370 117 4MB
Russian Pages 428
ɈȻɊȺɁ ɆɕɒɅȿɇɂə – ȾɂɁȺɋɋȿɆȻɅȿɊ IDA Pro ɌɈɆ I ɈɉɂɋȺɇɂȿ ɎɍɇɄɐɂɃ ȼɋɌɊɈȿɇɇɈȽɈ əɁɕɄȺ IDA Pro Ⱥɧɧɨɬɚɰɢɹ
, IDA Pro 4.01 , π-
. IDA Pro ,
,
. Intel 80x86 Microsoft.
ȼɜɟɞɟɧɢɟ. Ɉɛ ɷɬɨɣ ɤɧɢɝɟ – –
, IDA Pro.
,
,
, . IDA Pro
, .
,
.
,
, ,
:
IDA Pro .
–« IDA Pro»
IDA Pro», « «
». IDA
,–
IDA
, .
, «
»
,
. , IDA Pro . ɈȻɊȺɓȿɇɂȿ ȺȼɌɈɊȺ Ʉ ɑɂɌȺɌȿɅɘ: ɤɨɝɞɚ ɩɢɫɚɥɢɫɶ ɩɟɪɜɵɟ ɫɬɪɨɤɢ ɷɬɨɣ ɤɧɢɝɢ ɟɟ ɚɜɬɨɪ ɟɳɟ ɧɟ ɨɛɥɚɞɚɥ ɬɟɦ ɨɩɵɬɨɦ, ɤɨɬɨɪɵɣ ɧɟɨɛɯɨɞɢɦ ɞɥɹ ɧɚɩɢɫɚɧɢɹ ɫɩɪɚɜɨɱɧɨɣ ɥɢɬɟɪɚɬɭɪɵ ɩɨɞɨɛɧɨɝɨ ɬɢɩɚ. ȼ ɪɟɡɭɥɶɬɚɬɟ, ɢɡ-ɩɨɞ ɩɟɪɚ ɜɵɥɟɡɥɨ ɧɟɱɬɨ ɭɠɚɫɧɨɟ, ɢ ɜɫɟ ɩɪɢɲɥɨɫɶ ɩɟɪɟɩɢɫɵɜɚɬɶ ɡɚɧɨɜɨ. Ʉ ɫɨɠɚɥɟɧɢɸ, ɫɪɨɤɢ ɢɡɞɚɧɢɹ ɧɟɥɶɡɹ ɛɟɫɤɨɧɟɱɧɨ ɨɬɬɹɝɢɜɚɬɶ (ɱɢɬɚɬɟɥɢ ɧɟɪɜɧɢɱɚɸɬ, ɢɡɞɚɬɟɥɶ ɫɟɪɞɢɬɫɹ) ɢ ɜ ɬɨɦ ɢɡɞɚɧɢɢ, ɱɬɨ ɜɵ ɞɟɪɠɢɬɟ ɫɟɣɱɚɫ ɜ ɪɭɤɚɯ, «ɞɨɜɟɞɟɧɵ ɞɨ ɭɦɚ» ɥɢɲɶ ɞɟɫɹɬɶ ɩɟɪɜɵɯ ɝɥɚɜ ɢɡ ɞɜɚɞɰɚɬɢ, ɚ ɨɫɬɚɥɶɧɵɟ ɞɚɧɵ ɜ ɩɟɪɜɨɡɞɚɧɧɨɦ ɜɚɪɢɚɧɬɟ. 1
Ⱥɜɬɨɪ ɩɪɨɫɢɬ ɱɢɬɚɬɟɥɹ ɢɡɜɢɧɢɬɶ ɟɝɨ ɡɚ ɬɚɤɭɸ ɫɢɬɭɚɰɢɸ ɢ, ɩɨɥɨɠɚ ɪɭɤɭ ɧɚ ɫɟɪɞɰɟ, ɨɛɟɳɚɟɬ, ɱɬɨ ɜ ɫɥɟɞɭɸɳɟɦ ɢɡɞɚɧɢɢ (ɟɫɥɢ ɬɨɥɶɤɨ ɨɞɧɨ ɛɭɞɟɬ ɷɬɨ ɫɥɟɞɭɸɳɟɟ ɢɡɞɚɧɢɟ – ɷɬɨ ɠ ɨɬ ɱɢɬɚɬɟɥɟɣ ɡɚɜɢɫɢɬ) ɜɫɟ ɨɝɪɟɯɢ ɛɭɞɭɬ ɢɫɩɪɚɜɥɟɧɵ. К
К
. 2001 К .
ȼɟɪɫɢɢ IDA Pro IDA Pro
, – , 3.84,
, , 3,84b, 3,85, 4.0,
IDA 3.6. ,
– , .
IDA Pro 4.0.1, . – ɫɬɚɧɞɚɪɬɧɚɹ (IDA Pro Standard), ɩɪɨɝɪɟɫɫɢɜɧɚɹ (IDA Pro Advanced) ɞɟɦɨɧɫɬɪɚɰɢɨɧɧɚɹ (IDA Pro Demo). IDA Pro Standard IDA Pro Advanced , IDA . : Intel 80x86 win32 PE ; – Microsoft Visual C++ 6.0 Borland C++ Builder; , . ( ) – ɝɪɚɮɢɱɟɫɤɚɹ Windows-32 ( IDAG) ɤɨɧɫɨɥɶɧɵɯ MS-DOS, OS/2 Windows-32. . , , Windows-32 ( IDAW) IDA Pro Standard IDA Pro Advanced IDA SDK (Software Development Kit) – , , ( ). IDA Pro, , . SDK IDA Pro,
,
IDA Pro, ,
. . Ɋɢɫɭɧɨɤ 1 ”ida.console.view” Ɍɚɤ ɜɵɝɥɹɞɢɬ ɤɨɧɫɨɥɶɧɚɹ ɢɩɨɫɬɚɫɶ IDA Pro 4.01 Ɋɢɫɭɧɨɤ 2 “ida.gui.view” Ɍɚɤ ɜɵɝɥɹɞɢɬ ɝɪɚɮɢɱɟɫɤɚɹ ɢɩɨɫɬɚɫɶ IDA Pro 4.01 Ɋɢɫɭɧɨɤ 3 “ida.gui.view.4.14.bmp” Ɍɚɤ ɜɵɝɥɹɞɢɬ ɝɪɚɮɢɱɟɫɤɚɹ ɢɩɨɫɬɚɫɶ IDA Pro 4.14 Demo 2
Ʉɪɚɬɧɨɟ ɜɜɟɞɟɧɢɟ ɜ ɞɢɡɚɫɫɟɦɛɥɢɪɨɜɚɧɢɟ ɞɢɡɚɫɫɟɦɛɥɢɪɨɜɚɧɢɟ,
– .
:
,
. –
,
,
ɧɟɜɨɡɦɨɠɧɨ.
(
).
, . : (a).
s0,
s0 , “MOV DX, offset s0” “MOV DX, 108h”. – “…offset s0” “…108h” ɧɟ ɢɧɴɟɤɬɢɜɧɚ 1. , ( ɩɪɨɫɬɵɦ ɞɢɡɚɫɫɟɦɛɥɢɪɨɜɚɧɢɟɦ), (b). – , 108h. (c) – 0x10C, DX – 0x108 (d). mov mov int ret s0
ah,9 dx, offset s0 21h
DB 'Hello,World!',0Dh,0Ah,'$'
mov ah,9 mov dx,0108h int 21h ret s0 DB 'Hello,World!',0Dh,0Ah,'$'
( )И
я
(b) Д
Æ
я
:0100 start :0100 :0102 :0105 :0107 :0109 :010B :010B aHelloWorld :010C end
Æ
108h,
, , . .
,
. .
ɫɢɧɬɚɤɫɢɱɟɫɤɢɦ ,
mov ah,09 mov dx,0108h int 21h xor ax,ax int 16h ret s0 DB 'Hello,World!',0Dh,0Ah,'$' ( )М я
proc near mov ah, 9 mov dx, 108h ─┐ int 21h │ xor ax, ax │ int 16h ◄────┘ retn db 'Hello,World!',0Dh,0Ah,'$' start
(d)
– « clue”,
» “this is switch”… , .
“this is key”, , ,
1
f(x) = y ,
, ,
“this is -
. .
DX f(y) = x,
. 3
,
,
,
0x9
0x21. , – ,
,
, «
» ɤɨɧɬɟɤɫɬɧɵɦ) ,
(
. ,
.
, 100%-
.
,
( ),
AX ,
,
BX
, ? MOV MOV ADD MOV ( )
.
(b),
,– ,
AX,offset Table BX,200h ; Index AX,BX Æ AX,[BX]
BB 00 02 01 D8 8B 07 B8 10 00 (b)
, MOV MOV ADD MOV (c)
Æ
AX,0010 BX,0200 AX,BX AX,Word ptr [BX]
.
(a) (b)
, ( «
»
),
,
, (c).
JMP Label Align 4 Label: XOR RET ( )
00: 03: 04: 06: (b)
AX,AX
00: E9 01 00 03: 00 33 05: C0 C3 (c)
jmp add rol
E90100 00 33 C0 C3
04 [bp][di],dh bl,-070; ,
,
, , ,
. ,
,
. , ,
– ,
, . ,
. ,
. – ɚɜɬɨɧɨɦɧɵɟ
, ɢɧɬɟɪɚɤɬɢɜɧɵɟ. .
, , 4
,
! ,
.
,
,
«
»
,
,
,
– . . SOURCER,
IDA.
SOURCER-
– ,
IDA
. SOURCER, ,
π-
.
,
,
,
!
IDA,
ɜɫɟ –
, .
, .
ɉɟɪɜɵɟ ɲɚɝɢ ɫ IDA Pro “Hello, World!”, -IDA Pro
. Microsoft Visual C++ 6.0
“cl.exe first.cpp”
(
):
#include void main() { cout > : > > > > >... b)
OS: : 01: : 29:
5.0 2195 1 CRt0.demo 30 windir=C:\WINNT
CRt0.demo.c ,
2
6
, main.
– , “Start”.
3
,
. ,
CRt0.c (Microsoft Visual C) . , W32Dasm:
, “first.exe”,
c0w.asm (Borland C) –
//******************** Program Entry Point ******** :00401B2C 55 push ebp :00401B2D 8BEC mov ebp, esp :00401B2F 6AFF push FFFFFFFF :00401B31 6870714000 push 00407170 :00401B36 68A8374000 push 004037A8 :00401B3B 64A100000000 mov eax, dword ptr fs:[00000000] :00401B41 50 push eax :00401B42 64892500000000 mov dword ptr fs:[00000000], esp :00401B49 83EC10 sub esp, 00000010 :00401B4C 53 push ebx :00401B4D 56 push esi :00401B4E 57 push edi :00401B4F 8965E8 mov dword ptr [ebp-18], esp Reference | :00401B52 :00401B58 :00401B5A :00401B5C :00401B62 :00401B64 :00401B6A :00401B70 :00401B73 :00401B75 :00401B7B :00401B7E :00401B83 :00401B85 :00401B8A :00401B8B :00401B8D :00401B8F :00401B91 :00401B96
To: KERNEL32.GetVersion, Ord:0174h FF1504704000 33D2 8AD4 8915B0874000 8BC8 81E1FF000000 890DAC874000 C1E108 03CA 890DA8874000 C1E810 A3A4874000 6A00 E8D91B0000 59 85C0 7508 6A1C E89A000000 59
Call dword ptr [00407004] xor edx, edx mov dl, ah mov dword ptr [004087B0], mov ecx, eax and ecx, 000000FF mov dword ptr [004087AC], shl ecx, 08 add ecx, edx mov dword ptr [004087A8], shr eax, 10 mov dword ptr [004087A4], push 00000000 call 00403763 pop ecx test eax, eax jne 00401B97 push 0000001C call 00401C30 pop ecx
edx ecx ecx eax
Referenced by a (U)nconditional or (C)onditional Jump at Address: 3
, Microsoft Visual C –
,
main ,
,
7
|:00401B8D(C) | :00401B97 8365FC00 :00401B9B E8D70C0000
and dword ptr [ebp-04], 00000000 call 00402877
Reference | :00401BA0 :00401BA6 :00401BAB :00401BB0 :00401BB5 :00401BBA :00401BBF :00401BC4 :00401BC9 :00401BCE :00401BCF :00401BD5 :00401BDB :00401BE0 :00401BE3 :00401BE6 :00401BE7 :00401BEC :00401BEF :00401BF1 :00401BF3 :00401BF6 :00401BF7 :00401BF8 :00401BFD :00401BFE :00401BFF a)
Call dword ptr [00407060] mov dword ptr [00409CE4], eax call 00403631 mov dword ptr [00408788], eax call 004033E4 call 0040332B call 004030A5 mov eax, dword ptr [004087C0] mov dword ptr [004087C4], eax push eax push dword ptr [004087B8] push dword ptr [004087B4] call 00401000 add esp, 0000000C mov dword ptr [ebp-1C], eax push eax call 004030D2 mov eax, dword ptr [ebp-14] mov ecx, dword ptr [eax] mov ecx, dword ptr [ecx] mov dword ptr [ebp-20], ecx push eax push ecx call 004031A7 pop ecx pop ecx ret W32Dasm
To: KERNEL32.GetCommandLineA, Ord:00CAh FF1560704000 A3E49C4000 E8811A0000 A388874000 E82A180000 E86C170000 E8E1140000 A1C0874000 A3C4874000 50 FF35B8874000 FF35B4874000 E820F4FFFF 83C40C 8945E4 50 E8E6140000 8B45EC 8B08 8B09 894DE0 50 51 E8AA150000 59 59 C3 “first.exe”,
IDA, ( ).
, –
IDA Pro
,
.
(
“%IDA%/SIG/list”). 00401B2C 00401B2C 00401B2C 00401B2C 00401B2C 00401B2C 00401B2C 00401B2C 00401B2C 00401B2D 00401B2F 00401B31 00401B36 00401B3B
start
proc near
var_20 var_1C var_18 var_14 var_4
= = = = =
dword dword dword dword dword
push mov push push push mov
ptr ptr ptr ptr ptr
-20h -1Ch -18h -14h -4
ebp ebp, esp 0FFFFFFFFh offset stru_407170 offset __except_handler3 eax, large fs:0 8
00401B41 push eax 00401B42 mov large fs:0, esp 00401B49 sub esp, 10h 00401B4C push ebx 00401B4D push esi 00401B4E push edi 00401B4F mov [ebp+var_18], esp 00401B52 call ds:GetVersion 00401B58 xor edx, edx 00401B5A mov dl, ah 00401B5C mov dword_4087B0, edx 00401B62 mov ecx, eax 00401B64 and ecx, 0FFh 00401B6A mov dword_4087AC, ecx 00401B70 shl ecx, 8 00401B73 add ecx, edx 00401B75 mov dword_4087A8, ecx 00401B7B shr eax, 10h 00401B7E mov dword_4087A4, eax 00401B83 push 0 00401B85 call __heap_init 00401B8A pop ecx 00401B8B test eax, eax 00401B8D jnz short loc_401B97 00401B8F push 1Ch 00401B91 call sub_401C30 ; _fast_error_exit 00401B96 pop ecx 00401B97 00401B97 loc_401B97: ; CODE XREF: start+61↑j 00401B97 and [ebp+var_4], 0 00401B9B call __ioinit 00401BA0 call ds:GetCommandLineA 00401BA6 mov dword_409CE4, eax 00401BAB call ___crtGetEnvironmentStringsA 00401BB0 mov dword_408788, eax 00401BB5 call __setargv 00401BBA call __setenvp 00401BBF call __cinit 00401BC4 mov eax, dword_4087C0 00401BC9 mov dword_4087C4, eax 00401BCE push eax 00401BCF push dword_4087B8 00401BD5 push dword_4087B4 00401BDB call sub_401000 00401BE0 add esp, 0Ch 00401BE3 mov [ebp+var_1C], eax 00401BE6 push eax 00401BE7 call _exit 00401BEC ; -----------------------------------------------------00401BEC 00401BEC loc_401BEC: ; DATA XREF: _rdata:00407170↓o 00401BEC mov eax, [ebp-14h] 00401BEF mov ecx, [eax] 00401BF1 mov ecx, [ecx] 00401BF3 mov [ebp-20h], ecx 00401BF6 push eax 9
00401BF7 00401BF8 00401BFD 00401BFE 00401BFF 00401BFF start b)
push ecx call __XcptFilter pop ecx pop ecx retn endp ; sp = -34h “first.exe”,
IDA Pro 4.01
IDA Pro “Using FLIRT signature: VC v2.0/4.x/5.0 runtime”
,
Ɋɢɫɭɧɨɤ 7 "0x003" Ɂɚɝɪɭɡɤɚ ɛɢɛɥɢɨɬɟɤɢ ɫɢɝɧɚɬɭɪ
,
,
0 0401BDB. ,
_exit, main . 0x0401000 –
,
main ,
, IDA Pro
. , IDA
, . call)
“sub_401000” ( ,
, :
00401000 00401000 00401000 00401000 00401000 00401000 00401001 00401003 00401008 0040100D 00401012 00401013 00401013
; -------------- S U B R O U T I N E ---------------------; Attributes: bp-based frame sub_401000 proc near ; CODE XREF: start+AF↓p push ebp mov ebp, esp push offset aHelloSailor ; "Hello, Sailor!\n" mov ecx, offset dword_408748 call ??6ostream@@QAEAAV0@PBD@Z ; ostream::operator%d\n",long(s0)+x);
auto x,s0;x=1;s0=”3h”; Message(">%d\n",x+long(s0));
>4
>4 !
IDA : • • • • •
#define #undef #include #error #ifdef\#ifndef\#else\#endif ȼɧɢɦɚɧɢɟ:
– IDC-
.
Ɂɚɦɟɱɚɧɢɟ:
,
,
, “#inclide ”.
– ,
,
,
BADADDR. IDA
, .
IDA
, :
• • • •
if, else; for; while, do, break, continue; return
Ɂɚɦɟɱɚɧɢɟ:
“for (expr1; expr2; expr3 ) statement” .
– ɫɥɨɠɟɧɢɟ: ɜɵɱɢɬɚɧɢɟ: “-“, ɭɦɧɨɠɟɧɢɟ: “*”, ɞɟɥɟɧɢɟ “/”, ɩɪɢɪɚɳɟɧɢɟ ɧɚ ɟɞɢɧɢɰɭ “++”. “+=” “-=” .
“+”,
27
ɇȿɌ: “!”,
ɂɅɂ-ɂɋɄɅɘɑȺɘɓȿȿ-ɂ:”^”.
,
IDA ɧɟɬ.
ɂ: “&”,
–
ɂɅɂ:”|”,
,
,
ȼɂɊɌɍȺɅɖɇȺə ɉȺɆəɌɖ Ⱥɪɯɢɬɟɤɬɭɪɚ ɜɢɪɬɭɚɥɶɧɨɣ ɩɚɦɹɬɢ ,
, IDA ɜɢɪɬɭɚɥɶɧɭɸ ɩɚɦɹɬɶ. IDA
, , , 32-
IDA
. , . 0xFF000000
.
MAXADDR. (
. IDA
« ,
« IDA « «
»
»), , ɥɢɧɟɣɧɵɯ
. –
, ,
»
«
.
–
»
, (
. «
SegCreate). »
,
ɹɱɟɣɤɭ
8.
,
24-
,
,
. . «
«
. -
»
», «
».
», «
»
( IDA IDA
.
),
, ,
, ! .
ɢɧɢɰɢɚɥɢɡɢɪɨɜɚɧɧɨɟ, ,
32ɮɥɚɝɨɦ
, ( 32
.
ɧɟɢɧɢɰɢɚɥɢɡɢɪɨɜɚɧɧɨɟ . – – . ,
. 13). 16
8
0
Ɋɢɫɭɧɨɤ 13 ɋɬɪɨɟɧɢɟ ɮɥɚɝɚ ɜɢɪɬɭɚɥɶɧɨɣ ɩɚɦɹɬɢ 28
ɜɢɪɬɭɚɥɶɧɨɦ ɦɚɫɫɢɜɟ, ». ɫɬɪɚɧɢɱɧɨɣ
« IDA
.
. – ,
,
,
,
,
,
–
,
.
Ɍɟɯɧɢɱɟɫɤɢɟ ɞɟɬɚɥɢ: ,
«
»
. *.id1, 1.
0x0 0x4 0x6 0x8 0xC 0x10 +0x4 +0x4 +0x4 ...
0x4 0x2 (Word) 0x2 (Word) 0x4 (long) 0x4 (long) 0x4 (long) 0x4 (long) 0x4 (long) 0x4 (long) ...
“Va4” – “Virtual Array version 4” ( ( (
4
)
) ) *.id1
(
) (
) *.id1
…
Ɍɚɛɥɢɰɚ 1 ɫɬɪɭɤɬɭɪɚ ɮɚɣɥɚ *.id1 “tutor.id1”
(ɜɧɢɦɚɧɢɟ, IDA, :
),
. .
00000000: 56 61 34 00 02 00 03 00 │ 66 06 01 00 78 06 01 00 00000010: 98 39 00 00 77 07 01 00 │ 89 07 01 00 DC 5D 00 00 ??? # ( , ) “Va4”: 00 02: 0x10777 0x10788 00 03: 4 ). 66 06 01 00: 78 06 01 00: 98 39 00 00:
–
Va4 ♥ f♠ x♠ 9 w• • ▄]
0x019_o
)
, ( . .
,
. , 0x10666 – 0x10677 (
,
29
77 07 01 00: 89 07 01 00: DC 5D 00 00:
, 0x003998 (
)
“tutor.id1”
: 00003998: 000039A8: 000039B8: 000039C8: 000039D8:
68 4F 64 52 0D
21 01 01 01 01
00 00 00 00 00
00│45 00│0C 00│61 00│4F 00│FF
01 01 01 01 01
00 00 00 00 00
00│4C 00│00 00│00 00│21 00│00
01 01 01 01 00
00 00 00 00 00
00│4C 00│69 00│70 00│20 00│00
01 01 01 01 00
00 00 00 00 00
00 00 00 00 00
,
H! o D r ♪
e , A o
l
l I P
!
,
,
“Hello,
,
IDA Pro!” Ⱥɪɯɢɬɟɤɬɭɪɚ ɫɬɪɚɧɢɱɧɨɣ ɩɚɦɹɬɢ -
,
. IDA
. , ,
,
ɫɬɪɚɧɢɰɚɦɢ. , . . n
, ,
, .
ɨɤɧɨɦ),
( , IDA
.
. ,
, IDA
. ( ), IDA « .
.
, » ,
. .,
«
»
, “AUTOSAVE”
-
. , «Flushing buffers, please wait...ok» Ɂɚɦɟɱɚɧɢɟ:
IDA
« ),
»
( . . (
).
30
??? #
–
!
Ɋɢɫɭɧɨɤ 14 Ɉɤɧɨ ɫɬɪɚɧɢɱɧɨɣ ɩɚɦɹɬɢ , , .
,
,
, . “VPAGES”
.
“VPAGESIZE”
VPAGES == 0, IDA
, . ( . .
8
.
24
),
, . , ,
, ,
,
. 4096
8192
,
(VPAGESSIZE) ,
,
IDA 16-
,
64
128
. , ,
,
,
128
. , IDA *.idb .
VPAGESIZE
«
» ,
,
–
! ,
– ,
IDA
!
31
VPAGES, ,
, IDA
(
.
2). ??? #
CreateNewTable
0 -- 255 256 – 1023 1024 – 2559 2560 – 10 > 10
(FILESIZE * 4) / VPAGESIZE 1048576 / VPAGESIZE FILESIZE / VPAGESIZE 4194304 / VPAGESIZE (FILESIZE * 2) / (VPAGESIZE *5)
1 1 1 - 2,5 4 >4
Ɍɚɛɥɢɰɚ 2 Ⱥɥɝɨɪɢɬɦ ɚɜɬɨɦɚɬɢɱɟɫɤɨɝɨ ɜɵɞɟɥɟɧɢɹ ɩɚɦɹɬɢ – !
–
-
, ). ,
,
IDA ( , Windows OS/2 ,
. .
, .
,
,
,
IDA
16 (
,
2000 )
32-64
ɡɧɚɱɢɬɟɥɶɧɨ
,
.
,
, ,
, . . DATEBASE_MEMORY Memory for b-tree – “DATEBASE_MEMORY”
IDA .
.
, 8
,
(8.192 ). ), 5 (40 «bTree error: not enough memory» DATEBASE_MEMORY = 0, IDA ( .
0 – 256 256 –1 1 – 2.5 2.5 –5 >5
IDA IDA . 3):
5 128 128 – 320 512 FILESIZE / 20 / PAGESIZE
256 1 1 – 2.5 4 FILESIZE / 20
Ɍɚɛɥɢɰɚ 3 Ⱥɥɝɨɪɢɬɦ ɚɜɬɨɦɚɬɢɱɟɫɤɨɝɨ ɨɩɪɟɞɟɥɟɧɢɹ ɪɚɡɦɟɪɚ ɨɤɧɚ , IDA , .
NPAGES 32
,
NPAGESSIZE. 64
,
1024 , 64-
,
(1
,
IDA
).
4 16 Delphi, IDA NPAGES
,
.
. IDA:
(“allocating memory for virtual array”), (“allocating memory for b-tree”) (“allocating memory for name pointers”). , “first.exe” IDA 3.84 : bytes pages size description --------- ----- ---- -------------------------------------------262144 32 8192 allocating memory for b-tree... 65536 16 4096 allocating memory for virtual array... 65536 64 1024 allocating memory for name pointers... ----------------------------------------------------------------Ɋɢɫɭɧɨɤ 15 "Ɉɬɱɟɬ ɨ ɜɵɞɟɥɟɧɢɢ ɩɚɦɹɬɢ ɩɪɢ ɡɚɝɪɭɡɤɟ IDA"
ȼɡɚɢɦɨɞɟɣɫɬɜɢɟ ɫ ɮɢɡɢɱɟɫɤɨɣ ɩɚɦɹɬɶɸ _peek, _poke, _lpoke
_call,
: • • • •
long _poke(long ea, long value) long _lpoke(long ea, long value) long _peek(long ea, long value) long _call(long ea) _poke
_lpoke
value ,
ea _peek
. _call ea
,
ea , . ,
-
IDA
,
,
. ,
, ,
INT 0x13. ,
MS-DOSWindows 9x 32-
IDA Pro. _peek
IDA Pro.
auto a; SegCreate(0xF0000,0xFFFFF,0x0F000,0,0,0); Message(" ... BIOS..."); for (a=0;a tutor.bin”.
) “echo
–
[■] Load Binary or User-Defined Format file File name: F:\IDAN\SRC\1\tutor.bin (•) Binary file ↓▌ (in paragraphs) ↓▌
Loading segment 0x1000 Loading offset 0x666 Processor: metapc Change processor ▄ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ Analysis options ▄ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ [ ] Create segments OK ▄ ▀▀▀▀
Cancel ▄ ▀▀▀▀▀▀▀▀
F1 - Help ▄ ▀▀▀▀▀▀▀▀▀▀▀
Ɋɢɫɭɧɨɤ 16 Ⱦɢɚɥɨɝ ɡɚɝɪɭɡɤɢ ɛɢɧɚɪɧɨɝɨ ɮɚɣɥɚ IDA Pro, “Loading segment ... (in paragraphs)”, ( “Create segment” ( »).
, ),
, ,
0x666, «
Ɂɚɦɟɱɚɧɢɟ:
IDA Pro ,
–
, .
34
: 0:00010666 ; File Name : 0:00010666 ; Format : 0:00010666 ; Base Address: 0:00010666 0:00010666 0:00010666 0:00010667 0:00010668 0:00010669 0:0001066A 0:0001066B 0:0001066C 0:0001066D 0:0001066E 0:0001066F 0:00010670 0:00010671 0:00010672 0:00010673 0:00010674 0:00010675 0:00010676 0:00010677 0:00010677 0:00010677
0x1000*0x10+0x666,
F:\IDAN\SRC\1\tutor.bin Binary File 1000h Range: 10666h - 10678h Loaded length: 0012h db db db db db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh 0Ah
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
end
, ,
. .
,
. – Byte(long ea), Dword(long ea) –
Word(long ea)
, ,
. 0xFF ( Word
Dword,
– Word
Dword
).
, -
, . –
– . GetFlags (
.
GetFlags)
: if(MS_VAL & GetFlags(ea)) // else // …
,
; ; ,
hasValue(F), :
if(hasValue(GetFlags(ea))) // else //
,
;
isLoaded(ea), :
35
if(isLoaded(ea)) // else // Ɂɚɦɟɱɚɧɢɟ:
,
; ”
byteValue(F),
, GetFlags,
,
,
.
: F = GetFlags(ea); if (hasValue(F)) val = byteValue(F); Byte ,
GetFlags – –
. ,
–
byteValue Byte.
: auto a; Message(“>”); for (a=0x10666;aHello, IDA Pro! (long ea, long value), PatchWord (long ea, long value) ,
PatchByte PatchDword (long ea, long value) .
. : 0:00010666 0:00010667 0:00010668 0:00010669 0:0001066A 0:0001066B 0:0001066C 0:0001066D 0:0001066E 0:0001066F 0:00010670 0:00010671 0:00010672 0:00010673 0:00010674 0:00010675 0:00010676 0:00010677
a)
db db db db db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh 0Ah
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
–
auto a; for(a=0x10666;a0x20) Message("'%c'",Byte(a)); Message("\n"); } a) , 0:00010666○db 0:00010667○db 0:00010668○db 0:00010669○db 0:0001066A○db 0:0001066B○db 0:0001066C○db 0:0001066D○db 0:0001066E○db 0:0001066F○db 0:00010670○db 0:00010671○db 0:00010672○db 0:00010673○db 0:00010674○db
68;'h' 45;'E' 4c;'L' 4c;'L' 4f;'O' c; 0; 69;'i' 64;'d' 61;'a' 0; 70;'p' 52;'R' 4f;'O' 21;'!' 37
0:00010675○db 20; 0:00010676○db d; 0:00010677○db ff;' ' b) – ɋɜɨɞɧɚɹ ɬɚɛɥɢɰɚ ɮɭɧɤɰɢɣ ??? #
ChangeTable ɮɭɧɤɰɢɢ ɜɨɡɜɪɚɳɚɸɳɢɟ ɡɧɚɱɟɧɢɟ ɹɱɟɣɤɢ ɜɢɪɬɭɚɥɶɧɨɣ ɩɚɦɹɬɢ
long Byte(long ea) ,
ea
long Word(long ea) ,
ea
ea+1,
. long Dword(long ea) , ea+3,
ea, ea+1, ea+2
ɮɭɧɤɰɢɢ ɦɨɞɢɮɢɰɢɪɭɸɳɢɟ ɡɧɚɱɟɧɢɟ ɹɱɟɣɤɢ ɜɢɪɬɭɚɥɶɧɨɣ ɩɚɦɹɬɢ void PatchByte(long value) void PatchWord(long value)
ea,long
, ea,
value
ea,long
, ea value
void PatchDword(long ea,long value)
ea+1, ,
ea, ea+1, ea+2 ea+3
ɮɭɧɤɰɢɢ ɬɪɚɫɫɢɪɭɸɳɢɟ ɚɞɪɟɫɚ ɜɢɪɬɭɚɥɶɧɨɣ ɩɚɦɹɬɢ long NextAddr(long ea)
, ,
-
long PrevAddr(long ea)
, , ɮɭɧɤɰɢɢ ɩɨɢɫɤɚ
–
long FindBinary(long ea,long flag,char str) ɮɭɧɤɰɢɢ, ɦɚɧɢɩɭɥɢɪɭɸɳɢɟ ɫ ɮɥɚɝɚɦɢ long GetFlags (long ea) long SetFlags(long flags)
ea,
long
long Byte (long ea) , 38
,
ea.
0 FF,
, . ,
Byte
, .
,
’
,
, :
FF_INV, -
if (FF_INV & GetFlags(ea))) value=Byte(ea); else //
hasValue(F) .
isLoaded(ea)
hasValue(F) , . .:
isLoaded(ea), ,
if(hasValue(GetFlags(ea))) value=Byte(ea); else // if(isLoaded(ea)) value=Byte(ea); else // Byte 24, .
MS_VAL : value = (MS_VAL & GetFlags(ea)). ,
byteValue(F),
(hasValue(F)) value=byteValue(F);” – Byte,
GetFlags – 0xFF. , :”F=GetFlags(ea);
if
.
