banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

"Learning Notes on IDA Reverse Engineering from Scratch" - Part 1 (Basic Introduction)

#逆向761
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This text discusses the process of identifying and viewing the version of an application using a hex editor and an IDE. It explains how to determine if the application is 32-bit or 64-bit and how to open it in a 32-bit IDE. It also mentions different views available in the IDE, such as disassembly, strings, and hex dump. The text concludes by mentioning the option to view imported external functions.

image

Identifying Application Versions#

Viewing application versions with the hexadecimal editor HxD

image

From the above, it can be seen that the application is a 32-bit program, with the word "PE" followed by "PE..L..." If it were a 64-bit program, the word "PE" would be followed by "PE..d+".

image

The application version can also be viewed through an IDE.

image

Since it is known that this is a 32-bit program, open it with a 32-bit IDA.

image

After opening, the IDA: Quick start window will appear.

image

Click "new" to find the target application and load it. The interface is as follows:

image

Click "OK" and no settings are needed here. IDA will automatically recognize the architecture of the program.

Views#

After opening, the displayed window is as follows. The disassembly view is opened first after loading the executable program.

image

Press the space bar to switch between graphical and non-graphical instruction lists.

In Options-General-Disassembly, check "Line prefixes" to display the addresses of instructions in the graphical view.

image

image

The initial effect is as follows:

image

After modification:

image

IDA has multiple view modes, which can be seen in the view-Open subviews menu.

image

Recognizing Function Entry Points#

image

When there are multiple references pointing to the same address at the function entry point, the last repetition can be used as the entry point of the function, which is "push 0" in this case.

Saving Settings#

image

With this setting, the current configurations can be saved and loaded directly next time.

Character Search#

In the IDA tab that includes lists such as FUNCTIONS, STRINGS, NAMES, etc., you can search by pressing "CTRL+F" and filter based on the entered characters. Opening the menu bar VIEW-OPEN SUBVIEW-STRINGS allows you to search for all strings containing "Lu".

image

Opening the menu bar VIEW-OPEN SUBVIEW-DISASSEMBLY allows you to open a second disassembly tab that displays different content from the first.

image

There are three disassembly display views here.

Opening the menu bar VIEW-OPEN SUBVIEW-HEX DUMP allows you to display the hexadecimal view.

image

Right-clicking allows you to switch to text mode, or you can press the space bar to switch.

image

The text view is as follows:

image

Opening view-Open subviews-import allows you to view referenced external functions.

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.