Introduction to IDA Pro – SecPod Blog

IDA Pro is primarily a multi-platform, multi-processor disassembler that translates machine-executable code into assembly language source code for the purposes of debugging and reverse engineering. It can be used as a local or a remote debugger on various platforms. Plug-ins can be developed for it, and it supports a variety of executable formats for different processors and operating systems.

Here is the screenshot of the IDA Pro Desktop:

IDA desktop

1) The toolbar area is the space below the menu bar where tools can be docked.

2) The navigation band is the horizontal color band below the toolbar area. It represents the address space of the executable under analysis and can be used to jump to a particular code region. Light blue stands for library code, red for compiler-generated code and dark blue for user-written code. Code analysis is usually done in the user-written region.

3) The disassembly window is the primary window, showing the assembly-level code of the executable under analysis. It is available in two formats: graph mode (shown in the figure above) and text mode. Graph mode represents program control flow: the code is broken into blocks, with colored arrows showing control flow between the blocks. A red arrow means a conditional jump is not taken, a green arrow means the jump is taken, and a blue arrow is an unconditional jump. Text mode, on the other hand, presents the entire disassembled code of the executable. In text mode an arrow pointing upward indicates a loop, unconditional jumps are drawn as solid lines and conditional jumps as dashed lines.

4) The Functions window lists all the functions in the executable. It can be used to differentiate functions by length as well as by type; it uses flags such as F, L and S to indicate the function type.

5) The Names window shows functions, named data, named code and string addresses with a color- and letter-coded name.

I indicates an imported name, F a regular function, L a library function, D a named data location, A an ASCII string data location and C named code, that is, a named memory location in code.

6) The Strings window shows the ASCII strings found in the executable.

7) Imports window lists all functions that are imported by the file under analysis.

8) Exports window shows all the functions and variables that the file under analysis exports to be used by other files.

9) The Message window is the status window that displays output generated by IDA Pro, such as error messages or the status of the ongoing analysis.

Some useful IDA Pro plug-ins are:

1) AsPack/ASPR: A plug-in that can be used to unpack or decompress files compressed using a Win32 file compressor.

2) Hex-Rays Decompiler: A plug-in that translates compiled object code back into a readable, C-like source form.

3) Stealth: An open-source anti-anti-debugging plug-in that tries to hide the IDA Pro debugger from the most common anti-debugging techniques.

4) PatchDiff2: An open-source plug-in that compares two IDA Pro database (IDB) files and reports the differences between them.

5) IDAPython: An open-source plug-in that integrates the Python programming language with IDA Pro, allowing Python scripts to run inside IDA Pro.

6) Ida struct: An open-source plug-in that helps recognize high-level objects and structures in binary code.

7) EPF (Entry-Point-Finder): A plug-in that can be used to find the original entry point of a packed or encrypted Windows PE executable.
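As an added example (not from the SecPod post or from IDA's own code), here is an IDAPython script that ties the Functions window and the navigation band colouring together: it walks every function in the open database, decodes the flag letters the Functions window shows, and separates library code from user-written code so an analyst can start in the dark-blue region. The FUNC_* bit values are the IDA SDK's; the sample function list under the `else` branch is constructed so the decoding runs outside IDA too.

```python
try:
    import idautils, idc  # only available when running inside IDA Pro
    IN_IDA = True
except ImportError:
    IN_IDA = False

# Function attribute bits from the IDA SDK (ida_funcs.FUNC_*).
FUNC_NORET, FUNC_FAR, FUNC_LIB = 0x01, 0x02, 0x04
FUNC_STATICDEF, FUNC_FRAME, FUNC_THUNK = 0x08, 0x10, 0x80


def flag_letters(flags):
    """Letters the Functions window shows for these flags:
    R = returns (NORET clear), F = far, L = library, S = static, B = BP-based frame."""
    letters = "" if flags & FUNC_NORET else "R"
    for bit, letter in ((FUNC_FAR, "F"), (FUNC_LIB, "L"),
                        (FUNC_STATICDEF, "S"), (FUNC_FRAME, "B")):
        if flags & bit:
            letters += letter
    return letters


def partition(functions):
    """functions: iterable of (start_ea, name, flags). Group them the way the
    navigation band colours code: library vs. user-written, with import thunks
    kept apart because they carry no logic worth analysing."""
    groups = {"library": [], "user": [], "thunk": []}
    for ea, name, flags in functions:
        key = "thunk" if flags & FUNC_THUNK else "library" if flags & FUNC_LIB else "user"
        groups[key].append((ea, name, flag_letters(flags)))
    return groups


def collect_from_ida():
    """(ea, name, flags) for every function the Functions window lists."""
    return [(ea, idc.get_func_name(ea), idc.get_func_attr(ea, idc.FUNCATTR_FLAGS))
            for ea in idautils.Functions()]


if IN_IDA:
    SAMPLE = collect_from_ida()
else:  # constructed sample so the script also runs outside IDA
    SAMPLE = [(0x401000, "main", FUNC_FRAME),
              (0x401200, "_strlen", FUNC_LIB),
              (0x402000, "__imp_CreateFileA", FUNC_THUNK)]
for group, entries in partition(SAMPLE).items():
    print("== %s (%d) ==" % (group, len(entries)))
    for ea, name, letters in entries:
        print("%08X  %-5s %s" % (ea, letters, name))
```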

– Shakeel