Ɂɚɦɟɱɚɧɢɟ: , byteValue
Byte
: 0:00010000 0:00010001 0:00010002 0:00010003 0:00010004 0:00010005 0:00010006 0:00010007 0:00010008 0:00010009 0:0001000A 0:0001000B 0:0001000C 0:0001000D 0:0001000E 0:0001000F 0:00010010 0:00010011 a)
db db db db db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh 0Ah
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
– 39
auto a; Message(“>”); for (a=0x10000;a Hello, IDA Pro! c) Byte IDA Pro»
«
“memcpy.idc”,
??? #
IDA.
– change table
ea return
=return == ==0xFF
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: Word, Dword ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long Word (long ea) ( ,
)
ea.
,
, 0xFF,
, . :
0:00010000 0:00010001 0:00010002 0:00010003 0:00010004 0:00010005 0:00010006 0:00010007 0:00010008 0:00010009 0:0001000A 0:0001000B 0:0001000C 0:0001000D 0:0001000E 0:0001000F 0:00010010 0:00010011
db db db db db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh 0Ah
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
Message(“>%X\n”, Word (0x10000)); 40
>6548 Message(“>%X\n”, Word (0x0)); >FFFF Message(“>%X\n”, Word (0x10011)); >FF0A Message(“>%X\n”, Word (0xFFFF)); >48FF ( . . 0x10000 ;
– 0xFFFF. ,
0x10001) – 0x0,
0x1,
0x10011,
, –
, 0xFF!
–
0xFF,
. ,
Word
, . –
’
.
, , Byte.
??? #
– change table
ea return
==return == ==FF?? | ==??FF
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: Byte, Dword. ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long Dword (long ea) . Word. ??? #
– change table
ea ==return return ==(FF) Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: Byte, Word ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ:
41
void PatchByte (long ea, long value) , ea, 7x
value. ( –
EB, . . ),
.
,
,
, . ,
, GetFlags ( Byte). “memcpy.idc”,
IDA. ??? #
– change table
ea value
(
)
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PatchWord, PatchDword ɂɧɬɟɤɪɚɬɢɜɧɵɣ ɚɧɚɥɨɝ: «~EDIT\Patch program\Change byte» void PatchWord (long ea,long value) ea
, PatchByte (
value.
.
PathByte). ??? #
– change table
ea value
(
)
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PatchByte, PatchDword ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: «~EDIT\ Patch program\Change word» void PatchDword (long ea,long value)
ea
value.
PatchByte (
, .
PatchByte) ??? #
– change table
42
ea value
(
)
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PatchByte, PatchWord ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long NextAddr (long ea) , NextAddr (0x0).
.
, BADADDR NextAddr (BADADDR)
: 0:00010000 0:00010001 0:00010002 0:00010003 0:00010004 0:00010005 0:00010006 0:00010007 0:00010008 0:00010009 0:0001000A 0:0001000B 0:0001000C 0:0001000D 0:0001000E 0:0001000F 0:00010010 0:00010011 a)
db db db db db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh 0Ah
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
–
auto a; a=0; while(1) { a=NextAddr(a); if (a==BADADDR) break; Message(">%x\n",a); } b)
NextAddr
>10000 >10001 >10002 >10003 >10004 >10005 >10006 >10007 >10008 >10009 >1000a 43
>1000b >1000c >1000d >1000e >1000f >10010 >10011 )
–
??? #
– change table
ea return
=return !=BADADDR ==BADADDR
ea
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PrevAddr ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long PrevAddr (long ea) ,
ea BADADDR
,
. :
0:00010000 0:00010001 0:00010002 0:00010003 0:00010004 0:00010005 0:00010006 0:00010007 0:00010008 0:00010009 0:0001000A 0:0001000B 0:0001000C 0:0001000D 0:0001000E 0:0001000F 0:00010010 0:00010011 a)
db db db db db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh 0Ah
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
–
auto a; a=BADADDR; while(1) { a=PrevAddr(a); if (a==BADADDR) break; Message(">%X\n",a); 44
} b)
PrevAddr
>10011 >10010 >1000F >1000E >1000D >1000C >1000B >1000A >10009 >10008 >10007 >10006 >10005 >10004 >10003 >10002 >10001 >10000 )
–
??? #
– change table
ea return
=return !=BADADDR ==BADADDR
ea
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: NextAddr ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long GetFlags(long ea) , ,
ea. . . ??? #
– change table
ea return
=return !=0 ==0
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SetFlags ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ:
45
void SetFlags(long ea) , ea. . ȼɧɢɦɚɧɢɟ: – ! ??? #
– change table
ea Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: GetFlags ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long FindBinary(long ea,long flag,char str) ,
BADADDR,
. ( ),
(
),
.
, ea . ( ),
, ,
str –
.
“h”,
“x”
. flag : ,
,
;
(
–
,
) ,
.
: seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007 seg000:0008 seg000:0009 seg000:000A seg000:000B seg000:000C seg000:000D seg000:000E seg000:000F
db db db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 0
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
46
Message(">%s\n",atoa(FindBinary( 41"))); ??? #
SegByName("seg000"),1,"49 44
– change table
ea =flag # 0 0 1 0 1 1 =return !=BADADDR ==BADADDR
flag
return
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~Search\Text”, ɋȿȽɆȿɇɌɕ ɂ ɋȿɅȿɄɌɈɊɕ #Definition ɋɟɝɦɟɧɬɨɦ
, .
ɚɞɪɟɫɨɦ ɤɨɧɰɚ -
.
ɛɚɡɨɜɵɦ ɚɞɪɟɫɨɦ
, ɚɞɪɟɫɨɦ ɧɚɱɚɥɚ ,
. , –
;
,
,
. – . .
. ,
, “startea”,
– “endea”,
– “BASE”. “startoffset” :
startoffset = startea – BASE * 0x10
Ɏɨɪɦɭɥɚ 1 ɋɦɟɳɟɧɢɟ ɩɟɪɜɨɝɨ ɛɚɣɬɚ ɜ ɫɟɝɦɟɧɬɟ
,
startoffset , [BASE:offset]
: startea ≥ (BASE* 0x10).
,
: 47
ea = BASE * 0x10 + offset
Ɏɨɪɦɭɥɚ 2 ɉɟɪɟɜɨɞ ɫɟɝɦɟɧɬɧɨɝɨ ɚɞɪɟɫɚ ɜ ɥɢɧɟɣɧɵɣ IDA .
,
, ,
,
.
MK_FP(long BASE*0x10+offset, .
BASE, «
long
offset), » - “[BASE, offset]” 32.
, 16-
,
, . Ɂɚɦɟɱɚɧɢɟ: 4
,
,
, BASEmax* 0x10 = 0xFFFF * 0x10 = 0xFFFF0,
,
. .
. ɫɟɥɟɤɬɨɪɨɜ, 4 ɢɧɞɟɤɫɭ
, 16-
32. . ,
. – 32-
,
. , . , .
, 0x5,0x07,0x16,0x88…
,
, ,
, . – ,
,
.
, (
,
,
, Ɂɚɦɟɱɚɧɢɟ:
).
,
. – ,
(
,
, (
,
), ,
. .).
48
«
,
». ɇɚɜɢɝɚɬɨɪ ɩɨ ɮɭɧɤɰɢɹɦ « IDA
»
“tutor.idb”
,
: 0:00010000 0:00010001 0:00010002 0:00010003 0:00010004 0:00010005 0:00010006 0:00010007 0:00010008 0:00010009 0:0001000A 0:0001000B 0:0001000C 0:0001000D 0:0001000E 0:0001000F 0:00010010
SegCreate(long
db db db db db db db db db db db db db db db db db
startea,long
,
endea,long ,
),
,
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
base,long ,
use32,long
align,long , (
comb),
SegCreate, : «SegCreate(0x10000, 0x10012, 0x1000, 0, 0, 0);»
seg000:0000 ; Segment type: Regular seg000:0000 seg000 segment at 1000h private '' use16 seg000:0000 assume cs:seg000 seg000:0000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing seg000:0000 db 48h ; H seg000:0001 db 65h ; e seg000:0002 db 6Ch ; l seg000:0003 db 6Ch ; l seg000:0004 db 6Fh ; o seg000:0005 db 2Ch ; , seg000:0006 db 20h ; seg000:0007 db 49h ; I seg000:0008 db 44h ; D seg000:0009 db 41h ; A seg000:000A db 20h ; seg000:000B db 50h ; P seg000:000C db 72h ; r seg000:000D db 6Fh ; o seg000:000E db 21h ; ! seg000:000F db 20h ; seg000:0010 db 0Dh ; seg000:0011 db 0Ah ; seg000:0011 seg000 ends
49
, IDA ( ) “seg001”, “seg002” . . “long SegByName(char segname)” 4 .
“seg000”,
“000”
. ,
,
:
Message(“>%X\n”, SegByName(“seg000”)); > 10000 “success SegRename(long ea, , . :
char name)” ,
–
SegRename(SegByName("seg000"),"MySeg"); MySeg:0000 ; Segment type: Regular MySeg:0000 MySeg segment at 1000h private '' use16 MySeg:0000 assume cs:MySeg MySeg:0000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing MySeg:0000 db 48h ; H MySeg:0001 db 65h ; e MySeg:0002 db 6Ch ; l MySeg:0003 db 6Ch ; l MySeg:0004 db 6Fh ; o MySeg:0005 db 2Ch ; , MySeg:0006 db 20h ; MySeg:0007 db 49h ; I MySeg:0008 db 44h ; D MySeg:0009 db 41h ; A MySeg:000A db 20h ; MySeg:000B db 50h ; P MySeg:000C db 72h ; r MySeg:000D db 6Fh ; o MySeg:000E db 21h ; ! MySeg:000F db 20h ; MySeg:0010 db 0Dh ; MySeg:0011 db 0Ah ; MySeg:0011 MySeg ends
“disable”
long disable)”
“success SegDelete (long ea, ,
, ,
. : SegDelete(0x10000, 0); 0:00010000 0:00010001 0:00010002 0:00010003 0:00010004 0:00010005 0:00010006 0:00010007 0:00010008 0:00010009 0:0001000A 0:0001000B 0:0001000C 0:0001000D 4
. .
db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh
SegDelete(0x10000, 0); ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o ,
[■]
IDA view-A ↑
I D A P r o
,
0x10
. 50
0:0001000E 0:0001000F 0:00010010 0:00010011
db db db db
21h 20h 0Dh 0Ah
;! ; ; ;
– . “tutor.bin”,
, . “View” (
“Segments” ),
–
. ,
, IDA (
.
17) Ɋɢɫɭɧɨɤ 17 “0x020” ɋɨɡɞɚɧɢɟ ɫɟɝɦɟɧɬɚ ɩɨ ɜɵɞɟɥɟɧɧɨɣ ɨɛɥɚɫɬɢ «Segment Name»
, IDA
. , Startea BASEdef = 0x10 , .
offsetdef = Startea AND 0xF, ,
, , Crypt.com, , IDA
offsetdef ≤ 0xF.
,
. .
offsetdef --
(~File\Load file\Additional binary file), 0x20100 , , , 0x2010, 0x0, 0x100! –
. ,
0x2000, :
[■] Name seg000 seg001 2/2
Program Segmentation 3 [↑] Start End Align Base Type Cls 32es ss ds fs gs ▲ 00000000 00000012 byte 1000 pub N FFFF FFFF FFFF FFFF FFFF 00010000 00010012 00000100 0000013C byte 2000 pub N FFFF FFFF FFFF FFFF FFFF 00020100 0002013C ■ ▼ ◄■ ►─┘
Ɋɢɫɭɧɨɤ 18
. [■]
: Change segment attributes
Segment name Segment class Start address End address
seg001 0x20100 0x2013C
(•) 16-bit segment ( ) 32-bit segment
↓▌ ↓▌ ↓▌ ↓▌ Combination ▄ (public) ▀▀▀▀▀▀▀▀▀▀▀▀▀ 51
Alignment ▄ (byte) ▀▀▀▀▀▀▀▀▀▀▀
[X] Move adjacent segments [ ] Disable addresses OK ▄ ▀▀▀▀
Cancel ▄ ▀▀▀▀▀▀▀▀
F1 - Help ▄ ▀▀▀▀▀▀▀▀▀▀▀
Ɋɢɫɭɧɨɤ 19
.
: (BASE * 0x10) ≤ Startea > Endea, ,
. . , .
, IDA “Move adjacent segments”
,
.
: │xxxxx│ ├─────┤Å seg000 │ │ │ ↑ │ │ │ │ ├── ──┤Å seg001 │ │ │ │ ├─────┤ │xxxxx│ )
│xxxxx│ ├─────┤Å seg000 │ │ ├─────┤Å seg001 │ │ ├ ┤ │ │ │ │ ├─────┤ │xxxxx│ )
│xxxxx│ ├─────┤Å seg000 │ │ ├ ┤Å « │ │ ├─────┤Å seg001 │ │ │ │ ├─────┤ │xxxxx│
»
)
Ɋɢɫɭɧɨɤ 20 ɂɡɦɟɧɟɧɢɟ ɝɪɚɧɢɰ ɫɟɝɦɟɧɬɨɜ ??? #
–
,
. – .
(10.a) seg001. , IDA 10.b; «
», “Disable addresses” ,
seg000, “Move adjacent segment” “seg001” , 10.c « », . ȼɧɢɦɚɧɢɟ! Э !
. 0x20120 (
, “seg000” “set_segm_end(10000) -> 20120: areas overlap” , . adjacent segment”, , , “seg000” “seg001”
“seg000” “seg001”). – IDA “Move ,
,
, 52
“seg000”
0x10012,
“seg001” –
0x20100. ,
,
:
“seg001” 0x20100),
– ;
“seg000” , “Move adjacent segment”.
( . . “seg000” :
“seg000”,
“seg001” “Start address”
, 0x20120;
“seg000” “End address”
, 0x20100, ,
“End Address”
0x20120”.
. : , 0x20120.
“End address”
. SegCreate, SegBounds, SegRename, SegClass, SegAlign, SegComb, SegAddrng success SegBounds (long ea,long startea,long endea,long disable) , , startea, endea – , disable ( ). , startea ≥ BEGIN_ADDRES * 0x10, . . . , “seg000” : “SegBounds(0x10000,0x10000,0x10012,1);” 0x10000, IDA . , “SegCreate(0x100000,0x100100,0x10000,0,0,0);” : [■] Name seg000 seg001 seg002 3/3
,
Program Segmentation Start End Align Base Type Cls 32es ss 00000000 00000012 byte 1000 pub CODE N FFFF FFFF 00000100 0000013C byte 2000 pub N FFFF FFFF 00000000 00000100 at 0001 pub N FFFF FFFF ◄■
0x1 –
, ,
[■] Sel Value 0001 00010000
ds FFFF FFFF FFFF
fs FFFF FFFF FFFF
3 [↑] gs ▲ FFFF 00010000 00010012 FFFF 00020100 0002013C ■ FFFF 00100000 00100100 ▼ ►─┘
“seg002” 0x1, , 0x0, 0x1000000 – 0x1 * 0x10 = 0xFFFFF0. . “,”: Selectors
3 [↑]
▲
▼ ─┘
1/1 ,
, .
: [■]Define a selector 53
Selector 0x1 ↓▌ Value 0x10000 OK ▄ ▀▀▀▀
↓▌
Cancel ▄ ▀▀▀▀▀▀▀▀ startea ≥ BASE_ADDRES * 0x10, ,
,
.
,
, ,
,
, . . offset = NEG (|startea - SEL_VALUE|) . 0x1 :
seg002:FFFFFFF0 seg002 seg002:FFFFFFF0 seg002:FFFFFFF0 seg002:FFFFFFF0 seg002:FFFFFFF0 seg002:FFFFFFF1 seg002:FFFFFFF2 seg002:FFFFFFF3 seg002:FFFFFFF4 seg002:FFFFFFF5 seg002:FFFFFFF6 seg002:FFFFFFF7 seg002:FFFFFFF8 seg002:FFFFFFF9 seg002:FFFFFFFA seg002:FFFFFFFB seg002:FFFFFFFC seg002:FFFFFFFD seg002:FFFFFFFE seg002:FFFFFFFF seg002:0000 seg002:0001 seg002:0002 seg002:0003 seg002:0004 seg002:0005 seg002:0006 seg002:0007
. [■] Name seg000 seg001 seg002 3/3
db db db db db db db db
segment at 10001h private '' use16 assume cs:seg002 ;org 0FFFFFFF0h assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored db ? ; unexplored ? ; unexplored ? ; unexplored ? ; unexplored ? ; unexplored ? ; unexplored ? ; unexplored ? ; unexplored ? ; unexplored
«SegBounds(0x100000,0x100010,0x100100,1);» : Program Segmentation Start End Align Base Type Cls 32es ss 00000000 00000012 byte 1000 pub CODE N FFFF FFFF 00000100 0000013C byte 2000 pub N FFFF FFFF 00000000 000000F0 at 0001 pub N FFFF FFFF ◄■
“seg002”
ds FFFF FFFF FFFF
fs FFFF FFFF FFFF
4 [↑] gs ▲ FFFF 00010000 00010012 FFFF 00020100 0002013C ■ FFFF 00100010 00100100 ▼ ►─┘
,
. ,
value –
“void SetSelector (long sel,long value)”, , .
sel –
54
,
“SetSelector(0x1,0x10000);” “seg002” “SetSelector(0x4,0x500000);” ).
0x1 , 0x4 (
┌───────────────────────────────────── Program Segmentation ────────────────────────────────4─────┐ │ Name Start End Align Base Type Cls 32es ss ds fs gs │ │ seg000 00000000 00000012 byte 1000 pub CODE N FFFF FFFF FFFF FFFF FFFF 00010000 00010012 │ │ seg001 00000100 0000013C byte 2000 pub N FFFF FFFF FFFF FFFF FFFF 00020100 0002013C │ │ seg002 00000010 00000100 at 0001 pri N FFFF FFFF FFFF FFFF FFFF 00100010 00100100 │ └3/3 ────────────────────────────────────────────────────────────────────────────────────┘ [■] Selectors Sel Value 0001 00010000 0004 00500000
5 [↑]
▲
■ ▼ ─┘
2/2
“void DelSelector (long sel)” – SetSelector (sel, sel). , : offset = startea - sel * 0x10 , sel – !)
, (
. ,
“SelDelete(0x1);”
: [■] Name seg000 seg001 seg002 3/3
Program Segmentation Start End Align Base Type Cls 32es ss 00000000 00000012 byte 1000 pub CODE N FFFF FFFF 00000100 0000013C byte 2000 pub N FFFF FFFF 00100000 001000F0 at 0001 pri N FFFF FFFF ◄■
ds FFFF FFFF FFFF
fs FFFF FFFF FFFF
4 [↑] gs ▲ FFFF 00010000 00010012 FFFF 00020100 0002013C ■ FFFF 00100010 00100100 ▼ ►─┘
Ɋɢɫɭɧɨɤ 21
. , long NextSeg(long ea)
long FirstSeg() , ,
ea.
: auto a; a=FirstSeg(); while(a!=BADADDR) { Message(">%08x\n",a,SegName(a)); a=NextSeg(a); } >00010000 >00020100 >00100010
-
SegName, SegByName; . 55
SegStart
SegEnd .
,
,
, .
auto a; a=FirstSeg(); Message(">Name | Start |End |BASE\n"); Message(">--------------------––––––––-\n”); while(a!=BADADDR) { Message(">%s|%08x|%08x|%08x\n", SegName(a),a,SegEnd(a),SegByName(SegName(a))/0x10); a=NextSeg(a); } Message(">-----------------------------\n\n”); >Name | Start |End |BASE >-------------------------------->seg000|00010000|00010012|00001000 >seg001|00020100|0002013c|00002000 >seg002|00100010|00100100|00010000 >--------------------------------GetSegmentAttr. ɋɜɨɞɧɚɹ ɬɚɛɥɢɰɚ ɮɭɧɤɰɢɣ ??? #
#Unfortunately Change Table ɮɭɧɤɰɢɢ ɩɪɟɨɛɪɚɡɨɜɚɧɢɹ ɚɞɪɟɫɨɜ long MK_FP (long seg, long off) char atoa (long ea)
ɮɭɧɤɰɢɢ, ɪɚɛɨɬɚɸɳɢɟ ɫ ɫɟɝɦɟɧɬɚɦɢ
success SegCreate(long startea,long endea,long base,long use32,long align,long comb) success SegDelete (long ea,long disable)
success SegBounds (long ea,long startea,long endea,long disable)
,
,
long SegStart (long ea) long SegEnd (long ea) long SegByName (char segname) long SegByBase(long base)
56
success SegRename (long ea,char name) success SegAddrng (long ea,long use32) success SegAlign (long ea,long alignment) success SegComb (long segea,long comb) success SegClass (long ea,char class) success SegDefReg (long ea,char reg,long value) success SetSegmentType(long segea,long type)
long GetSegmentAttr (long segea,long attr) char SegName (long ea)
long FirstSeg () long NextSeg (long ea)
Ɏɭɧɤɰɢɢ, ɪɚɛɨɬɚɸɳɢɟ ɫ ɫɟɥɟɤɬɨɪɚɦɢ
void SetSelector (long sel,long value) void DelSelector (long sel)
long AskSelector (long sel) long FindSelector (long val)
long MK_FP (long seg,long off) ea = seg * 0x10 + off.
“seg” ,
,
. “
” (6 ,
,
[“
”,
, «
, – -Æ
MK_FP, “[]”).
“MK_FP()”
Ɂɚɦɟɱɚɧɢɟ:
«
,
].
»
,
,
; ,
»
IDA-C
( . « , MK_FP
, , ,
IDA
» - « ») .
: Message(“>[seg %X,off%X]=%X=%X\n”,0x1000,0x6,MK_FP(0x1000,0x6),[0x1000,0x6]); >[seg 1000,off6]=10006=10006
57
??? #
– change table
seg off return long
(
!),
32-
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ:
[]
ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Calculate” char atoa(long ea) ea
,
: •
ea
, ,
“
:
•
” ea
, ea seg = 0x10; off = ea - seg.
: Message(">%s\n",atoa(0x200010)); >0:00200010 SegCreate(0x200000,0x201000,0x20000,0,0,0); 0. Creating a new segment (00200000-00201000) ... ... OK Message(">%s\n",atoa(0x200010)); >seg000:0010 ??? #
– change table
ea return
32=return !=”” ==””
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: success SegCreate(long startea,long endea,long base,long use32,long align,long comb) (startea),
. (endea) .
(BASE),
58
, ,
,
,
,
. –
IDA, ,
, »
«
,
. ɛɚɡɢɪɨɜɚɧɢɹ , ,
startoffset = startea - BASE * 0x10 . , ,
0x100.
,
. , BASE =
startea - startoffset 0x10
–
use32 ,
16-
– 32-
. ,
,
32. align
, . align
! ,
comb
(
)
. comb
– .
Ⱦɟɬɚɥɢ: )
, SetSelector. ,
16⎛0x10000 * 0x10=1⎞. ⎝ 1024 * 1024 ⎠ ɫɟɥɟɤɬɨɪ, SegCreate,
)
0x10000, IDA .
,
,
( . . ( seg000-> ─────── ┌─> │ │ │ │ ─>
.
), )
seg000-> ───────
─ ─ ─ ─
seg001-> ───────
─ ─ ─ ─
seg002-> ───────
─────── ─┐ SegCreate(x,y,.....);
───────
59
Ɋɢɫɭɧɨɤ 22 ??? ɏɭɞɨɠɧɢɤɭ - ɩɟɪɟɪɢɫɨɜɚɬɶ : (
)
SegCreate(0x1000,0x4000,0x100,0,0,0); 0. Creating a new segment (00001000-00004000) ... ... OK [■] Name seg000
Program Segmentation Start End Align Base Type Cls 32es ss ds 00000000 00003000 at 0100 pri N FFFF FFFF FFFF 00001000 00004000
▲
▼ ►─┘
◄■
1/1
4 [↑]
SegCreate(0x2000,0x3000,0x200,0,0,0); 1. Creating a new segment (00002000-00003000) ... Additional segment (00003000-00004000) ... 2. Creating a new segment (00003000-00004000) ... ... OK ... OK [■] Name seg000 seg001 seg002 1/3
Start End Align 00000000 00001000 at 00000000 00001000 at 00002000 00003000 at
??? #
Program Segmentation Base Type Cls 32es 0100 pri N FFFF 0200 pri N FFFF 0100 pri N FFFF ◄■
4 [↑] ss FFFF FFFF FFFF
ds FFFF 00001000 00002000 FFFF 00002000 00003000 FFFF 00003000 00004000
▲ ■
▼ ►─┘
– change table
startea endea Base use32
3216=use32 ==0 ==1
1632-
aling comb =return ==1 ==0
return
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SetSelector; SegClass; SegAlign; SegComb; SegAddrng; ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”, ; success SegDelete(long ea,long disable) ( ,
. .)
, ,
. ea – ,
, (
. ,
SegCreate – )
60
disable ,
, , .
ȼɧɢɦɚɧɢɟ:
–
,
,
, . , ,
.
. : seg000:0000 seg000 seg000:0000 seg000:0000 seg000:0000 aHelloIdaPro seg000:0000 seg000
)
segment byte public '' use16 assume cs:seg000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing db 'Hello, IDA Pro! ',0Dh,0Ah ; Test ends
,
“aHelloIdaPro”
“Test”
SegDelete(SegByBase(SegByName("seg000")>>4),0); b) 0:00010000 0:00010001 0:00010002 0:00010003 0:00010004 0:00010005 0:00010006 0:00010007 0:00010008 0:00010009 0:0001000A 0:0001000B 0:0001000C 0:0001000D 0:0001000E 0:0001000F 0:00010010
)
db db db db db db db db db db db db db db db db db
–
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h 50h 72h 6Fh 21h 20h 0Dh
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , I D A P r o !
,
-
SegCreate(0x10000,0x10012,0x1000,0,0,0); d) seg000:0000 seg000:0000 ; Segment type: Regular seg000:0000 seg000 segment at 1000h private '' use16 seg000:0000 assume cs:seg000 seg000:0000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing seg000:0000 db 48h ; H seg000:0001 db 65h ; e seg000:0002 db 6Ch ; l seg000:0003 db 6Ch ; l seg000:0004 db 6Fh ; o seg000:0005 db 2Ch ; , seg000:0006 db 20h ; seg000:0007 db 49h ; I seg000:0008 db 44h ; D seg000:0009 db 41h ; A seg000:000A db 20h ; seg000:000B db 50h ; P
61
seg000:000C seg000:000D seg000:000E seg000:000F seg000:0010 seg000:0011 seg000:0011 seg000
e)
db 72h ; r db 6Fh ; o db 21h ; ! db 20h ; db 0Dh ; db 0Ah; ends
–
,
–
.
SegDetele(0x10000,1); f) [■]
IDA view-A
э
j)
–
SegCreate(0x10000,0x10012,0x1000,0,0,0); k) seg000:0000 ; Segment type: Regular seg000:0000 seg000 segment at 1000h private '' use16 seg000:0000 assume cs:seg000 seg000:0000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing seg000:0000 db ? ; unexplored seg000:0001 db ? ; unexplored seg000:0002 db ? ; unexplored seg000:0003 db ? ; unexplored seg000:0004 db ? ; unexplored seg000:0005 db ? ; unexplored seg000:0006 db ? ; unexplored seg000:0007 db ? ; unexplored seg000:0008 db ? ; unexplored seg000:0009 db ? ; unexplored seg000:000A db ? ; unexplored seg000:000B db ? ; unexplored seg000:000C db ? ; unexplored seg000:000D db ? ; unexplored seg000:000E db ? ; unexplored seg000:000F db ? ; unexplored seg000:0010 db ? ; unexplored seg000:0011 db ? ; unexplored seg000:0011 seg000 ends
l) –
–
,
.
??? #
– change table
ea disable
return
=disable ==0 ==1 =return ==1 ==0
, ,
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegCreate ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~Edit\Segments\Delete segment”; “~View\Segments”, 62
success SegBounds(long ea,long startea,long endea,long disable) , . SegCreate. , . , , .
SegCreate
SetSelector (
). , .
SegCreate. . .
,
,
, disable. ??? #
ea startea endea disable
– change table
, 32-
return
=return ==1 ==0
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegCreate ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: ; “~View\Segments”, long SegStart(long ea) ,
,
. , BADADDR,
. :
SegCreate(0x10000,0x20000,0x1000,0,0,0); a) 0x10000 0. Creating a new segment b)
0x20000
(00010000-00020000) ... ... OK
Message(">%X\n",SegStart(0x10100)); c) SegStart,
, 63
>10000 d)
–
??? #
– change table
ea =return
return
!=BADADDR ==BADADDR
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegEnd ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”
[■] Name seg000
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––--┐ │ Program Segmentation │ 3 [↑] Start End Align Base Type Cls 32es ss ds fs gs ▼ ▲ 00000000 00010000 at 1000 pri N FFFF FFFF FFFF FFFF FFFF 00010000 00020000 ▼ ►─┘
◄■
1/1
long SegEnd(long ea) ,
,
. , BADADDR,
. , .
SegCreate. : SegCreate(0x1000,0x2000,0x100,0,0,0); SegCreate(0x2000,0x3000,0x200,0,0,0); a) 0x2000; 0x3000 0. Creating a new segment 1. Creating a new segment
0x1000; 0x2000
(00001000-00002000) ... ... OK (00002000-00003000) ... ... OK
b) Message(">%X\n",SegEnd(0x1100)); c) SegEnd, >2000 d)
,
–
Message(">%X\n",SegStart(0x2000)); e) SegStart, >2000 f)
–
ɜɬɨɪɨɝɨ
.
, 64
–
.
??? #
– change table
ea return
32=return !=BADADDR ==BADADDR
,
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegStart ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”
[■] Name seg000
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––--┐ │ Program Segmentation == ==== │ 3 [↑] Start End Align Base Type Cls 32es ss ds fs gs ▼ ▲ 00000000 00010000 at 1000 pri N FFFF FFFF FFFF FFFF FFFF 00010000 00020000 ▼ ►─┘
◄■
1/1
long SegByName(char segname) (
)
. , . , BADADDR, Ⱦɟɬɚɥɢ:
) .
. SegByName – ,
,
, BASE = SegByName(SegName(ea)). b)
, IDA , . (
) . :
SegCreate(0x1000,0x2000,0x100,0,0,0); SegRename(0x1000,"MySeg"); a) 0x1000 “MySeg” Message(">%X\n",SegByName("MySeg")); b) SegByName
65
>1000 c)
–
MySeg
SegCreate(0x2000,0x3000,0x200,0,0,0); SegRename(0x2000,"MySeg"); d) “MySeg”, 0x2000 [■] Name MySeg MySeg 2/2
e)
,
Program Segmentation 4 [↑] Start End Align Base Type Cls 32es ss ds fs gs ▲ 00000000 00001000 at 0100 pri N FFFF FFFF FFFF FFFF FFFF 00001000 00002000 00000000 00001000 at 0200 pri N FFFF FFFF FFFF FFFF FFFF 00002000 00003000 ■ ▼ ◄■ ►─┘
!
Message(">%X\n",SegByName("MySeg")); f) SegByName >1000 g)
–
??? #
segname return
“MySeg”
– change table
( =return !=BADADDR ==BADADDR
)
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegRename, SegName ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments” –––––––––--┐ ┌–│ [■] ▼ ===== = ▼ Program Segmentation == ===== 3 [↑] Name Start End Align Base Type Cls 32es ss ds fs gs ▲ seg000 00000000 00010000 at 1000 pri N FFFF FFFF FFFF FFFF FFFF 00010000 00020000 ▼ ►─┘
◄■
1/1
long SegByBase(long base) ( .
) ,
, BADADDR, , IDA
, , .
, . : SegCreate(0x1100,0x2000,0x100,0,0,0); a) 0x100
0x1100
Message(">%X\n",SegByBase(0x100)); 66
b)
SegByBase
>1100 c)
–
??? #
– change table
base return
=return !=BADADDR ==BADADDR
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegByName ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments” –––––––-–––––-┐ │ -┐ [■] ======== = ▼ Program Segmentation == │==== Name Start End Align Base Type Cls 32es ss ds fs gs ▼ seg000 00000000 00010000 at 100 pri N FFFF FFFF FFFF FFFF FFFF 0001100 0002000
▲
▼ ►─┘
◄■
1/1
3 [↑]
success SegRename(long ea,char name) , . ,
ea .
,
. .
name .
, ,
. NameChars
,
??? (
name
. IDA ,
“”) ,
. ??? #
–
.
SegByName.
