TOUGH
Our Tools

How to use 'Our Tools': 1) IDA primer

Ida's philosophy, main settings, how to start
By +Mammon, The Owl and alia
21 October 1998

red

Courtesy of fravia's pages of reverse engineering

red

Well, I'm glad to present the first of a series of article about 'how to use our tools', a very important 'reference' section for all reversers that do peruse my site and for all beginners that never had the courage to ask...
I hope that many more contributions will follow, so that this 'first stab at' can develop into a real fundamental reference.


The Owl

let me have my 2 cents on this ;-)

IDA is a reverse engineering tool which brings us to the definition of RevEng (as i like to abbreviate it, pun indended ;-). in contrast to crackers, RevEngers want to get some knowledge embedded in an executable to put it to their own use or for the experience itself. this info includes protection routines of course, but that's only a subset of the info you can find in a program. now, how does IDA come into the picture?

the entire structure of IDA represents a philosophy which is very pleasing for a true RevEnger, but may not be obvious for the first time user, especially if he's looking for some quick substitute for w32dasm or some other disassembler. IDA treats an executable file as a structured object which has been created from a database representing the knowledge of the programmer (called the source code). IDA wants to help a RevEnger in recreating this database and has many features for this very purpose. since this is not an IDA tutorial, i won't go into details, but wanted you to have some picture on the philosophy behind IDA. so, if you look at IDA with a different eye, you will understand the enthusiasm of real IDA users very soon. if you have more questions you can try to use the various discussion forums or IRC or email...

regards,
the owl


_Mammon+ (1)

IDA really changes the way you think about disassemblers. It's like having an intelligent hex editor--the entire file is avail for viewing (unlike in W32dasm, which shows you what it feels to be the important sections) meaning you can root out code hidden in the .data or .rsrc segments. You also have a c-style script language (which contains routines for changing data and code, reading and writing bytes/files, prompting the user, re-analyzing the code...everythign you need) to automate things like, say, parsing string tables or decrypting packed code.

The key to IDA is that you do NOT save the text to a file and search the file; rather you view the listing in IDA and root things out using the View-Functions and View-Names commands to find subroutines. You can label code on-the fly using the ";" operator, so that if you label
:010100 call CreateWindow
to "Nagscreen", then all references to that location will change from
jz 08
to
jz Nagscreen
As you can see, this helps tremendously when poring through huge code listings.

In addition, the comments area of the code will often have address references showing code that refers to that location or code that is referred by that location. These are known as X-Refs and the are *very* useful...double clicking on them will bring you to the code that referred to/is reffered by your current location (ESC brings you back). This allows you to "trace" through the code --in a rudimentary manner of course-- without running the program. Try it, you'll like it.

A few hints...in the loader screen, make sure "Load Resources" is checked and "Rename DLL entries" is NOT checked. You should of course make sure that the system directory points to c:\\windows\\system or c:\\winnt\\system32 or /usr/lib depending on OS. To search for strings, you can try "find text in core", but it is much easier to go to View-Names and look for any name beginning with "a" (IDA's identifier for "ASCII string").... these will be the strings in the program. Also, in Options-TextRepresentation, display 6 to 8 opcode bytes...this will give the opcodes of the file and cause things to make a lot more sense (in case IDA is interpreting data as code).

It does not hurt to know the PE file format either (and ELF, if you will be doing Linux...you can run IDA under DOSEMU and use it to disassemble ELF files)...IDA splits the file into its native segments (.text =code, .data =data, .stack =empty, .bss =data/empty, .rsrc =resources, .idata =imports, .edata =exports); you simply have to look in the various segments for the information you need (if you want to know the exports for a DLL, look at the .edata section; if you want to know what API functions a program uses, browse the .idata section, for string tables check the .rsrc section).


(deep breath)
Now, for linux....
your friends are strace and od. I have done quite a bit of aliasing with od to use it for different things, for example:
alias hexdump='od -A x -t x2'
alias asciidump = 'od -A x -t a'
(actually I combine these last two)
alias ss='od -s'

strace will show you all system calls made by a program. IDA will disassemble linux files. GDB will debug them (but who needs to do that?). It's fairly straightforward, once you get into it...but then again, very little linux software needs cracking :)

have fun
_m





_Mammon+ (2)

There are a few things that make IDA easier to use. I can't think of any tutorials on IDA offhand, I think Ghiribizzo did one on Greythorne's site...

But anyhow:
ida.cfg is your equivalent to the winice.dat file, it allows you to make the program easier to use.

look for:
SCREEN_MODE
line and change the parameters to
SCREEN_MODE = 0x6030
This will allow you to have multiple windows in IDA, so that you do not have to only see one screen at a time. You may want to change the font for the DOS box as well.

below this you have the hotkey definitions...print them out or change them to your liking.

