-
-
[分享]TUTORIAL-IDA_PRO
-
发表于: 2012-11-21 14:43
-
TUTORIAL-IDA_PRO 可能是意大利语,经google翻译后如下:
IDA Pro 3.8
(Tutorial version 1.1)
================================================== ===================================
What's new:
Fixed some spelling mistakes ;))
Clarified the function of the command "Code" with an example
Explained more? Detail the function of the command "undefine" with an example
Analyzed the "Struct" with various examples and more explanations? Accurate
MUCH better ;) explained the "Enum" with examples of
Clarified the use of technology FLIRT
VERY clearly explained the use and meaning of education PTR
Clearly demonstrates the operation of the pointers
Explained the use of functions "mov" and "lea"
Explained something about indirect addressing and offset
================================================== ===================================
Hello everyone, this tutorial will try? To explain more in the way? Clearly as possible the use of dissassembler best there is, what? IDA Pro 3.8x, the tutorial does not? Oriented Newbies for Newbies? Can try them too, the document does not? Be considered definitive because let myself more and more on growing? Over time.
IDA Pro can mean: Intercative Disassembler Pro, in fact? True that ida? Interactive, but we go up steps and start. We choose a file to disassemble, and maybe possibly a very small windows, click on Idaw.exe, we see appear the window of our beloved program, press ok and choose the file at this point Ida open? Up a window that says " Load of New File Format ", in the first three rows we are asked to choose the type of file you want to disassemble, what? if a Windows executable (or otherwise use the PE format), a DOS executable or binary file, checkiamo the first box: Portable Esecutable, pi? bottom we see the word "Loading Segment", where you should insert the entry point of the program, in general? 0x1000 as the default, but if you are unsure, open the file with ProcDump and see it, then let 0x1000, pi? another field appears at the bottom "Loading offset", which should include the offset of the first byte of the beginning of the first segment, but we do not care because this option should only be used if you want to disassemble a binary file, pi? checkare other boxes at the bottom we have, for now there to count it and then explain them to you:
Create segments
Load resources
Rename DLL entries
Manual load
Fill gaps segment
Make imports section
Do not align segments
Then, create segments? A useful option for binary files, it creates us the various segments, but there? Not? Necessary if you want to disassemble an executable, Load resources instead loads the resources from NE files, even this? If necessary disassemble an executable PE format, Rename DLL entries? option that if enabled allows IDA to place between the disassembled comments repeatable each imported function, Manual load we are not interested in the case of the PE file format, if for? format? different then the option can? be activated and IDA we ask? for loading the address of each object file, segment Fill gaps? himself only useful for formats other than PE, if checkata IDA does is fill all the "holes" between the various segments, Make imports section? be helpful for the PE file format, if activated tells IDA to delete the section. idata from the file and convert them all the definitions in it as external directives The guide told us that sometimes in the section. idata we can find additional information and we should disable this option, Do not align segments, as the name implies, checkiamo if this option does not allow the realignment of segments, but does not require for the PE file format. At this point we are also facing a two buttons labeled "Processor Type", as opposed to us? You might believe here will not have to specify the type of processor that you have but the type of processor for which? Wrote the program, default? 80386 and right that is so? then you can leave this option unchanged, the other button bearing the text "Analysis options", click over here and you will see two buttons and two other options, look at these first two:
Analysis enabled: if the box? Checkata then IDA will analyze? The program while we are not acting on disassembly, while leaving the priority? To our requests, this option must be enabled, if not then we may run into various problems.
Indicator enabled:? That counter which is located in the upper right and bearing the inscriptions:
AU: __idle__ AutoAnalysis is finished.
AU: disable AutoAnalysis is disabled.
FL: <address> execution flow is being traced
PR: <address> function is being created
AC: <address> the code analysis goes through the address Noted
LL: <number> a signature file is being loaded
L1: <address> the first pass of FLIRT
L2: <address> the second pass of FLIRT
L3: <address> the third pass of FLIRT
FI: <address> the final pass of autoanalysis
?: Noted <address> the address Becomes unexplored
@: Various <number> Indication of activity
depending cosasta by IDA ...? best left enabled. Then we have the two buttons, the first clickiamo "Kernel analyzer options" and appear to see in front of a mora opzioncine here they are:
Create offsets and segments using fixup info
Mark typical code sequences as code
Delete Instructions with no xrefs
Trace execution flow
Create functions if call is present
Analyse and create all xrefs
Use flirt signatures
Create function if data xref data-> code32 exists
Rename jump functions as j_ ...
Rename empty functions as nullsub_ ...
Create stack variables
Trace stack pointer
Create ascii string if data xref exists
Convert 32bit instruction operand to offset
Create offset if data xref exists to seg32
Make final analysis pass
Locate and create jump tables
Coagulated data segments in the final pass
Dhe hi hi, now we have fun, tralascerei happy to explain all these functions, but, like any self-respecting guide that I have to analyze the program from top to bottom .... I wonder? Maybe one day someone domander? To someone else "Hey, where I learn to use IDA? " and that someone else say? "Try the site Quequero, has written an excellent guide" .... hi hi DHE lascietemi dreaming ;))))))))
Taking up the thread here is the explanation:
Create offsets and segments using fixup info: IDA to make more? Pleasant disassembled makes use of relocation information and converts all objects with the details of relocation in word or doubleword, and if a statement has assigned the relocation information IDA converts data to an offset or a segment, for example, say we are given in our source code with something like this:
.386
----- Snip ----- snip
. Date
dd something 000F3785h
. Code
start:
mov eax, offset some
end start
If the file disassembliamo W32Dasm we get something like:
mov eax, 0040200
If instead the disassemblassimo with IDA and with the above option turned on, then get something like this:
mov eax, offset some
Capitoooooo!! ;)
Mark typical code sequences as code: in this author's IDA recognizes some typical sequences of code (example: push bp mov bp, sp) and when loading it found some converts in education
Instructions with no xrefs Delete: allows IDA does not define the unreferenced statements, in practice if we execute the command "undefine" (which will explain? Later) at the beginning of a function program canceller? All instructions that have lost touch with the statement just "undefinita" ... there is brightening? around more? later do not worry ;)
Trace execution flow: IDA allows you to convert all references to the bytes in the instruction
Create functions if present call is: do you create a function that IDA if the code? A call, in practice if there is a call in the code like this:
call routine
then IDA will create? a function labeled "routine", this option attempts to "pull" calls from the rest of the code to allow a visual approach, but also technically more? simple
Analyse and create all xrefs: this? Option that makes the difference between IDA and W32Dasm, without it, our program does not analyze the file and would not create any xreferences and other exclusive features of IDA.
Use flirt signatures: Allows use of technology FLIRT, do not worry you will not see IDA and IDO do the filthy on the monitor ;)))))), this technology allows us to recognize the type of compiler used to identify and standard calls in So instead of seeing this, call 00469187, see: MessageBoxA call, in case the technology fails to recognize the compilers (read: Delphi) is the can? always force the compiler to use instructions that reteniamo has been used to do that particular program by simply opening the menu "View | Signatures" and pressing "ins" to bring up the list of available compilers.
Create function if data xref data-> code32 exists: If IDA encounters a reference to a given one SEGMENT DATA SEGMENT CODE to a 32-bit controls the presence of disassembled instructions useful, if education is the brand (needless to say ;) as a statement and creates? a function
Rename jump functions as j_ ...: utility function? High, this option allows you to change EVEN a statement like:
jmp dovevuoi
in:
j_dovevuoi
But I say ... you realize you realize how the presence of this option will allow even my cousin 10 years to become a cracker ... my god what a genius the author of the program ;)))))) ))))))))))) jokes than him? was really a genius
Rename empty functions as nullsub_ ...: IDA allows you to rename the empty functions, what? Those containing only the instruction "ret" as nullsub_1 nullsub_2 ... etc ... Also this function must have been designed for decades ;) )))
Create stack variables: means that IDA automatically create stack variables and function parameters
Trace stack pointer: With this option enabled IDA traccer? The value of the Stack Pointer (SP)
Create ascii string if data xref exists: If IDA encounters a reference to an object is not defined, then look for the presence of an ASCII string, if the length of the string? IDA enough then creates an ASCII string happens ;)
Convert 32bit instruction operand to offset: funzia only 32bit segments, if an instruction has an operand that can? Be converted to a useful esepressione then converts it to offset the value of the operand must for? Be more? Large 0x10000
Create offset if data xref to seg32 exists: If IDA encounters a reference to a segment 32bit and the file contains a value that can? Be represented as an offset IDA then converts it to an offset .....
Make final analysis pass: This option allows IDA to coagulate all the bytes of data to convert scanned instruction
Locate and create jump tables: this option allows IDA to assume the size and the address of a "jump table"
Coagulated data segments in the final pass: This option is useful only if? Also activated the option "Make final analysis pass" allows IDA to convert byte array to insplorati data in the data segment. If we disable this option IDA coaguler? Only code segment.
Very good, we finished this button, leave the default settings, or if you want to disable the one that converts jump xxxx j_xxxx often? More? Inconvenient than useful and press ESC to go into the meanders of the button "Processor-specific analysis options" after the click you have only 4 options and spieghiamole as usually one by one:
Convert immediate operand of "push" to offset
Convert db 90h after "jmp" to "nop"
Convert immediate operand of "mov reg, ..." to offset
Convert immediate operand of "mov memory, ..." to offset
Convert immediate operand of "push" to offset: if ida sees a sequence like this: push segment, push gino, prover? To convert gino at an offset
Convert db 90h after "jmp" to "nop" if after a jump are "db 90h" instead of leaving it with '? Into the nop (no operation)
Convert immediate operand of "mov reg, ..." to offset: here too if ida is something like: mov ax, 258h, mov sp, eg will convert then? 258h at an offset
Convert immediate operand of "mov memory, ..." to offset: even if IDA finds instructions like: mov ax, 895h mov X, seq (X? a reference to a memory) then converts offset 895h
Great press esc twice and take a look at the panel, the only thing that c '? I? That field indicated by dll directory, l? We must enter the directory in the IDA will go? To look to find references to various DLLs, the problem? ida that does not look for DLL bens? files. ids, the directory in my case? c: \ ida \ ids \ Win if you use windows otherwise will change? only the last folder.
We are ready at this point to begin disassembling the file, choose a very small bit of advice .... 8-15 kb it takes a few seconds, I say to those who are experiencing the IDA only now, this program? Very, very more? slower W32Dasm I guarantee for? that all the time in more? you lose the regained after disassembling it, then press "OK" and wait .... Then, as soon as the indicator in the upper right Recher? says "ready "want them? IDA will have to say? finished, then you first thing in front of a page like this:
CODE: 00401000; File Name: C: \ Sample.exe
CODE: 00401000; Format: Portable executable (PE)
CODE: 00401000; Section 1. (Virtual address 00001000)
CODE: 00401000; Virtual size: 00001000 (4096.)
CODE: 00401000; Section size in file: 00000400 (1024.)
CODE: 00401000; Offset to raw data for section: 00000600
CODE: 00401000, 60000020 Flags: Readable Text Executable
CODE: 00401000; Alignment: 16 bytes?
CODE: 00401000 p386n
CODE: 00401000 Model Flat
CODE: 00401000; ---------------------------------------------- ------------------
CODE: 00401000; Segment type: Pure code
CODE: 00401000 CODE segment para public 'CODE' use32
CODE: 00401000 assume cs: CODE
CODE: 00401000 takes eg: nothing, ss: nothing ds: nothing, fs: nothing, gs: nothing
CODE: 00401000; ____________________________________________
CODE: 00401000; S ubroutine
CODE: 00401000 start public
CODE: 00401000 start proc near
In this first part we have all the headers of the original file, those in practice that we would see if we have the source and especially IDA informs us of the type of file you just disassembled if we had not known before. I want to go? To a practical example, the author tells us that we can use IDA for three purposes:
1) Learn a trick to programming in an interesting program
2) Patching the file if you do not have the source
3) Obtain from the disassembled code compilable
We will do all three things, we begin.
What I propose now? Assembly code that generates a programmillo a messagebox depending on the value assumed eax, here's the code, you'll see with the comment:
; To compile the source? Must have TASM 5.0 available on the
; My site: http://quequero.cjb.net tools section
;
; Here are instructions for compiling, just write them in a DOS prompt
; Tasm32 / ml-m5-t-q as
; Tlink32-aa-Tpe-x-c as,,, import32
.386 P
. Model flat, stdcall
extrn MessageBoxA: Proc, we define the necessary API
extrn ExitProcess: Proc
includes windows.inc
. Date
Caption db 'Example - Coded by Quequero', 0
Message db 'The EAX register has assumed a lower value of 1,771,590,911', 0
Random1 dd 12553; random values used in the algorithm
Random2 dd 2212; of Lehmer
null equ 0
. Code
start:
xor eax, eax; we reset EAX
mov ecx, 01ffffffh; These two lines are used to create a timer, Education
wait: wait loop, "loop" decrisa each time until ECX contains zero, the
; Loop in question brings up a messagebox after about
And a second since the program
random: mov eax, Random1; Lehmer algorithm for generating numbers
multi random2; random (although we should speak of pseudo-randomness?
inc eax
Random1 mov, eax; End of algorithm
cmp Random1, 699854ffh; Compare with Random1 1771590911 (699854ffh)
jae random; If Random1 contains a value greater than or equal to, first established otherwise repeat the algorithm continues in
push MB_OK OR MB_ICONQUESTION; Generate a messagebox with an OK button,
Caption push offset, the icon of the "i" information and text
Message push offset; contained in strings "Caption" and "Message"
push null
call MessageBoxA
call ExitProcess; Quit program
end start
As you can see the program sets a timer for a second and then off to the generation of a pseudo-random algorithm by Lehmer, start the timer? due to the fact that the CPU uses an infinitesimal time to generate many So that number? is less than the one proposed by us, so we delay the emergence of the messagebox.
Suppose that I am aware of the presence of Lehmer algorithm in this program, this algorithm we absolutely need, but we do not know where to find it, what do we do then? Obvious! Disassembliamo the program and try the ritrovarcelo? In half, open IDA and see what it tells us:
CODE: 00401000; File Name: C: \ TASM \ prog \ wind.EXE
CODE: 00401000; Format: Portable executable (PE)
CODE: 00401000; Section 1. (Virtual address 00001000)
CODE: 00401000; Virtual size: 00001000 (4096.)
CODE: 00401000; Section size in file: 00000200 (512.)
CODE: 00401000; Offset to raw data for section: 00000600
CODE: 00401000, 60000020 Flags: Readable Text Executable
CODE: 00401000; Alignment: 16 bytes?
