lca

True lack of freedom is building a cage in your own heart.

"Learning Notes on IDA Reverse Engineering from Scratch - 2 (Numerical Operations)"

Numerical Systems

The commonly used numerical systems are binary, decimal, and hexadecimal.

Binary: Represents numbers using only 0 and 1 characters.
Decimal: Represents numbers using the characters 0 to 9.
Hexadecimal: Represents numbers using the characters 0 to 9 and A to F.

In the Python interactive shell, a number with a leading 0x is interpreted as hexadecimal. Entering 0x45 and pressing Enter prints its decimal value, 69.

To convert a decimal number to a hexadecimal number, you can use the hex() function.

The bin() function converts a number written in any other base to binary. For 0x45 the output is 0b1000101; the leading 0b indicates that this is a binary number.

Conversion from decimal and hexadecimal to binary:

Conversion from binary to decimal and hexadecimal:

Any number entered directly is printed in decimal when Enter is pressed. The hex() and bin() functions in Python convert it to hexadecimal or binary.

For convenience, the built-in converter in IDA can be opened through the menu VIEW-CALCULATOR. This converter can display the results of converting numbers to various bases. It will also display the corresponding ASCII characters for the numbers. For example, the character corresponding to 0x45 is E.

Almost all reverse engineering work involves hexadecimal numbers. The question is how to represent a negative number in 32-bit hexadecimal. In a 32-bit binary number, the first (most significant) bit is used as the sign: 0 for a positive number, 1 for a negative number.

In the calculator, when adding 1 to 0x7fffffff, the highest bit becomes 1 and the other bits become 0.

The IDA converter treats input as positive unless a "-" sign is placed in front of the number. The largest negative number, -1, corresponds to hexadecimal 0xffffffff, and the smallest negative number corresponds to 0x80000000. If the sign is ignored (unsigned), all numbers from 0 to 0xffffffff are positive. If the sign is considered (signed), 0x0 to 0x7fffffff are positive numbers, and 0xffffffff down to 0x80000000 are negative numbers.
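The signed and unsigned readings described above, together with a converter-style view of one value in every base, as an added example that is not part of the original notes. The function names are hypothetical and are not IDA or IDAPython APIs; the sample values are the ones discussed in the text.

```python
# Added example: a 32-bit view of a number, similar in spirit to a base
# converter. Function names are hypothetical, not IDA or IDAPython APIs.
MASK32 = 0xFFFFFFFF
SIGN_BIT = 0x80000000


def to_unsigned32(value):
    """Wrap any Python int into the range 0..0xffffffff (two's complement)."""
    return value & MASK32


def to_signed32(value):
    """Interpret the low 32 bits of value as a signed two's-complement number."""
    value &= MASK32
    return value - 0x100000000 if value & SIGN_BIT else value


def describe32(value):
    """Return the representations of one 32-bit value in each base."""
    u = to_unsigned32(value)
    return {
        "hex": "0x%08x" % u,
        "unsigned": u,
        "signed": to_signed32(u),
        "bin": format(u, "032b"),
        # Only printable ASCII is shown as a character.
        "char": chr(u) if 0x20 <= u <= 0x7E else None,
    }


if __name__ == "__main__":
    # Constructed sample values: the ones discussed in the text above.
    for sample in (0x45, 0x7FFFFFFF, 0x7FFFFFFF + 1, -1, 0xFFFFFFFF):
        print(describe32(sample))
```

Python integers are unbounded, so the 32-bit mask is what reproduces the wraparound from 0x7fffffff to 0x80000000 seen in the calculator.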

ASCII Code Characters:

Hexadecimal to Character Conversion:

The chr() function is used for this.

Search Function in IDA:

  • Next Code: This function is used to search for the next executable instruction (CODE). If there is a part in between that is not an executable instruction, it will be skipped.

  • Next Data: This function is used to search for the next data.

  • Next Explored: Search for the next executable instruction or data.

  • Next Unexplored: Search for the next item that is neither an executable instruction nor data.

Search Immediate: This function is used to search for constants in executable instructions and data items.

Open a new window to display the search results.

Search Text: Search for the entered text; regular expressions are supported. If the reader chooses a single search, Next Text must be used to continue to the following match.

Search results view.

Search Sequence of Bytes: Search for the entered sequence of bytes.

Search results view.

Click on the corresponding search result, and IDA will enter the disassembly view.

Search Not Function: Search for the next incomplete function.

The RET instruction at address 004013D7 cannot be recognized as a function. Sometimes, some functions cannot be recognized by IDA due to illegal instructions.
