Windows Reverse Engineering
By: O'Reilly Media
    2004-07-27

    Table of Contents:
  • Windows Reverse Engineering
  • History of RCE, Reversing Tools
  • Basic IDA Configuration and Manipulation Steps
  • Debuggers
  • System Monitors
  • Unpackers
  • Personal Firewalls and Install Managers
  • Reverse Engineering Examples
  • Example 2: Reversing Malicious Code

    Windows Reverse Engineering - Basic IDA Configuration and Manipulation Steps


    (Page 3 of 9)

    A configuration file controls IDA’s preferences. Search your Program Files directory for the IDA folder and use a text editor to open Ida.cfg (the configuration file). The configuration file is read two times. The first pass is performed as soon as IDA is loaded, while the second pass is performed when IDA determines the processor type. All processor-specific tuning is located in the second part of the config file.

    IDA allows you to choose the default processor at program startup. As Example 2-1 shows, the developers have built in support for an extensive range of processor types, keyed by file extension. For example, if you mostly crack PocketPC (Windows CE) applications, you will probably be using the ARM processor. Otherwise, the default setting is "metapc" (x86).

    Example 2-1. Processor-specific parameters in IDA Pro

    /* Extension    Processor */
    "com" :  "8086"        // IDA will try the specified
    "exe" :  "metapc"      // extensions if no extension is
    "dll" :  "metapc"      // given.
    "drv" :  "metapc"
    "sys" :  "metapc"
    "bin" :  "metapc"
    "ovl" :  "metapc"
    "ovr" :  "metapc"
    "ov?" :  "metapc"
    "nlm" :  "metapc"
    "lan" :  "metapc"
    "dsk" :  "metapc"
    "obj" :  "metapc"
    "prc" :  "68000"      // PalmPilot programs
    "axf" :  "arm710a"
    "h68" :  "68000"      // MC68000 for *.H68 files
    "i51" :  "8051"       // i8051 for *.I51 files
    "sav" :  "pdp11"      // PDP-11 for *.SAV files
    "rom" :  "z80"        // Z80 for *.ROM files
    "cla*":  "java"
    "s19" :  "6811"
    "o"   :  "metapc"
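
    The extension table is a simple lookup in IDA's hands, but its rules (first match wins, "?" and "*" wildcards, and the comment that IDA tries the listed extensions when a bare filename is given) are easy to get wrong when you script around IDA. The Python below is an added example, not code from the book or from IDA: it parses a fragment laid out like Example 2-1 and resolves filenames against it. The sample fragment, the function names and the behaviour for names without an extension are this example's own assumptions.

```python
import fnmatch
import re

# Constructed fragment laid out like the extension table in Example 2-1.
# It is this example's own sample, not a copy of a shipping ida.cfg.
EXTENSION_TABLE_SAMPLE = r'''
/* Extension    Processor */
"com" :  "8086"        // IDA will try the specified
"exe" :  "metapc"      // extensions if no extension is
"dll" :  "metapc"      // given.
"ov?" :  "metapc"
"prc" :  "68000"       // PalmPilot programs
"cla*":  "java"
"o":     "metapc"
'''

_ENTRY = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]+)"')


def strip_comments(text):
    """Drop C-style /* ... */ block comments and // line comments."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return '\n'.join(line.split('//', 1)[0] for line in text.splitlines())


def parse_extension_table(text):
    """Return [(pattern, processor), ...] in file order.

    Order is kept because the first matching entry wins, which matters once
    wildcard patterns such as "ov?" and "cla*" are in the table.
    """
    entries = []
    for line in strip_comments(text).splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def processor_for(filename, table, default='metapc'):
    """Pick the processor for a filename by its extension.

    Matching is case-insensitive and honours ? and * wildcards. Returns None
    for a bare name, because that case is resolved by probing candidates.
    """
    name = re.split(r'[\\/]', filename)[-1]
    if '.' not in name:
        return None
    ext = name.rsplit('.', 1)[1].lower()
    for pattern, processor in table:
        if fnmatch.fnmatchcase(ext, pattern.lower()):
            return processor
    return default


def candidates_for_bare_name(filename, table):
    """Filenames to try, in table order, when no extension was given.

    Wildcard entries are skipped: "ov?" cannot be appended to a name.
    (Assumption of this example, modelled on the comment in the table.)
    """
    return [f'{filename}.{pattern}' for pattern, _ in table
            if not any(c in pattern for c in '*?')]


if __name__ == '__main__':
    table = parse_extension_table(EXTENSION_TABLE_SAMPLE)
    for f in ('C:\\samples\\target.EXE', 'app.class', 'game.ovr', 'blob.xyz'):
        print(f, '->', processor_for(f, table))
    print('target ->', candidates_for_bare_name('target', table))
```

    Note that an unknown extension silently falls back to "metapc", just as IDA defaults to x86; when you batch-load firmware or mobile binaries, pass the processor explicitly rather than trusting the extension.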
     

    IDA allows you to tune several options for disassembly. For example, you can decide whether a 90h byte that follows a jmp is automatically converted to a NOP. The configuration for this is shown in Example 2-2.

    Example 2-2. Analyzer options for the x86 processor in IDA Pro

    #ifdef __PC__   // INTEL 80x86 PROCESSORS
    USE_FPP  = YES          // Floating Point Processor
                            // instructions are enabled

    // IBM PC specific analyzer options
    PC_ANALYSE_PUSH = YES   // Convert immediate operand
                            // of "push" to offset
                            //
                            // In sequence
                            //
                            //   push seg
                            //   push num
                            //
                            // IDA will try to
                            // convert <num> to offset.
                            //
    PC_ANALYSE_NOP   = NO   // Convert db 90h after
                            // "jmp" to "nop"
                            // Now it is better to turn
                            // off this option
                            // because the final pass
                            // of the analysis will
                            // convert 90h to nops
                            // more intelligently.
                            //
                            // Sequence
                            //
                            //   jmp short label
                            //   db 90h
                            //
                            // will be converted to
                            //
                            //   jmp short label
                            //   nop
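
    To see what PC_ANALYSE_NOP decides, it helps to watch a flow-following disassembler meet a 90h byte that sits behind an unconditional jmp: nothing falls through to it, so it stays data unless a later pass reinterprets it. The Python below is an added example, not IDA's code or the book's: it decodes a constructed six-byte program using a four-opcode x86 subset and then applies a simplified post-pass that mimics the option. The opcode coverage, the sample bytes and the post-pass rule are this example's assumptions, not IDA's actual algorithm.

```python
# Constructed sample program (not from the page): six bytes at address 0.
SAMPLE = bytes([
    0x31, 0xC0,   # 0000: xor eax, eax
    0xEB, 0x01,   # 0002: jmp short 0005   (skips the padding byte)
    0x90,         # 0004: alignment padding, never executed
    0xC3,         # 0005: ret
])


def decode_one(code, addr):
    """Decode one instruction of the toy subset at addr.

    Returns (text, length, successors); successors are the addresses that
    control flow can reach next, so a jmp has one and a ret has none.
    """
    op = code[addr]
    if op == 0x90:
        return 'nop', 1, [addr + 1]
    if op == 0xC3:
        return 'ret', 1, []
    if op == 0xEB:                                   # jmp short rel8
        rel = code[addr + 1]
        rel = rel - 256 if rel >= 0x80 else rel      # sign-extend rel8
        target = addr + 2 + rel
        return f'jmp short {target:04X}', 2, [target]
    if op == 0x31 and addr + 1 < len(code) and code[addr + 1] == 0xC0:
        return 'xor eax, eax', 2, [addr + 2]
    raise ValueError(f'unsupported opcode {op:02X} at {addr:04X}')


def disassemble(code, convert_nop_after_jmp=False):
    """Follow control flow from address 0; bytes never reached stay data.

    convert_nop_after_jmp models PC_ANALYSE_NOP = YES: a lone 90h directly
    after a jmp that flow analysis left as data is shown as nop instead of
    'db 90h'. This is a simplification of IDA's own final pass.
    """
    decoded = {}                       # addr -> (text, length)
    worklist = [0]
    while worklist:
        addr = worklist.pop()
        if addr in decoded or not 0 <= addr < len(code):
            continue
        text, length, successors = decode_one(code, addr)
        decoded[addr] = (text, length)
        worklist.extend(successors)

    if convert_nop_after_jmp:
        for addr, (text, length) in list(decoded.items()):
            nxt = addr + length
            if (text.startswith('jmp') and nxt < len(code)
                    and nxt not in decoded and code[nxt] == 0x90):
                decoded[nxt] = ('nop', 1)

    listing, addr = [], 0
    while addr < len(code):
        if addr in decoded:
            text, length = decoded[addr]
        else:
            text, length = f'db {code[addr]:02X}h', 1   # unreached byte
        listing.append(f'{addr:04X}  {text}')
        addr += length
    return listing


if __name__ == '__main__':
    for flag in (False, True):
        print(f'PC_ANALYSE_NOP = {"YES" if flag else "NO"}')
        print('\n'.join(disassemble(SAMPLE, flag)), end='\n\n')
```

    The difference is cosmetic here, but the same decision matters when the "padding" is deliberate: a packer or anti-disassembly trick can place real bytes behind a jmp, and a pass that blindly rewrites them as NOPs hides that from you. This is why the comment in the config recommends leaving the early conversion off.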

    Now, it’s time to fire up IDA. Run the program and open the target binary that you happen to be using. Figure 2-2 shows IDA’s startup window.

    Figure 2-2. IDA's startup window

    For most Windows files you will use the Portable Executable (PE) format (discussed later in this chapter), so select this option. Select your processor type if you have not already configured the default in your config file. Make sure both "Analysis" options are checked. Under Options, make sure the "Load resources" and "Make imports segment" boxes are checked. Also make sure "Rename DLL entries" and "Manual load" are unchecked.

    Make sure that you choose the correct system DLL directory when configuring IDA Pro; IDA resolves imported functions against the DLLs it finds there, so pointing it at the wrong Windows version gives misleading import names.

    When you are ready, press OK and watch IDA work its magic.

    In order to view strings in IDA, select View -> Open Subviews -> Strings (Figure 2-3). You will also see the other subview options. The keyboard shortcut for strings is Shift-F12. Take some time to explore this sample disassembly and to get used to moving around in IDA.

    Figure 2-3. The Strings subview in IDA

    © 2003-2009 by Developer Shed. All rights reserved.