Static Analysis Tools in Reverse - IDA Beginners Notes

//********************************************************************************
//IDA Beginner Notes
//********************************************************************************
//Author: Cai
//Date: 2011-10-18
//********************************************************************************

As a beginner myself, I try to keep this article at a level suitable for beginners; to an expert, its depth will look laughable.

After IDA opens a Win32 EXE, a series of windows appears. The "IDA View" window is positioned by default at the entry function, which for a VC program is WinMain.

At this point the most important and most difficult step, the disassembly, has already been done by the tool IDA, but reverse engineering is far more than that.

The next step is tracing, debugging and modifying, which first requires learning how to use IDA itself; doing both at the same time is also the best way to learn.

Before the formal start, there are two useful browsing shortcuts to remember, forward and back:

Forward: Ctrl+Enter

Back: Esc

Of course, you can also use the toolbar buttons or the menu.

Tip: if the buttons are not in the toolbar, tick View-Toolbars-Jump in the main menu.

 

1. Main window introduction:

As a combined tool with a powerful core engine and flexible auxiliary plug-ins, IDA has far too many corners to study and get familiar with, but learning is a step-by-step process from shallow to deep, so starting from the windows that first meet the eye should be the right path.

1) IDA View

This window can be opened via View-Open subviews-Disassembly.

This window has two modes, Text View and Graph View, which are similar apart from minor differences. You switch between the two browsing modes with the right-click menu:

· Text View to Graph View (note: sometimes the right-click menu in Text View does not show this entry; just right-click on another location that contains code)

· Graph View to Text View

 

The following introduction uses the more common Text View as an example, as shown below:

There are mainly three areas: the address area, the OpCode area (opcode bytes) and the disassembled code area.

A. Address area

The addresses here are the virtual addresses after the PE file has been loaded into memory, that is, image base address + offset address. For example, the program base address of the sample is 0x00400000.

As shown in the figure, the data at .text:0048FEEC is as follows:

The address here is base address 0x00400000 + offset address 8FEEC. If we open the file in WinHex, the data at file offset 8FEEC is as follows:

It can be seen that the two are the same, so modifying the data at 8FEEC in WinHex changes the data at .text:0048FEEC in IDA.

By the way, here is the virtual memory address space table:

High 2GB (Ring0, kernel-accessible area):

0xFFFFFFFF-0xC0000000: 1GB for VxDs, memory management and the file system;

0xBFFFFFFF-0x80000000: 1GB for shared Win32 DLLs, memory-mapped files and shared memory;

Low 2GB (Ring3 area):

0x7FFFFFFF-0x00400000: about 2GB of private Win32 address space for each process;

0x003FFFFF-0x00001000: for MS-DOS and Win16 applications;

0x00000FFF-0x00000000: 4,096 bytes reserved to catch the use of null pointers;

Also note that the base address of an EXE or DLL is variable: once a DLL is loaded into an EXE's process its base address may be relocated, but the offset addresses remain unchanged.

For PE files the length of the PE header is not fixed. It follows the same parsing standard, of course, but this means that in IDA the virtual address minus the base address is not necessarily equal to the file offset.

It is easy to locate the code base in the file. In WinHex the PE header usually shows "This program cannot be run in DOS....." clearly, followed by some section names such as .text and .rdata, then a short run of 00 bytes, and the place where data starts again is the code base, which most often begins with 55 8B or 56 8B, etc.
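The mapping described above (virtual address shown in IDA = image base + offset, which only sometimes equals the file offset WinHex shows) is decided by the PE section table, so checking it in code is more reliable than eyeballing the header. The following is an added example, not code from the original notes: it walks the section table of a PE image and converts a virtual address to the file offset of the same byte. The section layout and header blob are constructed here for illustration (the .text section is laid out so that RVA and file offset coincide, as in the notes' 0048FEEC/8FEEC comparison, while the constructed .data section is not); the image base 0x00400000 is taken from the notes.

```python
import struct

# Image base used throughout the notes' example (.text:0048FEEC = 0x00400000 + 0x8FEEC).
IMAGE_BASE = 0x00400000

# Constructed section table (not the layout of the page's binary). .text is placed so that
# RVA == file offset, matching the notes' WinHex comparison; .data deliberately is not.
# Fields: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
SAMPLE_SECTIONS = [
    (b".text",  0x8F000, 0x01000, 0x8F000, 0x01000),
    (b".rdata", 0x20000, 0x90000, 0x1F000, 0x90000),
    (b".data",  0x10000, 0xB0000, 0x01000, 0xAF000),
]


def build_sample_pe_headers(sections=SAMPLE_SECTIONS):
    """Assemble a minimal, constructed MZ/PE header blob. Only the fields that the
    section walk below depends on are filled in; everything else is left as zero."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew points at "PE\0\0"
    size_opt = 0xE0                                       # size of a PE32 optional header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_opt, 0x0102)
    # IMAGE_SECTION_HEADER is 40 bytes; the last five fields are irrelevant for the mapping
    sec_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                    0, 0, 0, 0, 0)
        for name, vsize, va, rawsize, rawptr in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + sec_hdrs


def parse_sections(data):
    """Walk the section table of a PE image and return a list of
    (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 4 + 20 + size_opt                          # first section header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), vsize, va, rawsize, rawptr))
    return sections


def va_to_file_offset(va, sections, image_base=IMAGE_BASE):
    """Map a virtual address as displayed by IDA to the offset of the same byte in the
    file on disk. Returns None when the address has no backing bytes in the file."""
    rva = va - image_base
    for _name, vsize, sec_va, rawsize, rawptr in sections:
        if sec_va <= rva < sec_va + max(vsize, rawsize):
            delta = rva - sec_va
            if delta >= rawsize:
                return None        # e.g. uninitialised data: exists in memory only
            return rawptr + delta
    return None                    # not inside any section (headers or unmapped space)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe_headers())
    for va in (0x0048FEEC, 0x004B0010, 0x004B5000):
        off = va_to_file_offset(va, secs)
        print(f"VA {va:#010x} -> RVA {va - IMAGE_BASE:#x} -> file offset "
              f"{off:#x}" if off is not None else f"VA {va:#010x} -> not in file")
```

With the constructed layout, 0x0048FEEC maps to file offset 0x8FEEC exactly as the notes observe, but 0x004B0010 in .data maps to 0xAF010 rather than 0xB0010, and an address past .data's raw size maps to nothing on disk. That is the check to run before patching a byte in a hex editor and expecting IDA to show the change at the same address.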

B. OpCode area

This area is not displayed by default; you need to open the menu Options-General,

and on the "Disassembly" page, under "Display disassembly line parts", set "Number of opcode bytes". The example sets it to 8; the default is 0, which hides the area.

The OpCode area literally means the operation code area. Of course, it is simply the binary data displayed as hexadecimal characters, which makes it more intuitive to read alongside the disassembled code, but it also clutters the interface, which is a matter of taste.

C. Disassembled code area

This area is the main functional area of IDA and has many features, such as highlighting identical strings, and double-clicking a function name or a referenced variable name to jump to the corresponding address. There are many shortcut keys here, which will be learned and mastered later. A few shortcut keys are introduced now:

· Text search: Search: Alt+T, Next: Ctrl+T

· Decompile to C code: press F5 on the disassembled code.

D. Jump guide area

This area mainly displays the jump address guide arrows; its function is simple and clear.

          

2) Hex View

This window, as shown in the figure below, is similar to an ordinary hex editor.

It is read-only by default; the shortcut key F2 toggles the data area (the green characters) between the read-only and editing states, or you can edit with the patch program function (introduced later).

 

3) Other windows

IDA windows can be opened/closed from the main menu View-Open subviews. Others, such as Pseudocode (the decompiled C code window) and Strings (the list of the program's strings), are very useful auxiliary windows and will be introduced later.

 

 

Attached:

1. Enable the patch program menu:

Change DISPLAY_PATCH_SUBMENU in idagui.cfg to YES to get the menu for modifying binary code.

Of course, the modified code is still displayed as hexadecimal characters. This modification is different from Alt+F2: the modified parts can be saved, relative to the original file, to a dif file.

2. Shortcut keys:

Press F5 in IDA View to view the generated C code; you can also save the whole thing as a C file for viewing.

Press F2 in Hex View to edit hexadecimal data directly.

 
