
IDA Pro


8 replies to this topic

#1 thepcdude

thepcdude

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 353 posts
  • Location:Computer, Desk

Posted 14 April 2009 - 09:26 PM

I've recently fallen in love with IDA and all its features: renaming functions, variables, and offsets. The graph view is heavenly, and it's just an amazing program. But sometimes in the code I see an area like this:

.text:0040159C var_54= dword ptr -54h
.text:0040159C var_50= dword ptr -50h
.text:0040159C var_4B= byte ptr -4Bh
.text:0040159C var_4A= byte ptr -4Ah
.text:0040159C var_49= byte ptr -49h
.text:0040159C var_48= dword ptr -48h
.text:0040159C var_44= dword ptr -44h
.text:0040159C var_40= dword ptr -40h
.text:0040159C var_3C= dword ptr -3Ch
.text:0040159C var_38= dword ptr -38h
.text:0040159C var_34= dword ptr -34h
.text:0040159C var_30= dword ptr -30h
.text:0040159C var_2C= dword ptr -2Ch
.text:0040159C var_28= dword ptr -28h
.text:0040159C var_24= dword ptr -24h
.text:0040159C var_20= dword ptr -20h
.text:0040159C var_1A= word ptr -1Ah
.text:0040159C var_18= dword ptr -18h
.text:0040159C var_13= byte ptr -13h
.text:0040159C var_12= byte ptr -12h
.text:0040159C var_11= byte ptr -11h
.text:0040159C var_10= dword ptr -10h
.text:0040159C var_C= dword ptr -0Ch
.text:0040159C var_8= dword ptr -8
.text:0040159C var_4= dword ptr -4
.text:0040159C arg_0= dword ptr  8
.text:0040159C arg_4= dword ptr  0C

And I'm wondering what this is. Any help would be appreciated. I <3 reversing :D

#2 livinded

livinded

    Dangerous free thinker

  • Agents of the Revolution
  • 1,942 posts
  • Location:~/

Posted 15 April 2009 - 04:32 PM

I'm not sure without the context of the rest of the area, but it looks like it's just moving data around. Assuming that it's being parsed correctly, it looks a little odd. I'm not sure what ptr is pointing to, but my assumption is that it's just pulling a bunch of data from one place to another. Maybe an unrolled loop?

#3 Swerve

Swerve

    Dangerous free thinker

  • Members
  • 809 posts
  • Country:
  • Gender:Male

Posted 15 April 2009 - 05:47 PM

What is .text ?

An unrolled loop, wow.

Why would you use a rolled loop?


Is it not IDA Pro which shows you a GUI of the paths the code can take? User enters 'Y' and an If/Else says 'yes', satisfactory serial number, or not. And if you modify the Assembly code, it will skip the check/pass a true to the result you want, which IDA Pro can show you beforehand.

Edited by Swerve, 15 April 2009 - 05:48 PM.


#4 thepcdude

thepcdude

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 353 posts
  • Location:Computer, Desk

Posted 15 April 2009 - 09:17 PM

> What is .text ?
>
> Is it not IDA Pro which shows you a GUI of the paths the code can take? User enters 'Y' and an If/Else says 'yes', satisfactory serial number, or not. And if you modify the Assembly code, it will skip the check/pass a true to the result you want, which IDA Pro can show you beforehand.

.text is the code area of the PE. Usually. Different if packed, or changed. And IDA does an amazing job at making a graphical representation of the code, and does show you what road it takes as a red/green arrow. Patching is weird in IDA, but you can toggle the Z flag, which will let you influence JNZs and stuff.

#5 livinded

livinded

    Dangerous free thinker

  • Agents of the Revolution
  • 1,942 posts
  • Location:~/

Posted 15 April 2009 - 10:02 PM

> What is .text ?
>
> An unrolled loop, wow.
>
> Why would you use a rolled loop?
>
> Is it not IDA Pro which shows you a GUI of the paths the code can take? User enters 'Y' and an If/Else says 'yes', satisfactory serial number, or not. And if you modify the Assembly code, it will skip the check/pass a true to the result you want, which IDA Pro can show you beforehand.

> > What is .text ?
> >
> > Is it not IDA Pro which shows you a GUI of the paths the code can take? User enters 'Y' and an If/Else says 'yes', satisfactory serial number, or not. And if you modify the Assembly code, it will skip the check/pass a true to the result you want, which IDA Pro can show you beforehand.
>
> .text is the code area of the PE. Usually. Different if packed, or changed. And IDA does an amazing job at making a graphical representation of the code, and does show you what road it takes as a red/green arrow. Patching is weird in IDA, but you can toggle the Z flag, which will let you influence JNZs and stuff.

First of all, Swerve, maybe you should read a little about disassemblers and debuggers before attempting to make useless comments about something which you appear to know nothing about. Second of all, an unrolled loop, as opposed to a loop, is when a compiler removes the check to see if it should continue executing the code and instead just assembles the block that would normally be executed as many times as the loop would run. It is an attempt to increase performance at the cost of size to the executable.

And thepcdude, the .text section isn't just for PE; ELF uses it as well, and I'm sure other formats use the same name and do at least use the same concept of separating the data from instructions.

#6 Swerve

Swerve

    Dangerous free thinker

  • Members
  • 809 posts
  • Country:
  • Gender:Male

Posted 16 April 2009 - 04:50 PM

Well, I was asking, not stating. I've never installed IDA Pro, but when I do I'll be releasing my first book on it later on that day.

#7 thepcdude

thepcdude

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 353 posts
  • Location:Computer, Desk

Posted 16 April 2009 - 07:53 PM

> > > What is .text ?
> > >
> > > Is it not IDA Pro which shows you a GUI of the paths the code can take? User enters 'Y' and an If/Else says 'yes', satisfactory serial number, or not. And if you modify the Assembly code, it will skip the check/pass a true to the result you want, which IDA Pro can show you beforehand.
> >
> > .text is the code area of the PE. Usually. Different if packed, or changed. And IDA does an amazing job at making a graphical representation of the code, and does show you what road it takes as a red/green arrow. Patching is weird in IDA, but you can toggle the Z flag, which will let you influence JNZs and stuff.
>
> First of all, Swerve, maybe you should read a little about disassemblers and debuggers before attempting to make useless comments about something which you appear to know nothing about. Second of all, an unrolled loop, as opposed to a loop, is when a compiler removes the check to see if it should continue executing the code and instead just assembles the block that would normally be executed as many times as the loop would run. It is an attempt to increase performance at the cost of size to the executable.
>
> And thepcdude, the .text section isn't just for PE; ELF uses it as well, and I'm sure other formats use the same name and do at least use the same concept of separating the data from instructions.

Yes, but I meant it in the PE I showed code from. So does anyone have an idea?

#8 trietptm

trietptm

    the 0ne

  • Members
  • 1 posts
  • Country:
  • Gender:Male

Posted 18 June 2014 - 01:30 PM

It's the layout of the function's stack frame, not data-moving instructions :) .



#9 Syn

Syn

    the 0ne

  • Members
  • 1 posts
  • Gender:Not Telling

Posted 01 July 2014 - 11:28 PM

Hi :laughing:

Those are local variables and function arguments, and this is a very useful feature available in IDA.

var_54 is the name (you can change this), dword ptr is the type of the variable (dword is basically a 32-bit unsigned integer), and -0x54 is its offset from EBP. Negative is used because stack addresses go from high memory to low memory.

.text:0040159C var_54= dword ptr -54h

EBP+8 is the address of the first argument (this makes sense since the stack is LIFO and when a function is called arguments are pushed on in reverse order). It is +8 as opposed to +4 because EBP+4 is the saved return address.

.text:0040159C arg_0= dword ptr 8

You can right click on the variable names and rename them, which helps to make the code more readable.

Have a nice day :)
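Syn's reading of the listing, carried through for the whole frame as an added example (this is not code from the thread, from IDA, or from IDAPython): the script below takes the stack-variable lines from the first post, turns each into a name, a size and a signed EBP displacement, and then reports the size of the local area (0x54 bytes below EBP), the bytes IDA gave no name (padding, or slots the compiler never touched by a typed access), and the 8 bytes of stack arguments that start at [EBP+8] because [EBP+0] holds the saved EBP and [EBP+4] the return address. The TYPE_SIZES table and the line regex are my assumptions about IDA's listing text, and the parser deliberately accepts the post's last line, where the usual `h` suffix on `0C` was lost.

```python
import re
from dataclasses import dataclass

# Stack-frame summary IDA printed for the function at .text:0040159C, as
# pasted in the first post of this thread (the thread's own listing).
IDA_FRAME = """\
.text:0040159C var_54= dword ptr -54h
.text:0040159C var_50= dword ptr -50h
.text:0040159C var_4B= byte ptr -4Bh
.text:0040159C var_4A= byte ptr -4Ah
.text:0040159C var_49= byte ptr -49h
.text:0040159C var_48= dword ptr -48h
.text:0040159C var_44= dword ptr -44h
.text:0040159C var_40= dword ptr -40h
.text:0040159C var_3C= dword ptr -3Ch
.text:0040159C var_38= dword ptr -38h
.text:0040159C var_34= dword ptr -34h
.text:0040159C var_30= dword ptr -30h
.text:0040159C var_2C= dword ptr -2Ch
.text:0040159C var_28= dword ptr -28h
.text:0040159C var_24= dword ptr -24h
.text:0040159C var_20= dword ptr -20h
.text:0040159C var_1A= word ptr -1Ah
.text:0040159C var_18= dword ptr -18h
.text:0040159C var_13= byte ptr -13h
.text:0040159C var_12= byte ptr -12h
.text:0040159C var_11= byte ptr -11h
.text:0040159C var_10= dword ptr -10h
.text:0040159C var_C= dword ptr -0Ch
.text:0040159C var_8= dword ptr -8
.text:0040159C var_4= dword ptr -4
.text:0040159C arg_0= dword ptr  8
.text:0040159C arg_4= dword ptr  0C
"""

TYPE_SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}  # assumed x86 sizes
LINE_RE = re.compile(r"^\.\w+:[0-9A-Fa-f]+\s+(?P<name>\w+)\s*=\s*"
                     r"(?P<type>byte|word|dword|qword)\s+ptr\s+(?P<off>-?[0-9A-Fa-f]+h?)\s*$")

def parse_ida_number(tok):
    """IDA writes hex with a trailing 'h' (-54h) and small values bare (-4).
    The last line of the thread's listing reads '0C' with the 'h' lost, so a
    bare token that is not decimal is read as hex."""
    sign, body = (-1, tok[1:]) if tok.startswith("-") else (1, tok)
    if body.lower().endswith("h"):
        return sign * int(body[:-1], 16)
    try:
        return sign * int(body, 10)
    except ValueError:
        return sign * int(body, 16)

@dataclass(frozen=True)
class StackVar:
    name: str
    type: str
    offset: int   # signed displacement from EBP
    size: int     # bytes the slot covers, from TYPE_SIZES

def parse_frame(listing):
    """Parse IDA's 'name= type ptr offset' lines, sorted from lowest address up."""
    out = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # skip blank lines or ordinary instructions mixed into the paste
            out.append(StackVar(m["name"], m["type"], parse_ida_number(m["off"]),
                                TYPE_SIZES[m["type"]]))
    return sorted(out, key=lambda v: v.offset)

def summarize(frame):
    """Size of the local area, bytes of stack arguments, and unnamed gaps."""
    locals_ = [v for v in frame if v.offset < 0]
    args = [v for v in frame if v.offset > 0]
    gaps, cursor = [], (locals_[0].offset if locals_ else 0)
    for v in locals_:           # walk upward; any byte no variable covers is a gap
        if v.offset > cursor:
            gaps.append((cursor, v.offset - cursor))
        cursor = max(cursor, v.offset + v.size)
    if cursor < 0:              # hole between the last local and the saved EBP
        gaps.append((cursor, -cursor))
    return {
        "local_bytes": -locals_[0].offset if locals_ else 0,  # local area is at least this big
        "named_local_bytes": sum(v.size for v in locals_),
        "gaps": gaps,                   # (ebp offset, size) of bytes IDA did not type
        "arg_bytes": sum(v.size for v in args),
        # [EBP+0] holds the caller's EBP and [EBP+4] the return address, so
        # a standard frame puts its first stack argument at [EBP+8].
        "first_arg_at_ebp_plus_8": bool(args) and args[0].offset == 8,
    }

if __name__ == "__main__":
    for v in parse_frame(IDA_FRAME):
        print(f"[ebp{v.offset:+#x}] {v.type:<5} {v.name}")
    print(summarize(parse_frame(IDA_FRAME)))
```

Run as-is it prints one line per slot from [ebp-0x54] up to [ebp+0xc] and then the summary: 84 bytes of local area of which 80 are named, three unnamed gaps (one byte at -0x4C, two at -0x1C, one at -0x14), and 8 bytes of arguments starting at [EBP+8]. The gaps are the places worth a second look when renaming variables, since they are either alignment padding or bytes the function reaches through a pointer rather than a direct [ebp+off] access.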






BinRev is hosted by the great people at Lunarpages!