| ||
This program was briefly mentioned in Chapter 1. In many respects, it is similar to the QUMPBIN.EXE utility; however, it has limited functionality in comparison to it.
This program is widely known among programmers in the hacker world. Its name is an abreviation of the phrase "hacker's view." The main tasks carried out by this program are viewing and editing executable modules. There are three possible modes of work in this program: binary, text, and assembly. There are tons of good disassembling programs; however, the programs similar to this one are few.
The interface of this program makes you recall the interfaces found in FAR Manager or Norton Commander (see Fig. 22.1). All commands are issued by functional keys (including combinations with the <Alt> and <Ctrl> keys). For example, by pressing <F4> , you can choose the mode of displaying the file: text, assembly, or binary. By pressing <F3> , you switch to the editing mode (provided that you are viewing the file in binary or assembly modes). If you switch to the assembly view and press <F2> after <F3> , you'll be able to edit machine commands in symbolic form. I will not describe the commands of this program in detail because they are simple and obvious, and the list of available commands can be obtained by pressing <F1> . Therefore, I'll demonstrate a practical example of using this program. For clarity, I will use a simple console application.
Listing 22.2 presents a simple console application that outputs a text string to the console.
.586P ; Flat memory model .MODEL FLAT, stdcall ; Constants STD_OUTPUT_HANDLE equ -11 INVALID_HANDLE_VALUE equ -1 ; Prototypes of external procedures EXTERN GetStdHandle@4:NEAR EXTERN WriteConsoleA@20:NEAR EXTERN ExitProcess@4:NEAR ; INCLUDELIB directives for the linker includelib c:\masm32\lib\user32.lib includelib c:\masm32\lib\kernel32.lib ;----------------------------------------------- ; Data segment _DATA SEGMENT BUF DB "Output string", 0 LENS DWORD ? ; Number of characters for output HANDL DWORD ? _DATA ENDS ; Code segment _TEXT SEGMENT START: ; Get the HANDLE output handle PUSH STD_OUTPUT_HANDLE CALL GetStdHandle@4 CMP EAX, INVALID_HANDLE_VALUE JNE _EX MOV HANDL, EAX ; String output PUSH 0 PUSH OFFSET LENS PUSH 17 PUSH OFFSET BUF PUSH HANDL CALL WriteConsoleA@20 _EX: PUSH 0 CALL ExitProcess@4 _TEXT ENDS END START
The program in Listing 22.2 is easy. Now imagine that in the course of debugging, you accidentally changed a single command: you inserted JNE instead of JE . As a result, the program ceased to operate after translation. Is it possible to correct it without using the Assembly code? Of course, this is possible. To achieve this goal, it is necessary to disassemble the program, locate the error, and then use the HIEW.EXE program. It is possible to use only the HIEW program because it disassembles correctly. However, to illustrate the approach, I will carry out the task in two stages.
Disassemble the module using the DUMPBIN.EXE program. The disassembled code of this program is presented in Listing 22.3.
Dump of file cons1.exe File Type: EXECUTABLE IMAGE 00401000: 6AF5 PUSH 0F5h 00401002: E82B000000 CALL 00401032 00401007: 83F8FF CMP EAX, 0FFh 0040100A: 751E JNE 0040102A 0040100C: A316304000 MOV [00403016], EAX 00401011: 6A00 PUSH 0 00401013: 6812304000 PUSH 403012h 00401018: 6A11 PUSH 11h 0040101A: 6800304000 PUSH 403000h 0040101F: FF3516304000 PUSH DWORD PTR DS:[00403016h] 00401025: E80E000000 CALL 00401038 0040102A: 6A00 PUSH 0 0040102C: E80D000000 CALL 0040103E 00401031: CC INT 3 00401032: FF2508204000 JMP DWORD PTR DS:[00402008h] 00401038: FF2500204000 JMP DWORD PTR DS:[00402000h] 0040103E: FF2504204000 JMP DWORD PTR DS:[00402004h]
By the disassembled code, it is easy to locate the error. By the way, the CMP EAX, 0FFh command must naturally be interpreted-as CMP EAX, 0FFFFFFFFh . Memorize the required code, 83F8FF , and start HIEW.EXE, then press <F7> to search for the required combination. After that, press <F3> ; then press <F2> and replace JNE with JE . Having completed this, press <F9> to save the change. As a result, you'll correct the program without needing to recompile and rebuild it.
