Chapter 1 Introduction to Disassembly 2
1.1 Disassembly Theory 2
1.2 What Is Disassembly? 3
1.3 Why Disassemble? 3
1.3.1 Malware Analysis 4
1.3.2 Vulnerability Analysis 4
1.3.3 Software Interoperability 4
1.3.4 Compiler Validation 4
1.3.5 Displaying Debugging Information 5
1.4 How to Disassemble 5
1.4.1 Basic Disassembly Algorithm 5
1.4.2 Linear Sweep Disassembly 6
1.4.3 Recursive Descent Disassembly 7
1.5 Summary 10
Chapter 2 Reversing and Disassembly Tools 11
2.1 Classification Tools 11
2.1.1 file 11
2.1.2 PE Tools 13
2.1.3 PEiD 14
2.2 Summary Tools 14
2.2.1 nm 15
2.2.2 ldd 16
2.2.3 objdump 17
2.2.4 otool 18
2.2.5 dumpbin 18
2.2.6 c++filt 19
2.3 Deep Inspection Tools 20
2.3.1 strings 20
2.3.2 Disassemblers 21
2.4 Summary 22
Chapter 3 IDA Pro Background 23
3.1 Hex-Rays' Anti-Piracy Strategy 23
3.2 Obtaining IDA Pro 24
3.2.1 IDA Versions 24
3.2.2 IDA Licenses 24
3.2.3 Purchasing IDA 25
3.2.4 Upgrading IDA 25
3.3 IDA Support Resources 25
3.4 Installing IDA 26
3.4.1 Windows Installation 26
3.4.2 OS X and Linux Installation 27
3.4.3 IDA Directory Layout 28
3.5 The IDA User Interface 29
3.6 Summary 29
Part II Basic IDA Usage
Chapter 4 Getting Started with IDA 32
4.1 Launching IDA 32
4.1.1 IDA File Loading 34
4.1.2 Using the Binary Loader 35
4.2 IDA Database Files 37
4.2.1 Creating an IDA Database 38
4.2.2 Closing an IDA Database 38
4.2.3 Reopening a Database
4.3 Introduction to the IDA Desktop 40
4.4 Desktop Behavior During Initial Analysis 42
4.5 IDA Desktop Tips and Tricks 43
4.6 Reporting Bugs 44
4.7 Summary 44
Chapter 5 IDA Data Displays 45
5.1 Principal IDA Displays 45
5.1.1 The Disassembly Window 45
5.1.2 The Names Window 50
5.1.3 The Messages Window 51
5.1.4 The Strings Window 52
5.2 Secondary IDA Displays 53
5.2.1 The Hex View Window 53
5.2.2 The Exports Window 54
5.2.3 The Imports Window 54
5.2.4 The Functions Window 55
5.2.5 The Structures Window 55
5.2.6 The Enums Window 56
5.3 Other IDA Displays 56
5.3.1 The Segments Window 56
5.3.2 The Signatures Window 57
5.3.3 The Type Libraries Window 58
5.3.4 The Function Calls Window 58
5.3.5 The Problems Window 59
5.4 Summary 59
Chapter 6 Disassembly Navigation 60
6.1 Basic IDA Navigation 60
6.1.1 Double-Click Navigation 60
6.1.2 Jump to Address 62
6.1.3 Navigation History 62
6.2 Stack Frames 63
6.2.1 Calling Conventions 64
6.2.2 Local Variable Layout 67
6.2.3 Stack Frame Examples 67
6.2.4 IDA Stack Views 70
6.3 Searching the Database 74
6.3.1 Text Searches 75
6.3.2 Binary Searches
6.4 Summary 76
Chapter 7 Disassembly Manipulation 77
7.1 Names and Naming 77
7.1.1 Parameters and Local Variables 77
7.1.2 Named Locations 79
7.1.3 Register Names 80
7.2 Commenting in IDA 80
7.2.1 Regular Comments 82
7.2.2 Repeatable Comments 82
7.2.3 Anterior and Posterior Comments 82
7.2.4 Function Comments 82
7.3 Basic Code Transformations 83
7.3.1 Code Display Options 83
7.3.2 Formatting Instruction Operands 85
7.3.3 Manipulating Functions 86
7.3.4 Converting Between Data and Code 91
7.4 Basic Data Transformations 91
7.4.1 Specifying Data Sizes 92
7.4.2 Working with Strings 93
7.4.3 Specifying Arrays 94
7.5 Summary 96
Chapter 8 Datatypes and Data Structures 97
8.1 Recognizing Data Structure Use 98
8.1.1 Array Member Access 98
8.1.2 Structure Member Access 102
8.2 Creating IDA Structures 107
8.3 Using Structure Templates 111
8.4 Importing New Structures 114
8.4.1 Parsing C Structure Declarations 114
8.4.2 Parsing C Header Files 115
8.5 Using Standard Structures 115
8.6 IDA TIL Files 118
8.6.1 Loading New TIL Files 118
8.6.2 Sharing TIL Files 118
8.7 C++ Reverse Engineering Primer 119
8.7.1 The this Pointer 119
8.7.2 Virtual Functions and Vtables 120
8.7.3 The Object Life Cycle 122
8.7.4 Name Mangling 124
