Reference resources ： reverse -IDA Basic use of tools
Address ：https://qingmu.blog.csdn.net/article/details/118862881

1、 Opening and closing of files

• 1、F5 Decompile to C Language
  

• 2、 Turn off options

IDA The generated database file will be packaged into a file , You don't need to open the source file next time , Just open the database file . The third one is similar to this one

The first option generates four files

When IDA Very big time , This option will free up a lot of unused memory , Ensure that files take up very little space

This operation is not reserved when closing .IDA The only way to go back .

2、 Window introduction ： graphics Text Other windows

2.1、 The graphical interface ：

2.2、 Text interface ：

The space bar is used to switch between the graphical interface and the file interface

2.3、 Disassembly window

Get into IDA The default window for

2.4、 Hex window

2.5、 The module used by the file （ function ）

See which modules the file uses （ function ）, Actually, it is generated according to the import table

2.6、 Module of file export （ function ）

2.7、 Structure （IDA Identified ）

Identified by a symbol table

2.8、 enumeration

3、 Display hard coding （ACDU）

Enter the hard coded length in the input box , Maximum 16.（ Our executable programs are all hard coded ）. Let's change it to 10 Look at the effect , Here's the picture ：

The part in the figure is hard coded . Each line of hard coding corresponds to a line of assembly code .

Use a random piece of code to illustrate , The original is as follows ：

3.1.1、A

Display the current data as a string

Convert to string ：

3.1.2、C

Display the current data according to the code

3.1.3、D

Display the current data by data

Click once to display a single byte , Press double byte twice to display , Press three times to show four bytes , Press three times to show the eight character knot

3.1.4、U

Set the current data as undefined （ Raw bytes ） To display

4、 Jump instruction G

Click G

Enter the address in the input box to jump .

5、 Search instructions （ALT+T）

Press down alt+t：

6、 Modify name （N）

When we analyze a piece of assembly , To complete the analysis, we need to have our own understanding of a function or a variable , When we need to change it to the name we want, press N To modify the .

for example ：

Press N modify ：

7、 Create structure Modify global variables Modify local variables

7.1、 Create structure

When we use IDA When , When we interpret a piece of assembly code , It is found that it is a structure , here IDA Not recognized , So we can do that Structures Add a structure to the file .

Click on Edit choice add struct type.

At this point, let's enter the name of the structure , Let's enter a random , as follows ：


here AAA The structure has come out , So how to add an integer to the structure , character , Array , The structure ？

The operation is as follows ：

Add common types （db、dw、dd）：
Select the first brother member of the structure we created , Press D

At this point, a member is added , here field_0 The type of is one byte , We selected db Then press D You can change the number of bytes （ One byte , Two bytes , Four bytes ）.

At this time, we need to change the name to the one we want , What shall I do? ？

As explained above , Press N I can modify it

At this time, the name is changed to a, The width was changed to two bytes .

Add structure type
Press... First as above D Add a member . Then select the member and press alt+q You can recognize IDA All existing structures , To add a custom structure, you need to add it yourself first , Pictured ：

Just choose one . Change the name of the structure as above , Press down N that will do .

Add an array

Press... First as above D Add a member .

Right click our members （db）, Select array , Then modify the size of the array .



To change the name, press N modify , Let's change it to C, At this point, an array named C, The type is dw（ Gemini Festival ）, The length is 10.

At this point, we are IDA A structure is created in . We can reference this structure in our code .

7.2、 Modify global variables

For example, we select a global variable , We will modify it to the structure we just added , How to do it? ？

Simply select this variable , Press down alt+q, This will be listed here IDA All identified structures , Select the structure we just added .

Change his type ,IDA Will automatically generate a name for us , We can also modify this name , And the subsequent use of this variable will be changed to our modified name .

7.3、 Modify local variables

When we modify local variables , Shortcut keys are T, We need to find the structure, select its members and click OK to modify it .（IDA The corresponding values will be listed according to the offset ）


Our reverse process , Is to name the function , Analyze the structure , Analyze the structure type , Analyze the global variable type , Analyze the parameter type , When we analyze all this , The whole reverse process is almost complete .

8、 notes

There are three ways to annotate

8.1、 Semicolon note

Press a semicolon at the end of a sentence （;） A text box will pop up , At this point we enter a comment , Comments will be added at the end of the code .

In doing so , He will not only add notes at the end of the line , A comment will also be added in other places that jump to this line . Cut both ways .

8.2、SHIFT Plus a semicolon note

As we mentioned above, he will not only add comments at the end of the line , A comment will also be added in other places that jump to this line . So what if we don't want to show comments where we jump ？

shift + ; Comments can be added in other places that jump to this line without adding comments

8.3、 Function Comments

that , We are writing to C Language functions , We want to add comments to the front of the function （ Function name , Parameters 、 Return value and other information ） When , We select the function name , Press the semicolon , Now you can add comments .

9、 Cross reference

For example, we encounter a function , We want to see who else quoted him , How to do it? ？

Of course, there is also a display in the lower right corner of the function name , But complement , as follows ：

So how do we look at the full references ？

First select the function name , Click... In the upper menu bar view, choice open subviews, In the choice cross reference, Then you can see where the function is referenced .

Of course what I'm looking for here is main There is only one Korean style .

10、 summary

IDA There are many more functions , Master some basic operations from the above , The basic reverse operation is basically no problem , If you have any other questions, you are welcome to add , thank you .