This program operates in the command-line mode; however, it has several advantages in comparison to DUMPBIN.EXE. Its main advantage is the recognition of high-level languages. In addition, it provides the possibility of writing scripts using the built-in macro language.
This is one of the most powerful disassemblers. Its functional capabilities are so rich that most programmers consider it a universal and almighty tool. When working with the text of the program being disassembled, it is possible to rename labels and procedures and to provide custom comments so that the disassembled text finally becomes easily readable and understandable. The corrected program text is saved in a special database and is recovered at the next startup. The main window of the IDA Pro disassembler is shown in Fig. 22.2. This illustration shows the disassembled code of the EDIT.EXE program (see Listing 3.2 in Chapter 3). By the way, notice the offset WNDPROC reference. The WNDPROC name was assigned in the course of analyzing the code of this program.
Now, consider some features of this disassembler:
It can rename procedures and labels in a program. Naturally, in the course of disassembling, IDA Pro gives internal names to all procedures and labels. You can replace them with custom names to make the program text more understandable. All changes introduced into the text will be stored in special database and can be recovered after restart.
It recognizes library and application program interface functions (see Fig. 22.2). The disassembler not only recognizes these functions but also comments their parameters.
Using the context menu or double-clicking the mouse on the JMP or CALL commands, it is possible to jump to the specified location within a program and continue to execute the jumps any number of times. To return any number of steps back, use the arrow button on the toolbar.
Using key combinations such as <Shift>+<Insert>, the <Insert> key, and commands from the Edit menu, it is possible to insert a comment in any location within a program. Like custom label names, comments are saved in the program database. However, the most advantageous feature is that it is possible to insert the address of a specific program line or label name into the text of the comment. If you double-click that address or label, you'll automatically jump to the required location.
This disassembler can expand and collapse procedures. By pressing the < ˆ > key on the numeric keypad, it is possible to collapse the procedure. Pressing the <+> key expands the collapsed procedure. Presenting procedures in collapsed form allows you to represent the program code in more compact and readable form.
IDA Pro correctly recognizes both code and data. Fig. 22.3 shows the disassembled part of the EDIT.EXE program containing data.
IDA Pro also allows you to create and execute batch files. The language of IDA Pro batch files is close to the C programming language. Because of the limited volume of this book, I will not cover this language in detail. Nevertheless, I will provide an example batch file demonstrating this capability of IDA Pro.
// // This example shows how to get a list of functions. // #include <idc.idc> static main() { auto ea, x; for (ea = NextFunction(0); ea != BADADDR; ea = NextFunction(ea)) { Message("Function at %08lX:%s", ea, GetFunctionName(ea)); x = GetFunctionFlags(ea); if (x & FUNG_NORET) Message(" Noret"); if (x & FUNC_FAR) Message(" Far"); Message("\n"); } ea = ChooseFunction("Please choose a function"); Message("The user chose function at %08lX\n", ea) ; }
The file presented in Listing 22.4 requires some comments. As can be easily guessed, loop organization and conditional constructs have exactly the same syntax as in the C language. The main point here is that you should grasp the sense of the library functions used. As can be easily seen, the Message function outputs the string to the message window located below the main window. The ChooseFunction function opens the window that also can be opened by choosing the Jump to Function command from the Jump menu (the GetFunctionFlags function returns information about the specified function). Finally, the NextFunction function jumps to the next function and returns its address. The argument of the NextFunction function is the address of the previous function, from which the jump to the next function is carried out. I hope that you will study the IDA Pro language on your own, using the online help system. Theoretically, using this language, it is possible to write a program of any level of sophistication that would analyze the disassembled code.
IDA Pro disassembles modules of various formatsOBJ, EXE, DLL, VXD, ZIP, NLM, etc.
IDA Pro functionality can be considerably extended by using various plug-in modules. Plug-ins are written in C++ language and have the structure of typical portable executable modules. Usually, plug-ins are invoked by using hotkeys or by choosing the Edit Plugins menu commands. Plug-ins must be located in a special plug-ins directory with the configuration file that specifies these modules.
Another advantage of this disassembler is that it creates an Assembly file that makes it possible to work in the text mode.
| ||