CODE: 00401000 p386n
CODE: 00401000 Model Flat
CODE: 00401000; ---------------------------------------------- ------------------
CODE: 00401000; Segment type: Pure code
CODE: 00401000 CODE segment para public 'CODE' use32
CODE: 00401000 assume cs: CODE
CODE: 00401000 takes eg: nothing, ss: nothing ds: nothing, fs: nothing, gs: nothing
CODE: 00401000; ________________________________________________________________
CODE: 00401000; S u b r o u t i n e
CODE: 00401000 C0 33 public start
CODE: 00401000 start proc near
CODE: 00401000 xor eax, eax
CODE: B9 FF FF FF 01 00401002 mov ecx, 1FFFFFFh
CODE: 00401007 CODE_401007:; CODE XREF: start +7? J
CODE: 00401007 E2 FE Loop CODE_401007
CODE: 00401009 CODE_401009:; CODE XREF: start +24? J
CODE: 00401009 5E A1 20 40 00 mov eax, ds: DATA_40205E
CODE: 0040100E F7 25 62 20 40 00 mul ds: DATA_402062
CODE: 00401014 40 inc eax
CODE: 5E 20 40 00 A3 00401015 mov ds: DATA_40205E, eax
CODE: 0040101A 3D 5E 81 20 40 00 + cmp ds: DATA_40205E, 699854FFh
CODE: 00401024 73 E3 JNB short CODE_401009
CODE: 00401026 6A 20 push 20h
CODE: 00401028 68 00 20 40 00 push offset str-> Example - CodedB
CODE: 0040102D 68 1E 20 40 00 push offset str-> IlRegistroEaxHa
CODE: 00401032 6A 00 push 0
CODE: 00401034 E8 05 00 00 00 call j_MessageBoxA
CODE: 00401039 E8 06 00 00 00 call j_ExitProcess
CODE: 00401039 start endp
CODE: 0040103E; ________________________________________________________________
CODE: 0040103E, S u b r o u t i n e
CODE: 0040103E j_MessageBoxA proc near; CODE XREF: start +34? P
CODE: 0040103E FF 25 4C 30 40 00 jmp ds: MessageBoxA
CODE: 0040103E j_MessageBoxA endp
CODE: 00401044; ________________________________________________________________
CODE: 00401044; S u b r o u t i n e
CODE: 00401044 j_ExitProcess proc near; CODE XREF: start +39? P
CODE: 00401044 FF 25 54 30 40 00 jmp ds: ExitProcess
CODE: 00401044 j_ExitProcess endp
CODE: 0040104A 00 00 00 00 00 00 + align 200h
CODE: 00401200? ? ? ? ? ? + Db 0E00h dup (?)
CODE: 00401200? ? ? ? ? ? + CODE ends
DATE: 00402000; Section 2. (Virtual address 00002000)
DATE: 00402000; Virtual size: 00001000 (4096.)
DATE: 00402000; Section size in file: 00000200 (512.)
DATE: 00402000; Offset to raw data for section: 00000800
DATE: 00402000; C0000040 Flags: Readable Writable Data
DATE: 00402000; Alignment: 16 bytes?
DATE: 00402000; ---------------------------------------------- ------------------
DATE: 00402000; Segment type: Pure date
ATA: 00402000 DATE segment para public 'DATA' use32
ATA: 00402000 assume cs: DATE
ATA: 00402000 45 73 65 6D 70 69 + str-> Example - CodedB db 'Example - Coded by Quequero', 0
ATA: 00402000 6F 20 20 2D 2D 20 +, DATA XREF: start +28? Or
ATA: 0040201E 49 6C 20 72 65 67 + str-> db IlRegistroEaxHa 'The EAX register has assumed a lower value
ATA: 0040201E 69 73 74 72 6F 20 +, DATA XREF: start +2 D? Or
ATA: 0040205E * 09 31 00 00 DATA_40205E dd 3109h; DATA XREF: start +9? R
ATA: 0040205E *; +15 start? W
ATA: 0040205E *; +1 A start? R
ATA: 00402062 A4 08 00 00 dd DATA_402062 8A4h; DATA XREF: start + E? R
ATA: 00402066 00 00 00 00 00 00 + align 1000h
ATA: 00402066 00 00 00 00 00 00 + DATE ends
? Idata: 0040304C;
? Idata: 0040304C; from USER32.dll Imports
? Idata: 0040304C;
? Idata: 0040304C; Section 3. (Virtual address 00003000)
? Idata: 0040304C; Virtual size: 00001000 (4096.)
? Idata: 0040304C; Section size in file: 00000200 (512.)
? Idata: 0040304C; Offset to raw data for section: 00000A00
? Idata: 0040304C; C0000040 Flags: Readable Writable Data
? Idata: 0040304C; Alignment: 16 bytes?
? Idata: 0040304C; --------------------------------------------- -----------------
? Idata: 0040304C; Segment type: Externs
? Idata: 0040304C; _idata
? Idata: 0040304C? ? ? ? extrn MessageBoxA: dword; DATA XREF: j_MessageBoxA? r
? Idata: 00403050
? Idata: 00403054;
? Idata: 00403054; Imports from KERNEL32.dll
? Idata: 00403054;
. Idata: 00403054? ? ? ? extrn ExitProcess: dword; DATA XREF: j_ExitProcess? r
. Idata: 00403058 00 00 00 00 end start
As you can see the code? Difficult to interpret, not for the difficulty? But the mess of numbers, to decrease the brothel one thing we can do what? we know that without exception in a program code that interests us is in sections CODE (if compiled with a Borland compiler) and. text (if? been compiled with something else), as you can see, beside the virtual address c 'is the name of the section. "idata.00403054" cos? doing we cut away a good piece of code "futile", but why? do it by hand when IDA will make available a good option? Well let's use it, go to menu "View2 and click on" Segments "and choose" CODE ", doppioclickateci guradate above and a little 'what we have before? ....
CODE: 00401000 start proc near
CODE: 00401000 xor eax, eax
CODE: 00401002 mov ecx, 1FFFFFFh
CODE: 00401007 CODE_401007:; CODE XREF: start +7? J
CODE: 00401007 Loop CODE_401007
CODE: 00401009 CODE_401009:; CODE XREF: start +24? J
CODE: 00401009 mov eax, ds: DATA_40205E
CODE: 0040100E mul ds: DATA_402062
CODE: 00401014 eax inc
CODE: 00401015 mov ds: DATA_40205E, eax
CODE: 0040101A cmp ds: DATA_40205E, 699854FFh
CODE: 00401024 JNB short CODE_401009
CODE: 00401026 push 20h
CODE: 00401028 push offset str-> Example - CodedB
CODE: 0040102D push offset str-> IlRegistroEaxHa
CODE: 00401032 push 0
CODE: 00401034 call j_MessageBoxA
CODE: 00401039 call j_ExitProcess
CODE: 00401039 start endp
Tad 噜噜 噜 the sofficiniiiii Uh ..... sorry I meant .... Tad 噜噜 噜噜? The codiceeee!! A little 'changed but in the end? That, then try to figure out how I'm funzia algorithm, we can identify it immediately, 00401009 and ends at the three lines below, however, here it is:
CODE: 00401009 mov eax, ds: DATA_40205E
CODE: 0040100E mul ds: DATA_402062
CODE: 00401014 eax inc
CODE: 00401015 mov ds: DATA_40205E, eax
So, let's pretend you have not created the program and we have identified the algorithm going by exclusion, we are faced with two values that we do not know what kind they are and these are: DATA_40205E and DATA_402062, how do we know what values they contain? Simple press in IDA "G" which means "Go to address" box and write in that? Just appeared "DATE: 40205E" and hit enter, we could also click on "View | Segments", go to "DATA" and search 'address manually, but what? it's quicker, much more? seplice doppioclickare was about that name ;), but here are we? appears before us:
DATE: 0040205E DATA_40205E dd 3109h; DATA XREF: start +9? R
DATE: 0040205E *; +15 start? W
DATE: 0040205E *; +1 A start? R
DATE: 00402062 DATA_402062 dd 8A4h; DATA XREF: start + E? R
Dhe hi hi, just look up ', we have two hexadecimal values that when converted to decimal are the same ones we had used us for Random1 random2 and, if we really do not understand the Boeotians, and yet we use the algorithm of a function that I love more? what? one that allows us to rename the instructions, once on clickiamo DATA_40205E and press "N", write in the box "Random1" clickiamo DATA_402062 and then do the same thing only with "random2", we return to the piece the previous code by pressing esc and see a little 'surprise:
CODE: 00401009 mov eax, ds: Random1
CODE: 0040100E mul ds: random2
CODE: 00401014 eax inc
CODE: 00401015 mov ds: Random1, eax
let us now make a good thing, IDA selected these four lines with the mouse (click on the first line and go down to the fourth), then click on "File" then "Make output file" and again "asm Produces files .. . " Save the file with any name and go to open it with notepad, remove all the "ds", remember also that IDA has made us see that Random1 and random2 were the doubleword containing the values 3109h and 8a4h .... and here is the result:
Random1 dd 12553; this add him to you, 12553 and 2212 are the hexadecimal values
Random2 dd 2212; covertiti in decimal
mov eax, Random1
multi random2
inc eax
Random1 mov, eax
here for you guys tried the same algorithm that is identical to that of our source. We found out how to "read" a disasemblato, learn now how Patcha. IDA gives us a chance? To change the bytes of an executable program and produce a "patched" but as you can see it runs in a DOS shell and also for this reason can not? Create executable in DOS format, therefore we can not patch but we have just seen the program create a specially designed to run under DOS, here's the assembly code:
; To compile the source? Must have TASM 5.0 available on the
; My site: http://quequero.cjb.net tools section
;
; Here are instructions for compiling, just write them in a DOS prompt
; As TASM
; TLINK example
.286
. Small model
. Stack 100h
. DATE
String db 'Bravo I have successfully patched!', 0Dh, 0Ah, '$'
. CODE
start:
mov ax, @ data; Set the segment register
mov ds, ax
mov es, ax
xor ax, ax; Reset AX
cmp ax, 1; See if? equal to 1?!
je exact;? same? Show the string otherwise close the program
mov ah, 4ch; Function 'Close'
int 21h
exact:
mov dx, offset string
mov ah, 09h; visualize the string
int 21h
end start
This does nothing but clear programmillo Ax, check to see if? Equal to 1 and display a string if there? the problem? that if we reset Ax, will not be able? never be equal to one and then the program is shut? always, here is why? we bisono of patcharlo. IDA Open, select this file and disassembliamolo, the ways that we put what are essentially two? change the instruction "cmp ax, 1" so that it becomes "cmp ax, 0" or force the "exact h" making it "jmp exact", however, we'll examine both. We make a click on Education "cmp ax, 1", click the top menu "edit" and then "patch program" then we must choose whether to change a byte, word, or assemble the instruction in this case we choose "Assemble ... " and write in the box "cmp ax, 0", the program now? patched, but we also see the other method, clickiamo of "je exact" go in the menu above, clichiamo of change byte and write ...... what to write? Bh? Simple, we have to change a conditional jump into unconditional one, we know that all jumps have not put the short form "EB XX" then we should not do is replace the bytes "74 04" to "EB 04" and the game ? fact, at this point go to the menu "File" then "Make output file" and then "produces exe" file, save it with any name and click on it, you see the string? Well then you've patched as God commands.
I will not dwell further on this issue since? Very easy to patch a program, but you do not, however, ever since, IDA programs for dos there were very few. Let's look at the issue more? Important than what the IDA? how to make a compilable source from disassembled. First time not giving you the code but the disassembled so you can learn how to reconstruct a source, the code that I wrote I'll give? At the end, I wanted a program from reversare winzoz but I have not found anyone small enough to begin , were then the only small-size N, but here is the file dismembered
; File Name: C: \ TASM \ prog \ wind.EXE
; Format: Portable executable (PE)
, Section 1. (Virtual address 00001000)
; Virtual size: 00001000 (4096.)
; Section size in file: 00000200 (512.)
; Offset to raw data for section: 00000600
; 60000020 Flags: Readable Text Executable
; Alignment: 16 bytes?
p386n
model flat
;
; Segment type: Pure code
CODE segment para public 'CODE' use32
assume cs: CODE
assumes es: nothing, ss: nothing ds: nothing, fs: nothing, gs: nothing
;
; S u b r o u t i n e
public start
start proc near; CODE XREF: start +30? +45 j start? j
push 23h
push offset str-> Example 2 - Coded
push offset str-> CiauzCliccaSuUn
Push 0
call j_MessageBoxA
cmp eax, 6
jz short CODE_401032
cmp eax, 2
jz short CODE_401047
push 20h
push offset str-> Example 2 - Coded
push offset str-> HaiSceltoNo
Push 0
call j_MessageBoxA
jmp short start
CODE_401032:; CODE XREF: start +16? J
push 20h
push offset str-> Example 2 - Coded
push offset str-> BravoHaiSceltoO
Push 0
call j_MessageBoxA
jmp short start
CODE_401047:; CODE XREF: start +1 B? J
Call +5 U.S. dollars
jmp ds: ExitProcess
start endp
;
; S u b r o u t i n e
j_MessageBoxA proc near; CODE XREF: start + E? p +2 B start? p +40 start? p
jmp ds: MessageBoxA
j_MessageBoxA endp
align 200h
db 0E00h dup (?)
CODE ends
; Section 2. (Virtual address 00002000)
; Virtual size: 00001000 (4096.)
; Section size in file: 00000200 (512.)
; Offset to raw data for section: 00000800
; C0000040 Flags: Readable Writable Data
; Alignment: 16 bytes?
;
; Segment type: Pure date
DATA segment para public 'DATA' use32
assume cs: DATE
str-> Example 2 - Coded db 'Sample 2 - Coded by Quequero', 0, DATA XREF: start +2? or
; Start +1 F? +34 Or start? Or
str-> db CiauzCliccaSuUn 'Ciauz! Click on a button ', 0, DATA XREF: start +7? Or
str-> db BravoHaiSceltoO 'Bravo you chose YES!', 0, DATA XREF: start +39? or
str-> db HaiSceltoAnnull 'You chose undo!', 0
str-> db HaiSceltoTermin 'You have chosen ends', 0
str-> db HaiSceltoNo 'You chose No!', 0, DATA XREF: start +24? or
align 1000h
DATE ends
;
; Imports from KERNEL32.dll
;
; Section 3. (Virtual address 00003000)
; Virtual size: 00001000 (4096.)
; Section size in file: 00000200 (512.)
; Offset to raw data for section: 00000A00
; C0000040 Flags: Readable Writable Data
; Alignment: 16 bytes?
;
; Segment type: Externs
; _idata
extrn ExitProcess: dword; DATA XREF: start +4 C? r
;
; From USER32.dll Imports
;
extrn MessageBoxA: dword; DATA XREF: j_MessageBoxA? r
end start
Well well, the code I wrote it and not? Difficult I would say that conversion? Rather immediate, however, I recommend learning about a moment disassembled up here before you did .....? Ok let's see 'to rename some function, look at the code and I'll explain:
push 23h
push offset str-> Example 2 - Coded
push offset str-> CiauzCliccaSuUn
Push 0
call j_MessageBoxA
As you can see these 5 lines are nothing more than the routine generation of a messagebox, the structure? This:
MessageBox (
UType UINT / / messagebox style (buttons and icons)
LpCaption LPCTSTR, / / offset of the title of the message box
LpText LPCTSTR, / / offset of the text of the messagebox
HWND hWnd, / / window handle (NULL if? Absent)
);
in assembly this feature would most? or not these features:
push MB_OK OR MB_ICONQUESTION
push offset TITLE
push offset TEXT
push NULL, NULL if we do not have a parent window
call MessageBoxA
well well, but 23h cos'? Then the file windows.inc suggests these things:
MB_OK = 0000H
MB_OKCANCEL = 0001H
MB_ABORTRETRYIGNORE = 0002H
MB_YESNOCANCEL = 0003h
MB_YESNO = 0004H
MB_RETRYCANCEL = 0005H
MB_ICONHAND = 0010H
MB_ICONQUESTION = 0020H
MB_ICONEXCLAMATION = 0030H
MB_ICONASTERISK = 0040h
reveals that a simple addition 23h? 0020H +0003 h equal to what? MB_ICONQUESTION + MB_YESNOCANCEL there? means that the programmer (me) in the first row has used these parameters:
push MB_YESNOCANCEL OR MB_ICONQUESTION.
Now rename the strings in IDA in order to have something like:
push offset caption
instead of: push offset str-> Example 2 ...
