thepcdude

IDA Pro

9 posts in this topic

I've recently fallen in love with IDA and all its features. Renaming functions, variables, and offsets. The graph view is heavenly, and it's just an amazing program. But sometimes in the code I see an area like this:

.text:0040159C var_54= dword ptr -54h
.text:0040159C var_50= dword ptr -50h
.text:0040159C var_4B= byte ptr -4Bh
.text:0040159C var_4A= byte ptr -4Ah
.text:0040159C var_49= byte ptr -49h
.text:0040159C var_48= dword ptr -48h
.text:0040159C var_44= dword ptr -44h
.text:0040159C var_40= dword ptr -40h
.text:0040159C var_3C= dword ptr -3Ch
.text:0040159C var_38= dword ptr -38h
.text:0040159C var_34= dword ptr -34h
.text:0040159C var_30= dword ptr -30h
.text:0040159C var_2C= dword ptr -2Ch
.text:0040159C var_28= dword ptr -28h
.text:0040159C var_24= dword ptr -24h
.text:0040159C var_20= dword ptr -20h
.text:0040159C var_1A= word ptr -1Ah
.text:0040159C var_18= dword ptr -18h
.text:0040159C var_13= byte ptr -13h
.text:0040159C var_12= byte ptr -12h
.text:0040159C var_11= byte ptr -11h
.text:0040159C var_10= dword ptr -10h
.text:0040159C var_C= dword ptr -0Ch
.text:0040159C var_8= dword ptr -8
.text:0040159C var_4= dword ptr -4
.text:0040159C arg_0= dword ptr 8
.text:0040159C arg_4= dword ptr 0C

And I'm wondering what this is. Any help would be appreciated. I <3 reversing :D


I'm not sure without the context of the rest of the area, but it looks like it's just moving data around. Assuming that it's being parsed correctly it looks a little odd. I'm not sure what ptr is pointing to, but my assumption is that it's just pulling a bunch of data from one place to another. Maybe an unrolled loop?


What is .text ?

An unrolled loop, wow.

Why would you use a rolled loop?

Is it not IDA Pro which shows you a GUI of the paths the code can take? User enters 'Y' and an If/Else says 'yes', satisfactory serial number, or not. And if you modify the Assembly code, it will skip the check/pass a true to the result you want, which IDA Pro can show you beforehand.

Edited by Swerve

.text is the code area of the PE. Usually. Different if packed, or changed. And IDA does an amazing job at making a graphical representation of the code, and does show you what road it takes as a red/green arrow. Patching is weird in IDA, but you can toggle the Z flag, which will let you influence JNZs and stuff.


First of all, Swerve, maybe you should read a little about disassemblers and debuggers before attempting to make useless comments about something which you appear to know nothing about. Second of all, an unrolled loop, as opposed to a loop, is when a compiler removes the check to see if it should continue executing the code and instead just assembles the block that would normally be executed as many times as the loop would run. It is an attempt to increase performance at the cost of size to the executable.

And thepcdude, the .text section isn't just for PE; ELF uses it as well, and I'm sure other formats use the same name, or at least use the same concept of separating the data from the instructions.


Well, I was asking, not stating. I've never installed IDA Pro, but when I do I'll be releasing my first book on it later on that day.


Yes, but I meant it in the PE I showed code from. So does anyone have an idea?


It's the layout of the function's stack frame, not data-moving instructions :) .


Hi :laughing:

Those are local variables and function arguments, and it is a very useful feature available in IDA.

var_54 is the name (you can change this), dword ptr is the type of the variable (dword is basically a 32-bit unsigned integer), and -0x54 is its offset from EBP. Negative is used because stack addresses go from high memory to low memory.

.text:0040159C var_54= dword ptr -54h

EBP+8 is the address of the first argument (this makes sense since the stack is LIFO and when a function is called arguments are pushed on in reverse order). It is +8 as opposed to +4 because EBP+4 is the saved return address.

.text:0040159C arg_0= dword ptr 8

You can right click on the variable names and rename them, which helps to make the code more readable.

Have a nice day :)
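The listing thepcdude posted is the kind of thing a small script can turn back into a frame map. The following is an added example, not code from the post or from IDA: it parses the frame lines as IDA prints them, then recovers what the reply above describes (the 0x54 bytes of locals below EBP, the saved EBP and return address at EBP+0 and EBP+4, the argument numbering from EBP+8 upward) and also lists the bytes IDA saw no instruction touch, which is why they get no var_ name. It finishes with a C struct view of the same frame, padding included. The function names, the struct name frame_0040159C, the pad_ field names and the cdecl / 4-byte-pointer assumption are mine; the sample listing is retyped from the post, with the last line in IDA's own spelling (0Ch, since IDA writes hex with a trailing h).

```python
import re

SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
CTYPE = {1: "uint8_t", 2: "uint16_t", 4: "uint32_t", 8: "uint64_t"}

# Constructed sample: the listing from the post above, retyped. IDA prints hex
# with a trailing 'h' (leading 0 if it starts with a letter), so "0C" is "0Ch".
FRAME_LISTING = """
.text:0040159C var_54= dword ptr -54h
.text:0040159C var_50= dword ptr -50h
.text:0040159C var_4B= byte ptr -4Bh
.text:0040159C var_4A= byte ptr -4Ah
.text:0040159C var_49= byte ptr -49h
.text:0040159C var_48= dword ptr -48h
.text:0040159C var_44= dword ptr -44h
.text:0040159C var_40= dword ptr -40h
.text:0040159C var_3C= dword ptr -3Ch
.text:0040159C var_38= dword ptr -38h
.text:0040159C var_34= dword ptr -34h
.text:0040159C var_30= dword ptr -30h
.text:0040159C var_2C= dword ptr -2Ch
.text:0040159C var_28= dword ptr -28h
.text:0040159C var_24= dword ptr -24h
.text:0040159C var_20= dword ptr -20h
.text:0040159C var_1A= word ptr -1Ah
.text:0040159C var_18= dword ptr -18h
.text:0040159C var_13= byte ptr -13h
.text:0040159C var_12= byte ptr -12h
.text:0040159C var_11= byte ptr -11h
.text:0040159C var_10= dword ptr -10h
.text:0040159C var_C= dword ptr -0Ch
.text:0040159C var_8= dword ptr -8
.text:0040159C var_4= dword ptr -4
.text:0040159C arg_0= dword ptr 8
.text:0040159C arg_4= dword ptr 0Ch
"""

# One frame line, e.g. ".text:0040159C var_54= dword ptr -54h"
LINE_RE = re.compile(r"^\.\w+:[0-9A-Fa-f]+\s+(?P<name>\w+)\s*=\s*"
                     r"(?P<type>byte|word|dword|qword)\s+ptr\s+(?P<off>-?[0-9A-Fa-f]+h?)\s*$")

def ida_int(tok):
    """IDA number syntax: trailing 'h' means hex, otherwise decimal."""
    neg, tok = tok.startswith("-"), tok.lstrip("-")
    val = int(tok[:-1], 16) if tok[-1] in "hH" else int(tok, 10)
    return -val if neg else val

def parse_frame(listing):
    """Slots of an IDA stack frame, sorted by EBP-relative offset (lowest first)."""
    slots = []
    for line in filter(None, map(str.strip, listing.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("not an IDA frame line: " + line)
        off = ida_int(m["off"])
        slots.append({"name": m["name"], "size": SIZES[m["type"]], "offset": off,
                      "kind": "local" if off < 0 else "arg"})
    return sorted(slots, key=lambda s: s["offset"])

def _gaps(slots, start, stop=None):
    """Byte ranges [a, b) from start (to stop) that no listed slot covers."""
    gaps, end = [], start
    for s in slots:
        if s["offset"] > end:
            gaps.append((end, s["offset"]))
        end = max(end, s["offset"] + s["size"])
    if stop is not None and end < stop:
        gaps.append((end, stop))
    return gaps

def frame_summary(slots, ptr_size=4):
    """Local-area size, argument numbers and untouched bytes of a cdecl EBP frame:
    [EBP+0] is the saved EBP, [EBP+ptr_size] the return address, so the first
    argument is at +2*ptr_size. Gaps are bytes IDA saw no instruction touch."""
    locs = [s for s in slots if s["kind"] == "local"]
    args = [s for s in slots if s["kind"] == "arg"]
    lo = locs[0]["offset"] if locs else 0
    return {"local_bytes": -lo, "arg_count": len(args),
            "arg_index": {a["name"]: (a["offset"] - 2 * ptr_size) // ptr_size for a in args},
            "gaps": _gaps(locs, lo, 0) + _gaps(args, 2 * ptr_size)}

def to_c_struct(slots, ptr_size=4, name="frame_0040159C"):
    """Render the frame as a C struct with explicit padding (hypothetical field names)."""
    out, pos = [f"struct {name} {{"], min(slots[0]["offset"], 0)
    for s in slots:
        if s["kind"] == "arg" and pos <= 0:  # crossing from locals into the caller's pushes
            if pos < 0:
                out.append(f"    uint8_t pad_m{-pos:x}[{-pos}];")
            out += [f"    {CTYPE[ptr_size]} saved_ebp;  /* EBP+0x0 */",
                    f"    {CTYPE[ptr_size]} ret_addr;   /* EBP+{ptr_size:#x} */"]
            pos = 2 * ptr_size
        if s["offset"] > pos:
            out.append(f"    uint8_t pad_{'m' if pos < 0 else 'p'}{abs(pos):x}[{s['offset'] - pos}];")
        out.append(f"    {CTYPE[s['size']]} {s['name']};  /* EBP{s['offset']:+#x} */")
        pos = s["offset"] + s["size"]
    out.append("};")
    return "\n".join(out)
```

On the posted listing, frame_summary reports 0x54 bytes of locals, two arguments (arg_0 is argument 0, arg_4 argument 1) and three untouched ranges: one byte at EBP-0x4C, two bytes at EBP-0x1C and one byte at EBP-0x14. Those are exactly the holes between the byte- and word-sized slots, which is what you would expect from alignment padding or from fields of a structure the function never reads; the three adjacent byte slots var_4B..var_49 and var_13..var_11 are the first things to look at when deciding whether to turn part of the frame into an array or a struct.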
