As the saying goes, to do good work you must first sharpen your tools. In binary security the skilled use of tools is particularly important, and IDA is the essential tool for working with binaries. Until now I had only used a few of its more common functions and never studied the rest, so in the spirit of learning I worked through the "IDA Pro Authoritative Guide" (Second Edition) and wrote this article to record my own learning experience. Everything below was recorded with IDA Pro 7.0 on Windows.
Some binary tools
In its first two chapters, the "IDA Pro Authoritative Guide" introduces several tools that are commonly used in binary research. I will briefly note a few of them here:
C++filt:
can be used to demangle the names of overloaded C++ functions
PE tools:
a set of tools used to analyze the running processes and executable files in the Windows system
strings:
can be used to list all the strings in an ELF file. The parameter -a scans the entire file, -t prints the offset of each string, and -e selects additional character encodings to search for, such as Unicode
strip:
removes the symbols from an ELF. After stripping, the binary still works normally, but reverse engineering becomes harder, so it is a must-have for challenge authors.
IDA's creator is Ilfak, and his personal blog has many IDA tutorials:
https://www.hexblog.com/
IDA directory structure
There are many folders under the IDA installation root directory, each storing different contents:
cfg: contains various configuration files: the basic IDA configuration file ida.cfg, the GUI configuration file idagui.cfg, and the text-mode user interface configuration file idatui.cfg
idc: contains the core files required by IDA's built-in scripting language, IDC
ids: contains symbol files
loaders: contains the loader modules used to identify and parse file formats such as PE and ELF
plugins: additional plug-in modules
procs: contains the processor modules
Commonly used shortcut keys
The shortcut keys in IDA correspond to the function entries in the menu bar. Basically, whenever you find a function in the menu bar you can also see its shortcut key next to it. Here are a few commonly used ones:
a: Convert the data at the cursor to a string
f5: One-click decompilation (Hex-Rays)
esc: Back key; returns to the view of the previous operation (this only works in the disassembly window; pressing esc in other windows closes the window)
shift+f12: Open the strings window, which lists all strings at once; right-click and choose setup to set the window's properties
ctrl+w: Save the IDA database
ctrl+s: Open the segment list and jump directly to a segment
ctrl+mouse wheel: Adjust the zoom of the graph view
x: With the cursor on a function or variable, view its cross-references
g: Jump directly to an address
n: Rename a variable
y: Change the type of a variable
/: Write a comment in the pseudocode view after decompilation
\: Hide/show the type declarations of variables and functions in the pseudocode view; when there are many variables, hiding the declarations makes the code much easier to read
;: Write a comment in the disassembly view
ctrl+shift+w: Take an IDA snapshot
u: Undefine, i.e. remove the definition of a function, code, or data
Common settings
Take a snapshot
Since IDA does not provide an undo function, an accidental keypress that changes the IDA database means starting over, so remember to take a snapshot before a series of operations: file-->take database snapshot. After the snapshot is taken, a new IDA database file is generated, which is essentially like a "save as" operation.
Shortcut key: ctrl+shift+w
Menu bar common settings
view-->open subviews: You can restore the data display window that you accidentally closed
windows-->reset desktop: You can restore the initial ida layout
option-->font: You can change the related attributes of the font
Add address prefixes in the graph view
The graph view in IDA is very easy to use: it shows the program's execution flow simply and clearly, and is especially intuitive when reading if branches and loops.
However, we can make it even more useful. Adding the address prefix to this view makes it very convenient to read addresses, so you no longer need to press space to switch to the text view to find them. Set it in the menu bar: option-->general
After checking this option, you can see the effect:
Automatically add disassembly comments
This function is very friendly to beginners. When I was just learning assembly I would inevitably run into a few obscure instructions and had to look them up one by one, which was very tedious. With automatic comments turned on, IDA tells you the meaning of each assembly instruction directly.
It is set in the same place in the menu bar: option-->general
The effect is as follows:
Common operations
Create an array
When working in IDA we often need to create an array, especially to make strings easier to read, so creating arrays is a necessary skill. Below I pick an arbitrary piece of data and create an array from it
First click to select an area you want to convert into an array:
Then select in the menu bar: edit-->array, the following option box will pop up
Let's explain the meaning of each parameter:
Array element size
This value is the size of each array element (here 1 byte); it is determined by the size of the data item you selected
Maximum possible size
This value is calculated automatically and represents the maximum possible size of the array
Array size
The number of array elements; the default is generated from your selection
Items on a line
Specifies the number of elements displayed on each disassembly line, which reduces the space needed to display the array
Element print width
This value is used for formatting: when several items are displayed on one line, it controls the column width
Use "dup" construct
Use a repeat construct: this option merges runs of identical data values into one item with a repeat specifier
Signed elements
Indicates whether to display the data as a signed number or an unsigned number
Display indexes
Shows the array indexes in a regular form. If this option is selected, the Indexes option group on the right is activated so you can choose the display format of the indexes
Create as array
Create the selection as an array; this is generally selected by default
After it is created, it becomes like this:
You can see that these data have been folded together as an array. Here 2 dup(0FFh) means two repeated 0xFF bytes.
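The following is an added example, not code from the original post, that renders a byte buffer the way the Create Array dialog options above describe it: element size (db/dw/dd/dq), items on a line, the dup construct, and signed elements. The exact listing style is my approximation of IDA's, not IDA's own formatting code.

```python
# Added example, not from the original post: renders a byte buffer the way
# IDA's Create Array dialog options describe it (element size, items on a
# line, the dup construct, signed elements). The output formatting
# approximates IDA's listing style and is an assumption, not IDA's own code.
import struct

_DIRECTIVE = {1: ("db", "B"), 2: ("dw", "H"), 4: ("dd", "I"), 8: ("dq", "Q")}


def fmt_value(value, elem_size, signed=False):
    """Format one element: 0..9 as decimal, larger values as hex with an 'h'
    suffix and a leading 0 when the first digit is a letter (0FFh), and
    negative values as signed decimal when signed elements are requested."""
    bits = elem_size * 8
    if signed and value >= 1 << (bits - 1):
        return str(value - (1 << bits))
    if value < 10:
        return str(value)
    text = "%X" % value
    if text[0] in "ABCDEF":
        text = "0" + text
    return text + "h"


def format_array(data, elem_size=1, items_per_line=8, use_dup=True, signed=False):
    """Return listing lines for data as an IDA-style array.

    elem_size selects db/dw/dd/dq (little-endian), use_dup collapses runs of
    equal elements into 'N dup(V)', and each dup group counts as one item
    when wrapping at items_per_line (a simplification of IDA's layout).
    """
    directive, code = _DIRECTIVE[elem_size]
    if len(data) % elem_size:
        raise ValueError("data length is not a multiple of the element size")
    count = len(data) // elem_size
    elems = struct.unpack("<" + code * count, data)
    groups = []                       # run-length encoded [value, repeat]
    for v in elems:
        if use_dup and groups and groups[-1][0] == v:
            groups[-1][1] += 1
        else:
            groups.append([v, 1])
    items = []
    for v, n in groups:
        text = fmt_value(v, elem_size, signed)
        items.append("%d dup(%s)" % (n, text) if n > 1 else text)
    return [directive + " " + ", ".join(items[i:i + items_per_line])
            for i in range(0, len(items), items_per_line)]
```

Calling format_array(b"\xff\xff\x00\x41") reproduces the "2 dup(0FFh)" form seen in the listing above.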
Flow charts
Collapsing branches in the flow chart
In the graph view, when there are too many branches, you can right-click the window title and select group nodes to collapse the current block
The effect is as follows:
The collapsed block can be given a name of your choice, which helps your own understanding during reversing
Function call graph
Menu bar: view-->graphs-->Function calls (shortcut Ctrl+F12)
This graph clearly shows how the functions call each other
Function flow chart
Menu bar: view-->graphs-->flow chart (shortcut key F12)
This is similar to IDA's built-in disassembly graph view, and it can be exported as a separate picture
Create a structure:
Manually create the structure
Structures are created in IDA's Structures window. This operation is often used in pwn challenges involving heap vulnerabilities.
As you can see, there are already four structures here. If the program defines structures of its own, you can right-click and select hide/unhide to see the contents of a specific structure.
The shortcut key to create a structure is: insert
In the pop-up window, you can edit the name of the structure
There are three check boxes at the bottom: the first means the new structure is placed before the current one (it will be placed in the first position; otherwise it goes at the position selected with the mouse), the second means whether to show the new structure in the window, and the third means whether to create a union.
Note that the size of a structure is the sum of the sizes of its fields, while the size of a union equals the size of its largest field.
After clicking ok, an empty structure is set:
Place the cursor on the end line and press the shortcut key D to add a structure member. Members are named field_x by default, where x is the member's offset in the structure
Likewise, you can place the cursor on a member's row and press D repeatedly to cycle between byte sizes
By default the only choices are db, dw, and dd (1, 2, and 4 bytes)
If you want to add a type, you can set it in option-->setup data types (shortcut key Alt+D)
As shown in the figure, if the fifth and ninth boxes are checked, dq and xmmword (8 bytes and 16 bytes) also appear
If you want to add an array member, you can right-click and select array on the row where the member is located
As shown in the figure, what is to be created is a 4-byte array of 16 elements
To delete a structure, press the delete key on the structure
To delete a member, press u (undefine) on the member; note that this only removes the member's name, not the space it occupies.
As shown in the figure, we deleted the array member of field_10 in the middle:
Will become like this:
The 20-byte space allocated to the array has not been deleted. To delete that space, press Ctrl+S on the first row of the original array member (Edit-->shrink struct types)
This actually removes the member
You can use the shortcut key N to rename the members of the structure
After we have created the structure in IDA, we are going to apply it
As shown in the figure, this is a typical heap problem
v1 is the address pointer of a newly created chunk, and the subsequent operations write content to different offsets within the chunk. To make our reverse analysis easier, we can turn it into a structure, based on offsets such as v1, v1+4 and v1+0x48. After creating the structure, change the type of char *v1 to mail *v1 (shortcut Y changes the type of functions and variables, including function parameters). Here mail is the name of the structure we created, and the effect is as follows:
Import the structure declared by the C language
In fact IDA provides a more convenient way to create a structure: write its C declaration and import it directly
In View-->Open Subviews-->Local Types you can see the existing local types; right-click in the window and select insert
to add a new structure:
This imports the new structure:
But we find that this structure does not appear in the Structures view. We need to right-click my_structure and select synchronize to idb
Now the structure appears in the Structures view, as shown in the figure
Here you will find two extra undefined db members. This is because IDA aligns structures to 4 bytes by default, so the size of the structure is 0x28.
IDA dynamic debugging of an ELF:
Here I take an ELF in an Ubuntu virtual machine as the debugging example
First copy linux_server64 from the dbgsrv folder in the IDA directory to the folder containing the ELF on Ubuntu. This ELF is 64-bit, so linux_server64 is used; if you are debugging a 32-bit program, copy linux_server instead
Remember to give it execute permission and run it in a terminal. This program acts as a bridge between IDA and the ELF in the virtual machine.
Then go to ida to configure:
Select in the menu bar: debugger-->process options
Note that application and input file are both the path of the ELF in the virtual machine, including the file name,
while directory is the directory containing the ELF, without the file name
hostname is the IP address of the virtual machine, and port is the default connection port
Generally parameters and password do not need to be filled in
Click ok after setting
Then you can set a breakpoint directly in the disassembly view by clicking the small blue dot on the left.
Now press the shortcut key F9 to start debugging
Press the shortcut key F4 to run to the breakpoint and stop
These are the basic functional areas. The layout above is the one I prefer; it is not the IDA default. If you want to customize the views, you can add them in debugger-->quick debug view
In addition, you can keep the current view layout with Windows-->save desktop and load it directly in the future.
Here are some commonly used shortcut keys
F7: Step into; enters the function code
F8: Step over; executes the next instruction without entering the function code
F4: Run to the cursor (breakpoint)
F9: Continue execution
CTRL+F2: Terminate the running debugging process
CTRL+F7: Run until return; does not stop until a RETN (or a breakpoint) is encountered
Once you know these shortcut keys, debugging is easier. One of the more convenient aspects of debugging in IDA is that you can see the real address of a function directly, and breakpoints are very intuitive and easy to operate.
IDA python
There is an unassuming Output Window at the bottom of IDA, which is actually a terminal interface with both a Python terminal and an IDC terminal.
The Python here is version 2.7. Although it is a bit old, it is enough for us. When using IDA we often need to compute addresses and offsets, which can be done directly in this terminal; very convenient
Of course, the above is just a very simple use of Python; real IDA-python usage looks like this:
Here is an example with a simple reverse-engineering challenge
This program is very simple. At the start, a for loop XORs every byte of the judge function with 0xC, which destroys the judge function as soon as the program runs,
so the subsequent flag check can no longer be made
Here we need to write a script to restore the damaged content first. IDA provides two ways to write scripts: IDC scripts and Python scripts
Here is only a brief introduction to IDA-python
IDA-python exposes IDA to Python through three modules:
The idaapi module provides access to the core IDA API
The idc module provides all the IDC functions
The idautils module provides a large number of useful functions, many of which return Python lists of database-related objects
All IDAPython scripts automatically import the idc and idautils modules, while idaapi must be imported explicitly
The official IDAPython function documentation is linked here; it includes every function and is worth a look
For the problem above, we only need a script that XORs each byte in the range 0-181 of the judge function with 0xC to restore it:
judge = 0x600B00                # start address of the damaged judge function
for i in range(182):            # the loop in the binary XORed 182 bytes
    addr = judge + i
    byte = get_bytes(addr, 1)   # read the given number of bytes at the address
    byte = ord(byte) ^ 0xC      # undo the XOR with 0xC
    patch_byte(addr, byte)      # patch the byte in the database
Load the Python script from the menu bar: file-->script file
Then undefine the original judge function; after regenerating the function (shortcut key P), you can press F5 again.
The functions used in the script are all provided by the idc module; for details, please refer to the official documentation.
This is just a simple example of using IDAPython. It is actually very powerful and can perform many operations that would be very awkward to do by hand.
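As an added example, not the original post's script, here is a generalized version of the restore script above: the XOR undo takes any start, size and single-byte key, the IDA database access is kept behind read/write callables so the same logic can be checked outside IDA, and the undefine (U) and create-function (P) steps described above are automated. It assumes IDA 7.0's idc module names (get_bytes, patch_byte, del_items, add_func); MemoryImage is a constructed stand-in for the database used only for testing outside IDA.

```python
# Added example, not the original post's script. Generalizes the judge-restore
# script: any start/size/single-byte key, with the IDA database access kept
# behind read/write callables so the XOR logic can be checked outside IDA.

def xor_bytes(data, key):
    """XOR every byte of data with key (XOR is its own inverse, so this
    both 'damages' and restores a region). Works on Python 2.7 and 3."""
    key &= 0xFF
    return bytes(bytearray(b ^ key for b in bytearray(data)))


def restore_region(read, write, start, size, key):
    """Undo a byte-wise XOR over [start, start+size).

    read(addr, n) -> bytes and write(addr, value) are supplied by the caller:
    idc.get_bytes / idc.patch_byte inside IDA, or MemoryImage below for tests.
    Returns the restored bytes.
    """
    restored = bytearray(xor_bytes(read(start, size), key))
    for i in range(size):
        write(start + i, restored[i])
    return bytes(restored)


class MemoryImage(object):
    """Constructed stand-in for the IDA database when testing outside IDA:
    a bytearray mapped at a base address, exposing get_bytes/patch_byte-like
    read and write methods."""
    def __init__(self, base, data):
        self.base = base
        self.buf = bytearray(data)

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError("read outside image")
        return bytes(self.buf[off:off + n])

    def write(self, addr, value):
        off = addr - self.base
        if off < 0 or off >= len(self.buf):
            raise ValueError("write outside image")
        self.buf[off] = value & 0xFF

    def dump(self):
        return bytes(self.buf)


def restore_in_ida(start=0x600B00, size=182, key=0xC):
    """Run inside IDA (Python 2.7, IDA 7.0 idc API): patch the database, then
    do the post's manual follow-up steps, U (undefine) and P (create function),
    so the function can be decompiled again."""
    import idc  # only importable inside IDA's Python
    restored = restore_region(idc.get_bytes, idc.patch_byte, start, size, key)
    idc.del_items(start, idc.DELIT_SIMPLE, size)   # same as pressing U
    idc.add_func(start)                            # same as pressing P
    return restored
```

Inside IDA, calling restore_in_ida() with the post's values performs the script, undefine and re-create steps in one go.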
PATCH
Patching means modifying the program: essentially its data, instructions, and so on. This is often used in CTF AWD competitions: once a vulnerability is discovered in a program, this function is used to patch the program so that other teams cannot attack our gamebox
Here I use a plug-in called keypatch; the patch function that comes with IDA is not very convenient
Install keypatch
This is very simple; the tutorial is on GitHub
Download Keypatch.py and copy it to the plugin directory:
IDA 7.0\plugins\Keypatch.py
Download and install the keystone Python module; on a 64-bit system you only need to install this one:
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi
After installation, you will find a keypatch option in the menu
Modify program instructions
What if we want to modify the program's own instructions?
As shown in the figure, we want to modify the value 63h
Place the cursor on the line to change and press the shortcut key Ctrl+Alt+K
You can modify it by typing the assembly statement directly; the effect after patching is shown in the figure:
A comment is generated here telling you that a patch was applied, which is very user-friendly
Then you must apply the patch from the menu bar for it to really take effect
In this way the original program has been modified
Undo patch
If you accidentally apply the wrong patch, you can undo the last patch operation here.
But if you have applied many patches and it is hard to tell which one should be undone, you can open the patched bytes window from the menu bar,
see all the patches, and right-click and select revert on the one you want to undo
IDA export data file
In the menu bar, there is an option to generate various output files
Here is a brief introduction to the first two file types; you can generate them and test their uses yourself, so I will not describe them in detail.
The .map file describes the overall structure of the binary, including information about the sections that make up the binary and the location of the symbols in each section.
The .asm file exports IDA's disassembly result directly. This is very practical: in reverse engineering we often encounter large amounts of data for encryption and decryption, and copying it from IDA item by item is far too inefficient, whereas exporting an asm file and copying the data from it is much faster
Meaning of IDA's common auto-generated names
IDA often generates dummy names automatically. They represent subroutines, program addresses and data, and the prefix of a dummy name depends on the type and value of the item:
sub: start of a subroutine (function)
locret: a return instruction
off: data containing an offset
loc: an instruction (a code location)
seg: data containing a segment address value
asc: ASCII string data
byte: byte data (or byte array)
word: 16-bit data (or word array)
dword: 32-bit data (or double-word array)
qword: 64-bit data (or quad-word array)
flt: 32-bit floating-point data (or float array)
dbl: 64-bit floating-point data (or double-precision array)
tbyte: 80-bit floating-point data (extended precision)
stru: a structure (or structure array)
algn: an alignment directive
unk: unprocessed bytes
IDA also uses common data directives: db, dw, and dd represent 1-byte, 2-byte, and 4-byte items respectively
IDA decompilation error
So far I have generally encountered two kinds of decompilation errors:
One is that, because of the program's runtime decryption, some of its code segments are modified, causing the decompilation to fail. In this case you need to use IDA-python to decrypt them first, and then decompile with F5.
The second is that, for some mysterious reason, it simply fails. Generally, follow IDA's prompts to make changes.
For example, the following error occurs:
Then we go to address 413238. The prompt says that the value of the sp pointer was not found, indicating an error here, so we modify the value of sp as follows:
You can also use the shortcut key Alt+K
Sometimes this kind of error is encountered:
Just try changing the assembly statement at the reported address to nop, and the problem can be solved
So far I have not encountered many errors; generally they can be solved with the above methods.
Configuring IDA
The cfg folder in IDA's root directory is dedicated to storing configuration files
The main configuration file of IDA is ida.cfg; the other two, idagui.cfg and idatui.cfg, correspond to the GUI and text-mode versions of IDA.
1. ida.cfg
This file contains the configuration of all the options in option-->general. You can find the corresponding entry in the configuration file via the description shown in the option dialog
Here are a few examples:
SHOW_AUTOCOMMENTS
Whether to generate comments for assembly instructions automatically
GRAPH_SHOW_LINEPREFIXES
Whether to display addresses in the graph view
VPAGESIZE
A memory tuning parameter. When processing a very large input file, IDA may report insufficient memory and fail to create a new database; increasing this parameter and reopening the input file solves the problem
OPCODE_BYTES
The default number of opcode bytes to display
INDENTATION
The distance by which instructions are indented
NameChars
The character set allowed in names. The default is digits, letters and several special symbols; if you need to allow more characters, change this parameter
2. idagui.cfg
This file mainly configures the default GUI behavior, keyboard shortcuts, and so on. It rarely needs to be modified, so I will not go into it; those who are interested can open the file and look for themselves. It is not hard to understand, and changing shortcut keys is easy.
3. idatui.cfg
This one seems to be used less often, so not much to say
Note that these three files are the default configuration: every time you open or create a new IDA database, it is created with the settings in these three files, and any previous settings made in the menu bar are lost. To change IDA's configuration permanently, change these three files
There are exceptions, however: option-->font and option-->colors are global options, and modifications to them take effect permanently without editing the three configuration files above
Finally
After learning IDA systematically this time, I found that this software is really powerful. Above I have simply recorded the more commonly used functions and operations. IDA also has many advanced development features: you can customize modules and loaders, and even write your own IDA plug-ins. In the process I found that reading really matters; reading a book yourself is completely different from reading other people's summaries online. You must lay a solid foundation for binary work, since tall buildings rise from the ground. I used to think that sitting at the computer every day was exhausting, and that progress was hard and slow. But after this dark winter vacation I realized that these things are harder than life itself, and isn't having a quiet, stable life in which to work on technology a kind of luck?
If other experts have other IDA tricks, please leave a message so we can exchange ideas.