Without it how do you say that you have learned before, at this point we can already? Messagebox rebuild all the routines in your code, rename all the strings like "Caption", "Text", "Text2" etc. ... . We will in this way, the original structure, but lacks one thing, if you look well after each call to a messagebox c '? a "cmp eax,?", what will? ever? Bh? we take our preferred API reference and let's see ..... It tells us that the ID of the key pressed is moved into eax, but how do we know what is the number that is the? Simple, always with our API reference! Here's the table:
IDOK = 1
IDCANCEL = 2
IDABORT = 3
IDRETRY = 4
IDIGNORE = 5
IDYES = 6
IDNO = 7
and thus the note with pleasure that after each call the program Checka EAX to see which button was pressed and open another messagebox, then we end up renaming all of the various jumps and see how? ... became our code:
public start
start proc near; CODE XREF: start +30? +45 j start? j
push or MB_ICONQUESTION MB_YESNOCANCEL
push offset Caption
push offset Message
push NULL
call MessageBoxA
cmp eax, 6
jz short SI_PREMUTO
cmp eax, 2
jz short EXIT
MB_ICONQUESTION push MB_OK or
push offset Caption
push offset No_Premuto
push NULL
call MessageBoxA
jmp short start
SI_PREMUTO; CODE XREF: start +16? J
MB_ICONQUESTION push MB_OK or
push offset Caption
push offset Message
push NULL
call MessageBoxA
jmp short start
QUIT:; CODE XREF: start +1 B? J
call ExitProcess
start endp
Very good! I'd like to give? Even advice, to tell the truth not easy to remember by heart all the ID and IDA to facilitate our work provides us with the "comments", comments are nothing more than notes on board line that puts IDA or that we put it, there are two types: recurring and non, the difference lies in the fact that if we jump on a repeatable comments like "This quits the program" IDA posizioner? the same sentence that the arrival of jumps, while if a comment is not repeatable it does not, to insert a comment just click on the repeated line that interests us and press; (is a semicolon) but if we want to insert a non-repeatable dobbiano then press: (colon) and then write in the box, we know all hours of the program, we are left only to go to read all the various strings that can be found in time and merge them done .... here's the code:
.386 P
. Model flat, stdcall
Extrn ExitProcess: PROC
Extrn MessageBoxA: PROC
INCLUDES windows.inc
. DATE
null equ 0
Caption db 'Sample 2 - Coded by Quequero', 0
Message db 'Ciauz! Click on a button ', 0
Message1 db 'Bravo occhei've chosen!', 0
Message2 db 'You chose undo!', 0
Message3 db 'You have chosen ends', 0
Messaggio4 db 'You chose No!', 0
. Code
start:
push or MB_YESNOCANCEL MB_ICONQUESTION
push offset Caption
push offset Message
push NULL
call MessageBoxA
cmp eax, 6; YES pressed?
je occhei
cmp eax, 2; CANCEL pressed?
je exit
push MB_OK or MB_ICONQUESTION
push offset Caption
push offset Messaggio4
push NULL
call MessageBoxA
jmp start
occhei:
push MB_OK OR MB_ICONQUESTION
push offset Caption
push offset Message1
push NULL
call MessageBoxA
jmp start
exit:
call ExitProcess
end start
I know that the string "You pressed ends ..." is never used, she is just there to confuse ;))))
Our dear IDA has other qualities "hidden" that are used less and I accinger? To explain. If you go the menu "File" | "Load File" you will see various options and more? Namely:
IDC files ...
Additional binary files ...
IDS file ...
Debug information file ...
FLIRT signature file ...
IDC Files: IDC files are script files that can easily be written by hand to create your own macros
Additional binary files from here we load a binary file and add the additional new information to old tail
IDS file: this is potentially not ever files. IDS sonon those containing all the information on the various functions of the office for IDA winzoz but only during the disassembling
Debug information file: bh? If IDA is a file relating to the DBG file we are disassembling then bother to load it, but if it does not find him so we can charge us
FLIRT signature file: you have this files. SIG PGP? Bh? Nothing to do with 'na stick ;) from these files IDA office functions of the standard model' will help to recognize the standard functions, IDA seeks suitable file on its own but do not always succeed, if we wanted to do by hand would find these files in the GIS, to load or download one just open the "signature" and press Ins to post one and to download one.
Let us explore the menu "Make output file ...", here are the options:
MAP files produced ... Shift-F10
Produces ASM file ... Alt-F10
Produce LST files ...
Produces EXE file ... Ctrl-F10
Produces DIF file ...
Dump database to IDC files ...
? Time to get to know them, hehehehe start.
Produces MAP files: IDA write? A file with all the information about the segments and the names sorted according to their values
Produces ASM files: gi? Met, however, produces a file. Asm asm containing the text we selected,? Very useful when creating keygenerator
Produce LST files: IDA writes a file with the current disassembled or with a piece of code we selected
EXE files produced: as already? Said recreates the executable if it had changed (only works with DOS files)
Produces DIF files: This function creates a file if I am in full text in which they recorded the original values and those that have been changed, the guidance says that the file would assume these features:
comment
nome_del_file
Offset: vecchio_valore new_value
Dump database to IDC files: This option saves the IDA database into a text file.
The menu "IDC command ..." allows us to charge a small script written specifically for IDA, the list? so long that if you need to open the menu and press F1 to vedervela ;))))
Sorry but I am starting to feel the first symptoms of fatigue, in fact I am writing 4 hours ...... Not to mention those of the previous day of course ;))
The remaining I sebrano unnecessary, we pass to the next menu, what? "Edit", a menu full of options, damn, that's what presents itself before our eyes when opened:
Code
Date
ASCII
Array ...
Undefine
Rename ...
Operand type
Comments
Segments
Structs
Enums
Functions
Patch program
Other
C'mon babe let's go explain ....... Code: very nice option for you to convert the bytes into instructions marked by IDA unexplored cone, then this statement will more often? More? You need to reach your more? obscure purposes, here I present to you a practical example of this command would otherwise be a bit 'dark.
Pu? Happen (indeed, it always happens with executable dos :) that IDA does not recognize the first shot of usable bytes of code with instructions that are important, this could happen with programs without a specified entry point or if the IDA did not find a particular path of execution , in which case the code that we would be of this type (example taken from a disasm crackme
seg000: 0100 start:
seg000: 0100 jmp short seg000_15B
seg000: 0102 nop
seg000: 0103 or ax, 610Ah
seg000: 0106 db 6Ah j
seg000: 0107 db 61H; to
seg000: 0108 db 78h; x
seg000: 0109 db 20h;
seg000: 010A db 66h; f
seg000: 010B db 88h;?
seg000: 010C db 74H; t
seg000: 010D db 65h; and
seg000: 010E db 20h;
seg000: 010F db 64h; d
seg000: 0110 db 75h; u
seg000: 0111 db 20h;
seg000: 0112 db 66h; f
seg000: 0113 db 6Ch; the
seg000: 0114 db 65h; and
seg000: 0115 db 75h; u
seg000: 0116 db 72h; r
seg000: 0117 db 20h;
seg000: 0118 db 63h; c
seg000: 0119 db 72h; r
seg000: 011A db 61H; to
seg000: 011B db 63h; c
seg000: 011C db 6Bh; k
seg000: 011d db 6DH; m
seg000: 011E db 65h; and
seg000: 011F db 2Ch;,
seg000: 0120 db 20h;
seg000: 0121 db 31h, 1
seg000: 0122 db 30h; 0
seg000: 0123 db 20h;
seg000: 0124 db 63h; c
seg000: 0125 db 68h; h
seg000: 0126 db 61H; to
seg000: 0127 db 72h; r
seg000: 0128 db 73H; s
seg000: 0129 db 2Ch;,
seg000: 012A db 20h;
seg000: 012B db 6EH; n
seg000: 012C db 6Fh; or
seg000: 012D db 20h;
seg000: 012E db 68h; h
seg000: 012F db 65h; and
seg000: 0130 db 78h; x
seg000: 0131 db 65h; and
seg000: 0132 db 64h; d
seg000: 0133 db 69h; the
seg000: 0134 db 74H; t
seg000: 0135 db 6Fh; or
seg000: 0136 db 72h; r
seg000: 0137 db 20h;
seg000: 0138 db 61H; to
seg000: 0139 db 6Ch; the
seg000: 013A db 6Ch; the
seg000: 013B db 6Fh; or
seg000: 013C db 77h; w
seg000: 013D db 65h; and
seg000: 013E db 64h; d
seg000: 013F db 3Ah;:
seg000: 0140 db 20h;
seg000: 0141 db 24h; $
seg000: 0142 db 0Dh;
seg000: 0143 db 0Ah;
seg000: 0144 db 77h; w
seg000: 0145 db 72h; r
seg000: 0146 db 6Fh; or
seg000: 0147 db 6EH; n
seg000: 0148 db 67h; g
seg000: 0149 db 24h; $
seg000: 014A db 0Dh;
seg000: 014B db 0Ah;
seg000: db 0Dh 014C;
seg000: 014D db 0Ah;
seg000: 014E db 72h; r
seg000: 014F db 69h; the
seg000: 0150 db 67h; g
seg000: 0151 db 68h; h
seg000: 0152 db 74H; t
seg000: 0153 db 24h; $
seg000: 0154 db 0Dh;
seg000: 0155 db 0Ah;
seg000: 0156 db 0Ah;
seg000: 0157 db 0;
seg000: 0158 db 0;
seg000: 0159 db 0;
seg000: 015A db 0;
seg000: 015B seg000_15B:
seg000: 015B mov ah, 9
At this point you're probably chidendo: "Miiiii but it's stuff that 梃 梃 梃 梃?!", already? fact I even asked me if we see that look better? more than an ASCII string, but why? then IDA I did not put in its characteristic shape? Why do not you understand which has the least of us ;)))) to help you understand better we can do that, select with the mouse over this length of seg000: 0106 to seg000: 015A, at this point press "C" .. . et voil? here's our ASCII string into a form more? "human"
seg000: 0106 str-> db JaxFiteDuFleurC 'jax f 阾 and fleur du crackme, 10 chars, no hexeditor allowed: $'
seg000: 0106 db '$ wrong', 0Dh, 0Ah
seg000: 0106 db 0Dh, 0Ah
seg000: 0106 db '$ right', 0Dh, 0Ah
seg000: 0106 db 0Ah, 0
seg000: 0158 db 3 dup (0)
and this helps us greatly to understand the code, bh? if it gives us a hand in the event of an ASCII string than we can imagine? help in case of a little 'code, if you had not figured this option is mostly used to convert misinterpreted the code. To recognize these pieces a little '"mad" that we can avail ourselves of the aid from the IDA with the colors, in fact, her brand of white on black background of these pieces address the what?
seg000: 014F db 69h; the
seg000: 0150 db 67h; g
seg000: 0151 db 68h; h
seg000: 0152 db 74H; t
seg000: 0153 db 24h; $
apart from the jokes before,? absolutely normal that confuses the code that receives the IDA, to help in its mission can disable the option "Make final analysis pass" which is located in the menu "Kernel options analysis", can? still be useful off in the same panel the option "coagulated Data Segments", if you happen marked a completely white does not mean that IDA does not know which has the 'na stick but it means? Statto encrypted / packato, in which case you should unzip the program, or, as good as you are reverser, reversare the encryption algorithm and create a small decode secret in IDA C.
Date: bell'opzione this also serves to convert the bytes into unexplored data conversions that applies here:
db -> DW -> dd -> float -> dq -> double -> dt -> packreal - \
^ |
\ ---------------- <---------------- <--------------- - <---------------- /
Basically converts a byte in a word, if you reapply it in a coneverte doublword and thus the following, if a file does not support that type of data, then skips to the next step
ASCII: This is used to convert bytes to strings unexplored
Array: allows us to declare the size of an array
Undefine: select text, click undefine and like magic all selected bytes will be converted to wilderness, you may be asking: "But I need to convetire explored a number of bytes?". I can assure you that I can? Serve and how, for example IDA sometimes exchanged with other types of instruction bytes and then presents them incorrectly, see for yourself:
seg000: 0157 db 20202020h;
seg000: 0158 db 20202020h;
seg000: 20202020h 0159 db;
you know what? success? You should know that 20h is equivalent to an ASCII space character, then the IDA has made the mistake of defining a possible ASCII string as 3 doubleword, how to fix it? Simple, we have to do is convert that data into ASCII characters, it would be necessary to select the three db and press "A" but we can not do that because the IDA does not consider those bytes with remote or unexplored but has them already? Marked db , we can fix the problem by selecting the three doubleword with the mouse, by pressing "U" for Undefinirle and then "A" to tell them that IDA should consider as ASCII characters, the error does not happen that I showed you the most? from version 3.82 to ? this was an example so you understand the function of this command, you will often have to use it in fact.
Rename: we have already? Used this function but we have sub-options are available, namely:
Include in list names: IDA has a range of predefined names and these are:
sub_ instruction, subroutine start
locret_ 'return' instruction
loc_ instruction
off_ date, contains offset value
seg_ date, contains segment address value
asc_ date, ascii string
byte_ date, bytes (or array of bytes)
word_ date, 16-bit (or array of words)
dword_ date, 32-bit (or array of dwords)
qword_ date, 64-bit (or array of qwords)
flt_ floating point data, 32-bit (or array of floats)
dbl_ floating point data, 64-bit (or array of doubles)
tbyte_ floating point data, 80-bit (or array of Tbytes)
stru_ structure (or array of structures)
algn_ alignment directive
unk_ unexplored bytes
Enabling this option as part of IDA in the list that is up here.
Public name: we can declare a public name, if the file supports the directive "public" then the name will be? Used by IDA will be otherwise? Shown only as a comment.
Autogenerated name: name of self-generated by the program, you appear a brownish color disappears and only if "undefiniamo" the bytes of that name
Weak name: same as public name, if the program supports the directive "weak" then the IDA user? Otherwise the names will be? Shown as a comment
Create name anyway: if for some masochistic reason we wanted to create a name in spite of it there is an identical checkare then we should allow this option for the poor IDA to add a suffix to the name pre-existing
Operand types: damn load opzioncine another menu, it elencher? Only the most? Incomprehensible:
Convert to number
Convert to hex number
Convert to decimal number
Convert to binary number
Convert octal number to
Convert to character
Mark as variable
Convert to segment
Convert to offset (DS)
Convert to offset (CS)
Convert any segment offset by
Convert offset by any user-specified base
Convert to struct offset
Convert to enum
Convert to stack variable
Change sign of operand
User-defined operand
Mark as variable <"Mark as variable #"> This option unmarka marka and the bytes selected as variables, the variables will recognize why? Begin with an asterisk "*"
Convert to offset (DS): This command converts an operand of an instruction at an offset from the current data segment (DS) Current
Convert any segment offset by: same as above except that converts an operand in an offset of any segment
Convert to struct offset: HIS command converts an operand of an instruction in a current offset within a specified structure
Then we have the "Structs" which serves to create and change structures, if you do not know what a property will do the usual example, then here is a structure in C (? An example and does not work only serves to make you understand
# Include
struct client {
char code;
Long id;
char name [32];
client * next;
};
void main (client * ptr) {
while (ptr! = NULL) {
printf ("ID:% 4LD Name:%-32s \ n", ptr-> id, ptr-> name);
ptr = ptr-> next;
}
}
a structure not? nothing but a variable that can hold more? data types, for example, if you're making a shooter and features you need to give a monster a few pictures so you could create a structure like this:
struct {Monster
char name [20];
int force;
Long bullets;
};
as defined in the comfort is the name of the monster, the strength and number of bullets that goes with it, as you can see we have added three data types (char, int and long) in a single variable, we could then adjust to taste like data during the game by simply calling this structure (see example above. Now that you know cos'? a structure you can easily guess at the convenience? for? you have a question like, "But what I want to know what are they and what are the structures? ". the facilities you need to know why? programmers make an immoderate use in their programmilli cursed, and there we find them in disasm each time, the problem would not have place if IDA had recreated themselves but, since not ago, we as usual to help us (even if it serves no purpose except to create a structure for our convenience?. Suppose we have dismantled a program that uses the facilities and the sources of which we possess, we look at it thoroughly and note that in the snippet of code where there should be central "monster" c '? just a bunch of confusing numbers ..... Do not worry, we click the menu "View | Structures" and begin to manually rebuild the structure in our source, in the window where we press "Ins" and write the name of our structure what? Monster, then press "D" to create a structure member and call it as the first member of the same source of our what? name, click with the mouse a new member to the line below and insert the other two members, once you finished something like this:
0000 Monster struc
0000 db name?
