Common operations in IDA

Navigation bar:
Blue: regular instruction functions
Black: gaps between sections
Silver: data content
Pink: external imported symbols
Dark yellow: content IDA has not identified

The main IDA interface:
IDA View: disassembly window, with three views: text view, graph view, and path (proximity) view
Hex View: hexadecimal window
Imports: imported functions window
Structures: structures window
Exports: exported functions window
Enums: enumerations window
Strings: strings window

Common functions and shortcuts:
Spacebar: switch between text view and graph view
Esc: return to the previous address
G: search for an address or symbol
N: rename a symbol
Colon key (:): regular comment
Semicolon key (;): repeatable comment
Alt + M: add a marker (bookmark)
Ctrl + M: view markers
Ctrl + S: view segments
Switching between code and data:
C -> code / D -> data / A -> ASCII string / U -> undefined content
X: view cross-references
F5: view pseudocode
Alt + T: search text
Alt + B: search hex

Import jni.h to analyze JNI library functions.

Pseudo-C code window:
Right-click menu:
Comment: annotate the pseudo-C code.
Copy to assembly: copy the pseudo-C code into the disassembly window.

IDA can modify a .so file by editing its hex: make the edit, then use Edit - Patch program.
Here we recommend WinHex for this instead.

1. Disassembly window
C: parse the data at the current address as code
P
2. Hex window
Edit data and code in memory
3. Registers window
Modify register values
4. Modules window
Module path and address
5. Threads window
6. Stack window
7. Output window

Common IDA debugging features:
1. Breakpoints and running
Set a breakpoint: F2
Disable a breakpoint: Disable breakpoint
Edit a breakpoint: Edit breakpoint
Delete a breakpoint: Delete breakpoint
Continue running: F9
View all current breakpoints: Ctrl + Alt + B
2. Single-stepping
Step into: F7
Step over: F8
Run until the function returns: Ctrl + F7
Run to cursor: F4
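3. IDC script
#include <idc.idc>

// Dump `size` bytes of process memory, starting at dexAddress, to a file.
static main(void)
{
    auto fp, dexAddress, end, size;
    dexAddress = 0x77607640;   // start address of the dex in memory
    size = 0x19E118;           // length of the dex in bytes
    end = dexAddress + size;
    fp = fopen("D:\\classes.dex", "wb");
    for (; dexAddress < end; dexAddress++)
        fputc(Byte(dexAddress), fp);
    fclose(fp);                // flush and close the output file
}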
4. Modify memory data
5. Modify registers
7. NOP out a function or code
NOP instruction: MOV R0, R0 (00 00 A0 E1 / 00 1C)
Zero out the instruction (00 00 00 00 / 00 00)
Return directly at the start of the function: MOV PC, LR (0E F0 A0 E1 / F7 46)
8. Change the execution flow
Modify register values
Modify jump instructions

Note: the right moment to modify memory or registers differs from the right moment to modify code. Memory and registers are modified once debugging has reached a particular point, so that the register or memory holds the desired value there; changing data values this way generally has little effect on the program. Modifying code is different: rather than modifying an instruction once execution has already reached it, modify it in advance, when execution is 1-2 instructions before it.


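ADD R6, PC, R6  // R6 = PC + R6 = 847C + 1840 = 9CBC, + 8 = 9CC4

PC instruction prefetch: by the time the instruction reads PC, the processor has already fetched ahead, which is where the + 8 comes from.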
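
An added example, not part of the original notes: the Python below derives the patch bytes listed under item 7 from the ARM and Thumb instruction encodings, applies them to a constructed buffer with alignment and bounds checks, and reproduces the PC + 8 calculation above. The function names and the sample buffer are assumptions made for illustration.

```python
import struct

PC, LR = 15, 14  # ARM register numbers

def arm_mov(rd, rm):
    """A32 'MOV Rd, Rm' with condition AL, as little-endian bytes."""
    return struct.pack("<I", 0xE1A00000 | (rd << 12) | rm)

def thumb_mov_low(rd, rn):
    """Thumb-1 low-register move, encoded as 'ADDS Rd, Rn, #0'."""
    return struct.pack("<H", 0x1C00 | (rn << 3) | rd)

def thumb_mov_high(rd, rm):
    """Thumb 'MOV Rd, Rm' in the form that accepts R8-R15."""
    return struct.pack("<H", 0x4600 | ((rd >> 3) << 7) | (rm << 3) | (rd & 7))

# (patch kind, instruction set) -> bytes, matching the values in the notes
PATCHES = {
    ("nop", "arm"): arm_mov(0, 0),             # 00 00 A0 E1
    ("nop", "thumb"): thumb_mov_low(0, 0),     # 00 1C
    ("ret", "arm"): arm_mov(PC, LR),           # 0E F0 A0 E1
    ("ret", "thumb"): thumb_mov_high(PC, LR),  # F7 46
}

def apply_patch(image, offset, kind, mode, count=1):
    """Return a copy of image with `count` patch instructions at offset."""
    insn = PATCHES[(kind, mode)]
    end = offset + len(insn) * count
    if offset % len(insn):
        raise ValueError("offset is not aligned to the instruction size")
    if offset < 0 or end > len(image):
        raise ValueError("patch does not fit inside the image")
    out = bytearray(image)
    out[offset:end] = insn * count
    return bytes(out)

def pc_as_read(insn_addr, mode):
    """Value an instruction gets when it reads PC: +8 in ARM state, +4 in Thumb."""
    return insn_addr + (8 if mode == "arm" else 4)

if __name__ == "__main__":
    image = bytes(range(16))  # constructed 16-byte stand-in for a code section
    print(apply_patch(image, 4, "nop", "thumb", count=2).hex(" "))
    print(hex(pc_as_read(0x847C, "arm") + 0x1840))  # the ADD R6, PC, R6 case
```

A 4-byte ARM instruction replaced in Thumb code needs two 2-byte patch instructions, which is what the `count` argument is for.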

Origin www.cnblogs.com/afublog/p/11304321.html