List of Figures


Chapter 1: Introduction to Disassembling

Figure 1.1: Memory dump displayed by the program presented in Listing 1.1
Figure 1.2: Converting a binary number to a hex number
Figure 1.3: Converting a hex number to a binary number
Figure 1.4: An example of a dialog (Listing 1.13)
Figure 1.5: Dump of the program code
Figure 1.6: The Intel processor command format
Figure 1.7: The PE file structure

Chapter 2: The Code Investigator's Toolkit

Figure 2.1: The DeDe program window displaying the disassembled code of a button-click event in an application
Figure 2.2: The Turbo Debugger window with a program loaded for debugging
Figure 2.3: Graphical user interface of the windbg.exe program
Figure 2.4: The hiew.exe program interface
Figure 2.5: Resource Hacker is one of the most advanced resource editors, allowing you to edit resources directly in the executable module
Figure 2.6: The Registry Monitor by Mark Russinovich, a program that tracks all attempts at accessing the system registry carried out by application programs
Figure 2.7: The main window of the W32Dasm program
Figure 2.8: The W32Dasm Debugger Options window
Figure 2.9: A fragment of the disassembled text
Figure 2.10: The window displaying references to strings
Figure 2.11: A fragment of the list of imported modules and functions
Figure 2.12: The information window of the debugger
Figure 2.13: The control window of the debugger
Figure 2.14: The window for modifying the code being debugged
Figure 2.15: The window for modifying the contents of registers and memory cells
Figure 2.16: The OllyDbg debugger with a loaded program
Figure 2.17: The window displaying the list of windows created by the application being investigated
Figure 2.18: The Watch expressions window
Figure 2.19: The annoying error message that appeared when the encyclopedia was started
Figure 2.20: The OllyDbg window displaying the fragment of the call to MessageBox
Figure 2.21: The W32Dasm window
Figure 2.22: Fragment of the disassembled program code produced by IDA Pro
Figure 2.23: The window that appears at start-up of the Allscreen program
Figure 2.24: The delay window displayed by the Allscreen program
Figure 2.25: The message informing the user about expiration of the trial period
Figure 2.26: The GetPixel registration window
Figure 2.27: The nag screen

Chapter 3: Main Paradigms of the Executable Code Analysis

Figure 3.1: The language-executable code hierarchy
Figure 3.2: Standard stack structure in the course of a procedure call
Figure 3.3: The stack structure, with addresses decreasing from bottom to top
Figure 3.4: The exception reported by Windows XP after an artificially-created buffer overflow

Chapter 4: The SoftIce Debugger

Figure 4.1: The SoftIce main window
Figure 4.2: The loader32.exe program window
Figure 4.3: The Settings window allows you to set the loading parameters for the modules to be debugged
Figure 4.4: The settings window for creating persistent macros

Chapter 5: The IDA Pro Disassembler

Figure 5.1: The IDA Pro main window with the loaded executable module
Figure 5.2: The window controlling executable code loading
Figure 5.3: Indication of jumps in the disassembler window
Figure 5.4: Cross-references
Figure 5.5: The signatures window
Figure 5.6: The IDA Pro window that allows the user to enter comments
Figure 5.7: The Debugger setup window
Figure 5.8: The command window that allows execution of the sequence of the IDC language constructs
Figure 5.9: Toolbar for editing and executing an IDC program




Disassembling Code. IDA Pro and SoftICE
ISBN: 1931769516
EAN: 2147483647
Year: 2006
Pages: 63
Authors: Vlad Pirogov