Force 0001 db?
0002 Projectiles db?
0003 Monster ends
you notice something? I think so, we made two mistakes, the first? That the State "Name" we can not define it as bytes in the source since it was defined as an array (char name [20]) we must transform "db?" in an array, to do it? simply click once on the line of the member that we are interested in and then press "A", will appear there? a while? in which we now sending prompted for the size of this array, and so enter 20? We solved the first error, the second you see too? I think so, if you take a look at the source you will see that the member was defined as long bullets (bullets long;), so in this case we must change "db?" in "dd?" Click to get it as usual on the line you want and press "D", thus "db?" will become? first "dw?" and then "dd?". We have now created the structure, but as the insert in disasm? Simple, close the window we were using, we click in the code point that interests us and go the menu "Edit | Operand types | Struct offset ...", or more? Just press "T" ;)))) and tad 噜噜 like magic if you placed it at the right time the disasm Muter? becoming a little bit 'more? readable, you basically changes like these:
first: push dword ptr [esi +1]
after: push dword ptr [esi + Mostro.Name +1]
Before concluding I would like to explain a digression on the meaning of education PTR, if you have never programmed in assembly, disassembly or debbuggato something then you have probably seen statements like these:
mov eax, dword ptr [00454898]
mov byte ptr [esi], 0
mov word ptr [something], ebx
mov word ptr something, ebx
mov ecx, word ptr [esi +71]
mov [ebp +00402588], byte ptr 95h
mov cl, byte ptr [eax]
All these instructions have one thing in common what? education PTR, but have you ever wondered what it means? Bh? If you did and you did not find an answer here is that I give you the solution, Intel will make available three reserved words for what? Byte PTR, PTR Word, Dword PTR, well, these mean, respectively: Pointer to a byte, a word to PoinTeR, PoinTeR to a doubleword, what? Pointer to a byte, a word, a doubleword and MUST be used when we Using a pointer to a constant, to explain? the concept of pointers: then do an example:
string db "+ Disease? great", 0
mov eax, 12345678h
mov eax, offset string
What c '? different between these two statements? Most will tell you? I, the first instruction moves the value 12345678h EAX, so if the window of a debugger ;) If we look at the EAX register, or write? "Eax" We now sending printed something like: 12345678 0305419896 "? Vx "There? means that the value 12345678h CONTAINS eax, the second statement instead, eax points to a string, what does tip? It means that if we write? "Eax" will not see the text string bens? A number like this: 00404F95 Mmmmm ..... but then where is the string??? Bh? The string as we said no? CONTAINED in eax but eax is offset by BET 00404F95, so if we want to see we have to do is write in the debugger "d eax" or go to comb through with the same command at that 'offset. But if instead of pointing to the string you want to move into eax eax how should I do? Simple, we must now make use of education PTR, in fact we could not write "mov eax, string" why? Would receive error, we for? Write: "mov eax, DWORD PTR string", so we move into eax a doubleword (4 bytes) and by checking the contents of eax with "? eax" we would see the letters: "+ mal" No .... no? exactly, to the way we would see our processors work written "+ lam" .... on the contrary, in practice ........ hahahahahahahaha Hahahahahahahahahahahaha Lama + + + Blade hahahahahahahahahaha .... This disease does not pardon me? ever (+ hei But I swear I had not done on purpose) for he makes me laugh hahahahahahahahaha (+ hei But think how you entertain? Xoanon time for him to say? hahahahah :) vabb? back to us, as we said eax will contain? this because only 4 letters? eax? big 4 bytes, when the processors are 64-bits would the records of 8 bytes :), but if we wanted to move into eax only one byte of the string we should write "mov eax, byte ptr string". The reason for which you use pointers? Just because? We could not even wanting to move to a record 200 words ...... If you are good guys now you should ask yourself: "What if I wanted to move the value in eax pointing another register how could I do? "... Bh? if you say that you can do so? "Mov ebx, eax" then you are mistaken for? You can write this: "mov ebx, [eax]" or "mov ebx, dword ptr [eax]," respectively mean: move in the value pointed to by eax ebx, whatever it be of any size and finch? not fill ebx, and the other, moving in the first dword ebx (so the first 4 bytes) pointed to by eax, we? means that in both cases we would have the same result, what? ebx containing "lam +" for? the first statement? more? fast. Let me give another example of using PTR education and then I explain the use of the instruction "lea".
.386 P
. Model flat, stdcall
extrn ExitProcess: Proc
. Date
string db 2Bh, 6DH, 61H, 6CH, 61H, 74H, 74H, 69H, 61H; these numbers mean in ASCII
; + Disease
. Code
start:
xor ecx, ecx
continues: mov al, byte ptr ecx + string
inc ecx
cmp ecx, 9
jne continues
call ExitProcess
end start
You know what the programmillo above? Reset ecx, and begins an account from scratch each time a byte of the charge in our string, as you can see the exact copy of a byte (byte ptr) + ecx string, so '? + Ecx that? If you look up the string you notice that I have subdivided each letter, then if you look at the program also note that with each loop incrisa ecx, then the third will contain the loop? String +3, what? 61H, capitooooooo ... If not reread this ... ;) If I had wanted to move two points in ax for each loop I had to change education in this way: mov ax, byte ptr ecx + string, but if we had wanted to move a whole doubleword then I had to write : mov eax, dword ptr ecx + string .... bh? enough about PTR, he understood my brother, I do not understand you!! ;))))))
To load a pointer in a register can also use the LEA instruction (Load Effective Address) that works like this:
"Lea eax, string," if we had used instead of lea mov compiler error but would have given us so? Because he does not? "Lea eax, string" means: charge in eax the offset of the string, the result obtained using lea and mov? but equal? got two speeds? executing very different, the first fact? much more? fast as the offset constant gi? known assembler, while the second is more? pianino ;)) for those do not know the majority of high-level compilers (read: microsoft visual c + +) replace all the instructions like "mov reg, offset xxx" with "lea reg, xxx" slowing down the execution significantly. I think I have clarified the use and function
"Enums" from here we can define an enum type, in all languages often make use of enumerations of some kind, here is an example of a list in C:
enum {Calore_t
LAMP, / * Things hot * /
SUN,
ICE, / * send * cool /
HAIL
};
enum {stagione_t Spring, Summer, Fall, Winter};
bool_t enum {FALSE, TRUE};
int 萠 una_bella_giornata (Calore_t hot season stagione_t) {
if ((Spring season == | | == Summer season) && hot LAMP == | | == hot SUN) return TRUE;
if ((Winter season == | | == Autumn season) && hot ICE == | | == HAIL hot) return TRUE;
return FALSE;
}
During disasm would be displayed on the screen of numbers and not names like "Sun, Summer, ice" then clearly it would be better for us to see written "Sun, Summer, ice" instead of 1,2,3, etc .... Go then in the menu "Options | Enumarations", will appear? a window very similar to that of the first in which you must recreate the enumeration, how? Press the "ins" and created the first thing the boolean values "False / True", then type "Boolean Value" and press enter, to enter a member in this listing go to the bottom line with the mouse and press Ctrl + N, write "False" and left as the value 0, go back on the last line and type "True" by giving 1 as a value, then created another enumeration and chimatela Heat, and thus the way up to having something like this:
? 0000000; enum Boolean_Value
? 0000000 False = 0; value True / False
? 1 0000001 = True
? 0000000; enum Season
? 0000000 Summer = 0; Seasons
? = 1 Fall 0000001
? = 0000002 Spring 2
? 0000003 Winter = 3
? 0000000; enum Heat
? 0000000 Lamp = 0; Things hot and cold things
? 0000001 Sun = 1
? Ice 0000002 = 2
? Hail 0000003 = 3
from now on baby food? always the same, find the point where you want to apply the enumeration, we clicked with the mouse, open the menu "Edit | Operand types | Enum member ..." or press "M", and placed where you need it ;)))
"Functions" from here we can add and edit the various functions, illustrate the operation there in that? Something too intuitive
"Patch program" already? Explained above
"Other" and submenus:
(Re) name any address ...: guess what '? FROM here can name / rename / delete an address
Variable: Same as "Mark as Variable"
Jump table ...: If we find an indirect jump from a table we can notify IDA of the size and address of this table so it can continue its analysis example code for converting all those addresses refer to that table
Alignment ...: This command creates an alignment directive, this directive rimpiazzer? Unnecessary number of bytes inserted by the linker to align the program code and data in a paragraph, we can try to select an area you wish to convert prover and IDA? to locate a correct alignment
Instruction manual ...: This command allows us to specify the representation of an instruction or a data element in a program
Hide / show items: This command allows you to hide and show a statement or a given
Hide / show border: If enabled hides the thin edge created by IDA to divide the instructions from the data
Menu "Browse" will explain this? Very few features the most? Less useful and understandable as usual.
Navigation stack empty: empty stack navigation using IDA
Jump to ... | Problem ...: jump to the first function that IDA states affected by problems which are:
Can not find offsets based
Can not find name
Can not find an alternative string for operand
Can not find comment
Can not find references
Indirect execution flow
Can not disassemble
Already date or code
Execution flows beyond limits
Too many lines
Attention! Probably erroneous situation
Decision to convert to instruction / data is made by IDA
Search for | next void: the void are the instructions to which we must be careful since the IDA is not? Able to recognize if it is Offser or numbers, with this command them to go look to see if we can solve the problem
Search for | text ....: let the text such as a string like "you're an asshole you were wrong password"
Search for | text in core ....: the same as above only much more? Fast
Search for | not function: look for the first byte that does not seem to function
"View" menu also will explain this? Functions pi? Important:
View | Functions: shows all functions called by the program
View | Enumeratios: This command opens the "enum" from which we can change, add, edit and enumerations.
Oki and these s? Gone now missing the menu more? Long so if you're tired of reading go to rest and continue tomorrow morning.
Options:
Text representation ...
Cross references ...
Assembler Directives ...
Name representation ...
Demangled names ...
ASCII strings style ...
ASCII strings options ...
Colors ...
Dump / normal view
Setup data types
Processor type ...
Target assembler ...
Analysis options ...
Search direction
Then allorino continuaiamo this tedious sitting talking of the "options" true regarding the configuration of the program, this step would jump gladly happy to fly to the conclusion, but "through the floor into a force that I too know how to explain" (by Yale? Keeps me on this chair to write a tutorial that most likely will be useless? read by tens of people .., (((
'Nuff said: ... Text representation: to say the least convoluted menu that presents a myriad of small opzioncine that we will now examine.
Line prefixes: we'll see if we disable the addresses before disappearing bytes
Number of opcode bytes: the opcode are the hexadecimal code for each instruction, IDA default it is 6 and if it requires more education? Then adds a "+" at the end (c '? Well fall rhyme ;)
Use segment names: enables or disables the nomenclature of the segments so? If enabled will see "Segment: 3200" instead of "3000:3200"
Segment addresses: if? Enabled to see the segment in front of an address: "segment: 3000" rather than "3000", this is not that I keep it disabled brothel
Display 'void' marks: brings up the signs of recognition before "void"
Display empty lines: if enabled brings up empty lines by decreasing the usable space on monitor
Display Borders Between the date / code: if disabled dispels the dividing line between the data and the segments
Display Instructions <BAD> bad marks: all processors have their nice features that are not documented and when one of these passes under the disasm the program says "ki kazzo and you are you?", IDA? Very sensitive from this point of view and if is a function that does not know tries to identify it but if it fails the Marchia with such ferocity as a German to a poor jew and a nice red tattoo writes sopa <BAD>
Use tabulations output: with this option disables the well-known IDA-stop tab (0x09) in its output file
These seem intuitive:
Display comments
Display repeatable comments
Car Display comments
Instructions indention: literally, spacing instructions, set this value to 2-3
Comments indention: who will? Ever??? ;)))
void's low limit: see below
void's high limit, these two values are very important in that state if an instruction? or not a "void," an object? said "void" if it has an immediate value as an operand or part of an operand and the immediate value? among those that we define in the box "low limit" and "high limit"? that the importance of the two boxes
"Cross references" here are the choices that we make available to this menu:
Display segments in xrefs here is the difference between enabled and disabled:
; CODE REF: 3000:1025 - enabled
; CODE REF: 1025 - disabled
Display type mark xref: who knows? Perhaps the xref marka
Display function offsets: bho! We will show? Offsets work? ;)))
Display xref values: on this then I do not know what to tell you, perhaps shows the values of xref ;)))
Right margin: interpretation difficult option can? Be that you measure the right margin, but who knows? The ways of the Lord are endless ;))))
Cross reference depth: this one instead? A little 'more? Serious and not to confuse you carry the example of leadership, the author supposed to have an array
A db 100 dup (0)
if some instructions are for 5-th element of the array:
mov al, A +5
with TD = 3 there are shown xrefs
with TD = 10 will be displayed instead
Number of xrefs to display: the function? Obvious, to lift up? A bit '
"Assembler Directives ...": Another small menu
ASSUME Directives: This option enables or disables the generation of some direttve such as "assume" and "origin", can leave it enabled? Be useful in reconstructing the source
. ORG Directives: the same thing as before except that? Valid for. Com
"Name ... representation": not much to say, here we are asked how they call the various segments and I think the default is the best, the other 4 options regarding the types of names will not be analyzed because the I have already? explained before
"Demangled names ..." IDA can? Replace the mangled names (the guide says its hei = mangled mangled) from C + + compilers in this menu and asks us how to do it, whether by way of comment, in the name or slaughtered ;)), the setup of names long and short leave it to you since? easy
"ASCII strings style ...": In this menu we can define the style of the strings and we can also define one when we need, here there '? Else to explain
"ASCII strings options ..." ahhhhhh! One of the menu that I do enjoy most? Aahhhhhhhh, I look like Homer ;) here's what we do:
Generate names: we want the ASCII strings? Then abilitiamola ;)
Names prefix: change the bloody string and put other's qualco
Mark as autogenerated: it marks the string as a self-generated
Serial number: it generates the exact serial ANY password-protected program, it also gets the pass for. Zip and. rar protected ;)))) hahahahaha
Serial width: asks you how long you want the serial for the program ;))))))))))
ASCII char next line: this? Great it makes you choose the word that you want to encode in the serial ;)))))) porka Vakka what I'm fucked up ;))))
"Colors ...": choose the palette you want to use but vaaaaaaaaaaaa ;)))))))
"Dump / normal view" lets you choose between the view that as a hex editor and disassembler as
"Setup data types": asks you what kind of data you want to use the command MakeData
Oki menus are gone, and I hope you did understand the workings of the IDA, see you soon
Quequero
Home Page: http://quequero.cjb.net
E-mail. UIC@mail.usa.com
P. S.
Ahhhhhhhhhh, in this latest release the document? Become 43 Kbytes more? Heavy and even today I have lost my good 4 hours to finish it, it will continue? To update this tutorial soon will become? A book and do? Publish ;) )))))))))) jokes aside I must tell you that we have to write it tuttto I just did my ass ;)))))))))) ciauuuuuuzzzzzzzz the next release that, given the weather will not be? then trope far ;))) ciauz Quequero
IDA Pro 3.8
(Tutorial version 1.1)
================================================== ===================================
What's new:
Fixed some spelling mistakes ;))
Clarified the function of the command "Code" with an example
Explained more? Detail the function of the command "undefine" with an example
Analyzed the "Struct" with various examples and more explanations? Accurate
MUCH better ;) explained the "Enum" with examples of
Clarified the use of technology FLIRT
VERY clearly explained the use and meaning of education PTR
Clearly demonstrates the operation of the pointers
Explained the use of functions "mov" and "lea"
Explained something about indirect addressing and offset
================================================== ===================================
Hello everyone, this tutorial will try? To explain more in the way? Clearly as possible the use of dissassembler best there is, what? IDA Pro 3.8x, the tutorial does not? Oriented Newbies for Newbies? Can try them too, the document does not? Be considered definitive because let myself more and more on growing? Over time.