Create New Table
PC Java
, "$?@" 5 “_0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz"; "$_@?!" 6
5 6
,
ɬɨɥɶɤɨ
Java67
"0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" " " "; "$_0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "_0123456789." "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz”
TMS320C6
PowerPC
"7
Ɍɚɛɥɢɰɚ 4 : SegCreate(0x1000,0x2000,0x100,0,0,0); Message(">%s\n",SegName(0x1000)); a) >seg000 b)
– “seg000”
SegRename(0x1000,"666"); Message(">%s\n",SegName(0x1000)); c) SegRename SegName >_666 d)
– ,
“666”
“_666”, -
SegRename(0x1000,” ”); Message(">%s\n",SegName(0x1000)); e) SegRename SegName
«
»
>____________ f) – ??? #
– change table
ea name return
, =return ==1 ==0
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegName, SegByName ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”, ; 7
(
) 68
success SegAddrng(long ea,long use32) , . 0x66
Intel 386+ 32-
16,
,
32-
. - 0x67,
. .
–
«
»,
.
IDA .
, .
, MS-DOS exe IDA
,
.
ȼɧɢɦɚɧɢɟ: –
,
,
. . ,
ea
.
,
. 16-
use32 32-
use16; – use32. 3264 ,
, , IDA
16,
,
«
»
. 328086 (!)
.
: SegCreate(0x1000,0x2000,0x100,0,0,0); a) 16seg000:0000 seg000 b)
segment at 100h private '' use16 .
.
SegAddrng(0x1000,1); c) SegAddrng segment at 100h private '' use32
seg000:00000000 seg000 e) ??? #
– change table
ea use32
return
, =use32 ==0 ==1 =return ==1 ==0
1632-
69
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegCreate ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”, ; success SegAlign(long ea,long alignment) , (byte, word, dword, para, page, mempage). , . ɧɟ ɜɵɪɚɜɧɢɜɚɟɬ :
.
SegCreate(0x1003,0x2000,0x100,0,0,0); a) seg000:0003 seg000 b) ;
0x1003
segment at 100h private '' use16
Message(">1%x\n",SegAlign(0x1003,saRelWord)); c) SegAlign segment word private '' use16
seg000:0003 seg000 >1 d) – ‘word’ (
)
. (
)!
,
,
. ,
,
, .
SegBounds
. ,
ea
.
,
.
alignment , ɨɩɪɟɞɟɥɟɧɢɟ saAbs saRelByte saRelWord saRelPara saRelPage saRelDble saRel4K saGroup saRel32Bytes saRel64Bytes saRelQword
8
# 0 1 2 3 4 5 6 7 8 9 10
??? ɩɨɹɫɧɟɧɢɹ (8 (16
) ) (16 (256-
) Intel) (4
(4
)
PharLap OMF) 8
Segment group 32 64 8
LINK.
70
Ɍɚɛɥɢɰɚ 5 ??? #
– change table
ea alignment return
, (
)
=return ==1 ==0
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegCreate ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”, ; success SegComb(long segea,long comb) , (private, public, common, at, stack). ,
. ,
. ,
segea
.
,
. ,
comb ,
??? :
SegCreate(0x1000,0x2000,0x100,0,0,scPub); a) seg000:0000 seg000 b)
public
segment at 100h public '' ,
SegComb(0x10000,scStack); c) SegComb segment at 100h stack ''
seg000:0000 seg000 d) scPriv scPub
# 0 2
scPub2 scStack
4 5
private. public. ,
Microsoft, stack.
, scPub . public
,
. scCommon scPub3
6 7
common. ,
Microsoft,
,
scPub .
Ɍɚɛɥɢɰɚ 6 ??? #
– change table
71
ea comb
, ( =return 1 0
return
6)
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegCreate ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”, ; success SegClass(long ea,char class) , . , .
(
SegComb), , ???.
, , “CODE”, “DATA”, “STACK”
. .
. .
Ɂɚɦɟɱɚɧɢɟ:
, “CODE”,
,
. : SegCreate(0x1000,0x2000,0,0,scPub); a) public seg000:0000 seg000 b) ,
segment at 100h public ''
SegClass(0x1000,”MySegment”); ) SegClass seg000:0000 seg000 d) К а CODE DATA CONST BSS STACK XTRN
segment at 100h public 'MySegment' ( )
Pure code Pure data Pure data Uninitialized data Uninitialized data Extern definitions segment
я
е
я
Ɍɚɛɥɢɰɚ 7 Ɉɛɳɟɩɪɢɧɹɬɵɟ ɧɚɢɦɟɧɨɜɚɧɢɹ ɤɥɚɫɫɨɜ ɫɟɝɦɟɧɬɨɜ ??? #
– change table 72
ea class
, =return 1 0
return
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegCreate ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments”, ; success SegDefReg(long ea,char reg,long value) , ASSUME.
(
)
. ,
ASSUME (
,
)
. ,
ea
,
ASSUME. “DS”,”ES”,”SS”
,
reg . .
,
. . ,
value
,
. (“nothing”)
. –
, ( (“seg001” dx,es:[0]”,
. “assume.idb”, (“seg00”) “My666” “My777” IDA “mov ax,ds:[0]”
.
): “seg002”), ,
, . “mov .(
) seg000:0000 seg000:0000 seg000:0000 seg000:0000 seg000:0003 seg000:0003 seg000:0003 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg002:0000
seg000
seg000
segment byte public 'CODE' assume cs:seg000 assume es:nothing, ss:nothing, ds:nothing mov ax, ds:0 mov dx, es:0 ends
; ; Segment type: Pure data seg001 segment byte public 'DATA' assume cs:seg001 My666 dw 6666h seg001 ends ; 73
seg002:0000 seg002:0000 seg002:0000 seg002:0000 seg002:0000 seg002:0000
; Segment type: Pure data seg002 segment byte public 'DATA' assume cs:seg002 My777 dw 7777h seg002 ends DefSegReg, :
DefSegReg(SegByName(“seg000”), “DS”, SegByName(“seg001”)>>4); DefSegReg(SegByName(“seg000”), “ES”, SegByName(“seg002”)>>4); , IDA
, (
).
,
. seg000:0000 seg000:0000 seg000:0000 seg000:0000 seg000:0003 seg000:0003 seg000:0003 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg001:0000 seg002:0000 seg002:0000 seg002:0000 seg002:0000 seg002:0000 seg002:0000 seg002:0000 seg002:0000 ??? #
seg000
segment byte public 'CODE' assume cs:seg000 assume es:seg002, ss:nothing, ds:seg001 mov ax, My666 mov dx, es:My777 ends
seg000 ;
; Segment type: Pure data seg001 segment byte public 'DATA' assume cs:seg001 My666 dw 6666h ; DATA XREF: seg000:0000r seg001 ends ; ; Segment type: Pure data seg002 segment byte public 'DATA' assume cs:seg002 My777 dw 7777h ; DATA XREF: seg000:0003r seg002 ends – change table
ea reg val return
, ( ,
, “DS”)
,
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~Edit\Segments\Change segment register value”,
74
success SetSegmentType (long segea,long type) , . ,
segea
.
,
.
typ e , S e gCr ea t e
? ??. » - SEG_NORM.
«
SEG_NORM SEG_XTRN SEG_CODE SEG_DATA SEG_IMP SEG_GRP SEG_NULL SEG_UNDF SEG_BSS SEG_ABSSYM SEG_COMM SEG_IMEM
# 0 1 2 3 4 6 7 8 9 10 11 12
('extern')
.
Java implementation Group of segments (
)
8051
Ɍɚɛɥɢɰɚ 8 : SegCreate(0x1000,0x2000,0x100,0,0,0); a) (
)
seg000:0000 ; Segment type: Regular seg000:0000 seg000 segment at 100h private '' seg000:0000 assume cs:seg000 seg000:0000 assume es:nothing, ss:nothing, ds:nothing b) ( ), ASSUME . SetSegmentType(0x1000,SEG_DATA); c) SetSegnetType
«
»
seg000:0000 ; Segment type: Pure data seg000:0000 seg000 segment at 100h private '' seg000:0000 assume cs:seg000 d) , ASSUME, ES SS . ??? #
ea type return
DS,
– change table
, (
???)
=return !=0 75
0 Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: GetSegmentAttr ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long GetSegmentAttr(long segea,long attr) : ,
,
,
,
,
,
, DefSegReg.
,
SegAlign, – “SetSegmentType”.
SegComb, «
»,
“SegCreate”
“SetSelector”. ,
segea
.
, – attr
attr . ??? #
. ???
– Change Table # 20 21 22
SEGATTR_ALIGN SEGATTR_COMB
ɩɪɢɜɢɥɟɝɢɢ ɞɨɫɬɭɩɚ SEGPERM_EXEC 1 SEGPERM_WRITE 2 SEGPERM_READ 4
SEGATTR_PERM SEGATTR_USE32
SegAlign SegComb
23 24
32
IDA SDK SegAddrnd
ɮɥɚɝɢ ɫɟɝɦɟɧɬɚ ,
ADDSEG_NOSREG
SEGATTR_FLAGS
Add_seg ( IDA SDK)
ADDSEG_OR_DIE
SEGATTR_SEL SEGATTR_DEF_ES SEGATTR_DEF_CS SEGATTR_DEF_SS SEGATTR_DEF_DS SEGATTR_DEF_FS SEGATTR_DEF_GS SEGATTR_TYPE
SetSeelctor
26 28 30 32 34 36 38 40
ES CS SS DS FS GS
DefSegReg
SetSegmentType
Ɍɚɛɥɢɰɚ 9 Ɍɢɩɵ ɫɟɝɦɟɧɬɨɜ ??? #
– change table
ea Type
, (
9)
76
=return !=0 0
return
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegAddrng, SegAling, SegComb, SegClass, SegDefReg, SetSegmentType ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: char SegName(long ea) , ,
ea. . : SegCreate(0x1000,0x2000,0x100,0,0,0); SegRename(0x1000,”MySeg”); a) MySeg:0000 MySeg b)
“MySeg”
segment at 100h private '' )
(
Message(">%s\n",SegName(0x1000)); c) SegName >MySeg d)
–
??? #
Table Change
ea return
, =return !=”” “”
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SegRename, SegByName ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long FirstSeg() .
,
BADADDR,
.
Ɂɚɦɟɱɚɧɢɟ: FirstSeg
NextSeg . :
SegCreate(0x1000,0x2000,0x9,0,0,0); 77
SegCreate(0x100,0x200,0x10,0,0,0); a) 0x100
0x1000.
Message(">%X\n",FirstSeg()); b) FirstSeg >100 c)
–
??? #
Change Table
=return !=BADADDR
return
==BADADDR Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: NextSeg ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments” -┐ [■] ======= = === Program Segmentation │ ======== Name Start End Align Base Type Cls 32es ss ds ▼ seg000 00000000 00000100 at 0010 pri N FFFF FFFF FFFF 00000100 00000200 seg001 00000F70 00001F70 at 0009 pri N FFFF FFFF FFFF 00001000 00002000
3 [↑]
◄■
▲ ■
►─┘
long NextSeg(long ea) , ea. ,
BADADDDR,
. -
,
,
– ,
,
.
Ɂɚɦɟɱɚɧɢɟ: NextSeg
FirstSeg .
К
NextSeg(0)
FirstSeg()
, ,
( ). Ɂɚɦɟɱɚɧɢɟ:
,
, ea,
.
, FirstSeg NextSeg PrevSeg, :
NextSeg
, ea.
– 78
. static PrevSegEx(ea) { uto a; a=0; while (SegEnd(NextSeg(a))100 >1000 >10000 d)
– Change Table
??? #
ea
return
=return !=BADADDR ==BADADDR
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: FirstSeg ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Segments” [■] Name seg000 seg001 seg002
–-------------------┐ Program Segmentation │ 5 [↑] Start End Align Base Type Cls 32es ss ds │ ▲ 00000000 00000100 at 0010 pri N FFFF FFFF FFFF 00000100 │ 00000200 ■ 00000000 00001000 at 0100 pri N FFFF FFFF FFFF 00001000 ◄ 00002000 00000000 00010000 at 1000 pri N FFFF FFFF FFFF 00010000 00020000
79
▼ ►─┘
◄■
void SetSelector(long sel,long value) . , ,
,
. 4096 0x0
(0x1000
), .
0xFFFF sel
16,
.
32-
, ,
:
SetSelector(0x1,0x666); Message(">%X\n",AskSelector(0x1)); a) 0x1 >666 b)
0x666
0x666
SetSelector(0x10001,0x777); c)
0x10001
0x777
Message(">%X\n",AskSelector(0x1)); d) 0x1 >777 e)
– , 0x10001 AND 0xFFFF == 0x1 value
0x1
!
16
0x10001
ɛɚɡɵ
32-
.
. Ɂɚɦɟɱɚɧɢɟ: DeleteAll ( , DelSelector. ??? #
.
DeleteAll), «
»
Change Table
sel val return
1632=return void
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: AskSelector, DelSelector ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Selector”, -
, 80
. void DelSelector(long sel) ,
,
.
, base = sel * 0x10, : startoffset = startea - sel * 0x10. SetSelector, sel 1632-
. .
,
, ,
: SetSelector(0x1,0x666); Message(">%X\n",AskSelector(0x1)); a) 0x1 >666 b)
0x666
0x666
DelSelector(0x10001,0x777); c)
0x10001
Message(">%X\n",AskSelector(0x1)); d) 0x1 >FFFFFFFF e) ,
–
??? #
0x1
!
16 0x10001 0x10001 AND 0xFFFF == 0x1
Change Table
sel
16=return void
return
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SetSelector ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Selectors”, long AskSelector(long sel) . ( ,
!
, BADADDR).
, , ,
sel
BADADDR – 1632-
,
– ,
? . , ,
. 81
: if ((selvalue=AskSelector(sel)) == (sel & 0xFFFF)) // else // ??? #
Change Table
sel
16=return sel & 0xFFFF !=(sel & 0xFFF)
return
32-
: SetSelector, FindSelector : “~View\Selectors” ┌─── │ ┌─── ▼[■] ▼ Selectors Sel Value 0001 00000666 0002 00000999
4 [↑]
▲ ■
▼ ─┘
1/2 long FindSelector(long val)
val, . , . ,
16
. ,
, ,
,
– –
BADADDR
,
? :
if ((sel=FindSelector(selvalue)) == (selvalue & 0xFFFF)) // else // Ɂɚɦɟɱɚɧɢɟ: , .
,
SetSelector
, – ,
. 82
FindSelector
,
,
, . 0x0
??? #
0xFFFF.
Change Table
val
32=return ==(val & 0xFFFF) !=(val & 0xFFF)
return
16-
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: SetSelector, AskSelector ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: “~View\Selectors” ┌─── │ ┌─── ▼[■] ▼ Selectors Sel Value 0001 00000666 0002 00000999
4 [↑]
▲ ■
▼ ─┘
1/2 ɗɅȿɆȿɆȿɇɕ #Defenition
32«
,
»).
ɮɥɚɝɨɜ (
.
. :
(
) (
.
,
«
»). : .
(
, (
, .
,
)
«
»)
: –
,
,
. . .
,
,
, ,
, .
,
– ,
-
.(
.
«
»)
, ( .
)
–
83
, – IDA - ɷɥɟɦɟɧɬɵ.
, «
»,
. , ,
,–
,
ɯɜɨɫɬɨɦ.
, ɝɨɥɨɜɨɣ,
. . ,
– .
FF_DATA (
.
10) FF_DATA
. FF_TAIL. . ,
. ɤɨɞɚ (CODE)
–
ɞɚɧɧɵɯ.(DATE). ( . (FF_TAIL)
FF_DATA (FF_DATA) – , ;
11) –
CODE,
– DATA; FF_TAIL
FF_TAIL
–
FF_TAIL , , FF_DATA (unexplored), . .
. …
A
9
… …
FF_DATA
FF_TAIL ==1
==0 DATA …
8
0x400
==1 CODE 0x200
FF_IVL ==0
7
…
1
0
MS_VAL
==1 0x100
0xFF
Ɍɚɛɥɢɰɚ 10 ɭɫɬɪɨɣɫɬɜɨ ɷɥɟɦɟɧɬɚ FF_DATA 0
1
FF_UNK
, FF_DATA
FF_FAIL
, FF_CODE
0
FF_TAIL
1
Ɍɚɛɥɢɰɚ 11 Ɉɩɪɟɞɟɥɟɧɢɟ ɬɢɩɚ ɷɥɟɦɟɧɬɚ
. ,
,
– –
.
84
-
,
, . З
:
,
IDA SDK
,
“inline
ushort gettof(flags_t F) { return
ushort((F & TL_TOFF) >> TL_TSFT); }”
ȼɧɢɦɚɧɢɟ:
, IDA,
! . –
,
,
.
ɇɚɜɢɝɚɬɨɪ ɩɨ ɮɭɧɤɰɢɹɦ IDA; «
»
, -
«
». ,
, ,
.
,
,
,
“test”, *\test *,*\j? *”
, .
,
“call ,
,
NextHead, :
#include static main() { auto a; a=0; while(a!=BADADDR) { if (isCode(GetFlags(a))) if( (GetMnem(a)=="call") && (GetMnem(NextHead(a,BADADDR))=="test") && (Byte(NextHead(NextHead(a,BADADDR),BADADDR)) > 0x6F) && (Byte(NextHead(NextHead(a,BADADDR),BADADDR)) < 0x80)) Message(">%s %4s %s\n>%s %4s %s,%s\n>%s %s %s\n>-------\n", atoa(a),GetMnem(a),GetOpnd(a,0), atoa(NextHead(a,BADADDR)), GetMnem(NextHead(a,BADADDR)), GetOpnd(NextHead(a,BADADDR),0), GetOpnd(NextHead(a,BADADDR),1), atoa(NextHead(NextHead(a,BADADDR),BADADDR)), GetMnem(NextHead(NextHead(a,BADADDR),BADADDR)), GetOpnd(NextHead(NextHead(a,BADADDR),BADADDR),0));
85
a=NextHead(a,BADADDR); } } ( first.exe –
.
«
IDA Pro»)
>004010C0 call ostream::opfx(void) >004010C5 test eax,eax >004010C7 jz loc_4010E0 >-------------------------->0040111F call ios::~ios(void) >00401124 test [esp+4+arg_0],1 >00401129 jz loc_401132 >-------------------------->004011BE call ios::~ios(void) >004011C3 test [esp+4+arg_0],1 >004011C8 jz loc_4011D1 >--------------------------... NextHead (
)
(
PrevHead )
, BADADDR
. , . ,
0x70-0x7F ,
, , “DW 6675h”; “MOV AX, 74h”;
, ,
, ,
. (
)
– ,
,
. . .
– 12
–
,
–
, –
.
, : #include static MyGetHead(ea) { auto off,F; F=GetFlags(ea); if (!F) return -1; if (!(F & FF_TAIL)) return ea;
// //
,
if (ea & 1) // ... return (ea - (F >> 20));
86
// ... return MyGetHead(ea-1); } IDA Pro, ,
IDA,
. ItemSize
,
ItemEnd, , ItemSize
ItemEnd(ea) – ItemSize(ea), ! MyGetItemHeadEA, PrevHead, –
, ,
,
isTail, .
static MyGetItemHeadEA(ea) { if (!GetFlags(ea)) return –1; // if (!isTail(GetFlags(ea)) return ea; return PrevHead(ea,0);
//
} NextNotTail (
PrevNotTail .
)
, –
,
,
IDA ,
. ɋɜɨɞɧɚɹ ɬɚɛɥɢɰɚ ɮɭɧɤɰɢɣ ɮɭɧɤɰɢɢ, ɜɨɡɜɪɚɳɚɸɳɢɟ ɨɫɧɨɜɧɵɟ ɯɚɪɚɤɬɟɪɢɫɬɢɤɢ ɷɥɟɦɟɧɬɨɜ long ItemSize (long ea) (
!)
long ItemEnd (long ea) ɮɭɧɤɰɢɢ ɬɪɚɫɫɢɪɨɜɤɢ ɷɥɟɦɟɧɬɨɜ long NextHead (long ea) long NextHead (long ea, long maxea) long PrevHead (long ea) long PrevHead (long ea, long minea) long NextNotTail (long ea)
long PrevNotTail (long ea)
87
long ItemSize(long ea) IDA
,
,
. ,
:
seg000:0000 aHelloIdaPro seg000:000E a1234 a)
db 'Hello,IDA Pro!' db '1234'
auto a,b; a=SegByName("seg000"); for(b=0;bea:1000 >ea:1001 >ea:1002 >ea:1003 >ea:1004 >ea:1005 >ea:1006 >ea:1007 >ea:1008 >ea:1009 >ea:100A >ea:100B >ea:100C >ea:100D >ea:100E >ea:100F >ea:1010 >ea:1011 c)
-H-> -e-> -l-> -l-> -o-> -,-> -I-> -D-> -A-> - -> -P-> -r-> -o-> -!-> -1-> -2-> -3-> -4-> :
14 13 12 11 10 9 8 7 6 5 4 3 2 1 4 3 2 1 ItemSize ,
,
.
–
,
. ,
ItemSize .
“kpnc.idc”, ( .
MyGetItemSize) static MyGetItemHeadEA(ea) { if (GetFlags(ea) & FF_DATA) // return ea; if (GetFlags(ea) & FF_TAIL) // return PrevHead(ea,0); // return -1; }
-
88
static MyGetItemSize(ea) { if (GetFlags(ea) & MS_CLS) // ? return ItemEnd(ea) - MyGetItemHeadEA(ea); return -1; } : seg000:0000 aHelloIdaPro seg000:000E a1234 a)
db 'Hello,IDA Pro!' db '1234'
auto a,b; a=SegByName("seg000"); for(b=0;bea:1000 >ea:1001 >ea:1002 >ea:1003 >ea:1004 >ea:1005 >ea:1006 >ea:1007 >ea:1008 >ea:1009 >ea:100A >ea:100B >ea:100C >ea:100D >ea:100E >ea:100F >ea:1010 >ea:1011 c)
-H-> -e-> -l-> -l-> -o-> -,-> -I-> -D-> -A-> - -> -P-> -r-> -o-> -!-> -1-> -2-> -3-> -4-> –
??? #
“kpnc.idc”
15 15 15 15 15 15 15 15 15 15 15 15 15 15 5 5 5 5 – Change Table
ea return
, =return !=0
( !)
==1 Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ:
89
ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long ItemEnd(long ea) ,
ea. ,
,
.
Ɂɚɦɟɱɚɧɢɟ:
( . . ),
,
. :
seg000:0000 aHelloIdaPro seg000:000E a1234 a)
db 'Hello,IDA Pro!' db '1234'
Message(“>%s\n”,atoa(ItemEnd(SegByName(“seg000”)))); b) ItemEnd, , “Hello, IDA Pro!”. >seg000:000E c) –
??? #
,
Change Table
ea return
, =return !=1 ==1
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long NextHead(long ea) (
IDA 3.85
)
, BADADDR,
.
– ea
-
–
. : seg000:0000 aHelloIdaPro seg000:000E a1234 a)
db 'Hello,IDA Pro!' db '1234'
90
Message(“>%s\n”,atoa(NextHead(SegByName(“seg000”)))); b) NextHead, , “Hello, IDA Pro!”. >seg000:000E c) –
. NextHead
,
IDA. Ɂɚɦɟɱɚɧɢɟ: , ??? #
. – Change Table
ea
,
-
=return !=BADADDR ==BADADDR
return
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PrevHead ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long NextHead(long ea, long maxea) ( 4.0
NextHead(long ea) ( – maxea,
.
IDA 4.0
)
)
, ,
. ,
, , ea < return value < maxea .
maxea, . . , –
NextHead(ea)
NextHead(ea, BADADDR).
Ɂɚɦɟɱɚɧɢɟ:
, (
??? #
.
SelStart
SelEnd)
– Change Table
ea
,
maxea
return
,
=return !=BADADDR ==BADADDR
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PrevHead 91
ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long PrevHead(long ea) (
IDA 3.85
)
( !). . -
, ea
–
. :
seg000:0000 aHelloIdaPro seg000:000E a1234 a)
db 'Hello,IDA Pro!' db '1234'
Message(“>%s\n”,atoa(PrevHead(SegByName(“seg000”)+0x2))); PrevHead, b) “Hello, IDA Pro!”. >seg000:000E c) – ) ??? #
( – Change table
ea
,
-
=return !=BADADDR
return
( !)
==BADADDR Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: NextHead ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long PrevHead(long ea, long minea) ( 4.0
PrevHead(long ea) ( – minea,
.
IDA 4.0
)
)
, ,
. ,
, , minea ≥ return value > ea .
minea, . . , –
PrevHead(ea)
PrevHead(ea, 0).
Ɂɚɦɟɱɚɧɢɟ:
, (
.
SelStart
SelEnd)
92
??? #
– Change Table
ea
,
minea
,
=return !=BADADDR
return
( !)
==BADADDR Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: NextHead ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long NextNotTail(long ea) .
ea -
–
.
: seg000:0000 aHelloIdaPro seg000:000E a1234 a)
db 'Hello,IDA Pro!' db '1234'
Message(“>%s\n”,atoa(NextNotTail(0))); b) NextNotTail,
.
>seg000:0000 c) – ??? #
– Change table
,
ea
-
=return !=BADADDR
return
==BADADDR Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PrevNotTail ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: long PrevNotTail(long ea) ( !). -
ea –
.
:
93
seg000:0000 aHelloIdaPro seg000:000E a1234 a)
db 'Hello,IDA Pro!' db '1234'
Message(“>%s\n”,atoa(NextNotTail(BADADDR))); b) PrevNotTail,
BADADDR
>seg000:000E c) – Ɂɚɦɟɱɚɧɢɟ:
NextNotTail,
PrevNotTail
. ??? #
– Change table
,
ea return
-
==return !=BADADDR ==BADADDR
Ɋɨɞɫɬɜɟɧɧɵɟ ɮɭɧɤɰɢɢ: PrevNotTail ɂɧɬɟɪɚɤɬɢɜɧɵɣ ɚɧɚɥɨɝ: Ɍɂɉɕ ɗɅȿɆȿɇɌɈȼ #Definition (
.
«
»), ,
. , float, ASCII-
. .
, Ɂɚɦɟɱɚɧɢɟ:
–
IDA Pro, .
. IDA Pro – ɛɚɣɬ, ɫɥɨɜɨ, ɞɜɨɣɧɨɟ ɫɥɨɜɨ, ɱɟɬɜɟɪɬɧɨɟ ɫɥɨɜɨ, ɜɨɫɶɦɟɪɧɨɟ ɫɥɨɜɨ, float, double, packed real, ASCII-ɫɬɪɨɤɚ, ɦɚɫɫɢɜ, , align – , ( ) ( . 12) ??? #
FF_BYTE FF_WORD FF_DWRD FF_QWRD FF_TBYT
– change table # 0x00000000 0x10000000 0x20000000 0x30000000 0x40000000 94
FF_ASCI FF_STRU FF_XTRN FF_FLOAT FF_DOUBLE FF_PACKREAL FF_ALIGN
0x50000000 0x60000000 0x70000000 0x80000000 0x90000000 0xA0000000 0xB0000000
ASCII-
float double
Ɍɚɛɥɢɰɚ 12 ɩɨɞɞɟɪɠɢɜɚɟɦɵɟ ɬɢɩɵ ɞɚɧɧɵɯ
IDA Pro
,
. ,
, , . ,
, .
: seg000:0000 Var seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 Var2 seg000:0006 seg000:0007 seg000:0008 seg000:0009 seg000:000A
db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 49h 44h 41h 20h
; ; ; ; ;
H e l l o
; ; I ; D ; A ;
“Var” , float, ASCIIdouble, packed real
,
,
, ,
– “seg000:0005”.
.
,
, ,
:
seg000:0000 Var seg000:0002 seg000:0003
)
dw 6548h db 6Ch db 6Ch
seg000:0000 Var seg000:0002
Var
b)
dw 6548h dw 6C6Ch
Var –
–
, ,
.
, seg000:0000 seg000:0000
db 6Ch, 6Fh, 2Ch, 20h, 49h, 44h, 41h, 20h, 50h, 72h, 6Fh db 21h, 0
( !
IDA Pro
, :
,
.
«
») , (
.
95
«
»)
, . ,
, , . ,
. IDA Pro
– .
ɨɞɢɧ
, –
,
, 12
(
,
)
. ,
–
(
)
(
),
. align – ( ,
,
)
.
,
align –
, .
, ,
,
: seg000:0000 db seg000:0001 db seg000:0002 db
48h ; H 65h ; e 6Ch ; l
seg000:0000 seg000:0001 seg000:0002
db 48h ; H align 2 db 6Ch ; l
, ,
–
. ,
,
. . , IDA , –
, ,
,
,
IDA
.
,
( IDA Pro
. . ,
( «
)
. – IDA Pro ) – .
».
ɇɚɜɢɝɚɬɨɪ ɩɨ ɮɭɧɤɭɰɢɹɦ MakeByte, MakeWord, MakeDword, MakeQword, MakeFloat, MakeDouble, MakePackedReal, MakeTbyte ) , ( , , , float, double, PackedReal . “Data” “~Edi” ( « “D”»>, , , . “Setup data types” “Options” , (« – “Alt-D”»). MakeStr ASCII. – ASCIIZ, ; PASCAL,
96
, ),
(
,
:
) b) c) d)
ASCII-
MakeArray , double, packed real, tbyte.
,
,
DELPHI. .
– ,
,
float,
.
. . , . , .
( ) “DUP”. Align
align .
, ,
MakeCode .
,
.
:
) ; b)
, ,
IDA
, (
, RET) IDA
. IDA . ,
MakeUnkn ,
. (
,
,
)
, .
ɋɜɨɞɧɚɹ ɬɚɛɥɢɰɚ ɮɭɧɤɰɢɣ ɮɭɧɤɰɢɢ ɫɨɡɞɚɧɢɹ ɧɨɜɵɯ ɷɥɟɦɟɧɬɨɜ, ɩɪɟɨɛɪɚɡɨɜɚɧɢɹ ɢ ɭɧɢɱɬɨɠɟɧɢɹ ɷɥɟɦɟɧɬɨɜ success MakeByte(long ea) success MakeWord(long ea) success MakeDword(long ea) success MakeQword(long ea) success MakeFloat(long ea)
( ( (
) ) )
(
)
(2
(4
) (8
) (
)
( success MakeDouble(long ea) success MakePackReal(long ea)
)
float ) Double 8 ) PackReal ( 10 4
(
)
( ( 12
) )
97
success MakeTbyte(long ea) ( ) Tbyte (10 success MakeStr (long ASCII ea,long endea) success MakeArray (long ea,long nitems) success MakeAlign(long ea,long count,long align) long MakeCode(long ea) ( ) void MakeUnkn (long ea,long expand); ɮɭɧɤɰɢɢ ɜɨɡɜɪɚɳɚɸɳɢɟ ɫɜɨɣɫɬɜɚ ɷɥɟɦɟɧɬɨɜ
)
char GetMnem (long ea) функции поиска элементов long FindCode(long ea, long flag) long FindData(long ea,long flag) long FindUnexplored(long ea,long flag) long FindExplored(long ea, long flag); success MakeByte(long ea) ea
байт.
, ,
(
)–
. ,
.
,
. : 1. эксперимент seg000:0000 a)
db ? ; unexplored
Message(“>%x\n”,MakeByte(SegByName(“seg000”))); b) MakeByte seg000:0000 >1 ) –
,
db ?
Замечание: “unexplored” (
ASCII .
), –
. 98
2. эксперимент seg000:0000 aHelloSailor a)
db 'Hello, Sailor'
Message(“>%x\n”,MakeByte(SegByName(“seg000”))); b) MakeByte « », seg000:0000 aHelloSailor seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007 seg000:0008 seg000:0009 seg000:000A seg000:000B seg000:000C seg000:000D >1 c) . 3. эксперимент seg000:0000 aHelloSailor a)
db db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 53h 61h 69h 6Ch 6Fh 72h 66h
; ; ; ; ; ; ; ; ; ; ; ; ;
4. эксперимент seg000:0000 a)
»
e l l o , S a i l o r f
;
db 'Hello, Sailor'
Message(“>%x\n”,MakeByte(1+SegByName(“seg000”))); b) MakeByte « », « ». seg000:0000 aHelloSailor >0 c) –
«
,
db 'Hello, Sailor' , PUSH AX
Message(“>%x\n”,MakeByte(1+SegByName(“seg000”))); b) MakeByte seg000:0000 >0 c) – ??? #
PUSH AX , – change table
ea 99
=return ==1 ==0
return
Родственные функции: MakeWord, MakeDouble, MakePackReal, MakeTbyte.
MakeDword,
MakeQword,
MakeFloat,
Интерактивный аналог: “~Edit\Data”; success MakeWord(long ea) ea
слово,
. . ,
,
,
Intel .
(
80x86 , .
)– ,
,
.
(
, ) . MakeUnkn (
.
MakeUnkn) ,
. , .
