Our Tools
How to use 'Our Tools': 1) IDA primer
Ida's philosophy, main settings, how to start
By +Mammon, The Owl and alia
21 October 1998
Courtesy of fravia's pages of reverse engineering
Well, I'm glad to present the first of a series of articles about 'how to use our tools', a very important 'reference' section for all reversers that do peruse my site and for all beginners that never had the courage to ask...
I hope that many more contributions will follow, so that this 'first stab at' can develop into a real fundamental reference.
The Owl
let me have my 2 cents on this ;-)
IDA is a reverse engineering tool which brings us to the definition of RevEng (as i like to abbreviate it, pun intended ;-). in contrast to crackers, RevEngers want to get some knowledge embedded in an executable to put it to their own use or for the experience itself. this info includes protection routines of course, but that's only a subset of the info you can find in a program. now, how does IDA come into the picture?
the entire structure of IDA represents a philosophy which is very pleasing for a true RevEnger, but may not be obvious for the first time user, especially if he's looking for some quick substitute for w32dasm or some other disassembler. IDA treats an executable file as a structured object which has been created from a database representing the knowledge of the programmer (called the source code). IDA wants to help a RevEnger in recreating this database and has many features for this very purpose. since this is not an IDA tutorial, i won't go into details, but wanted you to have some picture on the philosophy behind IDA. so, if you look at IDA with a different eye, you will understand the enthusiasm of real IDA users very soon. if you have more questions you can try to use the various discussion forums or IRC or email...
regards,
the owl
_Mammon+ (1)
IDA really changes the way you think about disassemblers. It's like having an intelligent hex editor--the entire file is available for viewing (unlike in W32dasm, which shows you what it feels to be the important sections) meaning you can root out code hidden in the .data or .rsrc segments. You also have a c-style script language (which contains routines for changing data and code, reading and writing bytes/files, prompting the user, re-analyzing the code...everything you need) to automate things like, say, parsing string tables or decrypting packed code.
The key to IDA is that you do NOT save the text to a file and search the file; rather you view the listing in IDA and root things out using the View-Functions and View-Names commands to find subroutines. You can label code on-the-fly using the ";" operator, so that if you label
:010100 call CreateWindow
to "Nagscreen", then all references to that location will change from
jz 08
to
jz Nagscreen
As you can see, this helps tremendously when poring through huge code listings.
In addition, the comments area of the code will often have address references showing code that refers to that location or code that is referred by that location. These are known as X-Refs and they are *very* useful...double clicking on them will bring you to the code that referred to/is referred by your current location (ESC brings you back). This allows you to "trace" through the code --in a rudimentary manner of course-- without running the program. Try it, you'll like it.
A few hints...in the loader screen, make sure "Load Resources" is checked and "Rename DLL entries" is NOT checked. You should of course make sure that the system directory points to c:\windows\system or c:\winnt\system32 or /usr/lib depending on OS. To search for strings, you can try "find text in core", but it is much easier to go to View-Names and look for any name beginning with "a" (IDA's identifier for "ASCII string").... these will be the strings in the program. Also, in Options-TextRepresentation, display 6 to 8 opcode bytes...this will give the opcodes of the file and cause things to make a lot more sense (in case IDA is interpreting data as code).
It does not hurt to know the PE file format either (and ELF, if you will be doing Linux...you can run IDA under DOSEMU and use it to disassemble ELF files)...IDA splits the file into its native segments (.text = code, .data = data, .stack = empty, .bss = data/empty, .rsrc = resources, .idata = imports, .edata = exports); you simply have to look in the various segments for the information you need (if you want to know the exports for a DLL, look at the .edata section; if you want to know what API functions a program uses, browse the .idata section; for string tables check the .rsrc section).
(deep breath)
Now, for linux....
your friends are strace and od. I have done quite a bit of aliasing with od to use it for different things, for example:
alias hexdump='od -A x -t x2'
alias asciidump='od -A x -t a'
(actually I combine these last two)
alias ss='od -s'
strace will show you all system calls made by a program. IDA will disassemble linux files. GDB will debug them (but who needs to do that?). It's fairly straightforward, once you get into it...but then again, very little linux software needs cracking :)
have fun
_m
_Mammon+ (2)
There are a few things that make IDA easier to use. I can't think of any tutorials on IDA offhand, I think Ghiribizzo did one on Greythorne's site...
But anyhow:
ida.cfg is your equivalent to the winice.dat file, it allows you to make the program easier to use.
look for the
SCREEN_MODE
line and change the parameters to
SCREEN_MODE = 0x6030
This will allow you to have multiple windows in IDA, so that you do not have to only see one screen at a time. You may want to change the font for the DOS box as well.
below this you have the hotkey definitions...print them out or change them to your liking.
In the "Second Pass" area there is a Text Representation area that I have adjusted as follows (not much, but a little bit helps):
// Text representation
//
//-----------------------------------------------
OPCODE_BYTES = 8
INDENTION = 0
COMMENTS_INDENTION = 30
MAX_TAIL = 16
MAX_XREF_LENGTH = 80
MAX_DATALINE_LENGTH = 70
SHOW_AUTOCOMMENTS = NO
SHOW_BAD_INSTRUCTIONS = NO
SHOW_BORDERS = YES
SHOW_EMPTYLINES = YES
SHOW_LINEPREFIXES = YES
SHOW_SEGMENTS = YES
USE_SEGMENT_NAMES = YES
SHOW_REPEATABLE_COMMENTS = YES
SHOW_VOIDS = NO
SHOW_XREFS = 10
SHOW_XREF_VALUES = YES
SHOW_SEGXREFS = NO
SHOW_SOURCE_LINNUM = YES
SHOW_ASSUMES = YES
SHOW_ORIGINS = NO
USE_TABULATION = YES
...hope the board doesn't hose the formatting too much :)
the last thing to change is the
WINDIR
line to
WINDIR = "c:\\winnt\\system32"
or
WINDIR = "c:\\windows\\system"
...the rest of the file you do not need to worry about.
Now, the rest of it is just getting used to IDA. Heed OWL's words: it is designed to produce compilable source code, not to do a "quick crack". When you start off, cracking with IDA will take you ten times longer than cracking with W32dasm, of course using soft-ice; when you get used to it, you will crack 10x as fast in IDA and never touch soft-ice again (as Quine said, how many times do you really NEED to be in ring 0 code?).
Now, for IDA's "strange names".
the "a" prefix stands for "ASCII String". You can change it in ida.cfg in the line
ASCII_PREFIX = "a"
the prefix "j_" stands for "jump to location labelled:"
the prefix "sub_" stands for "subroutine at address:"
Now, let's just say that you open explorer.exe in IDA. you want to see what the exports are. You can either
1) View-Segments, look for .idata and jump to that segment...which isn't here (for some reason they are in _rdata) so we
2) View-Names, and look for API functions. Wow, there are a ton. A good one might be CreateWindowExW. Doubleclick that name, and the code window will jump to the imports section. There will be a line with a yellow label (white is comment) CreateWindowExW about 10 (the max I allowed in my ida.cfg; usually it is 2) blue XREFs (things like sub_159295F). These are locations that call CreateWindow; double click on any of them to view the code. Press Esc to come back to the CreateWindow imports area.
Well, that's neat, but how do you search for strings? You can try Navigate-SearchFor-Text, though it is slow and the results are printed in the Message (yellow-on-blue) window if nothing is found. I prefer either browsing the Names window for entries beginning with "a" (they are all clustered together). Actually, I lie, I have written IDC scripts to extract the strings and imports for me :)
OK, this is getting long.
Important things to remember:
* IDA is not w32dasm and requires a different approach
* Use the Names window
* Learn to write IDC scripts (they help a lot)
* Know the file format (i.e., where the imports are)
* Always define data strings when you find them
and
* Always Name (and comment!) code locations !!!
I cannot stress this last one enough.
_m
fravia+,
I just read the IDA page in the new section and thought I might be able to add something helpful that I discovered recently.
IDA by default prefixes string names with an "a". One of the other things it does is strip out characters that may affect recompilation. From a cracker's point of view, this can increase the time and tedium involved in our pursuit.
For example, the string "%s-%c%c-%d" would be converted to "asccd", which is nowhere near as obvious. Sure, you can click on the reference and be taken to the actual string, but that's an extra click for every string you want to look at.
The solution can be found in the ida.cfg file under the NameChars section. The heading states, "the following characters are allowed in user-defined names," and looks like this:
NameChars =
        "$?@"                           // asm specific character
        "_0123456789"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz";
What the comment doesn't tell you is that autogenerated names are considered user-defined. That means that only the above chars can be displayed in a name. Phooey! That certainly detracts from the code readability. Let's fix that.
Change the entry to read something like this:
NameChars =
        " !\"#$%&'()*+,-./0123456789:;<=>?"
        "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"
        "`abcdefghijklmnopqrstuvwxyz{|}~";
Now we can see our "%s-%c%c-%d" string the way it is in the program!
edison (No, not ed!son)
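A small Python model of the NameChars rule edison describes above; this is an added example, not code from the page or from IDA itself. It assumes IDA simply drops every character outside NameChars and prepends ASCII_PREFIX (length limits and duplicate-name suffixes are not modelled), and it goes one step further than the text by showing that with the default set different strings can collapse into the same auto-generated name.

```python
# Added example: model of how IDA derives an auto-generated name for a
# string literal from the ida.cfg NameChars set (assumption: characters
# outside NameChars are dropped, ASCII_PREFIX is prepended, nothing else).

# The two NameChars values quoted on the page, as Python string literals.
DEFAULT_NAMECHARS = (
    "$?@"                         # asm specific characters
    "_0123456789"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
)
PRINTABLE_NAMECHARS = (
    " !\"#$%&'()*+,-./0123456789:;<=>?"
    "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"
    "`abcdefghijklmnopqrstuvwxyz{|}~"
)
ASCII_PREFIX = "a"   # the ida.cfg ASCII_PREFIX default mentioned by Mammon


def auto_name(literal, namechars=DEFAULT_NAMECHARS, prefix=ASCII_PREFIX):
    """Name a string literal the way the NameChars filter does: keep only
    allowed characters and put the ASCII prefix in front."""
    allowed = set(namechars)
    return prefix + "".join(ch for ch in literal if ch in allowed)


def name_collisions(literals, namechars=DEFAULT_NAMECHARS):
    """Return {name: [literals]} for every generated name that more than
    one distinct literal maps to, i.e. strings the listing can't tell apart."""
    seen = {}
    for lit in literals:
        seen.setdefault(auto_name(lit, namechars), []).append(lit)
    return {n: lits for n, lits in seen.items() if len(lits) > 1}


# Constructed sample literals: the page's format string plus look-alikes.
SAMPLE_LITERALS = ["%s-%c%c-%d", "%s%c%c%d", "Enter key:", "Enter key!"]

if __name__ == "__main__":
    for lit in SAMPLE_LITERALS:
        print(f"{lit!r:14} default={auto_name(lit)!r:12} "
              f"expanded={auto_name(lit, PRINTABLE_NAMECHARS)!r}")
    print("collisions, default NameChars :", name_collisions(SAMPLE_LITERALS))
    print("collisions, expanded NameChars:",
          name_collisions(SAMPLE_LITERALS, PRINTABLE_NAMECHARS))
```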
in fieri... October 1998