|
The first thing you will notice when running IDA Pro is that its interface
looks way more professional then w32dasm's. There are much more options
and advanced features available then in w32dasm. This has the advantage
that you can disassemble better and more profound, but has the disadvantage
that it makes IDA much more difficult to work with
Now, in fact, IDA has exactly the same features as w32dasm: you can goto
a certain code location, you can see where a jump to a certain portion
of code is located, you can see string references, you can save the dead
listing, etc... .
The first difficulty IDA newbies have are finding string references. In
w32dasm you have a button with which you can view directly all string
references. In IDA, this feature is located at scrollmenu View - Names.
Let's jump right into action and disassemble a small .exe (I used startclean.exe).
A screen pops which offers you a lot of options. Don't touch it, just
click 'OK'. Let IDA do its (beautiful) analysis and when it's done, take
a look at the names.
String references, as called in w32dasm, are preceeded by an 'a' in IDA.
To search for a string press 'a' in the names window, then followed by
the string you look for. Once found, press enter or double click on it.
This will take you to the location. CTRL-Enter will take you to the next
occurence. A reference is located near the string, looking like this:
DATA XREF: _WinMain@16+13�o . Double clicking
on it will make IDA go to the reference location.
Another feature of w32dasm: the jump and call references are also (of
course) available in IDA. What follows is a portion of code disassembled
in w32dasm followed by the same portion of code disassembled by IDA:
Start partial code (w32dasm)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B50(C)
|
:00403B5F 81FAFC000000 cmp edx, 000000FC
:00403B65 0F8478010000 je 00403CE3
:00403B6B 8D8424B4000000 lea eax, dword ptr [esp+000000B4]
:00403B72 6804010000 push 00000104
:00403B77 50 push eax
* Reference To: KERNEL32.GetModuleFileNameA, Ord:00E9h
|
:00403B78 8B2D88924000 mov ebp, dword ptr [00409288]
:00403B7E 6A00 push 00000000
:00403B80 FFD5 call ebp
:00403B82 85C0 test eax, eax
:00403B84 7516 jne 00403B9C
* Possible StringData Ref from Data Obj ->""
|
:00403B86 BE206A4000 mov esi, 00406A20
:00403B8B 8DBC24B4000000 lea edi, dword ptr [esp+000000B4]
:00403B92 B905000000 mov ecx, 00000005
:00403B97 F3 repz
:00403B98 A5 movsd
:00403B99 66A5 movsw
:00403B9B A4 movsb
End partial code
Start partial code (IDA
Pro 4.0x)
00403B5F loc_403B5F: ; CODE XREF: sub_403B00+50�j
00403B5F cmp edx, 0FCh
00403B65 jz loc_403CE3
00403B6B lea eax, [esp+1B8h+var_104]
00403B72 push 104h
00403B77 push eax
00403B78 mov ebp, ds:GetModuleFileNameA
00403B7E push 0
00403B80 call ebp ; GetModuleFileNameA
00403B82 test eax, eax
00403B84 jnz short loc_403B9C
00403B86 mov esi, offset aProgramNameUnk ; ""
00403B8B lea edi, [esp+1B8h+var_104]
00403B92 mov ecx, 5
00403B97 repe movsd
00403B99 movsw
00403B9B movsb
End partial code
As you can see, IDA provides much more detailed information, and it's
even more clear.
Take as example the reference:
In w32dasm it looks like this:
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00403B50(C)
In IDA Pro it looks like this:
CODE XREF: sub_403B00+50�j
IDA provides much more info in even a shorter line:
1. It's a jump (j)
2. The jump to the portion of code is located at adress 00403B50 (=403B00+50)
3. The function/ call itself is located at 403B00(403B00+50)
4. The jump is located in the .code section
If the reference would be a call, then it would look like this: CODE
XREF: sub_403B00+50�p
Another great advantage is that IDA translates variables. You can even
double click them to go to the adress where they are stored: lea edi,
[esp+1B8h+var_104]
One of the most powerful features is the use of flirt signatures. Easy
explained: IDA tries to recognize compiler-related library functions.
Like this:
Start partial code (IDA
Pro)
004012D2 loc_4012D2: ; CODE XREF: sub_401280+5F�j
004012D2 movsx ecx, byte ptr [eax]
004012D5 push eax
004012D6 lea ebp, [ebp+ecx*2+0]
004012DA call edi ; CharNextA ; Return a pointer to the next character in a
; string
004012DC cmp byte ptr [eax], 0
004012DF jnz short loc_4012D2
End partial code
Start partial code (w32dasm)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012DF(C)
|
:004012D2 0FBE08 movsx ecx, byte ptr [eax]
:004012D5 50 push eax
:004012D6 8D6C4D00 lea ebp, dword ptr [ebp+2*ecx]
:004012DA FFD7 call edi
:004012DC 803800 cmp byte ptr [eax], 00
:004012DF 75F1 jne 004012D2
End partial code
You notice the great difference? IDA tells you everything!
Other features similar to w32dasm's are quite easy, like "Goto code
location" equals "Jump - Jump to adress" in IDA. Or "Goto
entrypoint" equals "Jump - Jump to entry point" in IDA.
Voilà, that are about the most important things you have to know
to start out with IDA. Ah, maybe, before I forget. Sometimes, IDA displays
a lot of 'db' -s that are no string references, but code. Just set your
cursor and push the 'C' button on your keyboard, IDA will immediately
translate it into code. Example:
Start partial code (before
'C')
00401228 dd offset unk_406130
0040122C db 8Bh ; ï
0040122D db 35h ; 5
0040122E dd offset RegSetValueExA
00401232 db 6Ah ; j
00401233 db 1 ;
00401234 db 6Ah ; j
00401235 db 0 ;
00401236 db 68h ; h
00401237 dd offset aName ; "Name"
0040123B db 51h ; Q
0040123C db 0FFh ;
0040123D db 0D6h ; Í
0040123E db 8Bh ; ï
0040123F db 4Ch ; L
00401240 db 24h ; $
00401241 db 8 ;
00401242 db 68h ; h
End partial code
Start partial code (after
'C')
0040122C mov esi, ds:RegSetValueExA
00401232 ; ---------------------------------------------------------------------------
00401232 push 1
00401234 push 0
00401236 push offset aName ; "Name"
0040123B ; ---------------------------------------------------------------------------
0040123B push ecx
0040123C call esi ; RegSetValueExA
0040123E mov ecx, [esp+8]
00401242 push 100h
00401247 push offset unk_406030
0040124C ; ---------------------------------------------------------------------------
0040124C push 1
0040124E push 0
00401250 push offset aCode ; "Code"
00401255 ; ---------------------------------------------------------------------------
00401255 push ecx
00401256 call esi ; RegSetValueExA
00401258 mov eax, [esp+8]
0040125C push eax
0040125D call ds:RegCloseKey
End partial code
Other (fast summarised) advantages of IDA Pro are:
1. Ability to disassemble even the most difficult programs that w32dasm
can't handle (like packed programs)
2. Ability to export the dead listing into a .asm file a .sym file and
even a .exe file and many other output files
3. The dead listing is compressed, saving a lot of diskspace
4. Possibility to rename functions
5. Ability to program macro's.
etc.... ;-)
|