: 1. эксперимент seg000:0000 seg000:0001 a)
db ? ; unexplored db ? ; unexplored
Message(“>%x\n”,MakeWord(SegByName(“seg000”))); b) MakeWord , seg000:0000 >1 ) –
dw ?
2. эксперимент seg000:0000 seg000:0001 a)
db ? ; unexplored db ?
Message(“>%x\n”,MakeWord(SegByName(“seg000”))); MakeWord b) , seg000:0000 seg000:0001
db ? ; unexplored db ? 100
>0 c)
–
, . . –
seg000:0001
, . MakeUnkn
MakeUnkn(SegByName("seg000")+1,0); d) MakeUnkn “seg000:0001” seg000:0000 seg000:0001 e) –
,
db ? ; unexplored db ? ; unexplored .
Message(“>%x\n”,MakeWord(SegByName(“seg000”))); f) MakeWord, seg000:0000 >1 g) – ??? #
dw ?
– change table
ea return
=return ==1 ==0
Родственные функции: MakeByte, MakeDouble, MakePackReal, MakeTbyte.
MakeDword,
MakeQword,
MakeFloat,
Интерактивный аналог: “~Edit\Data”; success MakeDword(long ea) ea
двойное слово,
. .
Intel 80x86 ,
,
. ,
,
(
.
)– ,
, .
( .
) MakeUnkn (
.
MakeUnkn) ,
. , .
:
101
1. эксперимент seg000:0000 seg000:0001 seg000:0002 seg000:0003 a)
db db db db
? ? ? ?
; ; ; ;
unexplored unexplored unexplored unexplored
Message(“>%x\n”,MakeDword(SegByName(“seg000”))); b) MakeDword , seg000:0000 >1 ) –
dd ?
2. эксперимент seg000:0000 seg000:0001 seg000:0002 a)
db ? ; unexplored db ? ; unexplored dw ?
Message(“>%x\n”,MakeDword(SegByName(“seg000”))); b) MakeDword , seg000:0000 seg000:0001 seg000:0002 >0 c) –
db ? ; unexplored db ? ; unexplored dw ? , . . –
seg000:0002
, . MakeUnkn
MakeUnkn(SegByName("seg000")+2,0); d) MakeUnkn “seg000:0002” seg000:0000 seg000:0001 seg000:0002 seg000:0003 e) –
db db db db
? ? ? ?
, ; ; ; ;
unexplored unexplored unexplored unexplored .
Message(“>%x\n”,MakeDword(SegByName(“seg000”))); f) MakeDword, seg000:0000 >1 g) – ??? #
dd ?
– change table
102
ea =return ==1 ==0
return
Родственные функции: MakeByte, MakeWord, MakeQword, MakeFloat, MakeDouble, MakePackReal, MakeTbyte. Интерактивный аналог: “~Edit\Data”; success MakeQword(long ea) ea
четвертное слово,
. .
Intel 80x86 ,
,
. ,
,
(
) –
.
, ,
.
, ,
,
. MakeUnkn (
.
MakeUnkn).
,
. , .
: seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007
db db db db db db db db
? ? ? ? ? ? ? ?
; ; ; ; ; ; ; ;
unexplored unexplored unexplored unexplored unexplored unexplored unexplored unexplored
a) Message(“>%x\n”,MakeQword(SegByName(“seg000”))); b) MakeQword , seg000:0000 >1 ) – ??? #
dq ?
– change table
ea return
=return ==1 103
==0 Родственные функции: MakeByte, MakeWord, MakeDword, MakeFloat, MakeDouble, MakePackReal, MakeTbyte. Интерактивный аналог: (“~Options\Setup data types”; ), Замечание: , “Setup data types”
«
» ,
, “Quadro word”.
success MakeFloat(long ea) ea . Intel 80x86
float,
(8
float
. (
)
(23
.
???)
)
Рисунок 23 Представление типа float на микропроцессорах серии Intel 80x86 , float,
(
)–
.
, ,
.
, ,
,
. MakeUnkn (
.
MakeUnkn).
,
. , .
: seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 a)
db db db db db
48h 65h 6Ch 6Ch 6Fh
; ; ; ; ;
H e l l o
Message(“>%x\n”,MakeFloat(SegByName(“seg000”))); b) MakeFloat seg000:0000 >1 – ) ??? #
float,
dd 1.1431391e27 float – change table 104
ea =return ==1 ==0
return
Родственные функции: MakeByte, MakeDouble, MakePackReal, MakeTbyte.
MakeWord,
MakeDword,
MakeQword,
Интерактивный аналог: (“~Options\Setup data types”; ), Замечание: , “Setup data types”
«
» ,
, “Float ”.
success MakeDouble(long ea) ea .
double,
double
. ???)
(11
Intel 80x86
)
(
(52
.
)
Рисунок 24 Представление типа double на микропроцессорах серии Intel 80x86
double, –
, )
(
.
, , .
, ,
,
. MakeUnkn (
.
MakeUnkn).
,
. , .
: seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007 a)
db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 53h
; ; ; ; ; ; ; ;
H e l l o , S
105
Message(“>%x\n”,MakeDouble(SegByName(“seg000”))); b) MakeDouble double, seg000:0000 >1 ) –
dq 2.635692361932979e92 double
??? #
– change table
ea =return ==1 ==0
return
Родственные функции: MakeByte, MakeQword, MakePackReal, MakeTbyte.
MakeWord,
MakeDword,
MakeQword,
Интерактивный аналог: (“~Options\Setup data types”; ), Замечание: , “Setup data types”
«
» ,
, “Double ”.
success MakePackReal(long ea) ea .
packed real,
, packed real,
(
) – ,
. , .
, ,
,
MakeUnkn (
.
. MakeUnkn).
,
. , packed real
. : seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007 seg000:0008 seg000:0009 a)
db db db db db db db db db db
? ? ? ? ? ? ? ? ? ?
; ; ; ; ; ; ; ; ; ;
unexplored unexplored unexplored unexplored unexplored unexplored unexplored unexplored unexplored unexplored
106
Message(“>%x\n”,MakePackReal(SegByName(“seg000”))); b) MakePackReal packed real, seg000:0000 >1 ) –
db ?, ?, ?, ?, ?, ?, ?, ?, ?, ? packed real
??? #
– change table
ea =return ==1 ==0
return
Родственные функции: MakeByte, MakeWord, MakeDword, MakeFloat, MakeQword, MakeDouble, MakeTbyte. Интерактивный аналог: (“~Options\Setup data types”; ),
Замечание: , “Setup data types”
«
» ,
, “Packed real”.
success MakeTbyte(long ea) ea .
tbyte, .
,
,
tbyte,
Intel .
(
80x86 , .
)– ,
,
.
, ,
.
, MakeUnkn (
.
MakeUnkn). ,
. , tbyte
. : seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007
db db db db db db db db
? ? ? ? ? ? ? ?
; ; ; ; ; ; ; ;
unexplored unexplored unexplored unexplored unexplored unexplored unexplored unexplored 107
seg000:0008 seg000:0009
db ? ; unexplored db ? ; unexplored
a) Message(“>%x\n”,MakeTbyte(SegByName(“seg000”))); b) MakeTbyte seg000:0000 >1 ) –
tbyte,
db ?, ?, ?, ?, ?, ?, ?, ?, ?, ? tbyte
??? #
– change table
ea =return ==1 ==0
return
Родственные функции: MakeByte, MakeWord, MakeDword, MakeQword, MakeFloat, MakeDouble, MakePackReal. Интерактивный аналог: (“~Options\Setup data types”; ), Замечание: , “Setup data types”
«
» ,
, “Tbyte”.
success MakeStr(long ea,long endea) ASCII-
,
, “SetLongPrm(INF_STRTYPE)” ( ea , , . endea BADADDR, IDA ; PASCAL,
.
SetLongPrm). . ,
, .
.
, (
) “AsciiStringChars” , “AsciiStringChars”
– ASCIIZ, ), , ASCII.
cp866
, DELPHI. : . . :
,
"\r\n\a\v\b\t\x1B" " !\"#$%&'()*+,-./0123456789:;?" "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_" "`abcdefghijklmnopqrstuvwxyz{|}~" 108
" " "└┴┬├─┼ "
│┤ ";
" ┐" ┘┌█▄▌ ▀"
b) c) d) ,
,
. Замечание:
3.85 BADADDR . :
seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007 seg000:0008 seg000:0009 seg000:000A seg000:000B seg000:000C seg000:000D )
– ASCIIZ-
db db db db db db db db db db db db db db .
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 53h 61h 69h 6Ch 6Fh 72h 0
; ; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , S a i l o r
MakeStr(SegByName(“seg000”),BADADDR); b) MakeStr ASCIIseg000:0000 aHelloSailor ) – ??? #
db 'Hello, Sailor',0 ,
change table
ea endea
return
!=BADADDR ==BADADDR =return ==1 ==0 109
Родственные функции: Интерактивный аналог: “~Edit\ASCII”; Замечание: , ASCII-
, IDA . , ,
,
. success MakeArray(long ea,long nitems) – , packed real, tbyte.
,
,
,
float,
double, .
. . , . , .
( ) “DUP”. ea . nitems ,
, nitems
. .
: seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007 seg000:0008 seg000:0009 seg000:000A seg000:000B seg000:000C a)
db db db db db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 53h 61h 69h 6Ch 6Fh 72h
; ; ; ; ; ; ; ; ; ; ; ; ;
H e l l o , S a i l o r
MakeArray(SegByName(“seg000”),14); b) MakeArray seg000:0000 db 48h, 65h, 2 dup(6Ch), 6Fh, 2Ch, 20h, 53h, 61h, 69h seg000:0000 db 6Ch, 6Fh, 72h, 0 ) – . Внимание:
, 110
, ,
!
Замечание:
(
) .
??? #
– change table
ea nitems
, =return ==1 ==0
return
Родственные функции: Интерактивный аналог: “~Edit\Array”; success MakeAlign(long ea,long count,long align) align .
, Замечание:
Intel 80x86 ( Intel),
, (
)
. ,
ea .
, , count
. , ,
count 2^align > count > 0,
. . .
. align
, . . 2^4=16.
.
. . align
align
,
–
,
,
. Align
count
MakeAlign align.
: seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 a)
db db db db db
48h 65h 6Ch 6Ch 6Fh
; ; ; ; ;
H e l l o
MakeAlign(SegByName(“seg000”)+1,3,2); 111
b)
MakeAlign
seg000:0001 – seg0001, seg0002 seg0003.
align 4. seg000:0000 seg000:0001 seg000:0004 c) –
db 48h ; H align 4 db 6Fh ; o
??? #
– change table
ea
, align
count align
, =align ==[1..5] ==0 =return ==1 ==0
return
Родственные функции: Интерактивный аналог: “~Edit\Structs\Other\ Create alignment directive”; long MakeCode (long ea) , .
,
.
:
) ; b)
, ,
IDA
, (
, RET) IDA
. IDA .
«
»
«
»
.
Замечание: IDA
, , , . , ,
(
IDA ,
, 32-
0x10000
–
.
«
, ,
»). ,
.
112
, ;
,
. .,
,
ea. : seg000:0100 start seg000:0101 seg000:0102 seg000:0103 seg000:0104 seg000:0105 seg000:0106 seg000:0107 seg000:0108 seg000:0109 seg000:010A seg000:010B seg000:010C seg000:010D seg000:010E seg000:010F seg000:0110 seg000:0111 seg000:0112 seg000:0113 seg000:0114 seg000:0115 a)
db db db db db db db db db db db db db db db db db db db db db db
83h 0C6h 6 0FFh 0E6h 0B9h 0BEh 14h 1 0ADh 91h 56h 80h 34h 66h 46h 0E2h 0FAh 0FFh 0E6h 18h 0
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
V 4 f F ·
Message(">%X\n",MakeCode(SegByName("seg000")+0x100)); b) MakeCode seg000:0100 add si, 6 seg000:0103 jmp si seg000:0103 ; ─────────────────────────── seg000:0105 db 0B9h ; seg000:0106 db 0BEh ; seg000:0107 db 14h ; seg000:0108 db 1; seg000:0109 db 0ADh ; seg000:010A db 91h ; seg000:010B db 56h ; V seg000:010C db 80h ; seg000:010D db 34h ; 4 seg000:010E db 66h ; f seg000:010F db 46h ; F seg000:0110 db 0E2h ; seg000:0111 db 0FAh ; · seg000:0112 db 0FFh ; seg000:0113 db 0E6h ; seg000:0114 db 18h ; seg000:0115 db 0; >3 ) –
,
113
,
; ,
Message(">%X\n",MakeCode(SegByName("seg000")+0x106)); d) MakeCode, ( SI com 0x100, ADD SI, 6 – 0x106, 0x106) seg000:0100 seg000:0103 seg000:0103 seg000:0105 seg000:0106 seg000:0106 seg000:0109 seg000:010A seg000:010B seg000:010C seg000:010C seg000:010C seg000:010F seg000:0110 seg000:0112 seg000:0112 seg000:0114 seg000:0115 >3 e)
JMP SI
add si, 6 jmp si ; ─────────────────────────────────────────────────────────────── db 0B9h ; ; ─────────────────────────────────────────────────────────────── mov si, 114h lodsw xchg ax, cx push si loc_0_10C:
; CODE XREF: seg000:0110j xor byte ptr [si], 66h inc si loop loc_0_10C jmp si ; ─────────────────────────────────────────────────────────────── db 18h ; db 0; –
, , ,
??? #
. – change table
ea =return !=0 ==0
return
Родственные функции: Интерактивный аналог: “~Edit\Code”; char GetMnem(long ea)
ea. GetOpnd (
( .
«
, )
»)
: seg000:0000 a)
mov
ah, 9
– 114
Message(“>%s\n”,GetMnem(SegByName(“seg000”))); b) GetMnem >mov c)
–
??? #
– change table
ea =return !=”” ==””
return
Родственные функции: GetOpnd Интерактивный аналог:
void MakeUnkn(long ea,long expand) ,
, .
(
,
,
,
)
.
Замечание:
,
ASCII,
ea . expand ,
« »(
.
«
»)
: 1. Эксперимент seg000:0000 aHelloSailor a)
db 'Hello, Sailor',0
MakeUnkn(SegByName(“seg000”)+0x1,0); b) MakeUnkn seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0004 seg000:0005 seg000:0006 seg000:0007 seg000:0008
db db db db db db db db db
48h 65h 6Ch 6Ch 6Fh 2Ch 20h 53h 61h
«ASCII; ; ; ; ; ; ; ; ;
»
H e l l o , S a 115
seg000:0009 seg000:000A seg000:000B seg000:000C ) –
db db db db
69h 6Ch 6Fh 72h
; ; ; ;
i l o r
2. Эксперимент seg000:0100 seg000:0103 a)
add jmp
si, 6 si
MakeUnkn(SegByName(“seg000”),0); b) MakeUnkn seg000:0100 start db 83h ; seg000:0101 db 0C6h ; seg000:0102 db 6 ; seg000:0103 ; ───────────────────────── ) 3. ɗɤɫɩɟɪɢɦɟɧɬ seg000:0100 seg000:0103 a)
add jmp
si, 6 si
MakeUnkn(SegByName(“seg000”),1); b) MakeUnkn seg000:0100 start seg000:0101 seg000:0102 seg000:0103 seg000:0104 seg000:0105 ) – ??? #
db db db db db db
83h 0C6h 6 0FFh 0E6h 0B9h
; ; ; ; ; ;
– change table
ea
, ==0
expand !=0 return
.
=return ==1 ==0
Родственные функции: Интерактивный аналог: “~Edit\Undefine”; Замечание:
MakeUnkn(ScreenEA(),1) 116
. ,
,
,
.
long FindCode(long ea,long flag) ,
ea . ( ( .
),
).
не входит
–
flag ,
,
.
: seg000:0100 seg000:0103 a)
mov mov
ax, 9 dx, 133h
–
Message(“>%s\n”,atoa(FindCode(0,1))); b) FindCode –
,
>seg000:0100 – ??? #
– change table
ea
, -
flag
return
=flag ==1 ==0 =return !=BADADDR ==BADADDR
Родственные функции: FindData, FindExplored, FindUnexplored Интерактивный аналог:”~Navigate\Search for\Next Code”; long FindData(long ea,long flag) ,
ea . ( ( .
),
).
не входит
–
flag ,
,
.
: 117
seg000:0000 mov ah, 9 seg000:0002 mov dx, 108h seg000:0005 int 21h seg000:0005 seg000:0007 retn seg000:0007 ; ────────────────────────────── seg000:0008 aHelloIda db 'Hello, IDA' a) – Message(“>%s\n”,atoa(FindData(BADADDR,0))); b) FindData >seg000:0108 – ??? #
– change table
ea
, -
flag
return
=flag ==1 ==0 =return !=BADADDR ==BADADDR
Родственные функции: FindCode, FindExplored, FindUnexplored Интерактивный аналог:”~Navigate\Search for\Next Data”; long FindExplored(long ea,long flag) ea ,
. (
),
(
).
не входит
.
–
flag ,
,
.
: seg000:0100 seg000:0101 a)
DB 99h ; DW 666h –
Message(“>%s\n”,atoa(FindExplored(0,1))); FindExplored – b)
,
>seg000:0101 – 118
??? #
– change table
ea
, -
flag
return
=flag ==1 ==0 =return !=BADADDR ==BADADDR
Родственные функции: FindCode, FindData, FindUnexplored Интерактивный аналог:”~Navigate\Search for\Next explored”; long FindUnexplored(long ea,long flag) ,
ea . (
),
(
).
не входит
-
.
–
flag ,
,
.
: seg000:0100 seg000:0102 a)
DW 666h DB 99h ; –
Message(“>%s\n”,atoa(FindUnexplored(0,1))); b) FindUnexplored –
,
>seg000:0102 – ??? #
– change table
ea
, -
flag
return
=flag ==1 ==0 =return !=BADADDR ==BADADDR
Родственные функции: FindCode, FindData, FindExplored Интерактивный аналог:”~Navigate\Search for\Next Unexplored”; 119
ОПЕРАНДЫ #definition , . ,
,
.
, ASCII(
. ;
, .
14). , ,
.
, ,( . .
“void”)
. IDA Pro ).
(
FF_IMMD , ,
.
– ,
.
– void, – (
)
FF_IMMD ,
: FF_IMMD ,
,
.
void, –
, . IDA Pro
: )
(fixup info) IDA Pro
b)
32-
,
,
0x10000 c) d)
,
,
,
,
b push,
, ,
, ,
e) ,
MOV ,
MOV, f)
,
MOV
,
, .
MOV, -
IDA , -
,
Pro
, ,
, .
120
FF_0VOID FF_0NUMH FF_0NUMD FF_0CHAR FF_0SEG FF_0OFF FF_0NUMB FF_0NUMO FF_0ENUM FF_0FOP FF_0STRO FF_0STK
FF_1VOID FF_1NUMH FF_1NUMD FF_1CHAR FF_1SEG FF_1OFF FF_1NUMB FF_1NUMO FF_1ENUM FF_1FOP FF_1STRO FF_1STK
представление первого слева операнда # 0x00000000 void 0x00100000 0x00200000 0x00300000 0x00400000 0x00500000 0x00600000 0x00700000 0x00800000 0x00900000 0x00A00000 0x00B00000 представление второго слева операнда # 0x00000000 void 0x00100000 0x00200000 0x00300000 0x00400000 0x00500000 0x00600000 0x00700000 0x00800000 0x00900000 0x00A00000 0x00B00000
Таблица 13 возможные представления непосредственных операндов элементов типа данные и код
Сводная таблица функций функции, изменяющие отображение операндов success OpBinary(long ea,int n) success OpOctal(long ea,int n) success OpDecimal(long ea,int n) success OpHex(long ea,int n) success OpChr (long ea,int n) success OpNumber(long ea,int n) success OpOff (long ea,int n,long base)
(
) (
) (
) (
(
) (
(
)
) )
,
121
success OpOffEx(long ea,int n,long reftype,long target,long base,long tdelta) success OpSeg(long ea,int n)
(
) (
, , )
,
success OpAlt(long ea,long n,char str) success OpSign(long ea,int n)
(
)
, (
) (
) success OpStkvar(long ea,int n)
,
функции, возвращающие операнды char GetOpnd(long ea,long n) long GetOpType(long ea, long n) long GetOperandValue (long ea,long n) char AltOp (long ea,long n)
,
функции, обеспечивающие поиск операндов long FindVoid(long ea, long flag) long FindImmediate (long ea, long flag, long value);
,
char Demangle (char name, long disable_mask) success OpBinary(long ea,int n) (
)
,
‘b’. : seg000:0000 a)
mov
ax,41h
OpBinary(SegByName(“seg000”),1); b) OpBinary . seg000:0000 ) – ??? #
mov
ax, 1000001b
– change table
122
ea n
return
, =n ==0 ==1 ==-1 =return ==1 ==0
,
(
)
Родственные функции: OpOctal, OpDecimal, OpHex, OpChr, OpNumber Интерактивный аналог: “~Edit\Operand types\Binary”; success OpOctal(long ea,int n) (
)
,
‘o’. : seg000:0000 a)
mov
ax,41h
OpOctal(SegByName(“seg000”),1); b) OpOctal . seg000:0000 ) – ??? #
mov
ax, 101o
– change table
ea n
return
, =n ==0 ==1 ==-1 =return ==1 ==0
,
(
)
Родственные функции: OpBinary, OpDecimal, OpHex, OpChr, OpNumber Интерактивный аналог: «~Edit\Operand types\Octal» success OpDecimal(long ea,int n) (
)
.
: seg000:0000
mov
ax,41h 123
a) OpDecimal(SegByName(“seg000”),1); b) OpDecimal . seg000:0000 ) – ??? #
mov
ax, 65
– change table
ea n
return
, =n ==0 ==1 ==-1 =return ==1 ==0
,
(
)
Родственные функции: OpBinary, OpOctal, OpHex, OpChr, OpNumber Интерактивный аналог: «Edit\Operand types\Decimal»; success OpHex(long ea,int n) (
)
,
‘h’. : seg000:0000 a)
mov
ax,65
mov
ax, 41h
OpHex(SegByName(“seg000”),1); b) OpHex . seg000:0000 ) – ??? #
– change table
ea n
return
, =n ==0 ==1 ==-1 =return ==1 ==0
,
(
)
124
Родственные функции: OpBinary, OpOctal, OpDecimal, OpChr, OpNumber Интерактивный аналог: «~Edit\Operand types\Hexadecimal»; success OpChr(long ea,int n) (
)
,
.
, “AsciiStringChars” “AsciiStringChars”
. . :
cp866
"\r\n\a\v\b\t\x1B" " !\"#$%&'()*+,-./0123456789:;?" "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_" "`abcdefghijklmnopqrstuvwxyz{|}~" " " " │┤ ┐" "└┴┬├─┼ ┘┌█▄▌ ▀" " "; Ɂɚɦɟɱɚɧɢɟ: . ,
Intel 80x86 ,
,
. : 1. Эксперимент seg000:0000 a)
mov
ax,65
mov
ax, ‘A’
dq
4944412050726F21h
dq
'IDA Pro!'
OpChr(SegByName(“seg000”),1); b) OpChr . seg000:0000 ) – 2. Эксперимент seg000:0000 a) OpChr(SegByName(“seg000”),0); b) OpChr seg000:0000 ) – ??? #
– change table
ea n
, =n 125
return
==0 ==1 ==-1 =return ==1 ==0
,
(
)
Родственные функции: OpBinary, OpOctal, OpDecimal, OpHex, OpNumber Интерактивный аналог: «Edit\Operand types\Character»; success OpNumber(long ea,int n) (
)
. . : seg000:0000 a)
mov
ax,65
OpNumber(SegByName(“seg000”),1); b) OpNumber . seg000:0000 ) –
mov
??? #
ax, 41h
– change table
ea n
return
, =n ==0 ==1 ==-1 =return ==1 ==0
,
(
)
Родственные функции: OpBinary, OpOctal, OpDecimal, OpHex, OpChr. Интерактивный аналог: «Edit\Operand types\ Number»; success OpOff(long ea,int n,long base) (
)
,
( )
«
»).
( ,
. ,
, . ea
, 126
. ,
base !)
( .
,
n
(
.
). ,
. .
, . : seg000:0100 seg000:0100 seg000:0102 seg000:0105 seg000:0107 seg000:0107 seg000:0107 seg000:0107 seg000:0108 seg000:0108 a)
start
proc near mov ah, 9 mov dx, 108h int 21h retn endp
start
; ────────────────────────────────────────── db 'Hello,World!',0Dh,0Ah,'$ seg000 ends
OpOff(SegByName("seg000")+0x102,1,SegByName("seg000")); b) OpOff , seg000:0100 seg000:0100 seg000:0102 seg000:0105 seg000:0107 seg000:0107 seg000:0107 seg000:0107 seg000:0108 seg000:0108 )
start
DX
proc near mov ah, 9 mov dx, offset asc_0_108 ; "Hello,World!\r\n$" int 21h retn endp
start
; ────────────────────────────────────────────────────────── asc_0_108 db 'Hello,World!',0Dh,0Ah,'$' ; DATA XREF: start+2o seg000 ends – , DX , “offset”, ( ). (~Edit\Operad types\Offset by any segment)
??? #
– change table ea
n
, =n ==0 ==1
,
(
)
==-1 ,
base return
(
!)
=return ==1 127
==0 Родственные функции: OpOffEx Интерактивный аналог: “~Edit\Operand types\Offset by any segment”; success OpOffEx(long ea,int n,long reftype,long target,long base,long tdelta) (
)
,
,
. , . OpOff , ,
(
) ???).
( «
. »
AND. ,
ea . ,
n
(
.
?? ?) ,
reftype ???
,
target . BADADDR, : target = operand_value - tdelta +base , . ,
base tdelta . . OpOff (
, , OpOff).
.
.
operand_value = target + tdelta - base,
REF_OFF8 REF_OFF16 REF_OFF32 REF_LOW8
,
# 0 1 2 3
816328 16 t
REF_LOW16
4
16 32 t
REF_HIGH8
5
8 16 t
REF_HIGH16
6
16 32 t
128
Таблица 14 : seg000:0100 seg000:0100 seg000:0103 seg000:0103 seg000:0104 seg000:0105 seg000:0107 seg000:0107 seg000:0107 a)
start: mov ax, 105h retn ; ──────────────────────────────────── MyStruc db 0 dw 6666h dw 9999h seg000 ends –
,
AX
,
MyStruc. OpOffEx(SegByName("seg000")+0x100,1,REF_OFF16, SegByName("seg000")+0x104,SegByName("seg000"),1); b) OpOffEx , MyStruc. Пояснение: SegByName(“seg000”)+0x104, , SegByName(“seg000”)+0x104; , SegByName(“seg000”), base SegByName(“seg000”); operand_value – 0x104 = 1,
offset MyStruc, ,
, seg000:0100 seg000:0100 seg000:0103 seg000:0103 seg000:0104 seg000:0105 seg000:0107 seg000:0107 )
. . tdelta 16- REF_OFF16.
MyStruc tagreg , ,
– 0x105 – 1; ,
start: mov ax, offset MyStruc+1 retn ; ────────────────────────────────────────── MyStruc db 0 ; DATA XREF: seg000:0100o dw 6666h dw 9999h seg000 ends – , MyStruc
Замечание: ,
,
. ??? #
– change table
ea n
, =n ==0 ==1
,
(
) 129
==-1 ==reftype ==REF_OFF8 ==REF_OFF16 ==REF_OFF32 ==REF_LOW8 reftype
# 0 1 2 3
816328
16 t
==REF_LOW16
4
16 32
==REF_HIGH8
t
5
8
16 t
==REF_HIGH16
6
16 32
target
t
==target !=BADADDR ==BADADDR target = operand_value - tdelta +base , ( , ,
base tdelta return
; =return ==1 ==0
!)
Родственные функции: OpOff Интерактивный аналог: “~Edit\Operand types\User-defined offset”; success OpSeg(long ea,int n) ( . ,
)
,
. Замечание:
IDA . :
seg000:0000 a)
mov
ax, 1000h
–
,
ax OpSeg(SegByName(“seg000”),1); b) OpSeg seg000:0000 c) – ??? #
mov
ax, seg seg000
– change table
130
ea n
return
, =n ==0 ==1 ==-1 =return ==1 ==0
,
(
)
Родственные функции: Интерактивный аналог:”~ Edit\Operand types\ Segment” success OpAlt(long ea,long n,char str) , –
. ,
,
. : seg000:0000 a)
«
mov
OpAlt(SegByName(“seg000”),0,” b) OpAlt AX». seg000:0000 c) –
ax, 9
AX”);
е
mov
??? #
AX, 9
– change table
ea
n
return
, =n ==0 ==1
,
(
)
==-1 =return ==1 ==0
Родственные функции: AltOp Интерактивный аналог: “~Edit\Operand types\ Enter operand manually”; success OpSign(long ea,int n) , –
, ,
,
. 131
: seg000:0000 a)
mov
ax, 0FFFFh
–
,
AX OpSign(SegByName(“seg000”),1); b) OpSign AX
,
seg000:0000 ) -
mov ,
ax,-1 AX
. ??? #
– change table
ea
n
return
, =n ==0 ==1
,
(
)
==-1 =return ==1 ==0
Родственные функции: Интерактивный аналог: “~Edit\Operand types\ Change Sign”; success OpStkvar(long ea,int n) , BP (EBP) (
.
MakeLocal). BP (EBP)
SP (ESP)
. MakeLocal
SP (ESP) IDA
IDA
,
,
, SP (ESP)
. SetSpDiff,
SP (ESP) . Замечание:
IDA ,
PUSH, POP, ADD, SUB SP (ESP).
. .,
. : seg000:0000 start seg000:0000 seg000:0002
proc near mov bp, sp sub sp, 10h 132
seg000:0005 seg000:000A seg000:000D seg000:000D start ) bp
mov add retn endp
word ptr [bp-2], 666h sp, 10h
–
, .
MakeLocal(SegByName(“seg000”),SegByName(“seg000”)+0xD,"[BP-2]","MyVar"); b) MakeLocal ( . MakeLocal) MyVar, « » OpStkvar(SegByName(“seg000”),0); c) OpStkvar seg000:0100 start seg000:0100 seg000:0100 MyVar seg000:0100 seg000:0100 seg000:0102 seg000:0105 seg000:010A seg000:010D seg000:010D start d) – MyVar (
proc near = word ptr -2 mov sub mov add retn endp
bp, sp sp, 10h [bp+MyVar], 666h sp, 10h
)
Замечание: « ??? #
»
– change table
ea n
return
, =n ==0 ==1 ==-1 =return ==1 ==0
Родственные функции: Интерактивный аналог: ”Edit\Operand types\ Stack variable”; char GetOpnd(long ea,long n) ,
. .
,
. : seg000:0000 a)
mov –
ax, 9 , 133
. Message(“>%s,%s\n”,GetOpnd(SegByName(“seg000”),0), GetOpnd(SegByName(“seg000”),1)); b) GetOpnd
,
>ax, 0 c) ??? #
– change table
ea
, =n ==0 ==1 =return ==1 ==0
n
return
Родственные функции: GetOpType, GetOperandValue Интерактивный аналог: char AltOp (long ea,long n) ,
(
.
OpAlt). seg000:0000 a)
mov
AX, 9
Message(“>%s\n”,AltOp(SegByName(“seg000”),1)); b) AltOp , > c)
AX –
??? #
, – change table
ea n
return
, =n ==0 ==1 =return ==1 ==0
Родственные функции: OpAlt Интерактивный аналог:
134
long GetOpType (long ea,long n) ( (
!).
.
???),
,
,
. , . , , “mov dx,offset MyLabel” ,
,
,
.
Общие для всех процессоров # 1 2 3 +[ ] 4 +[ ]+ 5 6 far 7 near Intel 80x86 # 8 386+ 9 386+ 10 386+ 11 FPP ( ) 12 MMX 8051 # 8 9 10 80196 # 8 [ ] 9 10 [ ] ARM # 8 9 MLA10 ( LDM/STM) 11 CDP 12 LDC/STC Power PC # 8 9 10 SH & MB & ME 11
CR
TMS320C5 # 8
(A1:A0..B15:B14) 135
Z8 # 8 9 Z80 # 8
@ @Rx
Таблица 15 : seg000:0000 a)
mov
ax, 9
–
Message(“>%x, %x\n”,GetOpType(SegByName(“seg000”),0), GetOpType(SegByName(“seg000”),1)); b) GetOpType >1,5 )
–
???
– .
??? #
– change table
ea
, =n ==0 ==1
n
return
,
=return >1 ==0 ==BADADDR
(
(
.
)
???)
