A Look at the IDA Disassembly Tool

zhaozj 2021-02-17

Anyone who has read The Smiling, Proud Wanderer (笑傲江湖) knows the Star-Absorbing Great Method (吸星大法), a skill that grows by absorbing what others have (Duan Yu's Beiming Divine Skill works the same way, but I digress). For programmers, a good way to grow is to read the source code of programs written by other people, so that their techniques become your own knowledge. Isn't that very much like the Star-Absorbing Great Method? Open-source programs are a minority, though; most programs ship only as executables and related files. If we want to see the code of such a program, the only option is to disassemble it. That does require some grounding in assembly language, but a good disassembler is a great help in reading a disassembled program. Anyone familiar with disassembly knows W32Dasm, the famous disassembler. For example, here is what W32Dasm produces at a program's entry point:

    //********************************************************
    :00401000 6A00          push 00000000
    :00401002 E8FF050000    call 00401606
    :00401007 A316304000    mov [00403016], eax
    :0040100C E8EF050000    call 00401600
    :00401011 A30E304000    mov [0040300E], eax
    :00401016 6A0A          push 0000000A
    :00401018 FF350E304000  push dword ptr [0040300E]
    :0040101E 6A00          push 00000000
    ...

Without the surrounding context, and without knowing that this is the program entry point, it is hard to tell what this code does. IDA is different: it not only disassembles the program but also analyses it and adds the corresponding annotations (which is also why IDA takes a very long time to disassemble a large program). Here is the same code as disassembled by IDA:

    .text:00401000 push 0 ; lpModuleName
    .text:00401002 call GetModuleHandleA
    .text:00401007 mov hInstance, eax
    .text:0040100C call GetCommandLineA
    .text:00401011 mov dword_0_40300E, eax
    .text:00401016 push 0Ah
    .text:00401018 push dword_0_40300E
    .text:0040101E push 0
    .text:00401020 push hInstance
    .text:00401026 call sub_0_401031
    .text:0040102B push eax ; uExitCode
    .text:0040102C call ExitProcess

After IDA disassembles a program it generates an .idb file, in which it saves the disassembled code and other related data. We can write our own analysis results and notes directly in IDA, save them, and next time simply open the .idb file. Take the listing above:

    .text:00401000 push 0 ; lpModuleName
    .text:00401002 call GetModuleHandleA
    .text:00401007 mov hInstance, eax

We can see that this is really hInstance = GetModuleHandleA(NULL). We can add a comment right there: right-click on the line .text:00401007, select "Comment" in the pop-up menu, and type the comment into the window that appears. The line then becomes:

    .text:00401007 mov hInstance, eax ; get the current module instance handle

This makes the code much easier to read. IDA can not only add comments to the current code but also change its default symbol names. For example, in .text:00401011 mov dword_0_40300E, eax we can see that dword_0_40300E is the pointer to the command-line buffer that was just obtained (double-clicking a symbol or function name jumps to its definition). Right-click on dword_0_40300E, select "Rename", type lpCommandline in the dialog and click OK. Every place in the program that uses this variable then shows lpCommandline instead of dword_0_40300E, as below:

    .text:00401011 mov lpCommandline, eax
    .text:00401016 push 0Ah
    .text:00401018 push lpCommandline

Now look at .text:00401026 call sub_0_401031. From the code we can tell that this is the call to the WinMain function. Right-click on sub_0_401031, select "Rename" and name the function WinMain. IDA then replaces every sub_0_401031 symbol with WinMain, automatically adds the function definition, and adds the corresponding parameter comments to the pushes that pass the arguments. The disassembled code now looks like this:

    .text:00401000 start proc near
    .text:00401000 push 0 ; lpModuleName
    .text:00401002 call GetModuleHandleA
    .text:00401007 mov hInstance, eax ; get the current module instance handle
    .text:0040100C call GetCommandLineA
    .text:00401011 mov lpCommandline, eax
    .text:00401016 push 0Ah ; nShowCmd
    .text:00401018 push lpCommandline ; lpCmdLine
    .text:0040101E push 0 ; hPrevInstance
    .text:00401020 push hInstance ; hInstance
    .text:00401026 call WinMain
    .text:0040102B push eax ; uExitCode
    .text:0040102C call ExitProcess

Is it all clear now? Once we have worked out, by reading the code, what a subroutine does and what types its incoming parameters have, we can double-click the function name to jump to its definition, right-click on the definition and use "Set Function Type" to edit the function's definition in C syntax; every call to the function then gets the corresponding parameter annotations after the pushes of its arguments. We can also right-click in the blank space after the function definition and add a "Repeatable Comment", which IDA then shows at every place where the function is referenced.

To see where a variable or function is used, right-click on it and choose the operand cross-reference function: the window that opens lists the code that references it, and double-clicking an entry jumps to that code. This is a very useful feature for quickly finding the call relationships between functions and variables.
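The three operations just described (renaming a symbol everywhere it is used, applying a C prototype so that the argument pushes of every call get parameter comments, and listing the cross references to an operand) are plain text transformations on the listing. The following Python script is an added example, not code from the article or from IDA; it models a tiny listing with a parser and implements the same three steps on the entry-point code shown above. The listing text, the Insn record and all function names are this example's own constructions; the only assumption about the calling convention is the one the article relies on, namely that arguments are pushed right to left so the push nearest the call is the first parameter.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input (typed for this example, not captured from IDA):
# the entry-point listing as the article shows it before any renaming.
LISTING = """\
.text:00401000 push 0 ; lpModuleName
.text:00401002 call GetModuleHandleA
.text:00401007 mov hInstance, eax
.text:0040100C call GetCommandLineA
.text:00401011 mov dword_0_40300E, eax
.text:00401016 push 0Ah
.text:00401018 push dword_0_40300E
.text:0040101E push 0
.text:00401020 push hInstance
.text:00401026 call sub_0_401031
.text:0040102B push eax
.text:0040102C call ExitProcess
"""

# One listing line: ".text:ADDR mnemonic operands ; comment"
LINE_RE = re.compile(
    r"^\.text:([0-9A-Fa-f]{8})\s+(\w+)\s*([^;]*?)\s*(?:;\s*(.*))?$")


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: str
    comment: Optional[str] = None

    def text(self) -> str:
        line = f".text:{self.addr:08X} {self.mnem} {self.ops}".rstrip()
        return f"{line} ; {self.comment}" if self.comment else line


def parse(listing: str) -> List[Insn]:
    """Turn listing text into Insn records; rejects lines it cannot read."""
    insns = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised listing line: {raw!r}")
        insns.append(Insn(int(m.group(1), 16), m.group(2), m.group(3), m.group(4)))
    return insns


def rename(insns: List[Insn], old: str, new: str) -> int:
    """Replace symbol `old` with `new` in every operand (the Rename step);
    returns how many instructions were changed."""
    pat = re.compile(rf"\b{re.escape(old)}\b")
    changed = 0
    for i in insns:
        if pat.search(i.ops):
            i.ops = pat.sub(new, i.ops)
            changed += 1
    return changed


def xrefs_to(insns: List[Insn], sym: str) -> List[int]:
    """Addresses of every instruction whose operands reference `sym`
    (the operand cross-reference list)."""
    pat = re.compile(rf"\b{re.escape(sym)}\b")
    return [i.addr for i in insns if pat.search(i.ops)]


def parse_prototype(proto: str) -> Tuple[str, List[str]]:
    """'int WinMain(HINSTANCE hInstance, int nShowCmd)' -> ('WinMain', [...])"""
    m = re.search(r"(\w+)\s*\((.*)\)\s*;?\s*$", proto)
    if not m:
        raise ValueError(f"not a C prototype: {proto!r}")
    params = [p.strip() for p in m.group(2).split(",")]
    names = [p.split()[-1].lstrip("*") for p in params if p and p != "void"]
    return m.group(1), names


def annotate_calls(insns: List[Insn], proto: str) -> int:
    """Apply a C prototype to every call of that function (the Set Function
    Type step). Arguments are pushed right to left, so the push nearest the
    call is the first parameter. Returns the number of calls annotated."""
    name, params = parse_prototype(proto)
    calls = 0
    for idx, insn in enumerate(insns):
        if insn.mnem != "call" or insn.ops != name:
            continue
        k = idx - 1
        for param in params:
            # skip mov/lea that compute the next argument, but never cross
            # another call: its pushes belong to that call, not to this one
            while k >= 0 and insns[k].mnem not in ("push", "call"):
                k -= 1
            if k < 0 or insns[k].mnem == "call":
                break
            insns[k].comment = param
            k -= 1
        calls += 1
    return calls


def render(insns: List[Insn]) -> str:
    return "\n".join(i.text() for i in insns)


if __name__ == "__main__":
    prog = parse(LISTING)
    rename(prog, "dword_0_40300E", "lpCommandline")
    rename(prog, "sub_0_401031", "WinMain")
    annotate_calls(prog, "int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,"
                         " LPSTR lpCmdLine, int nShowCmd)")
    print(render(prog))
    print("xrefs to lpCommandline:", [hex(a) for a in xrefs_to(prog, "lpCommandline")])
```

Running the script reproduces the annotated listing from the article: the four pushes before call WinMain receive nShowCmd, lpCmdLine, hPrevInstance and hInstance in that order, and the cross-reference query for lpCommandline returns 00401011 and 00401018. The check that stops at an intervening call matters when you apply prototypes to real listings, where the pushes of one call can sit right after the pushes of another.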

Press F12 to view the program's flow chart; Ctrl+F12 shows the function call graph.

IDA also has library-signature recognition, which can identify library functions in programs built with common compilers. Take, for example, this code segment from a program compiled with VC6.0:

    .text:00405427 push edx
    .text:00405428 call _swscanf
    .text:0040542D lea eax, [esp+38h+arg_40]
    .text:00405431 push offset unk_0_5DB1A4 ; const wchar_t *
    .text:00405436 push eax ; const wchar_t *
    .text:00405437 call _wcscmp
    .text:0040543C add esp, 1Ch
    .text:0040543F test eax, eax
    .text:00405441 jz short loc_0_405459
    .text:00405443 lea ecx, [esp+24h+arg_40]
    .text:00405447 push offset unk_0_5DB18C ; const wchar_t *
    .text:0040544C push ecx ; const wchar_t *
    .text:0040544D call _wcscmp

IDA has recognised the functions from the MFC class library and replaced them with the corresponding function names. You can also export a .map file from IDA and use it together with dynamic debugging tools such as SoftICE for code analysis.
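The principle behind recognising _swscanf and _wcscmp in an executable that carries no symbols is to compare the leading bytes of each function against a database of signatures taken from the compiler's libraries, with the bytes the linker patches (absolute addresses, relocations) masked out so that one signature matches every build. The script below is an added example of that idea and is not IDA's code or its signature format; the signature byte strings, the code image and the function start addresses are all constructed for this example (they are not the real VC6 runtime bytes), and the sub_ADDR fallback name is just the convention the listings above use.

```python
from typing import Dict, Iterable, List, Optional

# Constructed signatures for this example: leading bytes of a routine, with the
# bytes the linker patches masked as "??".  Not the real CRT bytes.
SIGNATURES: Dict[str, str] = {
    "_wcscmp":  "8B 44 24 04 8B 0D ?? ?? ?? ?? 85 C0 74",
    "_swscanf": "55 8B EC 8D 45 0C 50 FF 75 08 E8 ?? ?? ?? ??",
}

BASE = 0x00405400
# Constructed code image: a library-like routine at 0x405400 whose bytes 6..9
# are an absolute address that changes from build to build, a user routine at
# 0x405410 that only shares a generic prologue, and a second library-like
# routine at 0x405420 ending in a call whose displacement is also patched.
CODE = bytes.fromhex(
    "8B442404" "8B0D44B15D00" "85C0" "7404" "C3" "90"            # 0x405400
    "55" "8BEC" "83EC10" "33C0" "8BE5" "5D" "C3" "90909090"        # 0x405410
    "55" "8BEC" "8D450C" "50" "FF7508" "E8" "11223344" "8BE5" "5D" "C3"  # 0x405420
)
# Function starts as a disassembler would collect them from call targets.
FUNC_STARTS = [0x405400, 0x405410, 0x405420]


def compile_sig(pattern: str) -> List[Optional[int]]:
    """'8B 44 ?? 04' -> [0x8B, 0x44, None, 0x04]; None is a masked byte."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def matches_at(code: bytes, off: int, sig: List[Optional[int]]) -> bool:
    """True when every unmasked signature byte equals the code byte at off+i."""
    if off < 0 or off + len(sig) > len(code):
        return False
    return all(b is None or code[off + i] == b for i, b in enumerate(sig))


def identify(code: bytes, base: int, func_starts: Iterable[int],
             sigs: Dict[str, str]) -> Dict[int, str]:
    """Name each function start.  The longest matching signature wins, because
    a longer prefix is more specific; unmatched functions keep a default
    sub_ADDR name, as in the listings."""
    compiled = sorted(((name, compile_sig(p)) for name, p in sigs.items()),
                      key=lambda kv: -len(kv[1]))
    names: Dict[int, str] = {}
    for start in func_starts:
        off = start - base
        for name, sig in compiled:
            if matches_at(code, off, sig):
                names[start] = name
                break
        else:
            names[start] = f"sub_{start:X}"
    return names


def label_call(target: int, names: Dict[int, str]) -> str:
    """Render a call operand the way the listing shows it once names are known."""
    return "call " + names.get(target, f"sub_{target:X}")


if __name__ == "__main__":
    names = identify(CODE, BASE, FUNC_STARTS, SIGNATURES)
    for addr in FUNC_STARTS:
        print(f"{addr:08X}  {names[addr]}")
    print(label_call(0x405420, names))
```

Two points worth checking with this model. First, because the address bytes are masked, a rebuilt image whose 0x405400 routine references a different global still identifies as _wcscmp. Second, a signature that is too short (say, only the 55 8B EC prologue) matches the user routine as well as the library one, which is exactly the false-positive risk a real signature scheme has to guard against by covering enough bytes of the function body; when a recognised name in a listing looks implausible, that is the first thing to suspect.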

IDA is a very powerful disassembly tool, and this has only covered some basic uses; I hope it serves as a starting point. If you are interested in IDA, you are welcome to discuss it with me, or refer to Duan Gang's book Encryption and Decryption, which explains the use of IDA in much more detail. My email: akunspy@sina.com

When reposting, please cite the original URL: https://www.9cbs.com/read-29851.html