8.7.5 Runtime Type Identification 125
8.7.6 Inheritance 126
8.7.7 C++ Reverse Engineering References 127
8.8 Summary 127
Chapter 9 Cross-References and Graphing 128
9.1 Cross-References 128
9.1.1 Code Cross-References 129
9.1.2 Data Cross-References 131
9.1.3 Cross-Reference Lists 133
9.1.4 Function Calls 134
9.2 IDA Graphing 135
9.2.1 IDA's Legacy Graphing Features 135
9.2.2 IDA's Integrated Graph View 141
9.3 Summary 143
Chapter 10 The Many Faces of IDA 144
10.1 Console-Mode IDA 144
10.1.1 Common Features of Console Mode 144
10.1.2 Windows Console 145
10.1.3 Linux Console 146
10.1.4 OS X Console 148
10.2 Using IDA's Batch Mode 150
10.3 The IDA GUI 151
10.4 Summary 152
Part III Advanced IDA Usage
Chapter 11 Customizing IDA 154
11.1 Configuration Files 154
11.1.1 The Main Configuration File: ida.cfg 154
11.1.2 The GUI Configuration File: idagui.cfg 155
11.1.3 The Console Configuration File: idatui.cfg 157
11.2 Additional IDA Configuration Options 158
11.2.1 IDA Colors 159
11.2.2 Customizing IDA Toolbars 159
11.3 Summary 161
Chapter 12 Library Recognition Using FLIRT Signatures 162
12.1 Fast Library Identification and Recognition Technology 162
12.2 Applying FLIRT Signatures 163
12.3 Creating FLIRT Signature Files 166
12.3.1 Signature-Creation Overview 166
12.3.2 Identifying and Acquiring Static Libraries 167
12.3.3 Creating Pattern Files 168
12.3.4 Creating Signature Files 169
12.3.5 Startup Signatures 171
12.4 Summary 172
Chapter 13 Extending IDA's Knowledge
13.1 Extending Function Information 173
13.1.1 IDS Files 175
13.1.2 Creating IDS Files 176
13.2 Extending Predefined Comments with loadint 178
13.3 Summary 179
Chapter 14 Patching Binaries and Other IDA Limitations 180
14.1 The Hidden Patch Menu 180
14.1.1 Changing Database Bytes 181
14.1.2 Changing a Word in the Database 181
14.1.3 Using the Assemble Dialog 182
14.2 IDA Output Files and Patch Generation 183
14.2.1 IDA-Generated MAP Files 183
14.2.2 IDA-Generated ASM Files 184
14.2.3 IDA-Generated INC Files 184
14.2.4 IDA-Generated LST Files 185
14.2.5 IDA-Generated EXE Files 185
14.2.6 IDA-Generated DIF Files 185
14.2.7 IDA-Generated HTML Files 186
14.3 Summary 186
Part IV Extending IDA's Capabilities
Chapter 15 Scripting with IDC 188
15.1 Basic Script Execution 188
15.2 The IDC Language
15.2.1
15.2.2 IDC Expressions 190
15.2.3 IDC Statements 190
15.2.4 IDC Functions 191
15.2.5 IDC Programs 192
15.2.6 IDC Error Handling
15.2.7 Persistent Data Storage in IDC
15.3 Associating IDC Scripts with Hotkeys 194
15.4 Useful IDC Functions 195
15.4.1 Functions for Reading and Modifying Data 196
15.4.2 User Interaction Functions 196
15.4.3 String-Manipulation Functions 197
15.4.4 File Input/Output Functions 197
15.4.5 Manipulating Database Names 198
15.4.6 Functions Dealing with Functions 199
15.4.7 Code Cross-Reference Functions 199
15.4.8 Data Cross-Reference Functions 200
15.4.9 Database Manipulation Functions 200
15.4.10 Database Search Functions 201
15.4.11 Disassembly Line Components 201
15.5 IDC Scripting Examples 202
15.5.1 Enumerating Functions 202
15.5.2 Enumerating Instructions 202
15.5.3 Enumerating Cross-References 203
15.5.4 Enumerating Exported Functions 205
15.5.5 Finding and Labeling Function Arguments 206
15.5.6 Emulating Assembly Language Behavior 208
15.6 Summary 209
Chapter 16 The IDA Software Development Kit 211
16.1 SDK Introduction 212
16.1.1 SDK Installation 212
16.1.2 SDK Layout 212
16.1.3 Configuring a Build Environment 213
16.2 The IDA Application Programming Interface 214
16.2.1 Header File Overview 214
16.2.2 Netnodes 217
16.2.3 Useful SDK Datatypes 223
16.2.4 Commonly Used SDK Functions 224
16.2.5 IDA API Iteration Techniques 229
16.3 Summary 232