Родственные функции: GetOpnd, GetOperandValue Интерактивный аналог: long GetOperandValue(long ea,long n) ( seg000:0000 a) b)
!), . . :
#5 (
, GetOpType).
. mov
ax, 9
–
Message(“>%x\n”,GetOperandValue(SegByName(“seg000”),1)); GetOperandValue
136
>9 )
–
??? #
– change table
ea n
return
, =n ==0 ==1 =return ==1 ==0
Родственные функции: GetOpnd, GetOpType Интерактивный аналог: long FindVoid (long ea,long flag) ea “void”,
, . (
),
(
-
).
не входит
. –
flag ,
,
.
: seg000:0100 seg000:0103 a) “void”
mov mov
ax, 9 dx, 133h
–
,
Message(“>%s\n”,atoa(FindVoid(0,1))); b) FindVoid – >seg000:0103 – ??? #
,
,
void,
– change table
ea
, -
flag return
=flag ==1 ==0 =return !=BADADDR
,
137
==BADADDR Родственные функции: FindImmediate Интерактивный аналог:”~Navigate\Search for\Next void”; long FindImmediate(long ea,long flag,long value) ea value. ,
. (
),
(
flag
).
не входит
.
– ,
,
.
: seg000:0100 seg000:0103 a)
mov mov
ax, 9 dx, 133h ,
– ,
9
Message(“>%s\n”,atoa(FindImmediate(0,1,9))); b) FindImmediate –
, .
>seg000:0100 –
,
,
9 ??? #
– change table
ea
, -
flag
=flag ==1 ==0
value return
=return !=BADADDR
,
==BADADDR Родственные функции: FindVoid Интерактивный аналог:”~Navigate\Search for\Immediate”; , ”~Navigate\Search for\Next Immediate”;
138
ОБЪЕКТЫ #Definition ( ) объекта – , . IDA – , определенные пользователем , автоматически сгенерированные IDA, – постоянный , « » ( ), повторяемый , , предваряющих замыкающих . « ». . , (
)
(
, .
16)
,
, ,
, .
,
– ,
-
– .
FF_COMM FF_REF FF_LINE FF_NAME FF_LABL FF_FLOW FF_VAR
# 0x00000800 0x00001000 0x00002000 0x00004000 0x00008000 0x00010000 0x00080000
, ,
IDA
Таблица 16 Флаги, указывающие на наличие связанных объектов
Сводная таблица функций функции, создающие и уничтожающие объекты success MakeName ea, char name) success JmpTable jmpea, long tableea, nitems, long is32bit) success MakeComm ea, char comment) success MakeRptCmt ea, char comment)
(long (long long (long (long
139
void ExtLinA (long ea,long n, char line) void ExtLinB (long ea,long n, char line); void DelExtLnA (long ea, long n) void DelExtLnB (long ea, long n) void MakeVar(long ea) , « функции, возвращающие элементы char Name (long ea)
»
,
char GetTrueName (long ea) char Comment (long ea) char RptCmt (long ea) char LineA (long ea,long num); char LineB (long ea,long num); функции поиска объектов long LocByName name)
, ,
(char
success MakeName(long ea,char name) ,
ea,
name. , .
; , .
“NameChars”
PC
Java
TMS320C6
PowerPC
, "$?@" 9 “_0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz"; "$_@?!" 10 "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" " " "; "$_0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "_0123456789." "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz”
" 11
9 10 11
, (
только
Java) 140
Таблица 17 перечень символов, допустимых в именах меток , . ,
,
.
, IDA Pro
,
(dummy)
. Замечание: “MakeName” ,
, (
.
«
»)
: seg000:0000 a) seg000:000
mov
ah, 9
–
“NoName”
MakeName(SegByName(“seg000”),”NoName”); b) MakeName seg000:0000 NoName c) – ??? #
mov
ah, 9
– change table
ea name =return ==1 ==0
return
Родственные функции: GetTrueName Интерактивный аналог: “~Edit\Name” success MakeComm(long ea,char comment) ,
comment, ea. ,
;
. «
»
. IDA (
.
«
»). ,
, IDA,
, . .
,
,
IDA. '\n', . 141
: seg000:0000 a)
mov
MakeComm(0x1275C," b) MakeComm seg000:0000
0x9 –
mov
c)
ah, 9
– ");
ah, 9
;
0x9 –
–
??? #
– change table
ea comment =return ==1 =0
return
Родственные функции: MakeRptCmt, ExtLinA, ExtLinB Интерактивный аналог: “~Edit\Comments\Enter comment”; success MakeRptCmt(long ea,char comment) comment, ,
ea. ,
;
. «
»
. IDA (
.
«
»). ,
,
,
IDA,
. . '\n', . , , ,
.
Замечание:
, ,
-
,
, (
),
. : seg000:0100
mov
ah, 9
142
seg000:0102 mov dx, offset aHello seg000:0105 int 21h ; seg000:0107 retn seg000:0107 ; ────────────────────────────────────────────────────────────────────────── seg000:0108 aHello db 'Hello,',0 ; DATA XREF: seg000:0102↑o seg000:0108 ;
a)
–
aHello, ,
.
MakeRptCmt(SegByName(“seg000”)+0x108,”
b)
”);
MakeRptCmt
seg000:0100 mov ah, 9 seg000:0102 mov dx, offset aHello ; Э яе ы е а seg000:0105 int 21h ; DOS - PRINT STRING seg000:0105 ; DS:DX -> string terminated by "$" seg000:0107 retn seg000:0107 ; ────────────────────────────────────────────────────────────────────────── seg000:0108 aHello db 'Hello,',0 ; DATA XREF: seg000:0102↑o seg000:0108 ;
)
–
– aHello (
,
,
) ??? #
– change table
ea comment =return ==1 ==0
return
Родственные функции: MakeComm, ExtLinA, ExtLinB Интерактивный аналог: “Edit\Comments\Enter repeatable comment”; %s\n”, Name(SegByName(“seg000”))); b) Name > aHelloIdaPro c) – ??? #
– change table
ea return
=return !=””
,
,
12 13 14
, (
только
Java) 148
==”” Родственные функции: MakeName, GetTrueName Интерактивный аналог:
(
)
char GetTrueName(long ea) (
),
ea, (
.
Name) :
seg000:0000 _HelloIdaPro a) –
db 'Hello, IDA Pro! ',0Dh,0Ah
Message(“>%s\n”, GetTrueName(SegByName(“seg000”))); b) GetTrueName >%HelloIdaPro c) –
(
) ??? #
– change table
ea =return !=”” ==””
return
(
)
Родственные функции: MakeName, Name Интерактивный аналог: char Comment(long ea) , ,
ea. ,
. :
seg000:0000
mov
a)
ah, 9
;
0x9 –
–
Message(“>%s\n”,Comment(SegByName(“seg000”))); b) Comment > c) ??? #
0x9 – – change table
149
ea =return !=”” ==””
return
Родственные функции: MakeComm Интерактивный аналог:
char RptCmt(long ea) , ,
ea. ,
. :
seg000:0100 mov ah, 9 seg000:0102 mov dx, offset aHello ; seg000:0105 int 21h ; DOS - PRINT STRING seg000:0105 ; DS:DX -> string terminated by "$" seg000:0107 retn seg000:0107 ; ────────────────────────────────────────────────────────────────────────── seg000:0108 aHello db 'Hello,',0 ; DATA XREF: seg000:0102↑o seg000:0108 ;Э яе ы е а
a)
–
Message(“>%s\n”,RptCmt(SegByName(“seg000”)+0x108))); b) RptCmt > c)
–
Внимание:
RptCmt , . . . RptCmt(SegByName(“seg000”)+0x102)) ??? #
, , .
– change table
ea return
=return !=”” ==””
Родственные функции: MakeRptCmt Интерактивный аналог: , char LineA(long ea,long num) ,
num ,
ea. 150
: seg000:0100 seg000:0102 seg000:0105 ; seg000:0105 ; seg000:0105 a)
mov mov
ah, 9 dx, offset aHello
int
21h
1 2 ;
–
Message(“>%s\n”,LineA(SegByName(“seg000”)+0x105,0))); b) LineA . >; )
1
??? #
– change table
ea n
0
500
.
=return !=”” ==””
return
Родственные функции: LineB Интерактивный аналог:
char LineB(long ea,long num) ,
num ,
ea. :
seg000:0100 seg000:0102 seg000:0102 ; seg000:0102 ; seg000:0105 a)
mov mov
ah, 9 dx, offset aHello
int
21h
1 2 ;
–
Message(“>%s\n”,LineB(SegByName(“seg000”)+0x102,0))); b) LineB . >; ) ??? #
1
– change table 151
ea n
0
500
.
=return !=”” ==””
return
Родственные функции: LineA Интерактивный аналог:
long LocByName(char name) ( ( BADADDR,
) ,
)
name.
. , .
Внимание:
,
,
, (
.
GetTrueName) :
seg000:0000 aHelloIdaPro a) –
db 'Hello, IDA Pro! ',0Dh,0Ah “aHelloIdaPro”
Message(“>%s\n”,atoa(LocByName(“aHelloIdaPro”))); b) LocByName >seg000:0000 c) – ??? #
“aHelloIdaPro” – change table
name return
( =return !=BADADDR ==BADADDR
) (
)
Родственные функции: Интерактивный аналог: “~View\Names” ??? all – ФУНКЦИИ
152
#Definition , . BASIC, ,
, .
, .
, Pascal. ,
.
,
,
.
,
-
щ
,
-
,
– . , щ
, :
, .
Resultant := MyProc (arg1, ard2); Pascal
,
. ,
Turbo-Pascal, AX, . ,
,
AX. .
,
,
. .
-
,
void,
. , . ,
IDA. ?
-
, «
». , ,
«
»
.
, ,
. MASM
TASM
,
,
,
,
,
(
). ,
-
,
. ,
,
,
.
, «
, –
».
,
,
,
,
, IDA
. ,
,
, ,
.
153
, ,
. , . .
! ,
(
)
,
,
. . Turbo-Pascal,
, , PROC ( :
,
,
IDA , procedure)
Procedure MyProc; begin WriteLn('Hello'); end; BEGIN MyProc; End. IDA
:
seg000:0006 ; Attributes: bp-based frame seg000:0006 seg000:0006 sub_0_6 proc near ; CODE XREF: PROGRAM+14p seg000:0006 push bp seg000:0007 mov bp, sp seg000:0009 xor ax, ax seg000:000B call @__StackCheck$q4Word ; Stack overflow check (AX) seg000:0010 mov di, offset unk_E1_166 seg000:0013 push ds seg000:0014 push di seg000:0015 mov di, offset asc_0_0 ; "\x05Hello" seg000:0018 push cs seg000:0019 push di seg000:001A xor ax, ax seg000:001C push ax seg000:001D call @Write$qm4Textm6String4Word ; Write(var f; s: String; width: seg000:0022 call @WriteLn$qm4Text ; WriteLn(var f: Text) seg000:0027 call @__IOCheck$qv ; Exit if error seg000:002C pop bp seg000:002D retn seg000:002D sub_0_6 endp seg000:002D seg000:002E assume ss:seg004
154
seg000:002E PROGRAM seg000:002E __SystemInit(void) seg000:0033 seg000:0038 seg000:0039 seg000:003B seg000:003D overflow check (AX) seg000:0042 seg000:0045 seg000:0046 seg000:0048 seg000:0048 PROGRAM
proc near call @__SystemInit$qv ; call push mov xor call
sub_5_D bp bp, sp ax, ax @__StackCheck$q4Word ; Stack
call pop xor call endp
sub_0_6 bp ax, ax @Halt$q4Word
; Halt(Word)
. ,
-
. ,
,
,
: seg000:0006 sub_0_6 seg000:0006 seg000:0007
proc near push bp mov bp, sp
seg000:0027 seg000:002C seg000:002D
call pop retn
@__IOCheck$qv bp
. ,
,
IDA ,
. ,
. ?
,
,
,
IDA . . seg000:0006 sub_0_6
proc near
seg000:002D sub_0_6
endp ,
, ,
MASM)
( ,
, .
Сводная таблица функций
155
success MakeFunction(long start,long end); success DelFunction(long ea); success SetFunctionEnd(long ea,long end); long NextFunction(long ea);
long PrevFunction(long ea)
long GetFunctionFlags(long ea); success SetFunctionFlags(long ea,long flags); char GetFunctionName(long ea); void SetFunctionCmt(long ea, char cmt, long repeatable);
(
)
char GetFunctionCmt(long ea, long repeatable); long ChooseFunction(char title);
char GetFuncOffset(long ea); long GetFrame(long ea);
ID
long GetFrameLvarSize(long ea); long GetFrameLvarSize(long ea);
long GetFrameArgsSize(long ea)
long GetFrameSize(long ea);
long MakeFrame(long ea,long lvsize,long frregs,long argsize) long GetSpd(long ea);
SP
long GetSpDiff(long ea); SP 156
success SetSpDiff(long ea,long delta);
SP,
long FindFuncEnd(long ea)
success MakeFunction(long start,long end); MakeFunction
. IDA
–
. . , .
API
. . ,
. , .
. IDA : seg000:002A seg000:002D seg000:0030 seg000:0033 seg000:0036
mov call mov call retn
si, 211h sub_0_DD si, 2BAh sub_0_DD
MakeFunction(0x1002A,0x10037); seg000:002A seg000:002A seg000:002A seg000:002A seg000:002A seg000:002D seg000:0030 seg000:0033 seg000:0036 seg000:0036 seg000:0036 seg000:0037 seg000:0037
; _______________ S U B R O U T I N E sub_0_2A
sub_0_2A
proc near mov si, 211h call sub_0_DD mov si, 2BAh call sub_0_DD retn endp
; _______________ S U B R O U T I N E , subroutine )
‘sub’ ( –
IDA
. ;
. BADADDR,
IDA
. ( jmp)
ret . 157
, .
,
.
IDA
,
«
». ,
. ,
. MakeFunction undefined.
, seg000:002A seg000:002B seg000:002C seg000:002D seg000:002E seg000:002F seg000:0030 seg000:0031 seg000:0032 seg000:0033 seg000:0034 seg000:0035 seg000:0036
db db db db db db db db db db db db db
, :
0BEh 11h 2 0E8h 0ADh 0 0BEh 0BAh 2 0E8h 0A7h 0 0C3h
Message(“0x%X \n”,MakeFunction(0x1002A,0x10037)); 0 ,
BADADDR, !
seg000:002A seg000:002B seg000:002C seg000:002D seg000:002E seg000:002F seg000:0030 seg000:0031 seg000:0032 seg000:0033 seg000:0034 seg000:0035 seg000:0036
db db db db db db db db db db db db db
0BEh 11h 2 0E8h 0ADh 0 0BEh 0BAh 2 0E8h 0A7h 0 0C3h
Message(“0x%X \n”,MakeFunction(0x1002A,-1)); 1
seg000:002A ; _______________ S U B R O U T I N E _______________________________________ seg000:002A seg000:002A seg000:002A sub_0_2A proc near seg000:002A mov si, 211h 158
seg000:002D call sub_0_DD seg000:0030 mov si, 2BAh seg000:0033 call sub_0_DD seg000:0036 retn seg000:0036 sub_0_2A endp seg000:0036 seg000:0037 seg000:0037 ; _______________ S U B R O U T I N E _______________________________________
.
Start ==end
. !=-1
. IDA
End
. ==-1
IDA undefined
0
Return
.
1
success DelFunction(long ea); DelFunction
,
,
.
, .
(
,
,
)
, .
: .text:00400FFF ; _____________ S U B R O U T I N E ____________________________________ .text:00400FFF .text:00400FFF ; Attributes: library function .text:00400FFF proc near ; CODE .text:00400FFF __amsg_exit XREF: __setenvp+4Ep .text:00400FFF ; __setenvp+7Dp ... .text:00400FFF = dword ptr 4 .text:00400FFF arg_0 .text:00400FFF .text:00400FFF cmp dword_0_408758, 2 .text:00401006 jz short loc_10_40100D .text:00401008 call __FF_MSGBANNER .text:0040100D .text:0040100D loc_10_40100D: ; CODE XREF: __amsg_exit+7j .text:0040100D push [esp+arg_0] 159
.text:00401011 .text:00401016 .text:0040101B .text:00401021 .text:00401022 .text:00401023 .text:00401023 __amsg_exit
call push call pop pop retn endp
__NMSG_WRITE 0FFh off_0_408050 ecx ecx
DelFunction(0x400FFF); .text:00400FFF __amsg_exit: XREF: __setenvp+4Ep .text:00400FFF __setenvp+7Dp ... .text:00400FFF .text:00401006 .text:00401008 .text:0040100D .text:0040100D loc_10_40100D: XREF: .text:00401006j .text:0040100D .text:00401011 .text:00401016 .text:0040101B .text:00401021 .text:00401022 .text:00401023
ea
; CODE ; cmp jz call
dword_0_408758, 2 short loc_10_40100D __FF_MSGBANNER ; CODE
push call push call pop pop retn
dword ptr [esp+4] __NMSG_WRITE 0FFh off_0_408050 ecx ecx
, 0
Return
.
1
success SetFunctionEnd(long ea,long end); . ,
.
: seg000:22C0 start seg000:22C0 seg000:22C3 seg000:22C6 seg000:22C9 seg000:22CC seg000:22CF seg000:22D2 seg000:22D4 seg000:22D5
proc near call sub_0_22DD call sub_0_2325 call sub_0_235B call sub_0_2374 call sub_0_23B6 call sub_0_23F8 jnz loc_0_22DA nop nop 160
seg000:22D6 seg000:22D7 seg000:22DA seg000:22DA loc_0_22DA: seg000:22DA seg000:22DA start
nop call
sub_0_2412
call endp
sub_0_2305
SetFunctionEnd(0x122C3,0x122 F); seg000:22C0 start seg000:22C0 seg000:22C3 seg000:22C6 seg000:22C9 seg000:22CC seg000:22CF seg000:22CF start seg000:22D2 seg000:22D4 seg000:22D5 seg000:22D6 seg000:22D7 seg000:22DA seg000:22DA loc_0_22DA: seg000:22DA
proc near call sub_0_22DD call sub_0_2325 call sub_0_235B call sub_0_2374 call sub_0_23B6 call sub_0_23F8 ; Æ endp jnz loc_0_22DA ; Å nop nop nop call sub_0_2412 call
sub_0_2305 ,
,
,
undefined,
:
MakeUnkn(0x122C0,1); seg000:22C0 start seg000:22C1 seg000:22C2 seg000:22C3 seg000:22C4 seg000:22C5 seg000:22C6 seg000:22C7 seg000:22C8 seg000:22C9 seg000:22CA seg000:22CB seg000:22CC seg000:22CD seg000:22CE seg000:22CF seg000:22D0 seg000:22D1 seg000:22D2 seg000:22D3 seg000:22D4 seg000:22D5 seg000:22D6
db db db db db db db db db db db db db db db db db db db db db db db
0E8h 1Ah 0 0E8h 5Fh 0 0E8h 92h 0 0E8h 0A8h 0 0E8h 0E7h 0 0E8h 26h 1 75h 6 90h 90h 90h
; ; ; ; ; _ ; ; ; ; ; ; ; ; ; ; ; ; & ; ; u ; ; ; ; 161
,
,
-
( seg000:2305 seg000:2305 seg000:2306 seg000:2309 seg000:230B seg000:230B seg000:230B seg000:230D seg000:230D seg000:230D seg000:230D seg000:230D seg000:230D seg000:2310 seg000:2313 seg000:2316 seg000:2319 seg000:231B seg000:231C seg000:231D seg000:231E seg000:2321 seg000:2321 seg000:2321 seg000:2324 seg000:2324
,
),
sub_0_2305
.
proc near sti call sub_0_1CA mov ah, 4Ch int 21h endp
sub_0_2305
; _______________ S U B R O U T I N E sub_0_230D
proc near mov si, 2C51h call sub_0_DD mov si, 2C4Dh call sub_0_2E2 jnb loc_0_2321 nop nop nop mov si, 2A2Dh
loc_0_2321: call retn endp
sub_0_230D
sub_0_DD
Message(“0x%X \n”, SetFunctionEnd(0x12305,0x12310) ); 1 , .
.(
, )
,
(
),
. seg000:292F sub_0_292F proc near seg000:292F inc bx seg000:2930 loop loc_0_292F seg000:2932 nop seg000:2933 retn endp seg000:2933 sub_0_292F seg000:2933 seg000:2933 ; ---------------------------------seg000:2934*word_0_2934 dw 0 seg000:2934* seg000:2936*byte_0_2936 db 0 162
SetFuctionEnd(0x12930,0x12934); seg000:292F sub_0_292F proc near seg000:292F inc bx seg000:2930 loop loc_0_292F seg000:2932 nop seg000:2933 retn seg000:2933 seg000:2933 ; ---------------------------------seg000:2934*word_0_2934 dw 0 seg000:2934* endp seg000:2934 sub_0_292F seg000:2936*byte_0_2936 db 0 . ,
,
,
IDA
! ,
,
. Message(“0x%X \n”, SetFuctionEnd(0x12930,0x12935) ); 0 seg000:292F sub_0_292F proc near seg000:292F inc bx seg000:2930 loop loc_0_292F seg000:2932 nop seg000:2933 retn seg000:2933 seg000:2933 ; ---------------------------------seg000:2934*word_0_2934 dw 0 seg000:2934* seg000:2936*byte_0_2936 db 0 , ,
,
,
. 0x12936
, ,
IDA .
Message(“0x%X \n”, SetFunctionEnd(0x12936,0x12933) ); 1 ,
SetFunctionEnd
, .
,
0x12936 :
Message(“0x%X \n”, SetFunctionEnd(0x12935,0x12933) 163
); 0 seg000:292F sub_0_292F proc near seg000:292F inc bx seg000:2930 loop loc_0_292F seg000:2932 nop seg000:2933 retn seg000:2933 seg000:2933 ; ---------------------------------seg000:2934*word_0_2934 dw 0 endp seg000:2934*sub_0_292F seg000:2936*byte_0_2936 db 0 ,
, word_02934,
,
,
.
IDA (
),
,
, . , ,
IDA
,
,
,
. . .
ea end Return
, . 0
.
1
long NextFunction(long ea); ‘ea’. NextFunction(0). , BADADDR. : seg000:0000 sub_0_0 seg000:0000 seg000:0001 …………….. seg000:0027 seg000:0028 seg000:0029 seg000:0029 sub_0_0
proc near push ax push bx pop pop retn endp
bx ax
164
seg000:0029 seg000:002A seg000:002A ; ___________ S U B R O U T I N E ____________________ seg000:002A seg000:002A seg000:002A sub_0_2A proc near seg000:002A mov si, 211h seg000:002D call sub_0_DD seg000:0030 mov si, 2BAh seg000:0033 call sub_0_DD seg000:0036 retn seg000:0036 sub_0_2A endp seg000:0036 seg000:0037 seg000:0037 ; _______________ S U B R O U T I N E ________________ seg000:0037 seg000:0037 seg000:0037 sub_0_37 proc near seg000:0037 seg000:0037 seg000:0037 push ax seg000:0038 push bx auto a; a=0; while ((a=NextFunction(a))!=-1) Message("%x \n",a); 10000 1002a 10037
ea Return
!=BADADDR BADADDR
long PrevFunction(long ea) . PrevFunction(BADADDR). seg000:0000 sub_0_0 seg000:0000 seg000:0001 …………….. seg000:0027 seg000:0028 seg000:0029 seg000:0029 sub_0_0
proc near push ax push bx pop pop retn endp
bx ax
165
seg000:0029 seg000:002A seg000:002A ; ___________ S U B R O U T I N E ____________________ seg000:002A seg000:002A seg000:002A sub_0_2A proc near seg000:002A mov si, 211h seg000:002D call sub_0_DD seg000:0030 mov si, 2BAh seg000:0033 call sub_0_DD seg000:0036 retn seg000:0036 sub_0_2A endp seg000:0036 seg000:0037 seg000:0037 ; _______________ S U B R O U T I N E ________________ seg000:0037 seg000:0037 seg000:0037 sub_0_37 proc near seg000:0037 seg000:0037 seg000:0037 push ax seg000:0038 push bx auto a; a=0x10038; while ((a=PrevFunction(a))!=-1) Message("%x \n",a); 10037 1002a 10000
Ea Return
!=BADADDR BADADDR
long GetFunctionFlags(long ea); GetFunctionFlags
. .
FUNC_NORET FUNC_FAR FUNC_LIB
0x00000001 L 0x00000002 L 0x00000004
FAR (
)
166
L 0x00000008 L 0x00000010L 0x00000020 L 0x00000040 L
FUNC_STATIC FUNC_FRAME FUNC_USERFAR FUNC_HIDDEN
Ф
ц я
ь
я
а а
я а
а
а
BP
(FAR)
. FUNC_NORET , ret.
IDA
. ,
,
.
seg000:2305 sub_0_2305 seg000:2305 seg000:2306 seg000:2309 seg000:230B seg000:230B sub_0_2305
proc near sti call sub_0_1CA mov ah, 4Ch int 21h endp
Message(“%b \n”, GetFunctionFlags(0x12305) ); 0 , , SetFunctionFlags. FUNC_FAR «
»
. IDA – retf.
, .
,
CALL FAR \ RET ,
, IDA
. IDA, , ,
. seg000:048B sub_0_48B seg000:048B seg000:048B seg000:048C seg000:048D seg000:0490 seg000:0494 seg000:0498
proc far pushf push push push push retf
cs offset locret_0_499 word ptr ds:74Dh word ptr ds:74Bh
167
seg000:0498 sub_0_48B endp ; sp = -0Ah seg000:0498 seg000:0499 ; -----------------------------------------seg000:0499 seg000:0499 locret_0_499: seg000:0499 retn Message(“%b \n”, GetFunctionFlags(0x1048B) ); 10 FUNC_LIB «
»
.
,
FLIRT. .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:00401106 .text:00401108 .text:0040110D .text:0040110D .text:0040110D .text:00401111 .text:00401116 .text:0040111B .text:00401121 .text:00401122 .text:00401123 .text:00401123
; Attributes: library function __amsg_exit
proc near
arg_0
= dword ptr
4
cmp jz call
dword_0_408758, 2 short loc_0_40110D __FF_MSGBANNER
push call push call pop pop retn endp
[esp+arg_0] __NMSG_WRITE 0FFh off_0_408050 ecx ecx
loc_0_40110D:
__amsg_exit
Message(“%b \n”, GetFunctionFlags(0x4010FF) ); 100 FUNC_FRAME BP (EBP). IDA PUSH BP MOV BP, SP
168
, ESP. IDA
ESP .
,
seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B8 seg000:20B9 seg000:20BB seg000:20BB seg000:20BD seg000:20BE seg000:20C0 seg000:20C4 seg000:20C6 seg000:20C9
; Attributes: bp-based frame sub_0_20B8
proc near
var_80 var_6B var_62
= byte ptr -80h = byte ptr -6Bh = byte ptr -62h push mov int
bp ah, 2Fh 21h
push mov sub mov lea int
bx bp, sp, ah, dx, 21h
sp 80h 1Ah [bp+var_80]
Message(“%b \n”, GetFunctionFlags(0x4010FF) ); 10000
push bp
, mov bp,sp
IDA
, .
FUNC_USERFAR IDA NEAR FAR, ~ Edit \ Function \ Edit Function.
, ‘Modify Function’
169
,
SetFunctionFlags! .
,
FUNC_HIDDEN « Gray ‘-‘, , IDA .
,
»
. .
dseg:027B ; [00000009 BYTES: COLLAPSED FUNCTION sub_0_27B. PRESS KEYPAD "+" TO EXPAND]
Message(“%b \n”, GetFunctionFlags(0x4010FF) ); 100000 ,
IDC.IDC ,
#define FUNC_HIDDEN
0x00000040L
:
// a hidden function
IDA
,
. dseg:0271 ; Attributes: library function dseg:0271 dseg:0271 __checknull proc near 170
dseg:0271 dseg:0271 __checknull
retn endp
dseg:0272 ; Attributes: library function bp-based frame dseg:0272 dseg:0272 __terminate proc
Ea Return
, !=BADADDR BADADDR
(
)
success SetFunctionFlags(long ea,long flags); . GetFunctionFlags.
Ea flag
, (
Return
GetFunctionFlags)
!=BADADDR BADADDR
(
SetFunctionFlags, (
,
)
IDA ref
). ,
.
: dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0274 dseg:0276 dseg:0279 dseg:0279
; Attributes: library function bp-based frame __terminate
proc near
arg_0
= byte ptr
__terminate
mov mov mov int endp
; COD 2
bp, sp ah, 4Ch ; 'L' al, [bp+arg_0] 21h
; DOS ; AL
SetFunctionFlags ( 0x10272, GetFunctionFlags(0x10272) + 1 )
171
dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0274 dseg:0276 dseg:0279 dseg:0279
; Attributes: library function noreturn bp-based frame __terminate
proc near
; CODE XREF: sub_0_3C7+44p
arg_0
= byte ptr
__terminate
mov mov mov int endp
2
bp, sp ah, 4Ch ; 'L' al, [bp+arg_0] 21h
; DOS - 2+ - QUIT WITH EXIT ; AL = exit code
. ,
FUNC_FRAME, ,
,
BP.
SetFunctionFlags ( 0x10272, GetFunctionFlags(0x10272) – 0x10; ) dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0272 dseg:0274 dseg:0276 dseg:0279 dseg:0279
; Attributes: library function __terminate
proc near
; CODE XREF: sub_0_3C7+44p
arg_0
= byte ptr
__terminate
mov mov mov int endp
2
bp, sp ah, 4Ch ; 'L' al, [bp+arg_0] 21h
; DOS - 2+ - QUIT WITH EXIT ; AL = exit code
FUNC_HIDDEN ,
.
SetFunctionFlags ( 0x10272, GetFunctionFlags(0x10272) + 0x40; ) dseg:0272 ; [00000009 BYTES: COLLAPSED FUNCTION __terminate. PRESS KEYPAD "+" TO EXPAND]
char GetFunctionName(long ea); . ,
. ,
Ea Return
.
,
172
!=”” “”
: dseg:025E __cleanup dseg:025E dseg:0263 dseg:0264
proc near mov es, cs:DGROUP@ push si push di
Message(“%s \n”, GetFunctionName(0x10263) ); __cleanup
void SetFunctionCmt(long ea, char cmt, long repeatable); ,
. IDA
, (
.
repeatable comment).
‘repeatable’
. : SetFunctionCmt(0x10271,”Hello IDA 4.0”,1); dseg:0271 ; Hello IDA 4.0 dseg:0271 ; Attributes: static dseg:0271 dseg:0271 __checknull proc near sub_0_3C7+2Cp dseg:0271 retn dseg:0271 __checknull endp
; CODE XREF:
, : dseg:03F0 dseg:03F3 4.0 dseg:03F6 dseg:03FA
call call
__restorezero __checknull
cmp jnz
[bp+arg_2], 0 loc_0_40F
; Hello
IDA
, : SetFunctionCmt(0x10271,”Hello \nIDA 4.0”,1);
173
dseg:0271 ; Hello dseg:0271 ; IDA 4.0 dseg:0271 ; Attributes: static dseg:03F3 dseg:03F3 dseg:03F6
call
__checknull
; Hello ; IDA 4.0
cmp
[bp+arg_2], 0 . . , ,
. , ,
. .
, ,
– ‘regular’. : SetFunctionCmt(0x10271,”Hello IDA 4.0”,1); SetFunctionCmt(0x10271,”Hello World”,0); dseg:0271 ; Hello World dseg:0271 ; Attributes: static dseg:03F3 dseg:03F6
call cmp
Ea Cmp Repeatable
__checknull [bp+arg_2], 0
; Hello IDA 4.0
, , 0 1
char GetFunctionCmt(long ea, long repeatable); , ,
. .
SetFunctionCmt : dseg:0271 dseg:0271 dseg:0271 dseg:0271 dseg:0271 dseg:0271
; Hello IDA 4.0 ; Attributes: static __checknull __checknull
proc near retn endp
Message(“%s \n”, GetFunctionCmt(0x010271,1) 174
); Hello, IDA 4.0 Message(“%s \n”, GetFunctionCmt(0x010271,0) ); , (
)
,
Ea
.
,
Repeatable
0 1
Return
!=”” “”
long ChooseFunction(char title);
. BADADDR, . : Message(“0x%X \n”, ChooseFunction(“List”) );
175
0x401020
Function Name Segment Start Length
,
RFLSBMICDV
* * * * *
*
R F L S B M I C D V
!FUNC_NORET
,
FUNC_FAR
FAR (
)
FUNC_LIB FUNC_STATIC
Static –
FUNC_FRAME
BP
FUNC_MEMBER
member function
FUNC_VIRTUAL FUNC_CTR FUNC_DTR FUNC_VARARG
. . SetFunctionFlags.
title 176
Return
!=BADADDR BADADDR
, «
. »
, (
)
. . ,
. .