In the "Second Pass" area there is a Text Representation area that I have adjusted as follows (not much, but a little bit helps):
// Text representation
//
//------------------------------------------ -----

OPCODE_BYTES = 8
INDENTION = 0
COMMENTS_INDENTION = 30
MAX_TAIL = 16
MAX_XREF_LENGTH = 80
MAX_DATALINE_LENGTH = 70
SHOW_AUTOCOMMENTS = NO
SHOW_BAD_INSTRUCTIONS = NO
SHOW_BORDERS = YES
SHOW_EMPTYLINES = YES
SHOW_LINEPREFIXES = YES
SHOW_SEGMENTS = YES
USE_SEGMENT_NAMES = YES
SHOW_REPEATABLE_COMMENTS = YES
SHOW_VOIDS = NO
SHOW_XREFS = 10
SHOW_XREF_VALUES = YES
SHOW_SEGXREFS = NO
SHOW_SOURCE_LINNUM = YES
SHOW_ASSUMES = YES
SHOW_ORIGINS = NO
USE_TABULATION = YES

...hope the board doesn't hose the formatting too much :)

the last thing to change is the
WINDIR
line to
WINDIR = "c:\\winnt\\system32"
or
WINDIR = "c:\\windows\\system"


...the rest of the file you do not need to worry about.

Now, the rest of it is just getting use to IDA. Heed OWL's words: it is designed to produce compilable source code, not to do a "quick crack". When you start off, cracking with IDA will take you ten times longer than cracking with W32dasm, of course using soft-ice; when you get used to it, you will crack 10x as fast in IDA and never touch soft-ice again (as Quine said, how many times do you really NEED to be in ring 0 code?).

Now, for IDA's "strange names".
the "a" prefix stands for "ASCII String". You can change it in ida.cfg in the line
ASCII_PREFIX = "a"
the prefix "j_" stands for "jump to location labelled:"
the prefix "sub_" stands for "subroutine at address:"

Now, let's just say that you open explorer.exe in IDA. you want to see what the exports are. You can either
1) View-Segments, look for .idata and jump to that segment...which isn't here (for some reason they are in _rdata) so we
2) View-Names, and look for API functions. Wow, there are a ton. A good one might be CreateWindowExW. Doubleclick that name, and the code window will jump to the imports section. There will be a line with a yellow label (white is comment) CreateWindowExW about 10 (the max I allowed in my ida.cfg; usually it is 2) blue XREFs (things like sub_159295F). These are locations that call CreateWindow; double click on any of them to view the code. Press Esc to come back to the CreateWindow imports area.

Well, that's neat, but how do you search for strings? You can try Navigate-SearchFor-Text, though it is slow and the results are printed in the Message (yellow-on-blue) window if nothing is found. I prefer either browsing the Names window for entries beginning with "a" 9they are all clustered together). Actually, I lie, I have written IDc scripts to extract the strings and imports for me :)

OK, this is getting long. Important things to remember:
* IDA is not w32dasm and requires a different approach
* Use the Names window
* Learn to write IDC scripts (they help a lot)
* Know the file format (i.e., where the imports are)
* Always define data strings when you find them
ans
* Always Name (and comment!) code locations !!!

I cannot stress this last one enough.

_m



fravia+,

I just read the IDA page in the new section and thought I might be able to add something helpful that I discovered recently.

IDA by default prefixes string names with an "a". One of the other things it does is strip out characters that may affect recompilation. From a crackers point of view, this can increase the time an tedium involved in our pursuit.

For example, the string "%s-%c%c-%d" would be converted to "asccd", which is nowhere near as obvious. Sure, you can click on the reference and be taken to the actual string, but that's an extra click for every string you want to look at.

The solution can be found in the ida.cfg file under the NameChars section. The heading states, "the following characters are allowed in user-defined names," and looks like this:

NameChars =
"$?@" // asm specific character
"_0123456789"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz";

What the comment doesn't tell you is that autogenerated names are considered user-defined. That means that only the above chars can be display in a name. Phooey! That certainly detracts from the code readability. Let's fix that.

Change the entry to read something like this:

NameChars =
" !\"#$%&'()*+,-./0123456789:;<=>?"
"@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"
"`abcdefghijklmnopqrstuvwxyz{|}~";

Now we can see our "%s-%c%c-%d" string the way it is in the program!


edison (No, not ed!son)
in fieri... October 1998




You are deep inside fravia's page of reverse engineering, choose your way out:

TOUGH
Our Tools
redhomepage red links red anonymity +ORC redstudents' essays redacademy database
redantismut redtools redcocktails redsearch_forms redmail_fravia
redIs reverse engineering illegal?