banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

"Learning Notes on Starting IDA Reverse Engineering from Scratch - 1 (Basic Introduction)"

#逆向761
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This article explains how to identify the version of an application using a hex editor called HxD. It also shows how to use the IDA software to view the application's architecture and version. The article includes instructions on how to open the application in IDA, how to switch between graphical and non-graphical instruction lists, and how to search for specific characters in the code. Additionally, it explains how to save settings and view external function references.

Identifying Application Version

Using the hexadecimal editor HxD to view the application version

You can see that the above application is a 32-bit program, with "PE" followed by "PE..L..." If it is a 64-bit program, "PE" is followed by "PE..d+".

You can also view the application version through an IDE.

Since we know that this is a 32-bit program, we will use a 32-bit version of IDA to open it.

After opening it, the IDA: Quick start window will appear.

Click "new" to find the target application and load it. The interface will look like this:

Click OK, no settings are needed here, IDA will automatically recognize the architecture of the program.

Views

After opening, the displayed window will show the disassembly view.

Press the space bar to switch between graphical and non-graphical instruction lists.

In Options-General-Disassembly, check "Line prefixes" to display the addresses of instructions in the graphical view.

At first, it will look like this:

After modification:

IDA has multiple view modes, which can be seen in the view-Open subviews menu.

Function Entry Point Recognition

When there are multiple references pointing to the same address at the function entry point, the last repetition can be used as the function entry point, in this case, it is "push 0".

Save Settings

This setting allows you to save the current configurations, so that you can directly load them next time.

Character Search

In the IDA include list tab, such as FUNCTIONS, STRINGS, NAMES, etc., you can search by pressing "CTRL+F" and filter based on the input characters. Opening the menu bar VIEW-OPEN SUBVIEW-STRINGS, you can search for all strings containing "Lu".

Opening the menu bar VIEW-OPEN SUBVIEW-DISASSEMBLY, you can open a second disassembly tab that displays different content from the first one.

There are 3 disassembly display views here.

Opening the menu bar VIEW-OPEN SUBVIEW-HEX DUMP can display the hexadecimal view.

Right-clicking can switch to text mode, or you can press the space bar to switch.

The text view looks like this:

Opening view-Open subviews-import can view the referenced external functions.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.