,
.
char GetFuncOffset(long ea); :
ИмяФункции+СмещениеОтносительноНачалаФункции. . : .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:00401106 .text:00401108 .text:0040110D .text:0040110D .text:0040110D .text:00401111 .text:00401116 .text:0040111B .text:00401121 .text:00401121 .text:00401121 .text:00401122 .text:00401123
__amsg_exit
proc near
arg_0
= dword ptr
4
cmp jz call
dword_0_408758, 2 short loc_0_40110D __FF_MSGBANNER
push call push call pop endp
[esp+arg_0] __NMSG_WRITE 0FFh off_0_408050 ecx
pop retn
ecx
loc_0_40110D:
__amsg_exit
Message(“%s \n”, GetFuncOffset(0x401108) ); __amsg_exit+9
ea Return
, !=””
(
) 177
“”
,
GetFuncOffset
.
long FindFuncEnd(long ea); ,
, . . .
– –
, ,
. : seg000:22C0 seg000:22C0 seg000:22C3 seg000:22C6 seg000:22C9 seg000:22CC seg000:22CF seg000:22D2 seg000:22D4 seg000:22D5 seg000:22D6 seg000:22D7 seg000:22DA seg000:22DA seg000:22DA seg000:22DD seg000:22DD seg000:22DD seg000:22DD seg000:22DD seg000:22DD
start: call call call call call call jnz nop nop nop call
sub_0_22DD sub_0_2325 sub_0_235B sub_0_2374 sub_0_23B6 sub_0_23F8 loc_0_22DA
call
halt
sub_0_2412
loc_0_22DA:
;
; _______________ S U B R O U T I N E ___ sub_0_22DD
proc near call sub_0_28CC
start
;
ret. ,
Halt. ,
ret, sub_0_22DD!
, . . .
RETN, ,
RETF… « » FindFuncEnd.
. ? , , , , (
. ,
FindFuncEnd «
»). 178
, (
,
).
: seg000:0100 seg000:0100 seg000:0103 seg000:0106 seg000:0106 seg000:0106 seg000:0106 seg000:0108 seg000:010A seg000:010B seg000:010B seg000:010B seg000:010B seg000:010E seg000:010E seg000:010F
start: mov mov int
ax, 3D01h dx, 10Fh 21h
jb loc_0_10B retn ; ------------------------------------loc_0_10B: mov ax, 0FFFFh retn ; ------------------------------------aMyfile db 'MyFile',0
Message("0x%X \n", FindFuncEnd(0x10103) ); 0x1010F ,
IDA . «
,
», ,
,
aMyFIle .
IDA .
–
,
. : Message("0x%X \n", FindFuncEnd(0x10102) ); 0xFFFFFFFF , . ,
FindFuncEnd
: seg000:0100 start seg000:0100 seg000:0103 seg000:0106 seg000:0106 seg000:0106 seg000:0106 seg000:0108 seg000:010A
proc near mov ax, 3D01h mov dx, 10Fh int 21h
jb retn
loc_0_10B
179
seg000:010B seg000:010B seg000:010B seg000:010B seg000:010E seg000:010E seg000:010F seg000:010F
; -----------------------------------loc_0_10B: mov ax, 0FFFFh retn ; -----------------------------------aMyfile db 'MyFile',0 start endp
Message("0x%X \n", FindFuncEnd(0x10103) ); 0x10116 , , 0x115, idc.idc .
,
0x10F . FindFuncEnd ,
IDA. , . ,
,
.
ea
Return
,
!=BADADD R BADADDR
ID
long GetFrame(long ea); ID
(
)
BADADDR
.
IDA, (
) ,
, ,
«
, GetFrame
»
BADADDR. :
.text:004010FF __amsg_exit .text:004010FF .text:004010FF arg_0 .text:004010FF .text:004010FF .text:00401106 .text:00401108 .text:0040110D .text:0040110D loc_0_40110D: .text:0040110D .text:00401111
proc near = dword ptr
4
cmp jz call
dword_0_408758, 2 short loc_0_40110D __FF_MSGBANNER
push call
[esp+arg_0] __NMSG_WRITE 180
.text:00401116 .text:0040111B .text:00401121 .text:00401122 .text:00401123 .text:00401123 __amsg_exit
push call pop pop retn endp
0FFh off_0_408050 ecx ecx
Message(“%x \n”, GetFrame(0x40110D) ); ff000162
ea
Return
,
!=BADADD R BADADDR
ID
long GetFrameLvarSize(long ea); ( ,
).
. ,
BADADDR.
: .text:00401806 .text:00401806 .text:00401806 .text:00401806 .text:00401806 .text:00401806 .text:00401809 .text:0040180A
__ioinit var_44 var_12 var_10
proc near = byte ptr -44h = word ptr -12h = dword ptr -10h sub push push
esp, 44h ebx ebp
Message(“0x%X \n”, GetFrameLvarSize(0x401809) ); 0x44
Ea
Return
,
!=0 !=BADADD R 0 BADADDR 181
long GetFrameRegsSize(long ea); . ( (
)
32-
16-
) ,
BADADDR .
: .text:0040124A __XcptFilter .text:0040124A .text:0040124A arg_0 .text:0040124A arg_4 .text:0040124A .text:0040124A .text:0040124B .text:0040124D .text:0040124E
proc near = dword ptr = dword ptr push mov push push
8 0Ch
ebp ebp, esp ebx [ebp+arg_0]
Message(“0x%X \n”, GetFrameRegsSize(0x40124A) ); 4 seg000:2092 sub_0_2092 seg000:2092 seg000:2092 var_40 seg000:2092 seg000:2092 seg000:2093
proc far = byte ptr -40h push mov
bp bp, sp
Message(“0x%X \n”, GetFrameRegsSize(0x12093) ); 2
Ea
Return
,
!=0 !=BADADD R 0 BADADDR
182
long GetFrameArgsSize(long ea); (
)
,
. IDA
,
. .
– . . RET N,
Intel
N IDA
.
, ,
RET. : Pascal_func: Push bp Mov bp,sp Mov ax,[BP+4] 2 RET Endp PUSH CALL
10 Pascal_func
– .
. . ADD SP, N.
N
.
,
IDA
. : C_func: Push Mov Mov RET Endp PUSH CALL ADD
bp bp,sp ax,[BP+4]
10 C_func SP,2 . POP . .
C_opimize_func: Push bp Mov bp,sp Mov ax,[BP+4] RET Endp PUSH CALL
10 C_optimize_func 183
OR JZ MOV Xxx: POP RET
AX,AX xxx AX,[BX] AX
,
POP AX. »,
« . , .
H=open(“MyFile”,”rb”); read(buff,10,H); seek(20,1,H); .
PUSH offset arb PUSH offset aMyFile CALL open ADD SP,4 MOV [offset H],AX PUSH [offset H] PUSH [10] PUSH buff CALL read ADD SP,6 PUSH [offset H] PUSH 1 PUSH 20 CALL seek ADD SP,6 – , , PUSH PUSH CALL PUSH
. ,
:
offset arb offset aMyFile open AX
PUSH [10] PUSH buff CALL read ADD SP,4 PUSH 1 PUSH 20 CALL seek ADD SP,10
184
! . , . »
« 5
,
!
.
, ,
,
, ,
«
»
,
. , ,
.
-
, .
, ,
IDA
.
Ea
Return
,
!=0 !=BADADD R 0 BADADDR
long GetFrameSize(long ea); . : FrameSize == FrameLvarSize + FrameArgsSize + FrameRegsSize + ReturnAddresSize
,
,
. GetFrameLvarSize, GetFrameArgsSize, GetFrameRegsSize. , , ,
:
ReturnAddresSize == FrameSize - FrameLvarSize + FrameArgsSize + FrameRegsSize
185
,
,
,
.
: seg000:0000 start seg000:0000 seg000:0003 seg000:0006 seg000:0009 seg000:0009 start
proc near call sub_0_A call sub_0_10 call sub_0_16 retn endp
Message(“0x%X \n”, GetFrameSize(0x10000) ); 2 seg000:0010 sub_0_10 seg000:0010 seg000:0011 seg000:0012 seg000:0014 seg000:0015 seg000:0015 sub_0_10
proc near push bp push ax mov bp, sp pop bp retn endp ; sp = -2
Message(“0x%X \n”, GetFrameSize(0x10010) ); 6 Message(“0x%X \n”, GetFrameRegsSize(0x10010) ); 4 , .
,
,
: seg000:000A sub_0_A seg000:000A seg000:000B seg000:000D seg000:000E seg000:000F seg000:000F sub_0_A
proc near push bp mov bp, sp push ax pop bp retn endp ; sp = -2
Message(“0x%X \n”, GetFrameSize(0x1000A) ); 4 186
Message(“0x%X \n”, GetFrameRegsSize(0x1000A) ); 2 , mov bp, sp (
«
»(
) )
(
)
,
.
Ea
,
Return
!=BADADD R BADADDR
long MakeFrame(long ea,long lvsize,long frregs,long argsize); . , ,
. .
,
ID
,
. BADADDR.
Ea lvsize frrgs argsize Return
,
, !=BADADDR
ID
,
BADADDR
. : .text:00401487 __setargv
proc near 187
.text:00401487 .text:00401487 var_8 .text:00401487 var_4 .text:00401487 .text:00401487 .text:00401488 .text:0040148A .text:0040148B
= dword ptr -8 = dword ptr -4 push mov push push
ebp ebp, esp ecx ecx
MakeFrame(0x401487,0,0,0); .text:00401487 __setargv .text:00401487 .text:00401488 .text:0040148A .text:0040148B .text:0040148C
proc near push ebp mov ebp, esp push ecx push ecx push ebx , . ,
.text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401521 .text:00401523 .text:00401526 .text:00401529
«
sub_0_401520
proc near
arg_0 arg_4 arg_8 arg_C arg_10
= = = = =
dword dword dword dword dword
push mov mov mov push
,
ptr ptr ptr ptr ptr
»
8 0Ch 10h 14h 18h
ebp ebp, esp ecx, [ebp+arg_10] eax, [ebp+arg_C] ebx
MakeFrame(0x401520,0,0,0); .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401520 .text:00401521 .text:00401523 .text:00401526 .text:00401529
sub_0_401520
proc near
arg_0 arg_4 arg_8 arg_C arg_10
= = = = =
dword dword dword dword dword
push mov mov mov push
ptr ptr ptr ptr ptr
8 0Ch 10h 14h 18h
ebp ebp, esp ecx, [ebp+arg_10] eax, [ebp+arg_C] ebx
188
long GetSpd(long ea); SP (ESP) . IDA
, . (
SetSpDiff)
IDA
.
: .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:00401106 .text:00401108 .text:0040110D .text:0040110D .text:0040110D .text:00401111 .text:00401116 .text:0040111B .text:00401121 .text:00401122 .text:00401123 .text:00401123 .text:00401123
__amsg_exit
proc near
arg_0
= dword ptr
4
cmp jz call
dword_0_408758, 2 short loc_0_40110D __FF_MSGBANNER
push call push call pop pop retn endp
[esp+arg_0] __NMSG_WRITE 0FFh off_0_408050 ecx ecx
loc_0_40110D:
__amsg_exit
Message(“%d \n”, GetSpd(0x4010FF) ); 0 Message(“%d \n”, GetSpd(0x401111) ); -4 Message(“%d \n”, GetSpd(0x401116) ); -8 Message(“%d \n”, GetSpd(0x401122) ); -4 Message(“%d \n”, 189
GetSpd(0x401123) ); 0 SP (ESP) ,
.
push, ,
, .
ESP
–
. ESP 0 -4
,
.text:0040110D .text:00401111
,
push call
[esp+arg_0] __NMSG_WRITE
SP (ESP) , . IDA (
. , ). SetSpDiff.
Ea Return
SP (ESP)
long GetSpDiff(long ea); SP (ESP)
,
‘ea’. : .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:004010FF .text:00401106 .text:00401108 .text:0040110D .text:0040110D .text:0040110D .text:00401111 .text:00401116 .text:0040111B .text:00401121 .text:00401122 .text:00401123 .text:00401123
__amsg_exit
proc near
arg_0
= dword ptr
4
cmp jz call
dword_0_408758, 2 short loc_0_40110D __FF_MSGBANNER
push call push call pop pop retn endp
[esp+arg_0] __NMSG_WRITE 0FFh off_0_408050 ecx ecx
loc_0_40110D:
__amsg_exit
Message(“%d \n”, 190
GetSpd(0x4010FF) ); 0 Message(“%d \n”, GetSpd(0x401111) ); -4 Message(“%d \n”, GetSpd(0x401116) ); -8 Message(“%d \n”, GetSpd(0x401122) ); -4 Message(“%d \n”, GetSpd(0x401123) ); 0 ESP .text:0040110D .text:00401111
0 -4
push call
[esp+arg_0] __NMSG_WRITE
GetSpd .
,
Ea Return
SP (ESP)
success SetSpDiff(long ea,long delta); SP (ESP) . SP (ESP),
,
,
IDA
,
. ,
, SetSpDiff
. ,
: 191
seg000:0000 seg000:0000 seg000:0000 seg000:0001 seg000:0002 seg000:0003 seg000:0005 seg000:000A seg000:000B seg000:000D seg000:0010 seg000:0011 seg000:0013 seg000:0014 seg000:0016 seg000:0016
000
public start proc near push ax push ax push bp mov bp, sp mov word ptr [bp+2], 2 pop bp mov bp, sp mov cx, [bp+0] pop ax add sp, cx push ax add sp, cx retn endp ; sp = -4
start 002 004 006 006 006 004 004 004 002 002 004 004 start
Message(“%d \n”, GetSpDiff(0x10013) ); 0 Message(“%d \n”, GetSpDiff(0x10016) ); 0
SP CX.
add sp, cx IDA, 0x86
IDA
,
CX
,
. ,
,
SP
. SP. SP
SetSpDiff
. ,
. SP
ADD SP, CX
seg000:0011 seg000:0014. seg000:0013 seg000:0016. SP.
SetSpDiff(0x10013,2); SetSpDiff(0x10016,2); seg000:0000 000 seg000:0000 start seg000:0000 seg000:0001 002 seg000:0002 004
public start proc near push ax push ax push bp 192
seg000:0003 seg000:0005 seg000:000A seg000:000B seg000:000D seg000:0010 seg000:0011 seg000:0013 seg000:0014 seg000:0016 seg000:0016
006 006 006 004 004 004 002 000 002 000
mov mov pop mov mov pop add push add retn endp
start
Ea delta
bp, sp word ptr [bp+2], 2 bp bp, sp cx, [bp+0] ax sp, cx ax sp, cx
SP 1
Return
0
success MakeLocal(long start,long end,char location,char name) 3.74 3.74
IDA
, .
,
. «
»
. 'MakeLocal' 'MakeLocal'
(«~Edit\Functions\Stack variables»). ('start'
'end'),
IDA (
IDA 4.0)
. :
.
,
end
'BADADDR' IDA
. start
,
MakeLocal
(
start ) , "[BP+XX]", location
"xx" .
'x'
,
.
193
,
BP,
'AX',
, 'BP' , .
name
, . IDA 'var_xx'.
Return
==return ==1 ==0
Hot Key
Menu Edit\Functions\Stack variables
,
. .
, (
,
). IDA (
'arg_xx')
. : MakeLocal(ScreenEA(),0,"[bp+0x4]","MyVar"); .text:00401124 sub_0_401124 .text:00401124 .text:00401124 MyVar .text:00401124 .text:00401124
proc near = dword ptr push
4
[esp+MyVar]
success SetReg (long ea,char reg,long value); . IDA (
)
. , ,
IDA , . SetReg
ASSUME, .
. ,
(
,
64 ) SetReg
.
: dseg:0000 start dseg:0000 dseg:0003 dseg:0005 dseg:0005 dseg:0008
proc near mov ax, seg dseg mov ds, ax assume ds:dseg mov dx, offset aHelloSailor ; call WriteLn 194
dseg:000B dseg:000D dseg:000E dseg:0010 dseg:0010 dseg:0013 dseg:0016 dseg:0018 dseg:0018 start
mov ax, ds inc ax mov ds, ax assume ds:nothing mov dx, 2Fh ; '/' call WriteLn mov ah, 4Ch int 21h endp
dseg:0020 aHelloSailor dseg:002F dseg:003F aHelloIda dseg:003F dseg dseg:003F dseg:003F dseg:003F
db 'Hello,Sailor',0Dh,0Ah,'$' db '$$$$$$$$$$$$$$$$' db 'Hello,IDA!',0Dh,0Ah,'$' ends
0x2F
end start
dseg:0x10
. .
dseg:0x3F,
DS )
(
«
» ‘dseg:0x10’
? :
SetReg (ScreenEA (),”DS”, 0x1001); : dseg:0010 loc_0_10: dseg:0010
mov
; DATA XREF: start+10o dx, offset aHelloIda - offset loc_0_10 ; "Hello,IDA!\r\n$"
,
IDA
.
,
. ,
«offset aHelloIda - offset loc_0_10»
loc_o_10 0x10. SetReg ‘ASSUME’
,
0x10, ,
OpAlt.
.
‘ea’ ‘reg’ ‘value’ Return
. (“CS”,”DS”,”ES”
. .)
==return ==1 ==0
SetReg
«~EDIT\Segments\Change segment
register value».
long GetReg (long ea,char reg); . SetReg.
195
‘ea’
,
‘reg’ Return
.
16. ,
“DS”, “GS”
==return !=0xFFFF ==0xFFFF
,
32.
AskSelector.
«
» AskSelector
, . .
, ( 0xFFFF,
“MS”) BADADDR,
, IDA
. : seg000:0000 seg000 seg000:0000
segment byte public 'CODE' use16 assume cs:seg000
Message (“%x \n”, GetReg (0x10000,”CS”) ); 1000 .text:00401000 _text .text:00401000
segment para public 'CODE' use32 assume cs:_text
Message (“%x \n”, GetReg (ScreenEA (),”CS”) ); 1 Message (“%x \n”, AskSelector (1) ); 0
ПЕРЕКРЕСТНЫЕ ССЫЛКИ
196
ЧТО ТАКОЕ ПЕРЕКРЕСТНЫЕ ССЫЛКИ? SOURCER .
,
,
, . ?
.
,
.
:
.MODEL TINY .CODE ORG 100h Start: MOV LEA INT RET s0 DB "Hello, END Start
AH,9 DX,s0 21h Sailor!",0Dh,0Ah,'$' :
seg000:0100 start proc near seg000:0100 mov ah, 9 seg000:0102 mov dx, offset aHelloSailor ; "Hello, Sailor!\r\n$" seg000:0105 int 21h seg000:0105 seg000:0107 retn seg000:0107 start endp seg000:0107 seg000:0107 ; -------------------------------------------------------------------------seg000:0108 aHelloSailor db 'Hello, Sailor!',0Dh,0Ah,'$' seg000:0108 seg000 ends ,
,
.
-
,
, . ,
.
, .
,
,
. ,
(
,
),
–
,
,
,
. ,
-
, ,
. .
! ,
!
(
). ! : 197
.MODEL TINY .CODE ORG 100h Start: LEA AX,s0 PUSH AX CALL Print RET s0 DB 'Hello, Sailor!',0Dh,0Ah,'$' Print: POP AX POP DX PUSH AX MOV AH,9 INT 21h RET END Start . .
,
,
? ,
. .
, .
,
.
(
) «
,
»,
! .
,
.
, .
,
)
( . ,
–
. ,
, ,
, ! ,
,
.
,
,
. ,
,
. .
, ,
,
«
».
, .
. . , CALL 0x666,
, , ,
MOV DX,0x777 CALL BX
, –
BX .
198
, .
IDA
. , (
IDA
!),
. IDA .
3.7 ,
SOURCER,
!
ALMA MATER , «
, »
,
. IDA , . , ,
. ?
.
( ,
.
),
?
,
? , IDA.
, ,
. ,
. IDA
‘from’,
–
,
‘to’. ,
!
,
11 –
: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
.MODEL TINY .CODE ORG 100h Start: MOV AH,9 LEA DX,s0 INT 21h RET s0 DB "Hello, Sailor!",0Dh,0Ah,'$' ; ⇐ END Start 8
; ; ⇒ ; ;
. , .
,
IDA ,
,
–
( CALL BX .
IDA
), :
199
seg000:0100 public start seg000:0100 start proc near seg000:0100 mov ah, 9 seg000:0102 mov dx, offset aHelloSailor seg000:0105 int 21h seg000:0105 seg000:0107 retn seg000:0107 start endp seg000:0107 seg000:0107 ; -----------------------------------------------------seg000:0108 aHelloSailor db 'Hello, Sailor!',0Dh,0Ah,'$' ; DATA XREF: start+2o seg000:0108 seg000 ends ,
IDA
0x102 –
,
. ,
,
. .
– ( ,
,
,
)
. , ,
,
. .
seg000:0100 org 100h seg000:0100 assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing seg000:0100 seg000:0100 public start seg000:0100 start: ; "Hello, World!\r\n$" seg000:0100 push offset aHelloWorld call Print seg000:0103 seg000:0106 push offset aHelloSailor ; "Hello, Sailor!\r\n$" call Print seg000:0109 seg000:010C retn seg000:010D seg000:010D; _____________ S U B R O U T I N E _______________________________________ seg000:010D seg000:010D seg000:010D Print proc near ; CODE XREF: seg000:0103p seg000:010D ; seg000:0109p seg000:010D pop ax seg000:010E pop dx seg000:010F push ax seg000:0110 mov ah, 9 seg000:0112 int 21h ; DOS - PRINT STRING seg000:0112 ; DS:DX -> string terminated by "$" seg000:0114 retn seg000:0114 Print endp ; sp = 2 seg000:0114 seg000:0114 ; -----------------------------------------------------------------------seg000:0115 aHelloWorld db 'Hello, World!',0Dh,0Ah,'$' ; DATA XREF: seg000:0100o seg000:0125 aHelloSailor db 'Hello, Sailor!',0Dh,0Ah,'$' ; DATA XREF: seg000:0106o seg000:0125 seg000 ends -0001010D: sub_0_10D
Print
, ,
,
IDA
. .
,
Enter . 200
0x10D ~ View \ Cross references.
:
, (
!)
,
IDA ( –
, .
), ,
. , . ,
seg000:0002 seg000:0004 seg000:0004 seg000:0006 seg000:0009 seg000:0009 seg000:000C seg000:000C seg000:000C seg000:000C seg000:000E seg000:000F seg000:000F seg000:000F seg000:000F seg000:000F seg000:0011 seg000:0012 seg000:0012 seg000:0012
, : mov ds, ax assume ds:seg000 mov ah, 6 mov di, offset off_0_25 jmp short Print ; --------------------------------------------------Def_1:
; CODE XREF: start+1Bu ; DATA XREF: seg000:0025o dl, 31h ; '1'
mov retn ; ---------------------------------------------------Def_2:
; CODE XREF: start+1Bu ; DATA XREF: seg000:0027o dl, 32h ; '2'
mov retn ; ----------------------------------------------------Print:
; CODE XREF: start+9j 201
seg000:0012 seg000:0012 seg000:0014 seg000:0017 seg000:0019 seg000:001B seg000:001D seg000:001F seg000:0021 seg000:0021 seg000:0021 seg000:0021 seg000:0023 seg000:0023 seg000:0023 seg000:0023 seg000:0025 seg000:0027 seg000:0029 seg000:002B seg000:002D seg000:002F seg000:002F seg000:002F seg000:002F seg000:002F seg000:0031 seg000:0032 seg000:0032 seg000:0032 seg000:0034
; start+1Fj mov bx, [di] add di, 2 or bx, bx jz loc_0_21 call bx int 21h jmp short Print ; -----------------------------------------------------loc_0_21: mov int endp
start
; CODE XREF: start+19j ah, 4Ch 21h ; AL = exit code
; ---------------------------------------------------; DATA XREF: start+6o off_0_25 dw offset Def_1 dw offset Def_2 dw offset def_3 dw offset def_4 dw 0 ; ----------------------------------------------------def_3:
; CODE XREF: start+1Bu ; DATA XREF: seg000:0029o mov retn
dl, '3'
mov retn
dl, '4'
def_4:
.
:
seg000:001B
call
bx ,
, ,
.
, IDA
BX ,
,
, .
‘unexplored’. . .
, ?
,
,
. ,
.
АРХИТЕКТУРА ПЕРЕКРЕСТНЫХ ССЫЛОК
202
,
,
–
. . ,
(
). ,
. ,
.
,
, . .
.
,
(
–
,
)
. – ,
JMP, CALL, JZ
, DW offset MyData. ,
,
. , , LEA, MOV xx, offset
.
,
-
IDA
,
, . ,
,
. , IDA).
щ
« IDA
.
» (Ordinary flow .
:
seg000:0012 mov bx, [di] ; ⇒ seg000:0014 add di, 2 ;⇐⇒ seg000:0017 or bx, bx ;⇐⇒ seg000:0019 jz loc_0_21 ;⇐⇒ seg000:001B call bx ;⇐⇒ seg000:001D int 21h ;⇐⇒ seg000:001F jmp short Print ;⇐ seg000:0021 ; -----------------------------------seg000:0021 seg000:0021 loc_0_21: seg000:0021 mov ah, 4Ch ; ⇒ seg000:0023 int 21h ;⇐ seg000:0023 start endp , – -
.
, .
,
. «
.
»,
?
,
, ,
,
RET, ,
CALL, .
,
, .
,
( 203
–
–
, Ordinary flow “
,
).
”
.
–
,
?
, IDA
. 0x21) . .
(
. ,
bTree,
, (
),
.
IDA ,
. Ordinary ,
, ,
flow ,
. ,
,
. , IDA Jump, call
« ,
offset.
»
–
,
.
,
,
,
. , ,
,
.
, ,
.
IDA . , . ,
.
: seg000:000C seg000:000E seg000:0010 seg000:0012 seg000:0015 seg000:0015 seg000:0015 seg000:0017 seg000:0017 loc_0_17 seg000:0017
jnb mov xor mov int
loc_0_17 ah, 3Ch ; '20
slot Comment
long GetMarkedPos(long slot); slot. SetMarkedPos. :
auto a; for (a=1;a20 ==return
Return
!=BADADDR
».
==BADADDR
char GetMarkComment(long slot); ,
slot. SetMarkedPos.
:
auto a; for (a=1;a20 ==return
Slot
!=””
Return
==””
ȽȿɇȿɊȺɐɂə ȼɕɏɈȾɇɕɏ ɮȺɃɅɈȼ
int GenerateFile(long type, long file_handle, long ea1, long ea2, long flags); . «~File\Produce output file». Analyst.idc, IDA. :
OFILE_MAP OFILE_EXE OFILE_IDC OFILE_LST OFILE_ASM OFILE_DIF
exe IDA
IDC
(
crk)
MAP-
Borland :
Start
Stop
Length Name
Class
00000H 032E9H 032EAH seg000 Address 0000:0002 0000:0206 0000:03EA 0000:22C0 0000:2970 0000:297F 0000:2980 0000:298F
CODE
Publics by Value MyLabelName aScreen_log aDeifxcblst start aOtkrivaemFail aMyfile aYfile aCalc
Program entry point at 0000:22C0 . ,
.
,
. . .
Soft-Ice
Borland Turbo Debuger, Periscope, , .
334
, ,
. ‘flag’:
GENFLG_MAPSEGS GENFLG_MAPNAME
«dummy»
.
«Dummy» , off_, seg_ .
IDA , sub_, loc_,
.
.
EXE PatchByte
, PatchWord. IDA,
,
. IDA
.
, 1. 2. 3. 4. 5. 6. 7.
: MS DOS .exe MS DOS .com MS DOS .drv MS DOS .sys general binary Intel Hex Object Format MOS Technology Hex Object Format exe
. (
), .
, .
,
PE
win32
.
exe
, – )
( ,
DIF . IDA
IDC ,
.
.
IDB
. . , ,
, ,
,
IDC
IDB, . .
IDC
?
! static Segments(void) { SegCreate(0x10000,0x132ea,0x1000,0,1,2); SegRename(0x10000,"seg000"); SegClass (0x10000,"CODE"); SetSegmentType(0x10000,2); } 335
IDB , ,
IDA
-
.
, .
LST
, IDA.
,
:
seg000:0100 loc_0_100: seg000:0100 seg000:0103 seg000:0105 seg000:0106
cmp jz inc jmp
byte ptr [bx+si], 0 loc_0_108 bx short loc_0_100
, « LST
». .
ASM
– .
:
p586n ; -------------------------------------------------------------------; Segment type: Pure code seg000 segment byte public 'CODE' use16 assume cs:seg000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, ; _______________ S U B R O U T I N E ________________________________ sub_0_0 proc near ; CODE XREF: sub_0_22DD+1E_p push ax push bx push cx push dx mov ax, 3D02h
ASM . DIF PatchByte (
PatchWord (
,
.
IDA
)
,
win32
. )
. : This difference file is created by The Interactive Disassembler xsafe-iv.exe 00002390: 0C 11 crk (
,
, cra386) IDA- , .
. . , 336
0,
BADADDR
–1. ,
GenerateFile .
:
auto a; a=fopen("myfile.ext","wt"); if (a!=0) { GenerateFile(OFILE_ASM, a, 0, -1, 0); fclose(a); } ,
, . .
type file_handle ea1 ea2 flags
,
,
ɎȺɃɅɈȼɕɃ ȼȼɈȾ – ȼɕȼɈȾ IDA
\
,
.
, . .
,
,
. «
»
.
,
IDA , ,
,
,
long
,
!
fopen
.
(char file,char mode); . .
,
IDA –
qfopen(char *,char *) .
mode .
.
.
,
.
w
( ).
r
.
,
337
(NULL) ,( ).
a ,
. .
r+
,
.
,
.
w+
.
a+
,
, ,
t 27)
.
CTRL-Z (ASCII .
-
‘\n’.
0xA.
0xD 0xA –
MS-DOS Windows,
. , (
) .
b AS IS,
,
.
. -
,
,
. : Del file.dem Message("0x%X \n",fopen("file.dem","wb")); 1 dir file.dem file.dem
0
11.11.99
13:33 file.dem
Message("0x%X \n",fopen("Long File Name","wb")); 1 dir longfi~1 LONGFI~1
0
11.11.99
15:06 Long File Name
Message("0x%X \n",fopen("myfile","r+b")); 0 ,
IDA
,
. , ,
CP\M.
, .
Windows
,
, 338
“PRN”
.
: writestr(fopen(“PRN”,”wt”),”Hello,Printer!”); ,
,
,
. . . , ,
.
,
File
( IDA (
, , ?
). GUI) .
mode
.
Return
(!=0) ==0
IDA.
,
,
,
,
(
IDA)
,
,
IDA .
void
fclose
(long handle); ,
fopen.
, (
,
,
)
,
. (
,
static), IDA. , ,
,
. .
handle : auto a; a=fopen("PRN","wt"); if (a!=0) { writestr(a,"Hello,Printer!"); fclose(a); }
339
,
fclose .
,
, fclose(0)
.
long
filelength
(long handle); . , . (
,
PRN,
)
.
: Message("0x%X \n",filelength(fopen("PRN", "wt"))); 0x0
handle
long
fseek
(long handle,long offset,long origin); .
origin, ,
: origin 0 1 2 4.0 ,
‘1’
, ,
‘0’ –
.
: auto a; a=fopen("myfile","wt"); fseek(a,0x10,0); Message("0x%X \n",ftell(a)); fseek(a,0x0,1); Message("0x%X \n",ftell(a)); fclose(a); 0x10 0x0 . . auto a; a=fopen("myfile","wt"); fseek(a,0x0,2); 340
Message(“0x%X \n”,ftell(a)); fseek(a,0x5,2); Message(“0x%X \n”,ftell(a)); fseek(a,-0x5,2); Message(“0x%X \n”,ftell(a)); fclose(a); 0x100 0x105 0x100 ,
DOS
,
(
) «
,
FAT16. FAT32 (Windows 95 OSP0,
») ,
,
. ,
, ! ,
origin > 2.
Handle Offset Origin
(
-
)
,
( )
Return
long
ftell
0 !=0
(long handle); .
handle Return -1
success loadfile
(long handle,long pos,long ea,long size); ( IDA. ,
) ,
.
fopen
.
,
! 341
(
pos).
,
. ,
.
, .
IDA
. , . ),
« :
IDA
– (
»
Can't read input file (file structure error?), only part of file will be loaded...