IDA Pro can mean: Intercative Disassembler Pro, in fact? True that ida? Interactive, but we go up steps and start. We choose a file to disassemble, and maybe possibly a very small windows, click on Idaw.exe, we see appear the window of our beloved program, press ok and choose the file at this point Ida open? Up a window that says " Load of New File Format ", in the first three rows we are asked to choose the type of file you want to disassemble, what? if a Windows executable (or otherwise use the PE format), a DOS executable or binary file, checkiamo the first box: Portable Esecutable, pi? bottom we see the word "Loading Segment", where you should insert the entry point of the program, in general? 0x1000 as the default, but if you are unsure, open the file with ProcDump and see it, then let 0x1000, pi? another field appears at the bottom "Loading offset", which should include the offset of the first byte of the beginning of the first segment, but we do not care because this option should only be used if you want to disassemble a binary file, pi? checkare other boxes at the bottom we have, for now there to count it and then explain them to you:
Create segments
Load resources
Rename DLL entries
Manual load
Fill gaps segment
Make imports section
Do not align segments
Then, create segments? A useful option for binary files, it creates us the various segments, but there? Not? Necessary if you want to disassemble an executable, Load resources instead loads the resources from NE files, even this? If necessary disassemble an executable PE format, Rename DLL entries? option that if enabled allows IDA to place between the disassembled comments repeatable each imported function, Manual load we are not interested in the case of the PE file format, if for? format? different then the option can? be activated and IDA we ask? for loading the address of each object file, segment Fill gaps? himself only useful for formats other than PE, if checkata IDA does is fill all the "holes" between the various segments, Make imports section? be helpful for the PE file format, if activated tells IDA to delete the section. idata from the file and convert them all the definitions in it as external directives The guide told us that sometimes in the section. idata we can find additional information and we should disable this option, Do not align segments, as the name implies, checkiamo if this option does not allow the realignment of segments, but does not require for the PE file format. At this point we are also facing a two buttons labeled "Processor Type", as opposed to us? You might believe here will not have to specify the type of processor that you have but the type of processor for which? Wrote the program, default? 80386 and right that is so? then you can leave this option unchanged, the other button bearing the text "Analysis options", click over here and you will see two buttons and two other options, look at these first two:
Analysis enabled: if the box? Checkata then IDA will analyze? The program while we are not acting on disassembly, while leaving the priority? To our requests, this option must be enabled, if not then we may run into various problems.
Indicator enabled:? That counter which is located in the upper right and bearing the inscriptions:
AU: __idle__ AutoAnalysis is finished.
AU: disable AutoAnalysis is disabled.
FL: <address> execution flow is being traced
PR: <address> function is being created
AC: <address> the code analysis goes through the address Noted
LL: <number> a signature file is being loaded
L1: <address> the first pass of FLIRT
L2: <address> the second pass of FLIRT
L3: <address> the third pass of FLIRT
FI: <address> the final pass of autoanalysis
?: Noted <address> the address Becomes unexplored
@: Various <number> Indication of activity
depending cosasta by IDA ...? best left enabled. Then we have the two buttons, the first clickiamo "Kernel analyzer options" and appear to see in front of a mora opzioncine here they are:
Create offsets and segments using fixup info
Mark typical code sequences as code
Delete Instructions with no xrefs
Trace execution flow
Create functions if call is present
Analyse and create all xrefs
Use flirt signatures
Create function if data xref data-> code32 exists
Rename jump functions as j_ ...
Rename empty functions as nullsub_ ...
Create stack variables
Trace stack pointer
Create ascii string if data xref exists
Convert 32bit instruction operand to offset
Create offset if data xref exists to seg32
Make final analysis pass
Locate and create jump tables
Coagulated data segments in the final pass
Dhe hi hi, now we have fun, tralascerei happy to explain all these functions, but, like any self-respecting guide that I have to analyze the program from top to bottom .... I wonder? Maybe one day someone domander? To someone else "Hey, where I learn to use IDA? " and that someone else say? "Try the site Quequero, has written an excellent guide" .... hi hi DHE lascietemi dreaming ;))))))))
Taking up the thread here is the explanation:
Create offsets and segments using fixup info: IDA to make more? Pleasant disassembled makes use of relocation information and converts all objects with the details of relocation in word or doubleword, and if a statement has assigned the relocation information IDA converts data to an offset or a segment, for example, say we are given in our source code with something like this:
.386
----- Snip ----- snip
. Date
dd something 000F3785h
. Code
start:
mov eax, offset some
end start
If the file disassembliamo W32Dasm we get something like:
mov eax, 0040200
If instead the disassemblassimo with IDA and with the above option turned on, then get something like this:
mov eax, offset some
Capitoooooo!! ;)
Mark typical code sequences as code: in this author's IDA recognizes some typical sequences of code (example: push bp mov bp, sp) and when loading it found some converts in education
Instructions with no xrefs Delete: allows IDA does not define the unreferenced statements, in practice if we execute the command "undefine" (which will explain? Later) at the beginning of a function program canceller? All instructions that have lost touch with the statement just "undefinita" ... there is brightening? around more? later do not worry ;)
Trace execution flow: IDA allows you to convert all references to the bytes in the instruction
Create functions if present call is: do you create a function that IDA if the code? A call, in practice if there is a call in the code like this:
call routine
then IDA will create? a function labeled "routine", this option attempts to "pull" calls from the rest of the code to allow a visual approach, but also technically more? simple
Analyse and create all xrefs: this? Option that makes the difference between IDA and W32Dasm, without it, our program does not analyze the file and would not create any xreferences and other exclusive features of IDA.
Use flirt signatures: Allows use of technology FLIRT, do not worry you will not see IDA and IDO do the filthy on the monitor ;)))))), this technology allows us to recognize the type of compiler used to identify and standard calls in So instead of seeing this, call 00469187, see: MessageBoxA call, in case the technology fails to recognize the compilers (read: Delphi) is the can? always force the compiler to use instructions that reteniamo has been used to do that particular program by simply opening the menu "View | Signatures" and pressing "ins" to bring up the list of available compilers.
Create function if data xref data-> code32 exists: If IDA encounters a reference to a given one SEGMENT DATA SEGMENT CODE to a 32-bit controls the presence of disassembled instructions useful, if education is the brand (needless to say ;) as a statement and creates? a function
Rename jump functions as j_ ...: utility function? High, this option allows you to change EVEN a statement like:
jmp dovevuoi
in:
j_dovevuoi
But I say ... you realize you realize how the presence of this option will allow even my cousin 10 years to become a cracker ... my god what a genius the author of the program ;)))))) ))))))))))) jokes than him? was really a genius
Rename empty functions as nullsub_ ...: IDA allows you to rename the empty functions, what? Those containing only the instruction "ret" as nullsub_1 nullsub_2 ... etc ... Also this function must have been designed for decades ;) )))
Create stack variables: means that IDA automatically create stack variables and function parameters
Trace stack pointer: With this option enabled IDA traccer? The value of the Stack Pointer (SP)
Create ascii string if data xref exists: If IDA encounters a reference to an object is not defined, then look for the presence of an ASCII string, if the length of the string? IDA enough then creates an ASCII string happens ;)
Convert 32bit instruction operand to offset: funzia only 32bit segments, if an instruction has an operand that can? Be converted to a useful esepressione then converts it to offset the value of the operand must for? Be more? Large 0x10000
Create offset if data xref to seg32 exists: If IDA encounters a reference to a segment 32bit and the file contains a value that can? Be represented as an offset IDA then converts it to an offset .....
Make final analysis pass: This option allows IDA to coagulate all the bytes of data to convert scanned instruction
Locate and create jump tables: this option allows IDA to assume the size and the address of a "jump table"
Coagulated data segments in the final pass: This option is useful only if? Also activated the option "Make final analysis pass" allows IDA to convert byte array to insplorati data in the data segment. If we disable this option IDA coaguler? Only code segment.
Very good, we finished this button, leave the default settings, or if you want to disable the one that converts jump xxxx j_xxxx often? More? Inconvenient than useful and press ESC to go into the meanders of the button "Processor-specific analysis options" after the click you have only 4 options and spieghiamole as usually one by one:
Convert immediate operand of "push" to offset
Convert db 90h after "jmp" to "nop"
Convert immediate operand of "mov reg, ..." to offset
Convert immediate operand of "mov memory, ..." to offset
Convert immediate operand of "push" to offset: if ida sees a sequence like this: push segment, push gino, prover? To convert gino at an offset
Convert db 90h after "jmp" to "nop" if after a jump are "db 90h" instead of leaving it with '? Into the nop (no operation)
Convert immediate operand of "mov reg, ..." to offset: here too if ida is something like: mov ax, 258h, mov sp, eg will convert then? 258h at an offset
Convert immediate operand of "mov memory, ..." to offset: even if IDA finds instructions like: mov ax, 895h mov X, seq (X? a reference to a memory) then converts offset 895h
Great press esc twice and take a look at the panel, the only thing that c '? I? That field indicated by dll directory, l? We must enter the directory in the IDA will go? To look to find references to various DLLs, the problem? ida that does not look for DLL bens? files. ids, the directory in my case? c: \ ida \ ids \ Win if you use windows otherwise will change? only the last folder.
We are ready at this point to begin disassembling the file, choose a very small bit of advice .... 8-15 kb it takes a few seconds, I say to those who are experiencing the IDA only now, this program? Very, very more? slower W32Dasm I guarantee for? that all the time in more? you lose the regained after disassembling it, then press "OK" and wait .... Then, as soon as the indicator in the upper right Recher? says "ready "want them? IDA will have to say? finished, then you first thing in front of a page like this:
CODE: 00401000; File Name: C: \ Sample.exe
CODE: 00401000; Format: Portable executable (PE)
CODE: 00401000; Section 1. (Virtual address 00001000)
CODE: 00401000; Virtual size: 00001000 (4096.)
CODE: 00401000; Section size in file: 00000400 (1024.)
CODE: 00401000; Offset to raw data for section: 00000600
CODE: 00401000, 60000020 Flags: Readable Text Executable
CODE: 00401000; Alignment: 16 bytes?
CODE: 00401000 p386n
CODE: 00401000 Model Flat
CODE: 00401000; ---------------------------------------------- ------------------
CODE: 00401000; Segment type: Pure code
CODE: 00401000 CODE segment para public 'CODE' use32
CODE: 00401000 assume cs: CODE
CODE: 00401000 takes eg: nothing, ss: nothing ds: nothing, fs: nothing, gs: nothing
CODE: 00401000; ____________________________________________
CODE: 00401000; S ubroutine
CODE: 00401000 start public
CODE: 00401000 start proc near
In this first part we have all the headers of the original file, those in practice that we would see if we have the source and especially IDA informs us of the type of file you just disassembled if we had not known before. I want to go? To a practical example, the author tells us that we can use IDA for three purposes:
1) Learn a trick to programming in an interesting program
2) Patching the file if you do not have the source
3) Obtain from the disassembled code compilable
We will do all three things, we begin.
What I propose now? Assembly code that generates a programmillo a messagebox depending on the value assumed eax, here's the code, you'll see with the comment:
; To compile the source? Must have TASM 5.0 available on the
; My site: http://quequero.cjb.net tools section
;
; Here are instructions for compiling, just write them in a DOS prompt
; Tasm32 / ml-m5-t-q as
; Tlink32-aa-Tpe-x-c as,,, import32
.386 P
. Model flat, stdcall
extrn MessageBoxA: Proc, we define the necessary API
extrn ExitProcess: Proc
includes windows.inc
. Date
Caption db 'Example - Coded by Quequero', 0
Message db 'The EAX register has assumed a lower value of 1,771,590,911', 0
Random1 dd 12553; random values used in the algorithm
Random2 dd 2212; of Lehmer
null equ 0
. Code
start:
xor eax, eax; we reset EAX
mov ecx, 01ffffffh; These two lines are used to create a timer, Education
wait: wait loop, "loop" decrisa each time until ECX contains zero, the
; Loop in question brings up a messagebox after about
And a second since the program
random: mov eax, Random1; Lehmer algorithm for generating numbers
multi random2; random (although we should speak of pseudo-randomness?
inc eax
Random1 mov, eax; End of algorithm
cmp Random1, 699854ffh; Compare with Random1 1771590911 (699854ffh)
jae random; If Random1 contains a value greater than or equal to, first established otherwise repeat the algorithm continues in
push MB_OK OR MB_ICONQUESTION; Generate a messagebox with an OK button,
Caption push offset, the icon of the "i" information and text
Message push offset; contained in strings "Caption" and "Message"
push null
call MessageBoxA
call ExitProcess; Quit program
end start
As you can see the program sets a timer for a second and then off to the generation of a pseudo-random algorithm by Lehmer, start the timer? due to the fact that the CPU uses an infinitesimal time to generate many So that number? is less than the one proposed by us, so we delay the emergence of the messagebox.
Suppose that I am aware of the presence of Lehmer algorithm in this program, this algorithm we absolutely need, but we do not know where to find it, what do we do then? Obvious! Disassembliamo the program and try the ritrovarcelo? In half, open IDA and see what it tells us:
CODE: 00401000; File Name: C: \ TASM \ prog \ wind.EXE
CODE: 00401000; Format: Portable executable (PE)
CODE: 00401000; Section 1. (Virtual address 00001000)
CODE: 00401000; Virtual size: 00001000 (4096.)
CODE: 00401000; Section size in file: 00000200 (512.)
CODE: 00401000; Offset to raw data for section: 00000600
CODE: 00401000, 60000020 Flags: Readable Text Executable
CODE: 00401000; Alignment: 16 bytes?