Chapter 17 The IDA Plug-in Architecture 233
17.1 Writing a Plug-in 233
17.1.1 The Plug-in Life Cycle 235
17.1.2 Plug-in Initialization 236
17.1.3 Event Notification 237
17.1.4 Plug-in Execution 238
17.2 Building Plug-ins 239
17.3 Plug-in Installation 243
17.4 Plug-in Configuration 244
17.5 Extending IDC 244
17.6 Plug-in User Interface Options 247
17.7 Summary 254
Chapter 18 Binary Files and IDA Loader Modules 255
18.1 Unknown File Analysis 256
18.2 Manually Loading a Windows PE File 256
18.3 IDA Loader Modules 263
18.4 Writing an IDA Loader 263
18.4.1 The Simpleton Loader 265
18.4.2 Building an IDA Loader Module 269
18.4.3 An IDA pcap Loader 269
18.5 Alternative Loader Strategies 274
18.6 Summary 275
Chapter 19 IDA Processor Modules 276
19.1 Python Bytecode 277
19.2 The Python Interpreter 277
19.3 Writing a Processor Module 277
19.3.1 The processor_t Structure 278
19.3.2 Basic Initialization of the LPH Structure 278
19.3.3 The Analyzer 282
19.3.4 The Emulator 286
19.3.5 The Outputter 288
19.3.6 Processor Notifications 293
19.3.7 Other processor_t Members 294
19.4 Building Processor Modules 296
19.5 Customizing Existing Processors 299
19.6 Processor Module Architecture 301
19.7 Summary 302
Part V Real-World Applications
Chapter 20 Compiler Variations 304
20.1 Jump Tables and Switch Statements 304
20.2 RTTI Implementations 308
20.3 Locating main 308
20.4 Debug vs. Release Binaries 315
20.5 Alternative Calling Conventions 317
20.6 Summary 317
Chapter 21 Obfuscated Code Analysis 319
21.1 Anti-Static Analysis Techniques 319
21.1.1 Disassembly Desynchronization 319
21.1.2 Dynamically Computed Target Addresses 322
21.1.3 Imported Function Obfuscation 327
21.1.4 Targeted Attacks on Analysis Tools 331
21.2 Anti-Dynamic Analysis Techniques 331
21.2.1 Detecting Virtualization
21.2.2 Detecting Instrumentation Tools 333
21.2.3 Detecting Debuggers 333
21.2.4 Preventing Debugging 334
21.3 Static De-obfuscation of Binaries Using IDA 335
21.3.1 Script-Oriented De-obfuscation 335
21.3.2 Emulation-Oriented De-obfuscation 339
21.4 Summary 349
Chapter 22 Vulnerability Analysis 350
22.1 Discovering New Vulnerabilities with IDA 351
22.2 After-the-Fact Vulnerability Discovery with IDA 356
22.3 IDA and the Exploit Development Process 359
22.3.1 Stack Frame Breakdown 360
22.3.2 Locating Instruction Sequences 362
22.3.3 Finding Useful Virtual Addresses 363
22.4 Analyzing Shellcode 364
22.5 Summary 366
Chapter 23 Real-World IDA Plug-ins 367
23.1 Hex-Rays 367
23.2 IDAPython 368
23.3 IDARub 371
23.4 IDA Sync 371
23.5 CollabREate 374
23.6 ida-x86emu 377
23.7 mIDA 377
23.8 Summary 379
Part VI The IDA Debugger
Chapter 24 The IDA Debugger 382
24.1 Launching the Debugger 382
24.2 Basic Debugger Displays 384
24.3 Process Control 387
24.3.1 Breakpoints 388
24.3.2 Tracing 390
24.3.3 Stack Traces 393
24.3.4 Watches 393
24.4 Automating Debugger Tasks 393
24.4.1 Scripting Debugger Actions with IDC 394
24.4.2 Automating Debugger Actions with an IDA Plug-in 398
24.5 Summary 400
Chapter 25 Disassembler/Debugger Integration 401
25.1 Background 401
25.2 IDA Databases and the IDA Debugger 402
25.3 Debugging Obfuscated Code 404
25.3.1 Simple Decryption and Decompression Loops 404
25.3.2 Import Table Reconstruction 407
25.3.3 Hiding the Debugger 410
25.3.4 Exception Handling 414
25.4 Summary 418
Chapter 26 IDA and Remote Debugging on Linux and OS X Platforms 419
26.1 Console-Mode Debugging 419
26.2 Remote Debugging with IDA 420
26.2.1 Exception Handling in Remote Debugging 422
26.2.2 Using Scripts and Plug-ins in Remote Debugging 423
26.3 Summary 423
Appendix A Using the IDA 4.9 Freeware Edition 424
Appendix B IDC/SDK Cross-Reference 426
Appendix C New Features in IDA 5.3 444