,
.
seg000:2C93 aWatchAvialable db 'Watch avialable DOS memory...........................' auto a; a=fopen("readme.txt","rb"); loadfile(a,0,0x12C93,0x40); seg000:2C93 aWatchAvialable db 'This patch allows you to permanently access the bonus’
, . ,
! :
seg000:02E4 sub_0_2E4 seg000:02E4 seg000:02E5 seg000:02E7 seg000:02E9 seg000:02E9 seg000:02E9 MyLabel: seg000:02E9 seg000:02EC seg000:02EF seg000:02F2 seg000:02F3 seg000:02F3 seg000:02F3 sub_0_2E4
proc near push ds xor ax, ax mov ds, ax assume ds:nothing
; CODE XREF: seg000:232Ep ; DS == NULL
mov ax, ds:413h shl ax, 6 cmp ax, 0A000h pop ds assume ds:seg000 retn endp
auto a; a=fopen("readme.txt","rb"); loadfile(a,0,0x102E4,0x40); seg000:02E4 sub_0_2E4 seg000:02E4 seg000:02E5 seg000:02E7 seg000:02E9 seg000:02E9 seg000:02E9 MyLabel: seg000:02E9 seg000:02EC seg000:02EF seg000:02F2 seg000:02F3
proc near push sp push 7369h jnb loc_0_309 assume ds:nothing
; CODE XREF: seg000:232Ep ; DS == NULL
jo loc_0_34C arpl [bx+si+20h], bp popa outsw assume ds:seg000
342
seg000:02F3 seg000:02F3 sub_0_2E4
ja endp
near ptr loc_0_367+1
,
,
,
!
IDA,
. . «
»
. ,
,
undefined
.
seg000:02E4 seg000:02E5 seg000:02E8 seg000:02EB seg000:02ED seg000:02F0 seg000:02F1 seg000:02F2
push push and jz push ins ins outsw
:
sp 7369h [bx+si+61h], dh loc_0_350 6120h byte ptr es:[di], dx byte ptr es:[di], dx
. ,
DLL ,
IDA
–
. , ,
. loadfile.
, . seg000:32A0 seg000:32A0 seg000:32A0 seg000:32A0 seg000 seg000:32A0 seg000:32A0 seg000:32A0
db 0E2h, 20h, 0A4h, 0A0h, 2 dup(0ADh), 0EBh, 0A9h, 20h db 0ACh, 0A5h, 0E5h, 0A0h, 0ADh, 0A8h, 0A7h, 0ACh, 21h db 0 ends end start
auto a; a=fopen("readme.txt","rb"); loadfile(a,0,0x132EA,0x10); seg000:32A0 seg000:32A0 seg000:32A0 seg000:32A0 seg000 seg000:32A0 0:000132EA 0:000132EB 0:000132EC 0:000132ED 0:000132EE 0:000132EF 0:000132F0 0:000132F1 0:000132F2 0:000132F3
db 0E2h, 20h, 0A4h, 0A0h, 2 dup(0ADh), 0EBh, 0A9h, 20h db 0ACh, 0A5h, 0E5h, 0A0h, 0ADh, 0A8h, 0A7h, 0ACh, 21h db 0 ends end start db 54h ; T db 68h ; h db 69h ; i db 73h ; s db 20h ; db 70h ; p db 61h ; a db 74h ; t db 63h ; c db 68h ; h
, ( ) SegCreate)
,
Byte.
, (
343
MySeg:000A ; Segment type: Regular MySeg:000A MySeg MySeg:000A MySeg:000A MySeg:000A MySeg:000A aThisPatchAllow MySeg:000A MySeg MySeg:000A
segment byte public '' use16 assume cs:MySeg ;org 0Ah assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing db 'This patch allows you to permanently access the bonus track ' ends
,
. , ,
. . ,
,
.
handle pos ea Size
,
Return
0 1
success savefile
(long handle,long pos,long ea,long size);
,
loadfile (
). .
: seg000:03D3 seg000:03D3 seg000:03D4 seg000:03D5 seg000:03D9 seg000:03DC seg000:03DC seg000:03DC seg000:03DE seg000:03E0 seg000:03E1 seg000:03E4 seg000:03E6 seg000:03E7 seg000:03E7 seg000:03E7 seg000:03E8 seg000:03E9 seg000:03E9 seg000:03E9 seg000:03EA
sub_0_3D3
proc near ; CODE XREF: seg000:03C7p push ax push bx mov al, byte ptr es:loc_0_F+1 mov bx, 3EAh
loc_0_3DC:
; CODE XREF: seg000:03E4j cmp jz inc cmp jnz inc
[bx], al loc_0_3E7 bx byte ptr [bx], 0 loc_0_3DC bx bx ax
sub_0_3D3
pop pop retn endp
aDeifxcblst
db 'DEIFXCBLST',0
loc_0_3E7:
; CODE XREF: seg000:03DEj
auto a; a=fopen(“fileme”,"wb");
344
savefile(a,0,0x103D9,0x200); ╔ [ ]
F:\IDAF\fileme
║00000000: 50 53 26 A0 10 00 BB EA 03 38 07 74 07 43 80 3F ¦ PS&
.+
23:28:03 ╗
8 t C ?
00000010: 00 75 F6 43 5B 58 C3 44 45 49 46 58 43 42 4C 53 ¦ .uЎC[X+DEIFXCBLS
(
,
║
,
,
) , , PatchByte . com MS-DOS EXE.
,
, ,
IDA , PE
,
-
.
. fopen .
savefile
. , FAT,
,
,
. ,
« Byte
»
0xFF, ( ),
,
.
handle pos ea Size
,
Return
long
fgetc
0 1
(long handle); . fopen
,
.
. BADADDR – .
,
. : auto a,ch; a=fopen("readme.txt","rt"); if (a!=0) { while((ch=fgetc(a))!=-1) Message("%c",ch); fclose(a); } This patch allows you to permanently access the bonus track and bonus car without winning the tournaments.
handle 345
Return BADADDR
long
fputc
(long byte,long handle); . fopen. BADADDR,
.
byte handle Return
long
fprintf
0 BADADDR
(long handle,char format,...); sprintf, . fopen.
,
,
: auto a,s0; s0=0x123; a=fopen(“CON”,”wt”); fprintf(a, "%x \n",s0); 123 , Message
%d
%x
%X
%o
'printf' IDA.
: Message(“%d”,0xF); 15 : Message(“%x”,10); a : Message(“%X”,10); A : Message(“%o”,11); 13
%u 346
: Message(“%u”,-1); 4294967295 : Message(“%f”, 1000000); 1.e6
%f
: Message(“%c”,33); !
%c
: Message(“%s”,”Hello, Word! \n”); Hello, Word!
%s
: : Message(“%e”, 1000000); 1.e6
%e
ɁȺɆȿɑȺɇɂȿ:
'%g' -
, , . IDA
. ( ɁȺɆȿɑȺɇɂȿ:
) '%p' IDA
'%a', ,
%g
. , 'Message("%a \n",0x10002)' ,
,
'seg000:2'.
. :
auto a; a="Hello!\n"; Message("%a \n",a); 0 ,
. ,
%p
.
-
%+d
,
ida
‘x'. 'n'
, . : Message(" - 1
-%3d \n”,1);
%+x
'n'
,
. : Message("Чи Чи -10000
-%3d \n”,10000);
'n'
, .
%nd :
347
Message(" - 1
-%3x \n”,1); 'n'
,
. : Message(" -1234
-%3x \n”,0x1234);
‘n’
, . : Message(" -001
-%03d",1);
%nd ‘n’ . П и
Message(" -1000
,
-%03d",1000)
‘n’
, . : Message(" -001
%0nx
-%03x",0x1); ‘n’
,
. : Message("Чи -%03x",0x1234); Чи -1234 ‘0x’ : Message(“%#x”,123); 0x123 ‘0’ : Message(“%#o”,1); 01 (
%#x
%#o %n
long
readshort
)
(long handle,long mostfirst); . fopen
. .
mostfirst », ,
«
,
,
,
. ,
, ,
, mostfirst »
«
. , BADADDR –
16-
.
348
handle mostfirst
==0 ==1
Return
16BADADDR
long
readlong
(long handle,long mostfirst); . fopen
. .
mostfirst », , ,
« mostfirst « »
,
,
,
.
,
, .
, ,
BADADDR – ,
32-
. 32-
. BADADDR
.
:
Message(“0x%X \n”,readlong(123)); 0xFFFFFFFF
handle mostfirst
==0 ==1
Return
16BADADDR
long
writeshort
(long handle,long word,long mostfirst); . fopen
. .
mostfirst », ,
«
,
,
,
. ,
, ,
, mostfirst »
«
. , .
349
Handle Mostfirst
long
==0 ==1
Return
0 !=0
writelong
(long handle,long dword,long mostfirst); . fopen
. .
« mostfirst « »
mostfirst », , ,
,
,
,
.
,
, .
, ,
.
Handle Mostfirst
==0 ==1
Return
char
readstr
0 !=0
(long handle); (
EOL). fopen
. (
readstr
0xD 0xA,
) 0xA.
, 0xA
0xD 0xA.
:
auto a; a=fopen("readme.txt","rb"); Message(readstr(a));
This patch allows you to permanently access the bonus track and bonus car♪ auto a; a=fopen("readme.txt","rt"); Message(readstr(a));
This patch allows you to permanently access the bonus track and bonus car
Handle 350
Return “”
long
writestr
(long handle,char str); .
fopen
. ,
0xA
0xD 0xA.
Handle str Return
0 !=0
ȼɂɊɌɍȺɅɖɇɕȿ ɆȺɋɋɂȼɕ ɈɊȽȺɇɂɁȺɐɂə ɆȺɋɋɂȼɈȼ IDA .
, ,
, (
Array)
~ Edit \
, .
seg000:0006 seg000:0006
db 0A0h,0ACh,0AEh,0A3h,0AEh, 20h,0ADh,0A0h db 0A0h, 20h,0ADh,0A0h,0A4h,0AEh, 20h,0AEh .
-
. . Microsoft API,
,
CArray,
. IDA
,
.
, (
.
) IDA .
351
,
IDA
, .
,
.
. , . ,
, ,
.
,
\ IDA, ,-
,
, . . –
, IDA
.
,
.
,
, . Btree)
IDA ( ,
,
.
, , .
,
"
".
, , . "
-
", ,
. . . 120
,
(
,
)
, :
long CreateArray(char name); ,
BADADDR. , . -
, . ?
,
,
,
,
:
long GetArrayId(char name); ,
BADADDR,
. : success RenameArray(long id,char newname); ,
:
auto ID; ID=GetArrayId("MyArray"); RenameArray(ID,"MyRenamedArray"); "
"
:
352
RenameArray(GetArrayId("MyArray"),"MyRenamedArray"); (
, ) , .
,
(
-
) ,
, IDA,
,
.
. , ,
"
"
,
, . ,
,
: void DeleteArray(long id); ,
, IDA. ,
,
,
,
. (
ida.idc): CreateArray("SysListTempArray"); : static CreateTempArray(Name) { auto a,temp; temp=GetLastIndex('S',GetArrayId("SysListTempArray")); a=CreateArray(Name); if (a!=BADADDR) SetArrayString(GetArrayId("SysListTempArray"),temp+1,Name); return a; } IDA . ,
,
,
.
,
?
,
! (
) IDA.
"SysListTempArray"
.
IDA. Л ( .
)
,
( IDA
). .
)
( ,
. . .
! 353
: success SetArrayLong (long id,long idx,long value); success SetArrayString(long id,long idx,char str); , . SetArrayString(id,idx,0x21) SetArrayLong (id,idx,'!*') - 0x2A21.
'!' ,
IDA
. ,
-
.
.
, IDA ,
0x100000000 ", "
"
(32
),
". .
"
"
,
. .
GetArrayLong
GetArrayString
:
char or long GetArrayElement(long tag,long id,long idx); ,
. ,
,
'A', .
IDC.IDC . ,
'S', AR_LONG ,
AR_STR, ,
. . idx
-
. (
,
)
, ,
. IDA..
:
long GetFirstIndex(long tag,long id); , .
-1, ,
,
. . ,
:
long GetLastIndex(long tag,long id); : long GetNextIndex(long tag,long id,long idx);
long GetPrevIndex(long tag,long id,long idx); 354
, , ,
"
"
.
,
:
success DelArrayElement(long tag,long id,long idx); "
". :
. if (GetArrayId("Notepad")==-1) CreateArray("Notepad"); , , , "NotepadAdd"
CreateArray("Notepad"), . . . ID. :
static NotepadAdd(s0) { SetArrayString(GetArrayId("Notepad"), GetLastIndex('S',GetArrayId("Notepad"))+1, s0); } : static NotepadPrint() { auto id,a; id=GetArrayId("Notepad"); Message(" : \n"); a=GetFirstIndex('S',id); while(a!=-1) { Message("%s \n",GetArrayElement('S',id,a)); a=GetNextIndex('S',id,a); } } "
" .
NotepadAdd("
,
");
. NotepadAdd("
");
NotepadPrint(); :
" .
"
355
auto a,temp; CreateArray("MyArray"); for (a=SegStart(0x10000);aGetArrayElement('A',GetArrayId("MyArra y"),a)) temp=a; a=GetNextIndex('A',GetArrayId("MyArray"),a); } // // DeleteArray(GetArrayId("MyArray")); , . , GetNextIndex() .
, , ,
. IDA Perl. . :
a[" a["
"] = " "] = "
-
"; ";
, IDA
, . .
IDA.
, ( ,
,
IDA
-
"
) .
"
,
,
,
,
. CreateArray, GetArrayID, RenameArray ,
. .
, .
'0x1234',
. .
. SetHashString(GetArrayId("MyArray"),"1st"," "); SetHashLong (GetArrayId("MyArray"),"1st",0x1234); Message("%x \n",GetHashLong(GetArrayId("MyArray"),"1st"));
356
, ( ,
,
).
.
:
long
GetHashLong(long id,char idx);
char
GetHashString(long id,char idx); ,
CreateArray SetArrayLong\SetArrayString, .
, :
success DelHashElement(long id,char idx); IDA
,
DelArrayElement, . ,
, :
char
GetFirstHashKey(long id);
char
GetNextHashKey(long id,char idx);
char
GetLastHashKey(long id);
char
GetPrevHashKey(long id,char idx); , GetHashLong\GetHashString.
ɆȿɌɈȾɕ
long CreateArray(char name) long GetArrayId(char name)
success RenameArray(long id,char newname) void DeleteArray(long id) success SetArrayLong(long id,long idx,long value)
«
success SetArrayString(long id,long idx,char str)
«
»
»
char or long GetArrayElement(long
357
tag,long id,long idx success DelArrayElement(long tag,long id,long idx) long GetFirstIndex(long tag,long id); long GetLastIndex(long tag,long id); long GetNextIndex(long tag,long id,long idx) long GetPrevIndex(long tag,long id,long idx) success SetHashLong(long id,char idx,long value
«
success SetHashString(long id,char idx,char value);
«
long
»
»
GetHashLong(long id,char idx) «
char idx)
»
GetHashString(long id,char «
»
success DelHashElement(long id,char idx) char
GetFirstHashKey(long id)
char
GetLastHashKey(long id)
char idx)
GetNextHashKey(long id,char
char idx);
GetPrevHashKey(long id,char
long CreateArray(char name); , –
, IDA
. Btree
,
.
. ( ).
( 358
) – .
,
120
, ,
(
?) BADADDR.
: Message("0x%X \n", CreateArray("MyArray") ); 0xFF000041
name ==return !=BADADDR
Return
==0
long GetArrayId(char name); . ,
,
. : Message("0x%X \n", CreateArray("MyArray") ); Message("0x%X \n", GetArrayId("MyArray") ); DeleteArray( GetArrayId("MyArray") ); Message("0x%X \n", GetArrayId("MyArray") ); 0xFF000041 0xFF000041 0xFFFFFFFF
name ==return Return
!=BADADDR ==0
359
success RenameArray(long id,char newname); ,
.
. : Message("0x%X \n", CreateArray("MyArray") ); 0xFF000041 RenameArray( GetArrayId("MyArray"), "MyNewName" ); Message("0x%X \n", GetArrayId("MyNewName") ); 0xFF000041
id Newname ==return ==1 ==0
Return
void DeleteArray(long id); , ,
Btree ,
. IDA
, ,
,
.
:
DeleteArray( GetArrayId(“MyArray”) );
id
success SetArrayLong(long id,long idx,long value); «
»
,
. 32-
. ,
.
360
,
,–
0 0
. 0 10000, –
,
. ,
, –
«
,
». :
SetArrayLong( GetArrayId(“MyArray”), 0x100, 0x666);
id idx value
«
»
==return ==1
Return
==0
success SetArrayString(long id,long idx,char str); «
»
,
. 32-
. ,
. ,
,–
0 0
. 0 10000, –
,
. ,
, –
«
,
». :
SetArrayString( GetArrayId(“MyArray”), 0x100, “MyString”);
id idx str
«
»
==return Return
==1 ==0
361
char or long GetArrayElement(long tag,long id,long idx); . tag. :
AR_LONG
'A'
«
AR_STR
'S'
«
» »
, . : SetArrayLong( GetArrayId("MyArray"), 0x100, 0x666); SetArrayString( GetArrayId("MyArray"), 0x100, "MyString"); Message("%s \n0x%X\n", GetArrayElement(AR_STR, GetArrayId("MyArray"), 0x100), GetArrayElement(AR_LONG, GetArrayId("MyArray"), 0x100) ); MyString 0x666
tag
==tag AR_STR AR_LONG
« «
» »
id idx ==return Return
==1 ==0
success DelArrayElement(long tag,long id,long idx); . tag,
,
:
362
AR_LONG
'A'
«
AR_STR
'S'
«
» »
: DelArrayElement(AR_LONG, GetArrayId(“MyArray”), 0x100);
tag
==tag AR_STR AR_LONG
« «
» »
id idx ==return ==1
Return
==0
long GetFirstIndex(long tag,long id); . «
»
,
Pascal, .
, «
» . :
auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetArrayLong(a,0x100,0x666); SetArrayLong(a,0x77,0x67); SetArrayLong(a,0x210,0x777); Message("0x%X \n", GetFirstIndex(AR_LONG,a) ); DeleteArray(a); 0x77
tag
==tag AR_STR AR_LONG
« «
» »
id ==return Return
!=BADADDR ==BADADDR
363
long GetLastIndex(long tag,long id); . ,
,
. , , , (0x5, 0x777, 0x666777) –
, GetLastIndex
0x666777,
. , . GetNextIndex (GetPrevIndex). , GetLastIndex . :
,
auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetArrayLong(a,0x100,0x666); SetArrayLong(a,0x77,0x67); SetArrayLong(a,0x210,0x777); Message("0x%X \n", GetLastIndex(AR_LONG,a) ); DeleteArray(a); 0x210
tag
==tag AR_STR AR_LONG
« «
» »
id ==return Return
!=BADADDR ==BADADDR
long GetNextIndex(long tag,long id,long idx); . ,
, « ,
» «
. » GetNextIndex. (idx)
,GetNextIndex(,,0) :
,
. GetFirstIndex, ,
auto a,b; b=0; DeleteArray(GetArrayId("MyArray")); 364
a=CreateArray("MyArray"); SetArrayLong(a,0x100,0x666); SetArrayLong(a,0x77,0x67); SetArrayLong(a,0x210,0x777); while(1) { b=GetNextIndex(AR_LONG,a,b); if (b==-1) break; Message("0x%X \n",b); } DeleteArray(a); 0x77 0x100 0x210
tag
==tag AR_STR AR_LONG
« «
» »
id idx ==return Return
!=BADADDR ==BADADDR
long GetPrevIndex(long tag,long id,long idx) . ,
, « ,
» «
. » GetPrevIndex. (idx)
, . GetPrevIndex(,,-1) :
,
GetPrevIndex, ,
auto a,b; b=0; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetArrayLong(a,0x100,0x666); SetArrayLong(a,0x77,0x67); SetArrayLong(a,0x210,0x777); while(1) { b=GetPrevIndex(AR_LONG,a,b); if (b==-1) break; Message("0x%X \n",b); } DeleteArray(a); 365
0x210 0x100 0x77
tag
==tag AR_STR AR_LONG
« «
» »
id idx ==return !=BADADDR
Return
==BADADDR
ȺɋɋɈɐɂȺɌɂȼɇɕȿ ɆȺɋɋɂȼɕ ɈȻ ȺɋɋɈɐɂȺɌɂȼɇɕɏ ɆȺɋɋɂȼȺɏ IDA. . (
)
,
, . ,
Perl,
Internet – ,
.
Pascal . .
– , ».
«
,
,
, ,
.
. ? ? , .
, . ,-
, ,
, . ,
,
. .
ȺɊɏɂɌȿɄɌɍɊȺ ȺɋɋɈɐɂȺɌɂȼɇɕɏ ɆȺɋɋɂȼɈȼ ,
. 366
CreateArray, .
, .
,
,
(ID) RenameArray
.
DeleteArray.
. . ( IDA «
)
«
»
»
, , . . . ,
, .
IDA
,
,
,
.
. ,
,
, . GetNext ,
(
)
GetPrev. ,
? -
,
,
. ,
IDA
,
. , , IDA (
,
,
,
). .
,
success SetHashLong(long id,char idx,long value); . , ! , . , . : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66); SetHashLong(a,"Cheputilo",0x77); SetHashLong(a,"Alushta",0x67); DeleteArray(a);
367
id idx value
(
!) «
»
==return ==1
Return
==0
success SetHashString(long id,char idx,char value); . , ! , . , . : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashString(a,"Ivanov","Patron"); SetHashString(a,"Cheputilo","Mouse"); SetHashString(a,"Alushta","Metro Station"); DeleteArray(a);
id idx value
(
!) «
»
==return ==1
Return
==0
long
GetHashLong(long id,char idx); « »
«
»
«
»
.
,
. . GetHashLong
, .
, .
: auto a; DeleteArray(GetArrayId("MyArray")); 368
a=CreateArray("MyArray"); SetHashString(a,"Ivanov","Patron"); Message("%s \n", GetHashLong(a,"Ivanov") ); DeleteArray(a); Patr ,
IDA
.
“Ivanov”
“ivanov”
. : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66); Message("%x \n", GetHashLong(a,"ivanov") ); DeleteArray(a); 0 , –
,
? . : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66); Message("%x \n", GetHashLong(a,"Ivanov") ); DeleteArray(a); 0x66
id idx
(
!)
==return Return
!=0 ==0
char
GetHashString(long id,char idx); «
» 369
«
»
«
»
.
,
. . GetHashString
, .
, : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66776677); Message("%s \n", GetHashString(a,"Ivanov")); DeleteArray(a); Wfwf ,
IDA
.
“Ivanov”
“ivanov”
. : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashString(a,"Ivanov","Patron"); Message("%s \n", GetHashString(a,"ivanov") ); DeleteArray(a);
, –
,
? . : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashString(a,"Ivanov","Patron"); Message("%s \n", GetHashString(a,"Ivanov") ); DeleteArray(a); Patron
id idx Return
(
!)
==return !=””
370
==””
success DelHashElement(long id,char idx); . «
»
«
» DelArrayElement
(
,
) ,
IDA
.
“Ivanov”
“ivanov”
. , . : auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashString(a,"Ivanov","Patron"); Message("%d \n", DelHashElement(a,"Ivanov") ); DeleteArray(a); 1
id idx
(
!)
==return ==1
Return
==0
char
GetFirstHashKey(long id); . , . (
)
,
. , ,
, :
auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66); SetHashLong(a,"Cheputilo",0x77); SetHashLong(a,"Alushta",0x67); Message("%s \n", 371
GetFirstHashKey(a) ); DeleteArray(a); Alushta
id ==return !=””
Return
==””
char
GetLastHashKey(long id); . , . (
)
,
. , ,
, :
auto a; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66); SetHashLong(a,"Cheputilo",0x77); SetHashLong(a,"Alushta",0x67); Message("%s \n", GetLastHashKey(a) ); DeleteArray(a); Ivanov
id ==return !=””
Return
==””
char
GetNextHashKey(long id,char idx); . , . (
)
,
. , ,
, 372
GetNextHashKey . – . GetFirstHashKey, GetNextHashKey(,””) :
.
auto a,b; b=""; DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66); SetHashLong(a,"Cheputilo",0x77); SetHashLong(a,"Alushta",0x67); for(;;){ b=GetNextHashKey(a,b); if (b=="") break; Message("%s \n",b);} DeleteArray(a); Alushta Cheputilo Ivanov
id idx
(
!)
==return !=””
Return
==””
char
GetPrevHashKey(long id,char idx); . , . (
)
,
. , , GetPrevHashKey .
,
– . GetLastHashKey, GetPrevHashKey(,-1) :
.
auto a,b; b=-1; 373
DeleteArray(GetArrayId("MyArray")); a=CreateArray("MyArray"); SetHashLong(a,"Ivanov",0x66); SetHashLong(a,"Cheputilo",0x77); SetHashLong(a,"Alushta",0x67); for(;;){ b=GetPrevHashKey(a,b); if (b=="") break; Message("%s \n",b);} DeleteArray(a); Ivanov Cheputilo Alushta
Id idx
(
!)
==return !=””
Return
==””
ɈɉȿɊȺɐɂɂ ɋ ȽɅɈȻȺɅɖɇɕɆɂ ɇȺɋɌɊɈɃɄȺɆɂ ɆȿɌɈȾɕ
long
GetLongPrm (long offset)
long
GetShortPrm(long offset);
long
GetCharPrm (long offset)
success SetLongPrm (long offset,long value); success SetShortPrm(long offset,long value); success SetCharPrm (long offset,long value); success SetPrcsr processor); long
Batch
(char
(long batch);
char GetIdaDirectory ()
, IDA 374
char GetInputFile ()
long GetLongPrm (long offset); long GetShortPrm(long offset); long GetCharPrm (long offset); success SetLongPrm (long offset,long value); success SetShortPrm(long offset,long value); success SetCharPrm (long offset,long value); IDA , .
. , \
,
IDA
. GetLongPrm, GetShortPrm, GetCharPrm ,
. . -
.
GetLongPrm
,
»
. ,
ɧɟ
GetCharPrm
.
, .
. .
«
,
GetLongPrm,
(
). ‘offset’
,
IDA
.
.
IDA
, . .
, ,
IDA
.
,
,
,
, IDA,
. ɇȺɋɌɈɃɄɂ IDA ‘IDA’. ,
,
.
Message("%s%s\n", GetShortPrm(0), GetCharPrm(2) ); IDA INF_VERSION ,
Short
IDA.
:
Message("%x \n", 375
GetShortPrm(INF_VERSION) ); 22 INF_PROCNAME ɜɨɫɶɦɢɫɢɦɜɨɥɶɧɨɟ . :
80x86
Intel 8086 Intel 80286 real Intel 80286 protected Intel 80386 real Intel 80386 protected Intel 80486 real Intel 80486 protected Intel Pentium real with MMX Intel Pentium protected with MMX Intel Pentium Pro (P6) with MMX Intel Pentium II AMD K6-2 with 3DNow! Intel Pentium III (
8086 80286r 80286p 80386r 80386p 80486r 80486p 80586r 80586p 80686p p262 K62p3 p3ntel ) GetLongPrm
,
, :
Message("%s%s \n", GetLongPrm(INF_PROCNAME), GetLongPrm(INF_PROCNAME+4) ); p3ntel :
. SetXXXPrm
.
INF_LFLAGS ɨɞɧɨɛɚɣɬɨɜɨɟ
,
IDP
,
: LFLG_PC_FPP (0x1) . LFLG_PC_FLAT (0x2)
376
, ! : auto a; a=GetCharPrm(INF_LFLAGS); Message(“%x \n”,a); if (a & LFLG_PC_FPP) Message ("Decode FPP \n"); if (a & LFLG_PC_FLAT) Message ("FLAT MODEL \n"); 1 Decode FPP INF_DEMNAMES «
Ɉɞɧɨɛɚɣɬɨɜɨɟ » . .
,
IDA ,
DEMNAM_CMNT (0); .
:
SetCharPrm(INF_DEMNAMES,DEMNAM_CMNT); .text:00403E79 ?sputc@streambuf@@QAEHH@Z proc near ; streambuf::sputc(int) DEMNAM_NAME (1) .
:
SetCharPrm(INF_DEMNAMES,DEMNAM_NAME); .text:00403E79
public:
int
__thiscall
streambuf::sputc(int)
proc
near
DEMNAM_NONE (2) . SetCharPrm(INF_DEMNAMES,DEMNAM_NONE); .text:00403E79 ?sputc@streambuf@@QAEHH@Z proc near IDA .
377
INF_FILETYPE ɤɨɪɨɬɤɨɟ ɰɟɥɨɟ, IDA,
.
, . , .
,
3.84 IDC.IDC
, ,
, «
». MS-DOS exe
PalmPilot, IDA,
. IDC.IDC
‘core.hpp’. IDA SDK.
‘ida.hpp’, , IDC.IDC f_EXE_old, f_COM_old, f_BIN, f_DRV, f_WIN, f_HEX, f_MEX, f_LX, f_LE, f_NLM, f_COFF, f_PE, f_OMF, f_SREC, f_ZIP, f_OMFLIB, f_AR, f_LOADER, f_ELF, f_W32RUN, f_AOUT, f_PRC,
. ,
:
FT_EXE_OLD FT_COM_OLD FT_BIN FT_DRV FT_WIN FT_HEX FT_MEX FT_LX FT_LE FT_NLM FT_COFF FT_PE FT_USER FT_OMF FT_SREC FT_ZIP FT_OMFLIB FT_AR FT_LOADER FT_ELF FT_W32RUN FT_AOUT FT_PRC FT_EXE FT_COM FT_AIXAR
, FT_USER
. :
FT_EXE_OLD
MS DOS EXE
FT_COM_OLD FT_BIN
MS DOS COM (
ROM
)
378
FT_DRV FT_WIN FT_HEX FT_MEX FT_LX FT_LE FT_NLM FT_COFF FT_PE FT_USER
MS DOS (drv sys) New Executable (NE) Intel Hex Object File MOS Technology Hex Object File Linear Executable (LX) Linear Executable (LE) Netware Loadable Module (NLM) Common Object File Format (COFF) Portable Executable (PE) , IDP Object Module Format R-records ZIP file (
FT_OMF FT_SREC FT_ZIP IDA) FT_OMFLIB FT_AR FT_LOADER FT_ELF FT_W32RUN FT_AOUT FT_PRC FT_EXE FT_COM FT_AIXAR
OMF ar library LOADER DLL Executable and Linkable Format (ELF) Watcom DOS32 Extender (W32RUN) Linux a.out (AOUT) PalmPilot MS DOS EXE File MS DOS COM File AIX ar library :
Message("%d \n", GetShortPrm(INF_FILETYPE) ); 23
INF_OSTYPE Ʉɨɪɨɬɤɨɟ ɰɟɥɨɟ (
!) :
OSTYPE_MSDOS OSTYPE_WIN OSTYPE_OS2 OSTYPE_NETW ,
0x0001 0x0002 0x0004 0x0008
, MS-DOS , OSTYPE_MSDOS :
MS-DOS MS Windows OS/2 Novell NetWare ,
,
.
Message("%d \n", GetShortPrm(INF_OSTYPE) );
379
0 INF_APPTYPE Ʉɨɪɨɬɤɨɟ ɰɟɥɨɟ, . APPT_MTHREAD)
(16
(APPT_CONSOLE, APPT_GRAPHIC, APPT_1THREAD, FLIRT. FLIRT , . (EXE\DLL\DRIVER) MS-DOS , 32 ).
. APPT_CONSOLE APPT_GRAPHIC APPT_PROGRAM APPT_LIBRARY APPT_DRIVER APPT_1THREAD APPT_MTHREAD APPT_16BIT APPT_32BIT
0x0001 0x0002 0x0004 0x0008 0x0010 0x0020 0x0040 0x0080 0x0100
Console Graphics EXE DLL DRIVER Singlethread Multithread 16 bit application 32 bit application
: Message("%x \n", GetShortPrm(INF_APPTYPE) ); 104
INF_START_SP Ⱦɥɢɧɧɨɟ ɰɟɥɨɟ, . . SP
SP (ESP) ( ,
, ) SetLongPrm.
( ,
IDA ,
com
) –1.
IDA
,
SP (ESP) . :
Message("%x \n", GetLongPrm(INF_START_SP) ); ffff
380
INF_START_AF , IDA. analyser options 1»
«Options\ Analysis options\ Kernel
,
.
.
AF_FIXUP
0x0001
AF_MARKCODE
0x0002
AF_UNK AF_CODE AF_PROC
0x0004 0x0008 0x0010
AF_USED
0x0020
AF_FLIRT AF_PROCPTR
0x0040 0x0080
,
FLIRT 32,
381
AF_JFUNC
0x0100
jumpj_...
