First time using IDA Free!
TSTullamarine
Posted Apr 1 2023, 04:28 AM, updated 12 months ago
Getting Started · Validating · 163 posts · Joined: Apr 2020
Finally! After so many years digging into x86 and x64 Assembly, I have finally started my journey in disassembly, or reverse engineering, by first exploring IDA Free!

IDA Free: https://hex-rays.com/ida-free/#download

While there is IDA Pro, which supports 68 families of processors and over 45 file formats (and allows commercial use), I found (as also suggested by others) that IDA Free is enough for personal use, as it supports x86/x64 processors and the well-known PE, ELF and Mach-O file formats.

In case you missed my previous "First time using WinDbg" topic, you can visit:
https://forum.lowyat.net/topic/5348191

As pointed out by @junyian, WinDbg is a debugger while IDA Free is a disassembler.

Let's start disassembling my own msgbox.exe (written in FASM). Go!

[Image: output of my msgbox.exe]

Click "IDA Freeware".

Click "New" (Disassemble a new file).

After selecting 'msgbox.exe', I see this window. I just click OK without changing the default settings.

Voila, this is the main window I see.

The disassembled code is as follows:
CODE

; Attributes: noreturn

public start
start proc near
push    40h; '@'      ; uType
push    offset Caption ; "LYN Codemaster"
push    offset Text    ; "Apa khabar semua, marilah kita bersama-"...
push    0              ; hWnd
call    ds:MessageBoxA
push    eax            ; uExitCode
call    ds:ExitProcess
start endp


And my original source code is:
CODE

start:

      push 0x40
      push title
      push message
      push 0
      call [MessageBox]

      push eax
      call [ExitProcess]  


I think the disassembled code is brilliant: it is annotated with the data values' contents, and, as with any full-featured disassembler, the Win32 API function call is shown by its human-readable name (e.g. ds:MessageBoxA), not just a memory address.

IDA Free auto-detects my msgbox.exe as using the 32-bit (x86) instruction set, because I think the PE format has a header field specifying which processor mode the executable is built for (e.g. 0x14C for IMAGE_FILE_MACHINE_I386).

Now I click Windows menu, and then "Imports" (Alt+F6):

This is the window for import table:

It also matches the source code:
CODE

section '.idata' import readable writable

      library kernel,'KERNEL32.DLL',\
              user,'USER32.DLL'

      import kernel,\
             ExitProcess,'ExitProcess'

      import user,\
             MessageBox,'MessageBoxA'


But I don't know how to find the resource section, because my 'msgbox.exe' comes with a manifest.xml to give the message box the XP style.

This is the end of my session in IDA Free with you all.

Any feedback is welcome, particularly from the famous rockstar malware analysts @KLKS and @junyian!
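As an added example (not code from this thread, from IDA, or from the poster's msgbox.exe), here is a small Python script that reads the PE header fields the post is reasoning about: the COFF Machine value (0x14C = IMAGE_FILE_MACHINE_I386) that lets a disassembler decide the file is 32-bit x86, the optional-header magic (PE32 vs PE32+), and the section table, so you can check for yourself whether a file carries an `.idata` import section or a `.rsrc` resource section before wondering why the tool did not show one. The constant names and offsets come from Microsoft's PE/COFF specification; the sample image it parses by default is a constructed, header-only PE built inline for offline use, not a loadable executable. Pass a file path as the first argument to run it on a real binary.

```python
"""Minimal PE header walker: machine type, PE32/PE32+ and section names.

Added example, not from the forum thread or from IDA. Offsets and constants
follow the PE/COFF specification; the default input is a constructed,
header-only PE image so the script runs without any file on disk.
"""
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "IMAGE_FILE_MACHINE_I386 (x86, 32-bit)",
    0x8664: "IMAGE_FILE_MACHINE_AMD64 (x64)",
    0x01C4: "IMAGE_FILE_MACHINE_ARMNT (ARM Thumb-2)",
    0xAA64: "IMAGE_FILE_MACHINE_ARM64",
}

# IMAGE_OPTIONAL_HEADER.Magic: PE32 (32-bit) vs PE32+ (64-bit).
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

IMAGE_FILE_DLL = 0x2000
SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_pe_headers(data: bytes) -> dict:
    """Return machine, header kind, DLL flag and section names of a PE image.

    Every bounds check raises ValueError, so a truncated or non-PE input
    fails loudly instead of yielding garbage field values.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ signature)")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt + 2 > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    # The section table starts immediately after the optional header.
    sect_table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = sect_table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        raw_name = data[off:off + 8]  # 8-byte, NUL-padded section name
        sections.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown (0x%04X)" % machine),
        "format": OPT_MAGIC.get(magic, "unknown (0x%04X)" % magic),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
        "has_imports": ".idata" in sections,
        "has_resources": ".rsrc" in sections,
    }


def build_sample_pe(machine: int = 0x014C,
                    section_names=(".text", ".idata", ".rsrc")) -> bytes:
    """Construct a header-only PE image for testing (constructed data, not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    opt_size = 0xE0  # standard size of a PE32 optional header
    # Characteristics 0x0102 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
        for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections


def describe(data: bytes) -> str:
    """Human-readable one-paragraph summary of parse_pe_headers()."""
    info = parse_pe_headers(data)
    lines = [
        "Machine:   %s" % info["machine_name"],
        "Format:    %s%s" % (info["format"], " (DLL)" if info["is_dll"] else ""),
        "Sections:  %s" % ", ".join(info["sections"]),
        "Imports:   %s" % ("yes (.idata)" if info["has_imports"] else "no .idata section"),
        "Resources: %s" % ("yes (.rsrc)" if info["has_resources"] else "no .rsrc section"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(describe(blob))
```

If a real file reports a `.rsrc` section here but the disassembler shows no resources, the file is fine and the loader simply was not asked to load them; if the section is absent, no loader option will conjure it.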


junyian
Posted Apr 1 2023, 10:44 AM
Casual · Junior Member · 401 posts · Joined: Jan 2003


I'm not worthy enough to be put together with KLKS :D My capabilities are probably just at junior level.

Anyway, you didn't check the "Load resources" option in IDA's loading option window, so the resource section won't get loaded.

This is a good start, though barely touching the surface of what IDA Free can do (let alone IDA Pro). Try a more complicated app with functions, local variables, structures, enumerations, etc. Or write one in C/C++. Use some popular stdlibs. Then you'll see much more of what IDA is capable of.
KLKS
Posted Apr 1 2023, 12:26 PM
Getting Started · Junior Member · 292 posts · Joined: Jan 2003


Do a series highlighting the different features. Also explore the options menu: there is an option called "Number of opcode bytes", which will show you the hex bytes of each instruction.

The debugger in IDA is also something worth exploring.

If you highlight an instruction, IDA will tell you the offset in the file, which you can verify with a hex editor.

IDA scripting (IDC/Python) is also an interesting area for automation.

And check out some of the user-created plugins for IDA at https://www.hex-rays.com/contests/