CODE: 00401000 p386n
CODE: 00401000 Model Flat
CODE: 00401000; ---------------------------------------------- ------------------
CODE: 00401000; Segment type: Pure code
CODE: 00401000 CODE segment para public 'CODE' use32
CODE: 00401000 assume cs: CODE
CODE: 00401000 takes eg: nothing, ss: nothing ds: nothing, fs: nothing, gs: nothing
CODE: 00401000; ________________________________________________________________
CODE: 00401000; S u b r o u t i n e
CODE: 00401000 C0 33 public start
CODE: 00401000 start proc near
CODE: 00401000 xor eax, eax
CODE: B9 FF FF FF 01 00401002 mov ecx, 1FFFFFFh
CODE: 00401007 CODE_401007:; CODE XREF: start +7? J
CODE: 00401007 E2 FE Loop CODE_401007
CODE: 00401009 CODE_401009:; CODE XREF: start +24? J
CODE: 00401009 5E A1 20 40 00 mov eax, ds: DATA_40205E
CODE: 0040100E F7 25 62 20 40 00 mul ds: DATA_402062
CODE: 00401014 40 inc eax
CODE: 5E 20 40 00 A3 00401015 mov ds: DATA_40205E, eax
CODE: 0040101A 3D 5E 81 20 40 00 + cmp ds: DATA_40205E, 699854FFh
CODE: 00401024 73 E3 JNB short CODE_401009
CODE: 00401026 6A 20 push 20h
CODE: 00401028 68 00 20 40 00 push offset str-> Example - CodedB
CODE: 0040102D 68 1E 20 40 00 push offset str-> IlRegistroEaxHa
CODE: 00401032 6A 00 push 0
CODE: 00401034 E8 05 00 00 00 call j_MessageBoxA
CODE: 00401039 E8 06 00 00 00 call j_ExitProcess
CODE: 00401039 start endp
CODE: 0040103E; ________________________________________________________________
CODE: 0040103E, S u b r o u t i n e
CODE: 0040103E j_MessageBoxA proc near; CODE XREF: start +34? P
CODE: 0040103E FF 25 4C 30 40 00 jmp ds: MessageBoxA
CODE: 0040103E j_MessageBoxA endp
CODE: 00401044; ________________________________________________________________
CODE: 00401044; S u b r o u t i n e
CODE: 00401044 j_ExitProcess proc near; CODE XREF: start +39? P
CODE: 00401044 FF 25 54 30 40 00 jmp ds: ExitProcess
CODE: 00401044 j_ExitProcess endp
CODE: 0040104A 00 00 00 00 00 00 + align 200h
CODE: 00401200? ? ? ? ? ? + Db 0E00h dup (?)
CODE: 00401200? ? ? ? ? ? + CODE ends
DATE: 00402000; Section 2. (Virtual address 00002000)
DATE: 00402000; Virtual size: 00001000 (4096.)
DATE: 00402000; Section size in file: 00000200 (512.)
DATE: 00402000; Offset to raw data for section: 00000800
DATE: 00402000; C0000040 Flags: Readable Writable Data
DATE: 00402000; Alignment: 16 bytes?
DATE: 00402000; ---------------------------------------------- ------------------
DATE: 00402000; Segment type: Pure date
ATA: 00402000 DATE segment para public 'DATA' use32
ATA: 00402000 assume cs: DATE
ATA: 00402000 45 73 65 6D 70 69 + str-> Example - CodedB db 'Example - Coded by Quequero', 0
ATA: 00402000 6F 20 20 2D 2D 20 +, DATA XREF: start +28? Or
ATA: 0040201E 49 6C 20 72 65 67 + str-> db IlRegistroEaxHa 'The EAX register has assumed a lower value
ATA: 0040201E 69 73 74 72 6F 20 +, DATA XREF: start +2 D? Or
ATA: 0040205E * 09 31 00 00 DATA_40205E dd 3109h; DATA XREF: start +9? R
ATA: 0040205E *; +15 start? W
ATA: 0040205E *; +1 A start? R
ATA: 00402062 A4 08 00 00 dd DATA_402062 8A4h; DATA XREF: start + E? R
ATA: 00402066 00 00 00 00 00 00 + align 1000h
ATA: 00402066 00 00 00 00 00 00 + DATE ends
? Idata: 0040304C;
? Idata: 0040304C; from USER32.dll Imports
? Idata: 0040304C;
? Idata: 0040304C; Section 3. (Virtual address 00003000)
? Idata: 0040304C; Virtual size: 00001000 (4096.)
? Idata: 0040304C; Section size in file: 00000200 (512.)
? Idata: 0040304C; Offset to raw data for section: 00000A00
? Idata: 0040304C; C0000040 Flags: Readable Writable Data
? Idata: 0040304C; Alignment: 16 bytes?
? Idata: 0040304C; --------------------------------------------- -----------------
? Idata: 0040304C; Segment type: Externs
? Idata: 0040304C; _idata
? Idata: 0040304C? ? ? ? extrn MessageBoxA: dword; DATA XREF: j_MessageBoxA? r
? Idata: 00403050
? Idata: 00403054;
? Idata: 00403054; Imports from KERNEL32.dll
? Idata: 00403054;
. Idata: 00403054? ? ? ? extrn ExitProcess: dword; DATA XREF: j_ExitProcess? r
. Idata: 00403058 00 00 00 00 end start
As you can see the code? Difficult to interpret, not for the difficulty? But the mess of numbers, to decrease the brothel one thing we can do what? we know that without exception in a program code that interests us is in sections CODE (if compiled with a Borland compiler) and. text (if? been compiled with something else), as you can see, beside the virtual address c 'is the name of the section. "idata.00403054" cos? doing we cut away a good piece of code "futile", but why? do it by hand when IDA will make available a good option? Well let's use it, go to menu "View2 and click on" Segments "and choose" CODE ", doppioclickateci guradate above and a little 'what we have before? ....
CODE: 00401000 start proc near
CODE: 00401000 xor eax, eax
CODE: 00401002 mov ecx, 1FFFFFFh
CODE: 00401007 CODE_401007:; CODE XREF: start +7? J
CODE: 00401007 Loop CODE_401007
CODE: 00401009 CODE_401009:; CODE XREF: start +24? J
CODE: 00401009 mov eax, ds: DATA_40205E
CODE: 0040100E mul ds: DATA_402062
CODE: 00401014 eax inc
CODE: 00401015 mov ds: DATA_40205E, eax
CODE: 0040101A cmp ds: DATA_40205E, 699854FFh
CODE: 00401024 JNB short CODE_401009
CODE: 00401026 push 20h
CODE: 00401028 push offset str-> Example - CodedB
CODE: 0040102D push offset str-> IlRegistroEaxHa
CODE: 00401032 push 0
CODE: 00401034 call j_MessageBoxA
CODE: 00401039 call j_ExitProcess
CODE: 00401039 start endp
Tad 噜噜 噜 the sofficiniiiii Uh ..... sorry I meant .... Tad 噜噜 噜噜? The codiceeee!! A little 'changed but in the end? That, then try to figure out how I'm funzia algorithm, we can identify it immediately, 00401009 and ends at the three lines below, however, here it is:
CODE: 00401009 mov eax, ds: DATA_40205E
CODE: 0040100E mul ds: DATA_402062
CODE: 00401014 eax inc
CODE: 00401015 mov ds: DATA_40205E, eax
So, let's pretend you have not created the program and we have identified the algorithm going by exclusion, we are faced with two values that we do not know what kind they are and these are: DATA_40205E and DATA_402062, how do we know what values they contain? Simple press in IDA "G" which means "Go to address" box and write in that? Just appeared "DATE: 40205E" and hit enter, we could also click on "View | Segments", go to "DATA" and search 'address manually, but what? it's quicker, much more? seplice doppioclickare was about that name ;), but here are we? appears before us:
DATE: 0040205E DATA_40205E dd 3109h; DATA XREF: start +9? R
DATE: 0040205E *; +15 start? W
DATE: 0040205E *; +1 A start? R
DATE: 00402062 DATA_402062 dd 8A4h; DATA XREF: start + E? R
Dhe hi hi, just look up ', we have two hexadecimal values that when converted to decimal are the same ones we had used us for Random1 random2 and, if we really do not understand the Boeotians, and yet we use the algorithm of a function that I love more? what? one that allows us to rename the instructions, once on clickiamo DATA_40205E and press "N", write in the box "Random1" clickiamo DATA_402062 and then do the same thing only with "random2", we return to the piece the previous code by pressing esc and see a little 'surprise:
CODE: 00401009 mov eax, ds: Random1
CODE: 0040100E mul ds: random2
CODE: 00401014 eax inc
CODE: 00401015 mov ds: Random1, eax
let us now make a good thing, IDA selected these four lines with the mouse (click on the first line and go down to the fourth), then click on "File" then "Make output file" and again "asm Produces files .. . " Save the file with any name and go to open it with notepad, remove all the "ds", remember also that IDA has made us see that Random1 and random2 were the doubleword containing the values 3109h and 8a4h .... and here is the result:
Random1 dd 12553; this add him to you, 12553 and 2212 are the hexadecimal values
Random2 dd 2212; covertiti in decimal
mov eax, Random1
multi random2
inc eax
Random1 mov, eax
here for you guys tried the same algorithm that is identical to that of our source. We found out how to "read" a disasemblato, learn now how Patcha. IDA gives us a chance? To change the bytes of an executable program and produce a "patched" but as you can see it runs in a DOS shell and also for this reason can not? Create executable in DOS format, therefore we can not patch but we have just seen the program create a specially designed to run under DOS, here's the assembly code:
; To compile the source? Must have TASM 5.0 available on the
; My site: http://quequero.cjb.net tools section
;
; Here are instructions for compiling, just write them in a DOS prompt
; As TASM
; TLINK example
.286
. Small model
. Stack 100h
. DATE
String db 'Bravo I have successfully patched!', 0Dh, 0Ah, '$'
. CODE
start:
mov ax, @ data; Set the segment register
mov ds, ax
mov es, ax
xor ax, ax; Reset AX
cmp ax, 1; See if? equal to 1?!
je exact;? same? Show the string otherwise close the program
mov ah, 4ch; Function 'Close'
int 21h
exact:
mov dx, offset string
mov ah, 09h; visualize the string
int 21h
end start
This does nothing but clear programmillo Ax, check to see if? Equal to 1 and display a string if there? the problem? that if we reset Ax, will not be able? never be equal to one and then the program is shut? always, here is why? we bisono of patcharlo. IDA Open, select this file and disassembliamolo, the ways that we put what are essentially two? change the instruction "cmp ax, 1" so that it becomes "cmp ax, 0" or force the "exact h" making it "jmp exact", however, we'll examine both. We make a click on Education "cmp ax, 1", click the top menu "edit" and then "patch program" then we must choose whether to change a byte, word, or assemble the instruction in this case we choose "Assemble ... " and write in the box "cmp ax, 0", the program now? patched, but we also see the other method, clickiamo of "je exact" go in the menu above, clichiamo of change byte and write ...... what to write? Bh? Simple, we have to change a conditional jump into unconditional one, we know that all jumps have not put the short form "EB XX" then we should not do is replace the bytes "74 04" to "EB 04" and the game ? fact, at this point go to the menu "File" then "Make output file" and then "produces exe" file, save it with any name and click on it, you see the string? Well then you've patched as God commands.
I will not dwell further on this issue since? Very easy to patch a program, but you do not, however, ever since, IDA programs for dos there were very few. Let's look at the issue more? Important than what the IDA? how to make a compilable source from disassembled. First time not giving you the code but the disassembled so you can learn how to reconstruct a source, the code that I wrote I'll give? At the end, I wanted a program from reversare winzoz but I have not found anyone small enough to begin , were then the only small-size N, but here is the file dismembered
; File Name: C: \ TASM \ prog \ wind.EXE
; Format: Portable executable (PE)
, Section 1. (Virtual address 00001000)
; Virtual size: 00001000 (4096.)
; Section size in file: 00000200 (512.)
; Offset to raw data for section: 00000600
; 60000020 Flags: Readable Text Executable
; Alignment: 16 bytes?
p386n
model flat
;
; Segment type: Pure code
CODE segment para public 'CODE' use32
assume cs: CODE
assumes es: nothing, ss: nothing ds: nothing, fs: nothing, gs: nothing
;
; S u b r o u t i n e
public start
start proc near; CODE XREF: start +30? +45 j start? j
push 23h
push offset str-> Example 2 - Coded
push offset str-> CiauzCliccaSuUn
Push 0
call j_MessageBoxA
cmp eax, 6
jz short CODE_401032
cmp eax, 2
jz short CODE_401047
push 20h
push offset str-> Example 2 - Coded
push offset str-> HaiSceltoNo
Push 0
call j_MessageBoxA
jmp short start
CODE_401032:; CODE XREF: start +16? J
push 20h
push offset str-> Example 2 - Coded
push offset str-> BravoHaiSceltoO
Push 0
call j_MessageBoxA
jmp short start
CODE_401047:; CODE XREF: start +1 B? J
Call +5 U.S. dollars
jmp ds: ExitProcess
start endp
;
; S u b r o u t i n e
j_MessageBoxA proc near; CODE XREF: start + E? p +2 B start? p +40 start? p
jmp ds: MessageBoxA
j_MessageBoxA endp
align 200h
db 0E00h dup (?)
CODE ends
; Section 2. (Virtual address 00002000)
; Virtual size: 00001000 (4096.)
; Section size in file: 00000200 (512.)
; Offset to raw data for section: 00000800
; C0000040 Flags: Readable Writable Data
; Alignment: 16 bytes?
;
; Segment type: Pure date
DATA segment para public 'DATA' use32
assume cs: DATE
str-> Example 2 - Coded db 'Sample 2 - Coded by Quequero', 0, DATA XREF: start +2? or
; Start +1 F? +34 Or start? Or
str-> db CiauzCliccaSuUn 'Ciauz! Click on a button ', 0, DATA XREF: start +7? Or
str-> db BravoHaiSceltoO 'Bravo you chose YES!', 0, DATA XREF: start +39? or
str-> db HaiSceltoAnnull 'You chose undo!', 0
str-> db HaiSceltoTermin 'You have chosen ends', 0
str-> db HaiSceltoNo 'You chose No!', 0, DATA XREF: start +24? or
align 1000h
DATE ends
;
; Imports from KERNEL32.dll
;
; Section 3. (Virtual address 00003000)
; Virtual size: 00001000 (4096.)
; Section size in file: 00000200 (512.)
; Offset to raw data for section: 00000A00
; C0000040 Flags: Readable Writable Data
; Alignment: 16 bytes?
;
; Segment type: Externs
; _idata
extrn ExitProcess: dword; DATA XREF: start +4 C? r
;
; From USER32.dll Imports
;
extrn MessageBoxA: dword; DATA XREF: j_MessageBoxA? r
end start
Well well, the code I wrote it and not? Difficult I would say that conversion? Rather immediate, however, I recommend learning about a moment disassembled up here before you did .....? Ok let's see 'to rename some function, look at the code and I'll explain:
push 23h
push offset str-> Example 2 - Coded
push offset str-> CiauzCliccaSuUn
Push 0
call j_MessageBoxA
As you can see these 5 lines are nothing more than the routine generation of a messagebox, the structure? This:
MessageBox (
UType UINT / / messagebox style (buttons and icons)
LpCaption LPCTSTR, / / offset of the title of the message box
LpText LPCTSTR, / / offset of the text of the messagebox
HWND hWnd, / / window handle (NULL if? Absent)
);
in assembly this feature would most? or not these features:
push MB_OK OR MB_ICONQUESTION
push offset TITLE
push offset TEXT
push NULL, NULL if we do not have a parent window
call MessageBoxA
well well, but 23h cos'? Then the file windows.inc suggests these things:
MB_OK = 0000H
MB_OKCANCEL = 0001H
MB_ABORTRETRYIGNORE = 0002H
MB_YESNOCANCEL = 0003h
MB_YESNO = 0004H
MB_RETRYCANCEL = 0005H
MB_ICONHAND = 0010H
MB_ICONQUESTION = 0020H
MB_ICONEXCLAMATION = 0030H
MB_ICONASTERISK = 0040h
reveals that a simple addition 23h? 0020H +0003 h equal to what? MB_ICONQUESTION + MB_YESNOCANCEL there? means that the programmer (me) in the first row has used these parameters:
push MB_YESNOCANCEL OR MB_ICONQUESTION.
Now rename the strings in IDA in order to have something like:
push offset caption
instead of: push offset str-> Example 2 ...
