compiler inverted the condition; the logic is the same.


The basic logic of this code is: read the string Str, XOR it byte by byte with the gcc2_compiled_ variable, and store the result in Str1. When the encrypted Str1 equals "123456789" the check succeeds, otherwise it fails.
So, what is the value of the gcc2_compiled_ variable?

Step 4: Locate the core data
Select the gcc2_compiled_ variable; once it is highlighted, double-click it to jump to the corresponding location.


It turns out that the key is "eastmount" and the expected encryption result is "123456789".


Step 5: Reverse decryption
Finally, write the decryption code. Since XOR is its own inverse, XORing the expected result "123456789" with the key "eastmount" yields the input Str that the program accepts.

#include<stdio.h>
#include<string.h>

int main()
{
    int i;
    int len;
    char res[10];                // 9 characters plus the terminator
    char *num = "eastmount";     // XOR key
    char *right = "123456789";   // expected value after XOR

    // result: TS@@XYBVM
    len = strlen(num);
    for(i=0; i<len; i++) {
        res[i] = (right[i]^num[i]); // XOR is its own inverse
    }
    res[i] = 0;
    printf("The right key is: %s\n", res);
    return 0;
}
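To make the relationship between the check in Part 3.1 and the decryption in Step 5 explicit, here is an added example (not the author's code) that re-implements the target program's check with explicit bounds and pairs it with the inverse, then verifies that the recovered password passes the check. KEY and TARGET are the literals from the post ("eastmount" and "123456789"); the function names and the handling of inputs longer than the key are my own, chosen to mirror what the compiled program does (it reads the key's terminating NUL, i.e. XOR with 0, for the tenth character).

```c
/* Added example (not the author's code): the XOR check with explicit bounds,
 * plus its inverse, which is the idea behind Step 5. KEY and TARGET are the
 * literals from the post; everything else is an assumption of this example. */
#include <stdio.h>
#include <string.h>

#define KEY    "eastmount"   /* the XOR key stored in the binary (gcc2_compiled_) */
#define TARGET "123456789"   /* the value the XOR output must match */

/* Byte of s at position i, or 0 once past the end: the original program reads
 * the key's terminating NUL when the input is longer than the key. */
static char at_or_nul(const char *s, size_t i)
{
    return i < strlen(s) ? s[i] : '\0';
}

/* The target program's check. Returns 1 for a correct key, 0 for a wrong one,
 * -1 when the length test (6..10) fails. */
int check_key(const char *input)
{
    size_t len = strlen(input);
    char res[16];               /* room for the longest accepted input */
    if (len < 6 || len > 10)
        return -1;
    for (size_t i = 0; i < len; i++)
        res[i] = input[i] ^ at_or_nul(KEY, i);
    res[len] = '\0';
    return strcmp(res, TARGET) == 0;
}

/* The inverse: XOR is an involution, so input[i] = TARGET[i] ^ KEY[i].
 * Writes the recovered password to out; returns its length, or 0 if out is
 * too small. */
size_t recover_key(const char *key, const char *target, char *out, size_t outsz)
{
    size_t n = strlen(target);
    if (n + 1 > outsz)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = target[i] ^ at_or_nul(key, i);
    out[n] = '\0';
    return n;
}

/* Convenience wrapper: the password for the post's KEY/TARGET pair. */
const char *recovered_password(void)
{
    static char buf[16];
    recover_key(KEY, TARGET, buf, sizeof buf);
    return buf;
}

int main(void)
{
    const char *pw = recovered_password();
    printf("The right key is: %s\n", pw);                  /* TS@@XYBVM */
    printf("check_key(\"%s\") = %d\n", pw, check_key(pw));  /* 1 */
    printf("check_key(\"abc\") = %d\n", check_key("abc"));  /* -1 */
    return 0;
}
```

Running the recovered password back through check_key is the step worth keeping in your own workflow: it confirms that the value read from the database really is what the binary compares against, rather than trusting the decompiler's rendering alone. The ten-character case also shows why the original's bounds matter: the tenth input byte is XORed with 0 and can never match a nine-character target.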

The decryption result is shown in the figure below:


Note the files IDA Pro created locally, shown in the figure below.



4. Summary

That concludes this basic article. There really is a great deal to learn in security, spanning assembly, networking, operating systems, encryption and decryption, C/C++, Python and more. I hope to make steady progress and give research and practice equal weight, and I hope readers like this series of notes. If you don't, please don't flame; let's walk the road together~

Three years ago, you wrote "Zhangna" before sunrise in Dunhuang, but today I wrote a love letter as a gift. Three pieces of thin paper can't express countless loves. Wuhan is beautiful and Wuhan University is more beautiful, but I know that the purpose of this trip is to seek knowledge and recharge. My family has young girls, and I belong to early learning and reunion. I wrote a blog late at night to record the learning experience of IDA Pro today. Let's cheer together.

Today my CSDN follower count passed 100,000. I sincerely thank you all for your company and support over the years; I am grateful to know you, and I hope to keep sharing higher-quality articles that help more people get started and solve problems, with a bit of fun and encouragement along the way!


The "Nazhang AI Security Home" public account, opened on August 18, 2020, focuses on Python big data analysis, cyberspace security, artificial intelligence, Web penetration and offensive and defensive techniques, and also shares implementations of algorithms from papers. It will be more systematic, reworking all of the author's articles and explaining Python and security from scratch. After nearly ten years of writing, I really want to share what I have learned and felt. I would also like to invite your advice and sincerely invite you to follow. Thank you.


(By: Eastmount 2020-12-17 Written in Wuhan on Thursday at 10pm https://blog.csdn.net/Eastmoun )


Origin blog.csdn.net/Eastmount/article/details/108881705