The IDA Pro Book Hacking Group OVERTIME force (forceteam01@gmail.com)
GETTING STARTED WITH IDA
IDA start dialog
New : disassemble a new file
Go : start IDA with no file loaded
Previous : reopen a recently used database
Loading a file: File -> Open
Processor type : the target processor (for example x86)
Loading Segment and Loading Offset : set when loading a raw binary
Raw ROM / payload files: set Loading segment & Loading offset and answer Yes to the 32-bit prompt; a raw binary has no header, so IDA cannot find an entry point and loads the contents as undefined bytes.
IDA Database Files
An IDA database consists of 4 files:
id0 file : B-tree-style database
id1 file : flags describing each program byte
nam file : index information for named program locations (used by the IDA Names window)
til file : local type definitions
Closing an IDA Database
Don't pack database : leave the 4 files as they are; no IDB is created
Pack database (store) : archive the files into a single IDB without compression
Pack database (deflate) : archive the files into a single IDB with compression
Collect garbage : delete unused pages before packing (garbage collection)
DON'T SAVE the database : discard all changes made to the database
IDA Desktop
1. toolbar area
2. overview navigator (navigation band)
3. tabs
4. disassembly view
5. graph overview
6. message window : IDA output
7. sub windows : Names, Strings and the other sub windows
The IDA DATA DISPLAY
The Disassembly Window (IDA Graph View)
Code is shown as a graph of basic blocks. Zoom with CTRL+Wheel, CTRL-+ / CTRL-- or + / -.
Graph Overview : shows the position of the current view inside the whole graph
Virtual address line prefixes : Options -> General -> Disassembly tab -> Display disassembly line parts -> check Line Prefixes
The Disassembly Window (IDA Text View)
1. Virtual address, shown as [SECTION NAME]:[VIRTUAL ADDRESS]; the arrows window next to it shows conditional and unconditional jumps
2. cross-references : code cross-references are displayed beside the referenced location
The Names Window
F : regular function (an IDA function)
L : Library function (identified by IDA's signature matching algorithms)
I : Imported name (imported function name)
C : Named Code (named program instruction locations, e.g. from the program symbol table)
D : Data (named data locations)
A : ASCII string data (null-terminated ASCII data location)
The Names Window : IDA auto-generated names
sub_xxxxxx : subroutine at address xxxxxx
loc_xxxxxx : code location at address xxxxxx
byte_xxxxxx : 8-bit data at address xxxxxx
word_xxxxxx : 16-bit data at address xxxxxx
dword_xxxxxx : 32-bit data at address xxxxxx
unk_xxxxxx : data of unknown size at address xxxxxx
The Message Window : IDA's output console
The Strings Window : lists the strings found in the binary. Strings Window setup : List Type (the window differs between version 5.1 and 5.2)
The Hex View Window : like the Disassembly, Names, Message and Strings windows, one of the IDA windows. The Hex window and the Disassembly window can be synchronized so that both follow the same position: right-click in the Hex window and choose Synchronize with -> Disassembly window.
The Exports Window : lists the program's entry points and exported functions; IDA starts at the entry point. Columns : Name, Address, Ordinal. Double-click to go to the location in the Disassembly window.
The Imports Window : lists imported functions; double-click to go to the Disassembly window.
* Only functions resolved by the dynamic loader through the import table appear here; symbols loaded at run time with dlopen/dlsym or LoadLibrary/GetProcAddress are not listed.
The Functions Window
Lists the functions (the sub_xxxxxx names of the Names Window). Function flags:
R - function returns to the caller
F - far function
L - library function
S - static function
B - BP based frame. IDA will automatically convert all frame pointer [BP+xxx] operands to stack variables.
T - function has type information
= - Frame pointer is equal to the initial stack pointer. In this case the frame pointer points to the bottom of the frame
The Structures Window : C structures and unions used in the binary
The Enum Window : like the Structures Window, for C enums
The Segments Window : the sections of the binary file, shown as segments
Name : Segment name
Start : start address
End : end address
R : R readable, . not readable, ? unknown
W : W writable, . not writable, ? unknown
X : X executable, . not executable, ? unknown
D : D debugger only, . regular
L : L created by loader, . no
Align : Segment alignment
Base : Segment base selector or address
Type : Segment type
Class : Segment class
AD : Segment addressing width
The Signatures Window : signatures applied by IDA. File : vc32rft, #func : 3
The Type Libraries Window : type libraries loaded by IDA
The Function Call Window : callers and callees of the current function
DISASSEMBLY NAVIGATION
Basic IDA Navigation : Double-Click Navigation
1. .text:00401331 jg short loc_40134e : double-clicking loc_40134e moves IDA to that location.
2. .text:0040134e loc_40134e ; CODE XREF : sub_4012e4+4d^j : IDA displays cross-reference entities next to the location. The cross-reference names the referencing location as sub_4012e4 plus the hexadecimal offset 4D; sub_4012e4 + 0x4D = 00401331, the address of the jg in item 1. Double-clicking the cross-reference moves to 00401331.
3. .data:00409013 dd 404590h : a hexadecimal value that is a valid virtual address can be double-clicked to jump to that address.
Addresses in the IDA message window can be double-clicked in the same way.
Jump to Address dialog : Jump -> Jump to Address (G)
Navigation History
Jump -> Jump to Previous Position (ESC) : repositions to the previous location.
Jump -> Jump to Next Position (CTRL+ENTER)
The toolbar also has forward and backward navigation buttons.
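Added example (not from these slides): a small Python parser for the cross-reference comment in item 2 that resolves the referencing address, so the arithmetic above can be checked. It assumes IDA's auto-generated name convention (sub_/loc_/... carry the address) and accepts the arrow either as IDA's ↑/↓ or as the ^/v rendering used above.

```python
import re

# Matches the annotation IDA prints after a labelled location, e.g.
#   loc_40134e ; CODE XREF: sub_4012e4+4d^j
# IDA shows the arrow as ↑/↓; the slides render ↑ as '^', so both forms are accepted.
XREF_RE = re.compile(
    r"(?P<kind>CODE|DATA) XREF:\s*"
    r"(?P<base>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:(?P<sign>[+-])(?P<off>[0-9A-Fa-f]+))?"
    r"(?P<dir>[\^↑v↓])(?P<type>[A-Za-z])"
)

# Auto-generated names embed their address: sub_4012e4 -> 0x4012e4
AUTO_NAME_RE = re.compile(r"^(?:sub|loc|byte|word|dword|unk|off)_(?P<addr>[0-9A-Fa-f]+)$")

# Reference type letters as IDA prints them after the arrow
XREF_TYPES = {"j": "jump", "p": "call", "r": "read", "w": "write", "o": "offset"}


def auto_name_address(name):
    """Address encoded in an IDA auto-generated name, or None for user names."""
    m = AUTO_NAME_RE.match(name)
    return int(m.group("addr"), 16) if m else None


def parse_xref(comment, symbols=None):
    """Describe the referencing instruction named by an IDA XREF comment.

    symbols: optional {name: address} map for user-named locations
    (constructed by the caller; needed only when the base is not auto-named).
    """
    m = XREF_RE.search(comment)
    if not m:
        raise ValueError("not an IDA xref comment: %r" % comment)
    base = m.group("base")
    base_addr = (symbols or {}).get(base)
    if base_addr is None:
        base_addr = auto_name_address(base)
    if base_addr is None:
        raise KeyError("unknown symbol %s" % base)
    off = int(m.group("off"), 16) if m.group("off") else 0
    if m.group("sign") == "-":
        off = -off
    return {
        "kind": m.group("kind"),
        "base": base,
        "offset": off,
        "from": base_addr + off,          # address of the referencing instruction
        "direction": "up" if m.group("dir") in "^↑" else "down",
        "type": XREF_TYPES.get(m.group("type"), m.group("type")),
    }
```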
Stack Frames
Calling Conventions : the C calling convention, the standard calling convention, the fastcall convention for x86, C++ calling conventions, other calling conventions
Local Variable Layout
Stack Frame Examples : how IDA shows the stack frame according to the calling convention
Searching the Database
Text Searches : Search -> Text (ALT+T); Search -> Next Text (CTRL+T)
Binary Searches : Search -> Sequence of Bytes (ALT+B); Search -> Next Sequence of Bytes (CTRL+B)
DISASSEMBLY MANIPULATION
Names and Naming : press N to rename. Parameters and local variables are renamed through the IDA renaming dialog. Named locations use the Renaming Location dialog:
Local name : the name is local to the current function
Include in names list : the name appears in the Names Window
Public name : the name is exported
Register names can also be renamed with N.
Commenting in IDA : Edit -> Comments
Regular Comments (:) : entered through the comment entry dialog
Repeatable Comments (;) : repeatable comments are also shown at every cross-reference tied to the location
Anterior and Posterior Lines : full lines placed before or after a disassembly line
Function Comments : shown at the top of the function in the disassembly listing
Basic Code Transformations : IDA's disassembly listing is the result of its analysis and display process. Code transformations change data to code, code to data, and the formatting of operands.
Basic Code Transformations : Code Display Options
Line prefixes : show the virtual address in front of each disassembly line
Stack pointer : show the stack pointer delta in front of each line
Calling convention
Basic Code Transformations : Formatting Instruction Operands : the operand of a disassembly line can be reformatted
Creating New Functions : Edit -> Functions -> Create Function
Deleting Functions : Edit -> Functions -> Delete Function
Function Chunks : Edit -> Functions -> Append Function Tail
Basic Code Transformations : Function Attributes
Name of function :
Start (End) address :
Local variables area :
Saved registers : size of the saved registers
Purged bytes :
Frame pointer delta :
Basic Code Transformations : Stack Pointer Adjustments
Converting Data to Code (and Vice Versa) : data in the disassembly can be disassembled into code, and code can be undefined back into data.
Basic Data Transformations
Specifying Data Sizes : data items are shown as db, dw, dd (1, 2, 4 byte items). The available data item types are set in the Options -> Setup Data Types dialog.
Working with Strings : Edit -> Strings turns data into a string
Specifying Arrays : IDA data can be grouped into an array with Edit -> Array, which opens the array-creation dialog