Without it how do you say that you have learned before, at this point we can already? Messagebox rebuild all the routines in your code, rename all the strings like "Caption", "Text", "Text2" etc. ... . We will in this way, the original structure, but lacks one thing, if you look well after each call to a messagebox c '? a "cmp eax,?", what will? ever? Bh? we take our preferred API reference and let's see ..... It tells us that the ID of the key pressed is moved into eax, but how do we know what is the number that is the? Simple, always with our API reference! Here's the table:
IDOK = 1
IDCANCEL = 2
IDABORT = 3
IDRETRY = 4
IDIGNORE = 5
IDYES = 6
IDNO = 7
and thus the note with pleasure that after each call the program Checka EAX to see which button was pressed and open another messagebox, then we end up renaming all of the various jumps and see how? ... became our code:
public start
start proc near; CODE XREF: start +30? +45 j start? j
push or MB_ICONQUESTION MB_YESNOCANCEL
push offset Caption
push offset Message
push NULL
call MessageBoxA
cmp eax, 6
jz short SI_PREMUTO
cmp eax, 2
jz short EXIT
MB_ICONQUESTION push MB_OK or
push offset Caption
push offset No_Premuto
push NULL
call MessageBoxA
jmp short start
SI_PREMUTO; CODE XREF: start +16? J
MB_ICONQUESTION push MB_OK or
push offset Caption
push offset Message
push NULL
call MessageBoxA
jmp short start
QUIT:; CODE XREF: start +1 B? J
call ExitProcess
start endp
Very good! I'd like to give? Even advice, to tell the truth not easy to remember by heart all the ID and IDA to facilitate our work provides us with the "comments", comments are nothing more than notes on board line that puts IDA or that we put it, there are two types: recurring and non, the difference lies in the fact that if we jump on a repeatable comments like "This quits the program" IDA posizioner? the same sentence that the arrival of jumps, while if a comment is not repeatable it does not, to insert a comment just click on the repeated line that interests us and press; (is a semicolon) but if we want to insert a non-repeatable dobbiano then press: (colon) and then write in the box, we know all hours of the program, we are left only to go to read all the various strings that can be found in time and merge them done .... here's the code:
.386 P
. Model flat, stdcall
Extrn ExitProcess: PROC
Extrn MessageBoxA: PROC
INCLUDES windows.inc
. DATE
null equ 0
Caption db 'Sample 2 - Coded by Quequero', 0
Message db 'Ciauz! Click on a button ', 0
Message1 db 'Bravo occhei've chosen!', 0
Message2 db 'You chose undo!', 0
Message3 db 'You have chosen ends', 0
Messaggio4 db 'You chose No!', 0
. Code
start:
push or MB_YESNOCANCEL MB_ICONQUESTION
push offset Caption
push offset Message
push NULL
call MessageBoxA
cmp eax, 6; YES pressed?
je occhei
cmp eax, 2; CANCEL pressed?
je exit
push MB_OK or MB_ICONQUESTION
push offset Caption
push offset Messaggio4
push NULL
call MessageBoxA
jmp start
occhei:
push MB_OK OR MB_ICONQUESTION
push offset Caption
push offset Message1
push NULL
call MessageBoxA
jmp start
exit:
call ExitProcess
end start
I know that the string "You pressed ends ..." is never used, she is just there to confuse ;))))
Our dear IDA has other qualities "hidden" that are used less and I accinger? To explain. If you go the menu "File" | "Load File" you will see various options and more? Namely:
IDC files ...
Additional binary files ...
IDS file ...
Debug information file ...
FLIRT signature file ...
IDC Files: IDC files are script files that can easily be written by hand to create your own macros
Additional binary files from here we load a binary file and add the additional new information to old tail
IDS file: this is potentially not ever files. IDS sonon those containing all the information on the various functions of the office for IDA winzoz but only during the disassembling
Debug information file: bh? If IDA is a file relating to the DBG file we are disassembling then bother to load it, but if it does not find him so we can charge us
FLIRT signature file: you have this files. SIG PGP? Bh? Nothing to do with 'na stick ;) from these files IDA office functions of the standard model' will help to recognize the standard functions, IDA seeks suitable file on its own but do not always succeed, if we wanted to do by hand would find these files in the GIS, to load or download one just open the "signature" and press Ins to post one and to download one.
Let us explore the menu "Make output file ...", here are the options:
MAP files produced ... Shift-F10
Produces ASM file ... Alt-F10
Produce LST files ...
Produces EXE file ... Ctrl-F10
Produces DIF file ...
Dump database to IDC files ...
? Time to get to know them, hehehehe start.
Produces MAP files: IDA write? A file with all the information about the segments and the names sorted according to their values
Produces ASM files: gi? Met, however, produces a file. Asm asm containing the text we selected,? Very useful when creating keygenerator
Produce LST files: IDA writes a file with the current disassembled or with a piece of code we selected
EXE files produced: as already? Said recreates the executable if it had changed (only works with DOS files)
Produces DIF files: This function creates a file if I am in full text in which they recorded the original values and those that have been changed, the guidance says that the file would assume these features:
comment
nome_del_file
Offset: vecchio_valore new_value
Dump database to IDC files: This option saves the IDA database into a text file.
The menu "IDC command ..." allows us to charge a small script written specifically for IDA, the list? so long that if you need to open the menu and press F1 to vedervela ;))))
Sorry but I am starting to feel the first symptoms of fatigue, in fact I am writing 4 hours ...... Not to mention those of the previous day of course ;))
The remaining I sebrano unnecessary, we pass to the next menu, what? "Edit", a menu full of options, damn, that's what presents itself before our eyes when opened:
Code
Date
ASCII
Array ...
Undefine
Rename ...
Operand type
Comments
Segments
Structs
Enums
Functions
Patch program
Other
C'mon babe let's go explain ....... Code: very nice option for you to convert the bytes into instructions marked by IDA unexplored cone, then this statement will more often? More? You need to reach your more? obscure purposes, here I present to you a practical example of this command would otherwise be a bit 'dark.
Pu? Happen (indeed, it always happens with executable dos :) that IDA does not recognize the first shot of usable bytes of code with instructions that are important, this could happen with programs without a specified entry point or if the IDA did not find a particular path of execution , in which case the code that we would be of this type (example taken from a disasm crackme
seg000: 0100 start:
seg000: 0100 jmp short seg000_15B
seg000: 0102 nop
seg000: 0103 or ax, 610Ah
seg000: 0106 db 6Ah j
seg000: 0107 db 61H; to
seg000: 0108 db 78h; x
seg000: 0109 db 20h;
seg000: 010A db 66h; f
seg000: 010B db 88h;?
seg000: 010C db 74H; t
seg000: 010D db 65h; and
seg000: 010E db 20h;
seg000: 010F db 64h; d
seg000: 0110 db 75h; u
seg000: 0111 db 20h;
seg000: 0112 db 66h; f
seg000: 0113 db 6Ch; the
seg000: 0114 db 65h; and
seg000: 0115 db 75h; u
seg000: 0116 db 72h; r
seg000: 0117 db 20h;
seg000: 0118 db 63h; c
seg000: 0119 db 72h; r
seg000: 011A db 61H; to
seg000: 011B db 63h; c
seg000: 011C db 6Bh; k
seg000: 011d db 6DH; m
seg000: 011E db 65h; and
seg000: 011F db 2Ch;,
seg000: 0120 db 20h;
seg000: 0121 db 31h, 1
seg000: 0122 db 30h; 0
seg000: 0123 db 20h;
seg000: 0124 db 63h; c
seg000: 0125 db 68h; h
seg000: 0126 db 61H; to
seg000: 0127 db 72h; r
seg000: 0128 db 73H; s
seg000: 0129 db 2Ch;,
seg000: 012A db 20h;
seg000: 012B db 6EH; n
seg000: 012C db 6Fh; or
seg000: 012D db 20h;
seg000: 012E db 68h; h
seg000: 012F db 65h; and
seg000: 0130 db 78h; x
seg000: 0131 db 65h; and
seg000: 0132 db 64h; d
seg000: 0133 db 69h; the
seg000: 0134 db 74H; t
seg000: 0135 db 6Fh; or
seg000: 0136 db 72h; r
seg000: 0137 db 20h;
seg000: 0138 db 61H; to
seg000: 0139 db 6Ch; the
seg000: 013A db 6Ch; the
seg000: 013B db 6Fh; or
seg000: 013C db 77h; w
seg000: 013D db 65h; and
seg000: 013E db 64h; d
seg000: 013F db 3Ah;:
seg000: 0140 db 20h;
seg000: 0141 db 24h; $
seg000: 0142 db 0Dh;
seg000: 0143 db 0Ah;
seg000: 0144 db 77h; w
seg000: 0145 db 72h; r
seg000: 0146 db 6Fh; or
seg000: 0147 db 6EH; n
seg000: 0148 db 67h; g
seg000: 0149 db 24h; $
seg000: 014A db 0Dh;
seg000: 014B db 0Ah;
seg000: db 0Dh 014C;
seg000: 014D db 0Ah;
seg000: 014E db 72h; r
seg000: 014F db 69h; the
seg000: 0150 db 67h; g
seg000: 0151 db 68h; h
seg000: 0152 db 74H; t
seg000: 0153 db 24h; $
seg000: 0154 db 0Dh;
seg000: 0155 db 0Ah;
seg000: 0156 db 0Ah;
seg000: 0157 db 0;
seg000: 0158 db 0;
seg000: 0159 db 0;
seg000: 015A db 0;
seg000: 015B seg000_15B:
seg000: 015B mov ah, 9
At this point you're probably chidendo: "Miiiii but it's stuff that 梃 梃 梃 梃?!", already? fact I even asked me if we see that look better? more than an ASCII string, but why? then IDA I did not put in its characteristic shape? Why do not you understand which has the least of us ;)))) to help you understand better we can do that, select with the mouse over this length of seg000: 0106 to seg000: 015A, at this point press "C" .. . et voil? here's our ASCII string into a form more? "human"
seg000: 0106 str-> db JaxFiteDuFleurC 'jax f 阾 and fleur du crackme, 10 chars, no hexeditor allowed: $'
seg000: 0106 db '$ wrong', 0Dh, 0Ah
seg000: 0106 db 0Dh, 0Ah
seg000: 0106 db '$ right', 0Dh, 0Ah
seg000: 0106 db 0Ah, 0
seg000: 0158 db 3 dup (0)
and this helps us greatly to understand the code, bh? if it gives us a hand in the event of an ASCII string than we can imagine? help in case of a little 'code, if you had not figured this option is mostly used to convert misinterpreted the code. To recognize these pieces a little '"mad" that we can avail ourselves of the aid from the IDA with the colors, in fact, her brand of white on black background of these pieces address the what?
seg000: 014F db 69h; the
seg000: 0150 db 67h; g
seg000: 0151 db 68h; h
seg000: 0152 db 74H; t
seg000: 0153 db 24h; $
apart from the jokes before,? absolutely normal that confuses the code that receives the IDA, to help in its mission can disable the option "Make final analysis pass" which is located in the menu "Kernel options analysis", can? still be useful off in the same panel the option "coagulated Data Segments", if you happen marked a completely white does not mean that IDA does not know which has the 'na stick but it means? Statto encrypted / packato, in which case you should unzip the program, or, as good as you are reverser, reversare the encryption algorithm and create a small decode secret in IDA C.
Date: bell'opzione this also serves to convert the bytes into unexplored data conversions that applies here:
db -> DW -> dd -> float -> dq -> double -> dt -> packreal - \
^ |
\ ---------------- <---------------- <--------------- - <---------------- /
Basically converts a byte in a word, if you reapply it in a coneverte doublword and thus the following, if a file does not support that type of data, then skips to the next step
ASCII: This is used to convert bytes to strings unexplored
Array: allows us to declare the size of an array
Undefine: select text, click undefine and like magic all selected bytes will be converted to wilderness, you may be asking: "But I need to convetire explored a number of bytes?". I can assure you that I can? Serve and how, for example IDA sometimes exchanged with other types of instruction bytes and then presents them incorrectly, see for yourself:
seg000: 0157 db 20202020h;
seg000: 0158 db 20202020h;
seg000: 20202020h 0159 db;
you know what? success? You should know that 20h is equivalent to an ASCII space character, then the IDA has made the mistake of defining a possible ASCII string as 3 doubleword, how to fix it? Simple, we have to do is convert that data into ASCII characters, it would be necessary to select the three db and press "A" but we can not do that because the IDA does not consider those bytes with remote or unexplored but has them already? Marked db , we can fix the problem by selecting the three doubleword with the mouse, by pressing "U" for Undefinirle and then "A" to tell them that IDA should consider as ASCII characters, the error does not happen that I showed you the most? from version 3.82 to ? this was an example so you understand the function of this command, you will often have to use it in fact.
Rename: we have already? Used this function but we have sub-options are available, namely:
Include in list names: IDA has a range of predefined names and these are:
sub_ instruction, subroutine start
locret_ 'return' instruction
loc_ instruction
off_ date, contains offset value
seg_ date, contains segment address value
asc_ date, ascii string
byte_ date, bytes (or array of bytes)
word_ date, 16-bit (or array of words)
dword_ date, 32-bit (or array of dwords)
qword_ date, 64-bit (or array of qwords)
flt_ floating point data, 32-bit (or array of floats)
dbl_ floating point data, 64-bit (or array of doubles)
tbyte_ floating point data, 80-bit (or array of Tbytes)
stru_ structure (or array of structures)
algn_ alignment directive
unk_ unexplored bytes
Enabling this option as part of IDA in the list that is up here.
Public name: we can declare a public name, if the file supports the directive "public" then the name will be? Used by IDA will be otherwise? Shown only as a comment.
Autogenerated name: name of self-generated by the program, you appear a brownish color disappears and only if "undefiniamo" the bytes of that name
Weak name: same as public name, if the program supports the directive "weak" then the IDA user? Otherwise the names will be? Shown as a comment
Create name anyway: if for some masochistic reason we wanted to create a name in spite of it there is an identical checkare then we should allow this option for the poor IDA to add a suffix to the name pre-existing
Operand types: damn load opzioncine another menu, it elencher? Only the most? Incomprehensible:
Convert to number
Convert to hex number
Convert to decimal number
Convert to binary number
Convert octal number to
Convert to character
Mark as variable
Convert to segment
Convert to offset (DS)
Convert to offset (CS)
Convert any segment offset by
Convert offset by any user-specified base
Convert to struct offset
Convert to enum
Convert to stack variable
Change sign of operand
User-defined operand
Mark as variable <"Mark as variable #"> This option unmarka marka and the bytes selected as variables, the variables will recognize why? Begin with an asterisk "*"
Convert to offset (DS): This command converts an operand of an instruction at an offset from the current data segment (DS) Current
Convert any segment offset by: same as above except that converts an operand in an offset of any segment
Convert to struct offset: HIS command converts an operand of an instruction in a current offset within a specified structure
Then we have the "Structs" which serves to create and change structures, if you do not know what a property will do the usual example, then here is a structure in C (? An example and does not work only serves to make you understand
# Include
struct client {
char code;
Long id;
char name [32];
client * next;
};
void main (client * ptr) {
while (ptr! = NULL) {
printf ("ID:% 4LD Name:%-32s \ n", ptr-> id, ptr-> name);
ptr = ptr-> next;
}
}
a structure not? nothing but a variable that can hold more? data types, for example, if you're making a shooter and features you need to give a monster a few pictures so you could create a structure like this:
struct {Monster
char name [20];
int force;
Long bullets;
};
as defined in the comfort is the name of the monster, the strength and number of bullets that goes with it, as you can see we have added three data types (char, int and long) in a single variable, we could then adjust to taste like data during the game by simply calling this structure (see example above. Now that you know cos'? a structure you can easily guess at the convenience? for? you have a question like, "But what I want to know what are they and what are the structures? ". the facilities you need to know why? programmers make an immoderate use in their programmilli cursed, and there we find them in disasm each time, the problem would not have place if IDA had recreated themselves but, since not ago, we as usual to help us (even if it serves no purpose except to create a structure for our convenience?. Suppose we have dismantled a program that uses the facilities and the sources of which we possess, we look at it thoroughly and note that in the snippet of code where there should be central "monster" c '? just a bunch of confusing numbers ..... Do not worry, we click the menu "View | Structures" and begin to manually rebuild the structure in our source, in the window where we press "Ins" and write the name of our structure what? Monster, then press "D" to create a structure member and call it as the first member of the same source of our what? name, click with the mouse a new member to the line below and insert the other two members, once you finished something like this:
0000 Monster struc
0000 db name?
