Hi, it's me again! Upon encouragement by @KLKS and @junyian in last series, I am keen to explore more in IDA Freeware.

Today I will use a more complex executable, created using Visual C++, I call it "lyn.exe".

This is the output by running "lyn.exe" in command prompt window:


Select "lyn.exe" as the file to disassemble.


Click OK to confirm the default setting. (Doesn't load resource)


Voila, this is the main window.


As compared with last time, this time got many function stubs.
The disassembled code is: (I can't paste complete code because forum blocked it)


And this is my original C++ code.


The Win32 API GetTickCount function is to "retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days."
https://learn.microsoft.com/en-us/windows/w...pi-gettickcount

"lyn.exe" is a 64-bit portable executable, as seen from the register used (with r prefix), and the stack alignment.

I highlight a "call cs:GetTickCount" instruction in IDA View:


And get a corresponding hex bytes in Hex View:


Actually if scroll up a little bit the main window, I can see the summary of the executable:
(snipped because forum blocked it)

There is more to explore, like if I click "pre_c_initialization" function stub, this floating window appears:
https://pictr.com/images/2023/04/28/E4E7hv.png
Of course I have no clue what it does...

Now if I right-click the window, this pop-up menu appears:


This brings me to another window:
https://pictr.com/images/2023/04/28/E4EaqD.png

Can confirm "lyn.exe" has dependency on MSVCP140.dll.


Not just MSVCP140.dll, also dependency on VCRUNTIME140.DLL, and KERNEL32.DLL (Of course).

And many more...
; Imports from api-ms-win-crt-math-l1-1-0.dll
; Imports from api-ms-win-crt-runtime-l1-1-0.dll
...
...


Finally, the Debugger menu and Options menu... (snipped because forum doesn't allow images more than these)
https://pictr.com/images/2023/04/28/E4Eru6.png
https://pictr.com/images/2023/04/28/E4ENXq.png

IDA Free is too powerful, there are many features I don't know yet how to use.
I think it is quite difficult to trace a C++ program, because it has so many function stubs.

Function stubs are added by the compiler. It sets up the environment for the executable to run, e.g. getting cmd line arguments and passing to main(), setting up SEH/VEH, clean exit of the executable after main() finishes, etc.

You're already in the right step though. Next, you can explore the debugger, decompiler, IDC scripting, etc.

I couldn't know if you didn't tell me. And I am glad in the right step! Thanks!

Supercool! The cloud decompiler is already good enough, even though I don't have better decompiler that comes with IDA Pro.

Original C code:


Decompiled Pseudocode generated by IDA Freeware:


Choose "Generate Pseudocode..."


Output of the C program above:


IDA Graph view of the program:



This post has been edited by Tullamarine: May 8 2023, 04:45 AM