AF_NULLSUB
0x0200
AF_LVAR AF_TRACE AF_ASCII AF_IMMOFF
0x0400 0x0800 0x1000 0x2000
AF_DREFOFF
0x4000
AF_FINAL
0x8000
nullsub_...
3232unexplored
AF_FIXUP ,
IDA .
:
B8 01 00 8E D8
AF_FIXUP == 1 mov ax, seg dseg mov ds, ax
AF_FIXUP == 0 mov ax,1001h mov ds, ax ,
0x1.
IDA 0x10000). AF_FIXUP ,
, (
,
IDA .
AF_MARKCODE ,
IDA
,
. , .
,
80x86 BP (EBP)
.text:00401020 .text:00401021 8B EC
push mov
. ebp ebp, esp
, . AF_UNK (
)
, IDA unexplored 382
, unexplored. AF_CODE IDA
, .
,
:
seg000:22C3 E8 5F 00
call , 0x2325.
sub_0_2325
IDA
, AF_CODE IDA
(
)
,
. , .
,
IDA
. AF_PROC call. . : AF_PROC == 0 Seg00:0124 call Seg000:0284 seg000:0284 seg000:0285 seg000:0288 seg000:028A
loc_0_284
loc_0_284: push ds mov ax, 3500h int 21h ret
AF_PROC == 1 Seg00:0124 call loc_0_284 Seg000:0284 sub_0_284 proc near seg000:0284 push ds seg000:0285 mov ax, 3500h seg000:0288 int 21h seg000:028A ret seg000:02C6 sub_0_284 endp
AF_USED IDA IDA
,
, .
, . , . AF_FLIRT FLIRT
IDA .
: AF_FLIRT == 1 dseg:039A push offset aHelloSailor dseg:039D call _printf
AF_FLIRT == 0 dseg:039A pushoffset aHelloSailor sub_0_1035 dseg:039D call
383
dseg:03A0 pop dseg:03A1 retn
cx
dseg:03A0 pop dseg:03A1 retn
cx
AF_PROCPTR ,
IDA
32-
. ,
IDA
. : AF_PROCPTR == 1 .data:004085E0 .text:00405AAC .text:00405AAC .text:00405AAD
AF_PROCPTR == 0
dd offset sub_0_405AAC sub_0_405AAC proc near push ebp mov ebp, esp
.data:004085E0 .text:00405AAC .text:00405AAD .text:00405AAE
dd 405AACh db 55h db 8Bh db 0ECh
( IDA)
.
AF_JFUNC , IDA jmp somewhere
,
j_somewhere.
. AF_JFUNC == 1
AF_JFUNC == 0 seg000:22DD sub_0_22DD proc near seg000:22DD jmp short MyJmpTrg seg000:22DD sub_0_22DD endp
seg000:22DD j_MyJmpTrg proc near seg000:22DD jmp short MyJmpTrg seg000:22DD j_MyJmpTrg endp
AF_NULLSUB ,
IDA
« », nullsub_xx.
, , . AF_NULLSUB == 1
seg000:22DF nullsub_1 seg000:22DF retn seg000:22DF nullsub_1
proc near endp
AF_NULLSUB == 0 seg000:22DF sub_0_22DF seg000:22DF seg000:22DF sub_0_22DF
proc near retn endp
AF_LVAR SP (ESP) . BP (EBP).
, , 384
, BP (EBP), ESP.
, , .
IDA . AF_LVAR == 1
AF_LVAR == 0
.text:0040112A mov ecx, [esp+40h+var_1C]
.text:0040112A mov ecx, [esp+24h]
AF_TRACE IDA . . AF_LVAR)
(
AF_PROCPTR == 1
AF_PROCPTR == 0
dseg:187A off_0_187A dw offset loc_0_B45 dseg:0B45 mov dx, 183Ch
dseg:187A word_0_187A dw 0B45 dseg:0B45 mov dx, 183Ch
AF_ASCII IDA
, ASCII
(
16-
). .
AF_IMMOFF ,
3232-
IDA
. .
, 0x10000. 32-
, . ,
( .
)
AF_IMMOFF == 1
AF_IMMOFF == 0
.text:00401000 push offset aHeloSailor .text:00401005 mov ecx, offset ord_0_408900
.text:00401000 push .text:00401005 mov
408040h ecx, 408900h
AF_DREFOFF ,
IDA ,
32-
. , ,
0x10000 385
AF_DREFOFF == 1
AF_DREFOFF == 0 .data:00408330 dword_0_408330 dd 408980h
.data:00408330 off_0_408330 dd offset unk_0_408980 ; DATA XREF: .text:00404758o
.
,
32-
: .text:00404758
mov
AF_IMMOFF (
.
)
, 0x408440 0x408440 > 0x10000. :
, .data:00408330 dword_0_408330 0x408980
eax, 408330h
dd 408980h
0x10000,
,
,
,
,
AF_DREFOFF
. AF_FINAL , ,
unexplored,
. ,
, .
«
IDA – ,
»
,
. com
,
. win32 .
, (
– seg000:210D
).
,
.
,
:
seg000:210D aDir seg000:2110 aMask IDA,
db '..',0 db '*.*',0 (
16)
. ,
. unexpored
IDA, ɁȺɆȿɑȺɇɂȿ:
.
AF_FINAL == 1 seg000:210D db 2 dup(2Eh), 0, 2Ah, 2Eh, 2Ah, 0
( , PE) unexplored . AF_FINAL == 0 seg000:210D seg000:210E seg000:210F seg000:2110 seg000:2111 seg000:2112 seg000:2113
db db db db db db db
2Eh 2Eh 0 2Ah 2Eh 2Ah 0
; ; ; ; ; ; ;
. . * . *
386
INF_START_IP IP (EIP) (BADADDR).
. IDA (
,
,
.
IP (EIP)
com, (Entry point)
). (
INF_BEGIN_EA) : Message("%x \n", GetLongPrm(INF_START_IP) ); 401020 INF_BEGIN_EA . ,
, . :
Message("%x \n", GetLongPrm(INF_BEGIN_EA) ); 401020 INF_MIN_EA , . : Message("%x \n", GetLongPrm(INF_MIN_EA) ); 401000 INF_MAX_EA , ( IDC.IDC).
, ,
.
, , .
Message("%x \n", GetLongPrm(INF_MAX_EA) ); 387
134EA INF_LOW_OFF , void. , IDA
,
,
, .
, : 0x100. 0 0 FF
,
,
, 0xFF
, ,
IDA
. [BP-2]
. 0xFFFE,
–2.
, «~Options\Text representation\void's low limit». . , , ,
, IDA . INF_LOW_OFF
, .
Message("%x \n", GetLongPrm(INF_LOW_OFF) ); 401000 INF_HIGH_OFF , void. INF_LOW_OFF INF_HIGH_OFF
, ,
. . EXE
(SMALL )
, ,
«
»
-
, IDA.
,
. INF_HIGH_OFF
.
INF_MAXREF . 10.
(~Options\Cross references) 388
: Message(“%x \n”,GetLongPrm(INF_MAXREF)); 10 INF_ASCII_BREAK . IDA
. ‘\n’. . ( )
,
,
.
,
.
, «~Options\ ASCII strings options». «ASCII next line char» .
,
: Message ("0x%X \n",GetCharPrm(INF_ASCII_BREAK)); 0x .rdata:00407384 aRuntimeErrorPr db 'Runtime Error!',0Ah .rdata:00407384 db 0Ah .rdata:00407384 db 'Program: ',0 SetCharPrm(INF_ASCII_BREAK,0); Message("0x%X \n",GetCharPrm(INF_ASCII_BREAK)); 0x0 .rdata:00407384 aRuntimeErrorPr db 'Runtime Error!',0Ah,0Ah,'Program: ',0
389
INF_INDENT ,
IDA
INF_INDENT == 0x10 SetCharPrm(INF_INDENT,0x10);
INF_INDENT == 0 SetCharPrm(INF_INDENT,0x0);
0x10,
,
,
. SetCharPrm(INF_INDENT, nn) representation\Instructions indention»
«~Opions\Text
INF_COMMENT , 40. («~Opions\Text representation\Comments indention»), SetCharPrm(INF_COMMENT, nn)
IDA
.
INF_COMMENT == 40 SetCharPrm(INF_COMMENT,40);
INF_COMMENT == 0 SetCharPrm(INF_COMMENT,0);
390
INF_XREFNUM ,
IDA .
. ,
,
IDA
,
.
INF_XREFNUM == 2 SetCharPrm(INF_XREFNUM,2);
INF_XREFNUM == 4 SetCharPrm(INF_XREFNUM,4);
(«~Options\ Cross references\ Number of SetCharPrm(INF_XREFNUM, xx)
xrefs to display»),
INF_ENTAB . ,
IDA
. . ,
.
, (
) . INF_ENTAB ( ). (~Options\ Text representation\ Use tabulations in output) :
SetCharPrm(INF_ENTAB,0); INF_ENTAB == 1 SetCharPrm(INF_ENTAB,1);
INF_ENTAB == 0 SetCharPrm(INF_ENTAB,0);
seg000:22C0Å-------ÆcallÅ->sub_0_22DD
seg000:22C0Å-------ÆcallÅ->sub_0_22DD
391
INF_VOIDS , INF_LOW_OFF
« INF_HIGH_OFF)
IDA
»
( . . «void»,
, .
, , (ASM
IDA .
,
LST),
INF_VOIDS. Display 'void' marks),
(~Options\ Text representation\ SetCharPrm
INF_VOIDS == 0 SetCharPrm(INF_VOIDS,0);
INF_VOIDS == 1 SetCharPrm(INF_VOIDS,1);
INF_SHOWAUTO ,
.
. «~Options\ Analysis options\ Indicator enabled» INF_SHOWAUTO == 1 SetCharPrm(INF_SHOWAUTO,1);
, SetCharPrm INF_SHOWAUTO == 0 SetCharPrm(INF_SHOWAUTO,0);
:
AU:__idle__ AU:disable FL:< > PR:< > AC:< > LL:< > L1:< > L2:< > L3:< > FI:< > ??:< > @:< >
FLIRT FLIRT FLIRT unexplored
INF_AUTO
392
,
.
. . , « » . , ProcDump . (~Options\ Background analysis\Analysis SetCharPrm(INF_AUTO,0);
enabled),
INF_BORDER ,
,
.
,
IDA
. ,
,
, , SetCharPrm(INF_BORDER,0) representation \ Display borders between data/code. INF_BORDER == 1 SetCharPrm(INF_BORDER,1);
~Options\ Text
INF_BORDER == 0 SetCharPrm(INF_BORDER,0);
INF_NULL , .
, (
,
). SetCharPrm(INF_NULL,0) lines INF_NULL == 1 SetCharPrm(INF_NULL,1);
~Options\ Text representation \ Display empty INF_NULL == 0 SetCharPrm(INF_NULL,0);
393
INF_SHOWPREF . : (
, – .text:004024AC , , )
. pop
edi .
. : .text:004023C0 dword_0_4023C0 .text:004023C0 .text:004023C0
dd 68AD123h, 468A0788h,0C102468Ah dd 3C68302h, 8303C783h,0CC7208F9h dd 3498D00h INF_SHOWPREF
(*.asm
)
.
-
, SetCharPrm(INF_SHOWPREF,0) ~ Options\ Text representation \ Line prefixes INF_SHOWPREF == 1 SetCharPrm(INF_SHOWPREF,1);
INF_SHOWPREF == 0 SetCharPrm(INF_SHOWPREF,0);
INF_PREFSEG , . . , «~ Options \ Text representation \ Use SetCharPrm(INF_PREFSEG,0) , :
. segment names», INF_PREFSEG == 1 SetCharPrm(INF_PREFSEG,1); .text:0040100F xor eax, eax
INF_PREFSEG == 0 SetCharPrm(INF_PREFSEG,0); 0000:0040100F xor eax, eax
INF_ASMTYPE , .
PC
,
, «Generic for Intel 80x86»
: Message(“%x \n”,GetCharPrm(INF_ASMTYPE)); 394
0 INF_BASEADDR : Message(“%x \n”,GetLongPrm(INF_BASEADDR)); 1000 INF_XREFS . :
SW_SEGXRF
(0x01) ,
,
,
IDA (
). «~ Options \ Cross-
reference representation \ Display segments in xrefs» SW_SEGXRF == 1 SetLongPrm(INF_XREF,SW_SEGXRF); DATA XREF: .rdata:004070C0o SW_XRFMRK
SW_SEGXRF == 0 SetLongPrm(INF_XREF,!SW_SEGXRF) DATA XREF: 004070C0o
(0x02) ,
,–
IDA . «~ Options \ Cross-
reference representation \ Display xref type mark» SW_XRFMRK == 1 SetLongPrm(INF_XREF,SW_XRFMRK); DATA XREF: .rdata:004070C0o
SW_XRFMRK == 0 SetLongPrm(INF_XREF,!SW_XRFMRK) XREF: 004070C0o
395
SW_XRFFNC
(0x04) ,
IDA
,
. «~ Options \ Cross-
reference representation \ Display function offsets» SW_XRFFNC == 1 SetLongPrm(INF_XREF,SW_XRFFNC); CODE XREF: start+AFp
SW_XRFVAL
SW_XRFFNC == 0 SetLongPrm(INF_XREF,!SW_XRFFNC) CODE XREF: 004010CFp
(0x08) ,
IDA .
. SW_XRFVAL == 1 SetLongPrm(INF_XREF,SW_XRFVAL); CODE XREF: 004010CFp
SW_XRFVAL == 0 SetLongPrm(INF_XREF,!SW_XRFVAL)
CODE XREF: ...
INF_BINPREF , .
-
,
IDA
.
,
,
,
-
. SetShortPrm(INF_BINPREF,0x10) «~ Options \ Text representation \ Number of opcode bytes» INF_BINPREF == 0 SetShortPrm(INF_BINPREF,0); .text:00401000 .text:00401000 .text:00401005 .text:0040100A .text:0040100F .text:00401011 .text:00401011
sub_0_401000 proc near push offset aHeloSailor mov ecx, offset dword_0_408900 call ??6ostream@@QAEAAV0@PBD@Z xor eax, eax retn sub_0_401000 endp
INF_BINPREF == 0x10 SetShortPrm(INF_BINPREF,0x10); .text:00401000 sub_0_401000 proc near .text:00401000 .text:00401005 .text:0040100A .text:0040100F .text:00401011 .text:00401011
68 40 80 40 00 B9 00 89 40 00 E8 72 2B 00 00 33 C0 C3 sub_0_401000
push offset aHeloSailor mov ecx, offset dword_408900 call ??6ostream@@QAEAAV0@PBD@Z xor eax, eax retn endp
INF_CMTFLAG , . SW_RPTCMT .
. ,
396
SetShortPrm, representation \ Display repeatable comments»
«~Options\ Text
SW_RPTCMT == 1
SW_RPTCMT == 0
SetShortPrm(INF_CMTFLAG,SW_RPTCMT);
SetShortPrm(INF_CMTFLAG,!SW_RPTCMT) Jb short near ptr dword_0_4023AC
Jb short near ptr dword_4023AC ; repeatable comment
SW_ALLCMT ,
IDA
( ). , .
,
, ).
( IDA
.
SW_ALLCMT == 1
SW_ALLCMT == 0
SetShortPrm(INF_CMTFLAG,SW_ALLCMT);
SetShortPrm(INF_CMTFLAG,!SW_ALLCMT)
Call sub_0_2E2 ; Call Procedure jnb loc_0_2321 ; Jump if Not Below (CF=0) nop ; No Operation
call jnb nop
sub_0_2E2 loc_0_2321
SW_NOCMT ,
IDA
,
.
. SW_LINNUM ,
IDA
. SW_MICRO
INF_NAMETYPE (
NM_REL_OFF
0
NM_PTR_OFF
1
NM_NAM_OFF
2
, IDA - dummy names). .
loc_0_1234 loc_1000_1234 (
) 397
NM_REL_EA
3
NM_PTR_EA
4
NM_NAM_EA
5
NM_EA
6
NM_EA4
7
NM_EA8
8
NM_SHORT
9
NM_SERIAL
10
loc_dseg_1234 , loc_0_11234 loc_1000_11234 loc_dseg_11234 ( loc_12 ( loc_0012 ( loc_00000012
) ) )
dseg_1234 (1,2,3...) loc_1
INF_SHOWBADS ,
,
,
IDA
, .
, (
,
www.x86.org)
, , .
,
. . , ADD bx, 0x10 83 C3 10
81 C3 01 00,
80x86
,
BX .
,
,
, –
. ,
« .
»
, . . ,
SetCharPrm(INF_SHOWBADS,1) bad instructions marks.
~Options \ Text representation \ Display
INF_SHOWBADS == 1 SetCharPrm(INF_SHOWBADS,1) seg000:0220
db 0E9h,0,0 ; jmp
ЗАМЕЧАНИЕ:
INF_SHOWBADS == 0 SetCharPrm(INF_SHOWBADS,0) $+3
seg000:0220
jmp
IDA
,
$+3
,
. , ,
JMP FAR segment:offset . :
IDA,
DB 0Eah DW offset 398
DW segment
INF_PREFFLAG , . INF_SHOWPREF
,
(
). .
PREF_FNCOFF (PREF_FNCOFF
|
PREF_SEGADR. PREF_FNCOFF. IDA
PREF_SEGADR)
, , . :
PREF_SEGADR PREF_FNCOFF PREF_STACK
Options \ Text representation \ Segment addresses Options \ Text representation \ Function offsets Options \ Text representation \ Display stack pointer 0x01 0x02 0x04
seg000:2190 Sub_0_22DD+1B Seg000:2190 Sub_0_22DD+1B
008 008
INF_PACKBASE IDA, .
INF_PACKBASE == 0 SetCharPrm(INF_PACKBASE,0);
ЗАМЕЧАНИЕ:
INF_PACKBASE == 1 SetCharPrm(INF_PACKBASE,1);
INF_PACKBASE == 2 SetCharPrm(INF_PACKBASE,2);
,
399
(
, zip, arj)
,
.
INF_ASCIIFLAGS (
) . ASCF_GEN , ASCII
IDA
,
, “aHello_Word”.
,
«Hello, -
. Word» IDA «asc_0_206».
, .
IDA
.
-
, SetCharPrm(INF_ASCIIFLAGS,0) string options \ Generate names»
«~ Options \ ASCII
SetCharPrm(INF_ASCIIFLAGS,1);
SetCharPrm(INF_ASCIIFLAGS,0);
seg000:2192 a123456789abcde db '123456789ABCDEFG',0
seg000:2192
db '123456789ABCDEFG',0
ASCF_AUTO , ,
, ‘autogenerated’.
,
IDA
‘unexplored’. . , SetCharPrm(INF_ASCIIFLAGS,!ASCF_AUTO) string options \ Mark as autogenerated» ASCF_AUTO == 1 seg000:2192 seg000:2193 seg000:2194 seg000:2195 seg000:2196 seg000:2197 seg000:2198 seg000:2199 seg000:219A seg000:219B seg000:219C seg000:219D seg000:219E seg000:219F seg000:21A0 seg000:21A1 seg000:21A2
db db db db db db db db db db db db db db db db db
«~Options \ ASCII ASCF_AUTO == 0
31h 32h 33h 34h 35h 36h 37h 38h 39h 41h 42h 43h 44h 45h 46h 47h 0
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
1 2 3 4 5 6 7 8 9 A B C D E F G
seg000:2192 a123456789abcde db '123456789ABCDEFG',0
seg000:2192 seg000:2193 seg000:2194 seg000:2195 seg000:2196 seg000:2197 seg000:2198 seg000:2199 seg000:219A seg000:219B seg000:219C seg000:219D seg000:219E seg000:219F seg000:21A0 seg000:21A1 seg000:21A2
db db db db db db db db db db db db db db db db db
31h 32h 33h 34h 35h 36h 37h 38h 39h 41h 42h 43h 44h 45h 46h 47h 0
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
1 2 3 4 5 6 7 8 9 A B C D E F G
seg000:2192 a123456789abcde db '123456789ABCDEFG',0
400
seg000:2192 seg000:2193 seg000:2194 seg000:2195 seg000:2196 seg000:2197 seg000:2198 seg000:2199 seg000:219A seg000:219B seg000:219C seg000:219D seg000:219E seg000:219F seg000:21A0 seg000:21A1 seg000:21A2
db db db db db db db db db db db db db db db db db
31h 32h 33h 34h 35h 36h 37h 38h 39h 41h 42h 43h 44h 45h 46h 47h 0
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
unexplored seg000:2192 a123456789abcde seg000:2193 seg000:2194 seg000:2195 seg000:2196 seg000:2197 seg000:2198 seg000:2199 seg000:219A seg000:219B seg000:219C seg000:219D seg000:219E seg000:219F seg000:21A0 seg000:21A1 seg000:21A2
1 2 3 4 5 6 7 8 9 A B C D E F G
db db db db db db db db db db db db db db db db db
31h 32h 33h 34h 35h 36h 37h 38h 39h 41h 42h 43h 44h 45h 46h 47h 0
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
1 2 3 4 5 6 7 8 9 A B C D E F G
ASCF_SERIAL , IDA ,
)
IDA ‘pref0’,’pref1’,’pref2’… ‘a’
, SetCharPrm( \ ASCII string options\ Generate serial names» ASCF_SERIAL == 1
( ‘pref’ – , «~Options
ASCF_SERIAL == 0
SetCharPrm(INF_ASCIIFLAGS, ASCF_SERIAL);
SetCharPrm(INF_ASCIIFLAGS, !ASCF_SERIAL);
seg000:2192 a0 db '123456789ABCDEFG',0
seg000:2192 a123456789abcde db '123456789ABCDEFG',0
INF_LISTNAMES , (Name List).
LN_NORMAL LN_PUBLIC LN_AUTO LN_WEAK
0x01 0x02 0x04 0x08
( public
)
weak
401
INF_START_SS SS
.
,
.
,
IDA . ,
, .
.
,
INF_START_SS. : Message(“0x%x \n”,GetLongPrm(INF_START_SS)); 0x1000 SetLongPrm(INF_START_SS,0); Message(“0x%x \n”,GetLongPrm(INF_START_SS)); 0 INF_START_CS CS IDA . : Message(“0x%x \n”,GetLongPrm(INF_START_CS)); 0x1000
INF_MAIN IDC.IDC , main(), , : Message(“0x%X \n”,GetLongPrm(INF_MAIN)); 0xFFFFFFFF
BADADDR.
INF_SHORT_DN «
»
.
‘idc.idc’, ‘demangle.hpp’,
IDA SDK.
MNG_DEFNEAR
0x00000000
MNG_DEFFAR
0x00000002
MNG_DEFHUGE
0x00000004
MNG_DEFNONE
0x00000006
MNG_NODEFINIT
0x00000008
MNG_NOUNDERSCORE
0x00000010
MNG_NOTYPE
0x00000020
MNG_NORETTYPE
0x00000040
MNG_NOBASEDT
0x00000080
near far huge ё , __ccall, __pascal...
402
MNG_NOCALLC
0x00000100
MNG_NOPOSTFC
0x00000200
MNG_NOSCTYP
0x00000400
MNG_NOTHROW
0x00000800
MNG_NOSTVIR
0x00001000
MNG_NOECSU
0x00002000
MNG_NOCSVOL
0x00004000
MNG_NOCLOSUR
0x00008000
MNG_SHORT_S
0x00010000
MNG_SHORT_U
0x00020000
MNG_ZPT_SPACE
0x00040000
MNG_IGN_ANYWAY
0x00080000
MNG_IGN_JMP
0x00100000
MNG_MOVE_JMP
0x00200000
__pascal\__ccall const public\private\protected throw static virtual class\struct\union\enum const volatile __closure ( Borland) signed (int) s(int) unsigned (int) u(int) '_nn' 'j_' 'j_' Demangle.
INF_LONG_DN « ,
»
.
.
INF_DATATYPES , ,
,
,
IDC.IDC
‘D’. ,
(~Options \ Setup date types ) !
0x1 0x2 0x4 0x8 0x10 0x20
Float Double 403
0x40 0x80
Tbyte real
: Message("%b \n", GetLongPrm(INF_DATATYPES)); 111
INF_STRTYPE ASCII –
.
.
0 ASCSTR_PASCAL
Pascal – .data:00408040 aHeloSailor db 0 h, 'Helo,Sailor!' WinPascal –
ASCSTR_LEN2
.data:00408040 aHeloSailor dw 0 h, db 'Helo,Sailor!' ASCSTR_UNICODE
UNICODE `H`,0,`e`,0,`l`,0,`o`,0,`,`,0,`S`,0,`a`,0,`i`,0,`l`,0,`o`,0,`r`,0,`!`
ASCSTR_LEN4
Delphi – 4 .data:00408040 aHeloSailor dw 0 h, dw 0, db 'Helo,Sailor!'
,
,
,
,
. INF_STRTYPE.
. ‘\0’, (
,
. ‘$’),
‘\0’
. : Message(“%x \n”,GetLongPrm(INF_STRTYPE)); 0 SetLongPrm(INF_STRTYPE,’$’>>0x10);
INF_AF2 .
AF2_JUMPTBL AF2_DODATA AF2_HFLIRT
0x1 0x2 0x4 (
IDC.IDC)
404
success SetPrcsr
(char processor); , . .
(
)
. , .( IDA
,
. ) Intel
, ,
,
,
.
, .
«meta pc», .
com8086
(
IDA .
), , ,
IDA ,
:
seg000:02E9 seg000:02EC seg000:02ED seg000:02EE seg000:02EF
mov db 0C1h db 0E0h db 6 cmp
ax, ds:413h ; ; ; ax, 0A000h
mov shl cmp
ax, ds:413h ax, 6 ax, 0A000h
SetPrcsr (“metapc”); seg000:02E9 seg000:02EC seg000:02EF ,
,
IDA .
,
8086
,
IDA
, ,
Target Assembler» «Generic for Intel 80x86»
,
«~Options \ –
IBM PC .
405
processor
,
.
,
‘metapc’
‘MetaPC’
. , .
8086 80286r 80286p 80386r 80386p 80486r 80486p 80586r 80586p 80686p k62 p2 p3 athlon metapc 8085 z80 z8 860xr 860xp 8051 80196 m6502 m65c02 64180 pdp11 68000 68010 68020 68030 68040 68330 68882 68851 68020EX 6800 6801 6803 6301 6303 6805 6808 6809
Intel 8086 Intel 80286 real mode Intel 80286 protected mode Intel 80386 real mode Intel 80386 protected mode Intel 80486 real mode Intel 80486 protected mode Intel Pentium & MMX real mode Intel Pentium & MMX prot mode Intel Pentium Pro & MMX AMD K6-2 with 3DNow! Intel Pentium II Intel Pentium III AMD K7
IBM PC
IBM PC Intel 8085 Zilog 80 Zilog 8 Intel 860 XR Intel 860 XP Intel 8051 Intel 80196 6502 65c02 Hitachi HD64180 DEC PDP/11 Motorola MC68000 Motorola MC68010 Motorola MC68020 Motorola MC68030 Motorola MC68040 Motorola CPU32 (68330) Motorola MC68020 with MC68882 Motorola MC68020 with MC68851 Motorola MC68020 with both Motorola MC6800 Motorola MC6801 Motorola MC6803 Hitachi HD 6301 Hitachi HD 6303 Motorola MC6805 Motorola MC6808 Motorola MC6809
Zilog 80 Zilog 8 Intel 860 Intel 51 Intel 80196 65xx line PDP line
Motorola 680x0
Motorola 8bit
406
6811 java ppc arm710a arm armb tms320c2 tms320c5 tms320c6 sh3 sh3b sh4 sh4b avr mipsl mipsb mipsr h8300 h8300a h8s300 h8s300a pic16cxx
Motorola MC6811 java PowerPC ARM 7xx , arm710a ARM big endian TMS320C2x TMS320C5x TMS320C6x Hitachi SH3 (little endian) Hitachi SH3 (big endian) Hitachi SH4 (little endian) Hitachi SH4 (big endian) ATMEL AVR MIPS little endian MIPS big endian MIPS & RSP H8/300x in normal mode H8/300x in advanced mode H8S in normal mode H8S in advanced mode Microchip PIC
Java PowerPC ARM TMS 16bit TMS VLIW l
Hitachi SH line ATMEL MIPS: R2000, 3000, R4000,R4200, R4300, 4400, R4600,R8000, R10000 Hitachi H8 line
«~Options \ Processor type»
IDA , :«The processor type "metapc" isn't included in the standard version of IDA Pro. Please check our web site for information about ordering additional processor modules» , . , IDA IDA (www.idapro.com) DOS, OS\2 Windows , , , . .
d32 dll
OS\2 MS-DOS 407
w32
Windows 95\Windows NT IDA
ARM AVR H8 I196 I51 I860 JAVA M65 MC8 MC68 PC PDP11 PIC Z8 Z80
,
:
ARM ( ARM 7xx) ATMEL AVR Hitachi H8 (H8/300x H8S ) Intel 80196 Intel 8051 Intel 860 XR Java Virtual Machine 65xx 8Motorola (MC6800, MC6801, MC6803, MC6805, MC6808, MC6809, MC6811) 8Hitachi (HD 6301, HD 6303) Motorola 680x0 IBM PC DEC PDP-11 Microchip PIC16C5x PIC16Cxx PIC17Cxx Zilog 8 Zilog 80
IDA ,
,
.
,
,
IBM PC, .
, ,
IDA
,
. IDA.CFG
DEFAULT_PROCESSOR:
"com" "exe" "dll" "drv" "sys" "bin" "ovl" "ovr" "ov?" "nlm" "lan" "dsk" "obj" "prc" "axf" "h68" "i51" "sav"
"8086" "metapc" "metapc" "metapc" "metapc" "metapc" "metapc" "metapc" "metapc" "metapc" "metapc" "metapc" "metapc" "68000" (PalmPilot ) "arm710a" "68000" (MC68000 *.H68 "8051" (i8051 *.I51 ) "pdp11" (PDP-11 *.SAV
) ) 408
"rom" "class" "cls" "s19" "*"
long
Batch
"z80" ( "java" "java" "6811" "metapc"
*.ROM
)
(long batch); (
)
.
IDA
. . IDA 4.0
,
.
,
IDA, , ,
,
IDA.
==batch 0 1 . . auto a,s; s=" a=Batch(0); Batch(a); if (a) s=" Message("
"; "; %s \n",s);
char GetIdaDirectory (); ,
IDA,
. : Message (“%s \n”, GetIdaDirectory ()); D:\DEBUG\IDA384 Return ,
IDA
IDA.EXE (idaw.exe\ idax.exe). . ,
, IDA 3.6 IDC.
, . «
,
»
,
.
409
char GetInputFile (); . win32
,
.
. : Message (“%s \n “, GetInputFile () ); My File.exe Return
СТРОКИ , .
IDA ,
, .
IDA
, (
)
,
: auto a,b; a="Hello"; b="IDA! \n"; a=a+","+b; Message("%s \n",a); Hello,IDA! IDA
,
,
,
. (strlen),
. (substr)
(strstr).
,
,
, . , idc.idc,
.
static setstr(str, pos, ch) { auto s0; 410
s0=substr(str,0,pos); s0=s0+ch; s0=s0+substr(str,pos+strlen(ch), strlen(str)); return s0; } static
setstr(str, pos, ch) { auto s0; s0=substr(str,0,pos); s0=s0+ch; s0=s0+substr(str,pos, strlen(str)); return s0; } str «
ch
pos,
» , .
Message("%s \n", setstr("Hello World!",5,",") ); Hello, World! Message("%s \n", insstr("Hello, World!",7,"my ") ); Hello, my World! ,
, . ,
,
,
.
,
, ,
. . (
)
, .
,
IDA
sprintf,
form.
,
char
.
substr
(char str, long x1,long x2); . IDA str[a],
'substr' :
411
x1 x2 x2 == -1, Return char 3.84 ,
, ,
IDA,
x2 < x1, .
Windows .
4.0
.
x2 < x1
, )
(
, , ,
, .
( ,
IDA)
,
IDA
. : auto a,temp,c; a="key -Hello"; for (temp=0;temp> 4; offset = ea – (ea >> 4). : Message(“%s \n”, atoa(0x18) ); 1:00000008
char ltoa (long n,long radix); . :
n ==n 417
0 1 -1 radix
, .
ɁȺɆȿɑȺɇɂȿ:
IDA 2, 8, 10, 16.
'radix' ,
,
, ,
3
24,
11.
,
0
,
1, ,
. Return
==return !=”” ==””
: auto a; for (a=0;a