Force 0001 db?
0002 Projectiles db?
0003 Monster ends
you notice something? I think so, we made two mistakes, the first? That the State "Name" we can not define it as bytes in the source since it was defined as an array (char name [20]) we must transform "db?" in an array, to do it? simply click once on the line of the member that we are interested in and then press "A", will appear there? a while? in which we now sending prompted for the size of this array, and so enter 20? We solved the first error, the second you see too? I think so, if you take a look at the source you will see that the member was defined as long bullets (bullets long;), so in this case we must change "db?" in "dd?" Click to get it as usual on the line you want and press "D", thus "db?" will become? first "dw?" and then "dd?". We have now created the structure, but as the insert in disasm? Simple, close the window we were using, we click in the code point that interests us and go the menu "Edit | Operand types | Struct offset ...", or more? Just press "T" ;)))) and tad 噜噜 like magic if you placed it at the right time the disasm Muter? becoming a little bit 'more? readable, you basically changes like these:
first: push dword ptr [esi +1]
after: push dword ptr [esi + Mostro.Name +1]
Before concluding I would like to explain a digression on the meaning of education PTR, if you have never programmed in assembly, disassembly or debbuggato something then you have probably seen statements like these:
mov eax, dword ptr [00454898]
mov byte ptr [esi], 0
mov word ptr [something], ebx
mov word ptr something, ebx
mov ecx, word ptr [esi +71]
mov [ebp +00402588], byte ptr 95h
mov cl, byte ptr [eax]
All these instructions have one thing in common what? education PTR, but have you ever wondered what it means? Bh? If you did and you did not find an answer here is that I give you the solution, Intel will make available three reserved words for what? Byte PTR, PTR Word, Dword PTR, well, these mean, respectively: Pointer to a byte, a word to PoinTeR, PoinTeR to a doubleword, what? Pointer to a byte, a word, a doubleword and MUST be used when we Using a pointer to a constant, to explain? the concept of pointers: then do an example:
string db "+ Disease? great", 0
mov eax, 12345678h
mov eax, offset string
What c '? different between these two statements? Most will tell you? I, the first instruction moves the value 12345678h EAX, so if the window of a debugger ;) If we look at the EAX register, or write? "Eax" We now sending printed something like: 12345678 0305419896 "? Vx "There? means that the value 12345678h CONTAINS eax, the second statement instead, eax points to a string, what does tip? It means that if we write? "Eax" will not see the text string bens? A number like this: 00404F95 Mmmmm ..... but then where is the string??? Bh? The string as we said no? CONTAINED in eax but eax is offset by BET 00404F95, so if we want to see we have to do is write in the debugger "d eax" or go to comb through with the same command at that 'offset. But if instead of pointing to the string you want to move into eax eax how should I do? Simple, we must now make use of education PTR, in fact we could not write "mov eax, string" why? Would receive error, we for? Write: "mov eax, DWORD PTR string", so we move into eax a doubleword (4 bytes) and by checking the contents of eax with "? eax" we would see the letters: "+ mal" No .... no? exactly, to the way we would see our processors work written "+ lam" .... on the contrary, in practice ........ hahahahahahahaha Hahahahahahahahahahahaha Lama + + + Blade hahahahahahahahahaha .... This disease does not pardon me? ever (+ hei But I swear I had not done on purpose) for he makes me laugh hahahahahahahahaha (+ hei But think how you entertain? Xoanon time for him to say? hahahahah :) vabb? back to us, as we said eax will contain? this because only 4 letters? eax? big 4 bytes, when the processors are 64-bits would the records of 8 bytes :), but if we wanted to move into eax only one byte of the string we should write "mov eax, byte ptr string". The reason for which you use pointers? Just because? We could not even wanting to move to a record 200 words ...... If you are good guys now you should ask yourself: "What if I wanted to move the value in eax pointing another register how could I do? "... Bh? if you say that you can do so? "Mov ebx, eax" then you are mistaken for? You can write this: "mov ebx, [eax]" or "mov ebx, dword ptr [eax]," respectively mean: move in the value pointed to by eax ebx, whatever it be of any size and finch? not fill ebx, and the other, moving in the first dword ebx (so the first 4 bytes) pointed to by eax, we? means that in both cases we would have the same result, what? ebx containing "lam +" for? the first statement? more? fast. Let me give another example of using PTR education and then I explain the use of the instruction "lea".
.386 P
. Model flat, stdcall
extrn ExitProcess: Proc
. Date
string db 2Bh, 6DH, 61H, 6CH, 61H, 74H, 74H, 69H, 61H; these numbers mean in ASCII
; + Disease
. Code
start:
xor ecx, ecx
continues: mov al, byte ptr ecx + string
inc ecx
cmp ecx, 9
jne continues
call ExitProcess
end start
You know what the programmillo above? Reset ecx, and begins an account from scratch each time a byte of the charge in our string, as you can see the exact copy of a byte (byte ptr) + ecx string, so '? + Ecx that? If you look up the string you notice that I have subdivided each letter, then if you look at the program also note that with each loop incrisa ecx, then the third will contain the loop? String +3, what? 61H, capitooooooo ... If not reread this ... ;) If I had wanted to move two points in ax for each loop I had to change education in this way: mov ax, byte ptr ecx + string, but if we had wanted to move a whole doubleword then I had to write : mov eax, dword ptr ecx + string .... bh? enough about PTR, he understood my brother, I do not understand you!! ;))))))
To load a pointer in a register can also use the LEA instruction (Load Effective Address) that works like this:
"Lea eax, string," if we had used instead of lea mov compiler error but would have given us so? Because he does not? "Lea eax, string" means: charge in eax the offset of the string, the result obtained using lea and mov? but equal? got two speeds? executing very different, the first fact? much more? fast as the offset constant gi? known assembler, while the second is more? pianino ;)) for those do not know the majority of high-level compilers (read: microsoft visual c + +) replace all the instructions like "mov reg, offset xxx" with "lea reg, xxx" slowing down the execution significantly. I think I have clarified the use and function
"Enums" from here we can define an enum type, in all languages often make use of enumerations of some kind, here is an example of a list in C:
enum {Calore_t
LAMP, / * Things hot * /
SUN,
ICE, / * send * cool /
HAIL
};
enum {stagione_t Spring, Summer, Fall, Winter};
bool_t enum {FALSE, TRUE};
int 萠 una_bella_giornata (Calore_t hot season stagione_t) {
if ((Spring season == | | == Summer season) && hot LAMP == | | == hot SUN) return TRUE;
if ((Winter season == | | == Autumn season) && hot ICE == | | == HAIL hot) return TRUE;
return FALSE;
}
During disasm would be displayed on the screen of numbers and not names like "Sun, Summer, ice" then clearly it would be better for us to see written "Sun, Summer, ice" instead of 1,2,3, etc .... Go then in the menu "Options | Enumarations", will appear? a window very similar to that of the first in which you must recreate the enumeration, how? Press the "ins" and created the first thing the boolean values "False / True", then type "Boolean Value" and press enter, to enter a member in this listing go to the bottom line with the mouse and press Ctrl + N, write "False" and left as the value 0, go back on the last line and type "True" by giving 1 as a value, then created another enumeration and chimatela Heat, and thus the way up to having something like this:
? 0000000; enum Boolean_Value
? 0000000 False = 0; value True / False
? 1 0000001 = True
? 0000000; enum Season
? 0000000 Summer = 0; Seasons
? = 1 Fall 0000001
? = 0000002 Spring 2
? 0000003 Winter = 3
? 0000000; enum Heat
? 0000000 Lamp = 0; Things hot and cold things
? 0000001 Sun = 1
? Ice 0000002 = 2
? Hail 0000003 = 3
from now on baby food? always the same, find the point where you want to apply the enumeration, we clicked with the mouse, open the menu "Edit | Operand types | Enum member ..." or press "M", and placed where you need it ;)))
"Functions" from here we can add and edit the various functions, illustrate the operation there in that? Something too intuitive
"Patch program" already? Explained above
"Other" and submenus:
(Re) name any address ...: guess what '? FROM here can name / rename / delete an address
Variable: Same as "Mark as Variable"
Jump table ...: If we find an indirect jump from a table we can notify IDA of the size and address of this table so it can continue its analysis example code for converting all those addresses refer to that table
Alignment ...: This command creates an alignment directive, this directive rimpiazzer? Unnecessary number of bytes inserted by the linker to align the program code and data in a paragraph, we can try to select an area you wish to convert prover and IDA? to locate a correct alignment
Instruction manual ...: This command allows us to specify the representation of an instruction or a data element in a program
Hide / show items: This command allows you to hide and show a statement or a given
Hide / show border: If enabled hides the thin edge created by IDA to divide the instructions from the data
Menu "Browse" will explain this? Very few features the most? Less useful and understandable as usual.
Navigation stack empty: empty stack navigation using IDA
Jump to ... | Problem ...: jump to the first function that IDA states affected by problems which are:
Can not find offsets based
Can not find name
Can not find an alternative string for operand
Can not find comment
Can not find references
Indirect execution flow
Can not disassemble
Already date or code
Execution flows beyond limits
Too many lines
Attention! Probably erroneous situation
Decision to convert to instruction / data is made by IDA
Search for | next void: the void are the instructions to which we must be careful since the IDA is not? Able to recognize if it is Offser or numbers, with this command them to go look to see if we can solve the problem
Search for | text ....: let the text such as a string like "you're an asshole you were wrong password"
Search for | text in core ....: the same as above only much more? Fast
Search for | not function: look for the first byte that does not seem to function
"View" menu also will explain this? Functions pi? Important:
View | Functions: shows all functions called by the program
View | Enumeratios: This command opens the "enum" from which we can change, add, edit and enumerations.
Oki and these s? Gone now missing the menu more? Long so if you're tired of reading go to rest and continue tomorrow morning.
Options:
Text representation ...
Cross references ...
Assembler Directives ...
Name representation ...
Demangled names ...
ASCII strings style ...
ASCII strings options ...
Colors ...
Dump / normal view
Setup data types
Processor type ...
Target assembler ...
Analysis options ...
Search direction
Then allorino continuaiamo this tedious sitting talking of the "options" true regarding the configuration of the program, this step would jump gladly happy to fly to the conclusion, but "through the floor into a force that I too know how to explain" (by Yale? Keeps me on this chair to write a tutorial that most likely will be useless? read by tens of people .., (((
'Nuff said: ... Text representation: to say the least convoluted menu that presents a myriad of small opzioncine that we will now examine.
Line prefixes: we'll see if we disable the addresses before disappearing bytes
Number of opcode bytes: the opcode are the hexadecimal code for each instruction, IDA default it is 6 and if it requires more education? Then adds a "+" at the end (c '? Well fall rhyme ;)
Use segment names: enables or disables the nomenclature of the segments so? If enabled will see "Segment: 3200" instead of "3000:3200"
Segment addresses: if? Enabled to see the segment in front of an address: "segment: 3000" rather than "3000", this is not that I keep it disabled brothel
Display 'void' marks: brings up the signs of recognition before "void"
Display empty lines: if enabled brings up empty lines by decreasing the usable space on monitor
Display Borders Between the date / code: if disabled dispels the dividing line between the data and the segments
Display Instructions <BAD> bad marks: all processors have their nice features that are not documented and when one of these passes under the disasm the program says "ki kazzo and you are you?", IDA? Very sensitive from this point of view and if is a function that does not know tries to identify it but if it fails the Marchia with such ferocity as a German to a poor jew and a nice red tattoo writes sopa <BAD>
Use tabulations output: with this option disables the well-known IDA-stop tab (0x09) in its output file
These seem intuitive:
Display comments
Display repeatable comments
Car Display comments
Instructions indention: literally, spacing instructions, set this value to 2-3
Comments indention: who will? Ever??? ;)))
void's low limit: see below
void's high limit, these two values are very important in that state if an instruction? or not a "void," an object? said "void" if it has an immediate value as an operand or part of an operand and the immediate value? among those that we define in the box "low limit" and "high limit"? that the importance of the two boxes
"Cross references" here are the choices that we make available to this menu:
Display segments in xrefs here is the difference between enabled and disabled:
; CODE REF: 3000:1025 - enabled
; CODE REF: 1025 - disabled
Display type mark xref: who knows? Perhaps the xref marka
Display function offsets: bho! We will show? Offsets work? ;)))
Display xref values: on this then I do not know what to tell you, perhaps shows the values of xref ;)))
Right margin: interpretation difficult option can? Be that you measure the right margin, but who knows? The ways of the Lord are endless ;))))
Cross reference depth: this one instead? A little 'more? Serious and not to confuse you carry the example of leadership, the author supposed to have an array
A db 100 dup (0)
if some instructions are for 5-th element of the array:
mov al, A +5
with TD = 3 there are shown xrefs
with TD = 10 will be displayed instead
Number of xrefs to display: the function? Obvious, to lift up? A bit '
"Assembler Directives ...": Another small menu
ASSUME Directives: This option enables or disables the generation of some direttve such as "assume" and "origin", can leave it enabled? Be useful in reconstructing the source
. ORG Directives: the same thing as before except that? Valid for. Com
"Name ... representation": not much to say, here we are asked how they call the various segments and I think the default is the best, the other 4 options regarding the types of names will not be analyzed because the I have already? explained before
"Demangled names ..." IDA can? Replace the mangled names (the guide says its hei = mangled mangled) from C + + compilers in this menu and asks us how to do it, whether by way of comment, in the name or slaughtered ;)), the setup of names long and short leave it to you since? easy
"ASCII strings style ...": In this menu we can define the style of the strings and we can also define one when we need, here there '? Else to explain
"ASCII strings options ..." ahhhhhh! One of the menu that I do enjoy most? Aahhhhhhhh, I look like Homer ;) here's what we do:
Generate names: we want the ASCII strings? Then abilitiamola ;)
Names prefix: change the bloody string and put other's qualco
Mark as autogenerated: it marks the string as a self-generated
Serial number: it generates the exact serial ANY password-protected program, it also gets the pass for. Zip and. rar protected ;)))) hahahahaha
Serial width: asks you how long you want the serial for the program ;))))))))))
ASCII char next line: this? Great it makes you choose the word that you want to encode in the serial ;)))))) porka Vakka what I'm fucked up ;))))
"Colors ...": choose the palette you want to use but vaaaaaaaaaaaa ;)))))))
"Dump / normal view" lets you choose between the view that as a hex editor and disassembler as
"Setup data types": asks you what kind of data you want to use the command MakeData
Oki menus are gone, and I hope you did understand the workings of the IDA, see you soon
Quequero
Home Page: http://quequero.cjb.net
E-mail. UIC@mail.usa.com
P. S.
Ahhhhhhhhhh, in this latest release the document? Become 43 Kbytes more? Heavy and even today I have lost my good 4 hours to finish it, it will continue? To update this tutorial soon will become? A book and do? Publish ;) )))))))))) jokes aside I must tell you that we have to write it tuttto I just did my ass ;)))))))))) ciauuuuuuzzzzzzzz the next release that, given the weather will not be? then trope far ;))) ciauz Quequero
|
|
|---|---|
