First Steps In IDA

Many times we have heard that IDA is a better disassembler than Wdasm, and that it is
the best disassembler that exists which is correct, and in spite of not using it frequently,
we will see in this first example some tips for IDA, and some differences with the
listing it shows us in OLLY and in Wdasm.

To practice, we will use a typical example where we note the differences in a crackme
made in VC++ or that is to say level 1 from contest 34. (Attached to this tute)

We open it with WDASM, and we see the names of the imported functions that it shows
us.

Something odd with the name and little information, almost all of them are numbers,
which doesnt permit us to deduce much about what each one is. In OLLY it is not very
different.
This doesnt help much. Now we load it in IDA, we use the new version 4.30 FULL
that is on my FTP, once it is up we go to OPEN FILE we select the file and in the
options window we never forget to put the check on LOAD RESOURCES.

Here we add the check on LOAD RESOURCES since it was unchecked, we go to OK

and we see the red circle above and to the right which is the traffic light that indicates if
it is red, we cant mess with anything, if it is yellow, IDA is working, but we have a
starting list to work with, and if it is green it is done working and is complete.
This is the screen in IDA when it opens we go slowly since we have a lot of options.
Some we will see in a theory later, but we will start with the basics.
We will see the imported functions by looking on the side of the listing we find two
tabs: one is NAMES WINDOW and the other STRINGS WINDOW, we maximize the
NAMES WINDOW.
There we see all the functions have names as opposed to OLLY and WDASM, for
example one that stood out is DoMessageBox and its reference in the import table is on
402010, we see the same line in OLLY gives us this:

Names in Nivel1, item 16

Address=00402010
Section=.rdata
Type=Import
Name=MFC42.#2512

I suppose that it isnt the same to know that the function is DoMessageBoxA which is
#2512, so all the names have a name that tells us what the function does.

If we go to 402010 in OLLY we see that the listing is incomprehensible and it does not
clarify if it is a part of the data or of the code.
In IDA on the same position:

Not only is this part identified by data (idata) at the beginning, it also tells us they are
imported functions from MFC42.dll (IMPORTS from MFC42.dll)
The Strings in IDA are found by going to the tab STRINGS. They are seen here:
Going to the STRINGS window it gives us much more than the sad four that it shows us
in WDASM .

OLLY also doesnt tell us much about the STRINGS REFERENCES.

Also, if in the STRINGS window of IDA we make a right click and go to Refresh (or
Setup) there are options that permit us to obtain more STRINGS
We uncheck STRICT ASCII strings, and add in ALLOWED string types the types of
strings that we want to look for: C and UNICODE are the classics as shown in the
image.

The different tabs are easy to identify:

IDA-VIEWA is the disassembly listing

HEX VIEW is the hexadecimal view with the characteristic that if we select a value for
example: 25 all the 25s that are in the visible area are shown
NAMES are the Imported Functions
FUNCTIONS shows us where to find the jumps to the Imported Functions. The
famous FF 25 hehe that we found in the theory of asprotect, well here in the functions is
also DoMessageBoxA and we see that it shows the value 401628

.text:00401628 jmp ds:__imp_?DoMessageBox@CWinApp@@UAEHPBDII@Z ;

__declspec(dllimport) CWinApp::DoMessageBox(char const *,uint,uint)

IDA shows us on 401628 the jump: Jmp [402010] that takes us directly to the Function
DoMessageBox according to the reference from the import table that we saw before.

In olly this jump shows:

00401628 .- FF25 10204000 JMP DWORD PTR DS:[<&MFC42.#2512>] ;

MFC42.#2512

As we can see it doesnt say much.

ESTRUCTURAS y ENUMS: We wont use this right now hehe

STRINGS: As we have seen already the string references.
Lets play a little with IDA. Go to the disassembly window and then to JUMP TO
ENTRY POINT which sends us directly to the EP

.text:004018A0 push ebp ; sub_4018A0

Now we go to JUMP TO ADRESS to go to a determined point we write 401b10. In

OLLY we can see this routine here:

00401B10 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]

00401B13 .^ E9 E2FBFFFF JMP <JMP.&MFC42.#641>
00401B18 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00401B1B . 83C1 60 ADD ECX,60
00401B1E .^ E9 DDFBFFFF JMP <JMP.&MFC42.#656>
00401B23 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00401B26 . 81C1 A0000000 ADD ECX,0A0
00401B2C .^ E9 CFFBFFFF JMP <JMP.&MFC42.#656>
00401B31 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00401B34 . 81C1 E0000000 ADD ECX,0E0
00401B3A .^ E9 C7FBFFFF JMP <JMP.&MFC42.#800>
00401B3F . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00401B42 . 81C1 E4000000 ADD ECX,0E4
00401B48 .^ E9 B9FBFFFF JMP <JMP.&MFC42.#800>
00401B4D $ B8 80254000 MOV EAX,Nivel1.00402580 ; Structured exception
handler
00401B52 .^ E9 37FDFFFF JMP <JMP.&MSVCRT.__CxxFrameHandler>

Well there are a lot of imported functions with numbers but it does not say much. Now
we see in IDA:

.text:00401B10
.text:00401B10 ; S U B R O U T I N E
.text:00401B10
.text:00401B10
.text:00401B10 sub_401B10 proc near ; DATA XREF: .rdata:00402580o
.text:00401B10 mov ecx, [ebp-10h]
.text:00401B13 jmp ??1CDialog@@UAE@XZ ; CDialog::~CDialog(void)
.text:00401B13 sub_401B10 endp
.text:00401B13
.text:00401B18
.text:00401B18 ; S U B R O U T I N E
.text:00401B18
.text:00401B18
.text:00401B18 sub_401B18 proc near ; DATA XREF: .rdata:00402580o
.text:00401B18 mov ecx, [ebp-10h]
.text:00401B1B add ecx, 60h
.text:00401B1E jmp ??1CEdit@@UAE@XZ ; CEdit::~CEdit(void)
.text:00401B1E sub_401B18 endp
.text:00401B1E
.text:00401B23
.text:00401B23 ; S U B R O U T I N E
.text:00401B23
.text:00401B23
.text:00401B23 sub_401B23 proc near ; DATA XREF: .rdata:00402580o
.text:00401B23 mov ecx, [ebp-10h]
.text:00401B26 add ecx, 0A0h
.text:00401B2C jmp ??1CEdit@@UAE@XZ ; CEdit::~CEdit(void)
.text:00401B2C sub_401B23 endp
.text:00401B2C
.text:00401B31
.text:00401B31 ; S U B R O U T I N E
.text:00401B31
.text:00401B31
.text:00401B31 sub_401B31 proc near ; DATA XREF: .rdata:00402580o
.text:00401B31 mov ecx, [ebp-10h]
.text:00401B34 add ecx, 0E0h
.text:00401B3A jmp ??1CString@@QAE@XZ ; CString::~CString(void)
.text:00401B3A sub_401B31 endp
.text:00401B3A
.text:00401B3F
.text:00401B3F ; S U B R O U T I N E
.text:00401B3F
.text:00401B3F
.text:00401B3F sub_401B3F proc near ; DATA XREF: .rdata:00402580o
.text:00401B3F mov ecx, [ebp-10h]
.text:00401B42 add ecx, 0E4h
.text:00401B48 jmp ??1CString@@QAE@XZ ; CString::~CString(void)
.text:00401B48 sub_401B3F endp
.text:00401B48
.text:00401B4D ; ---------------------------------------------------------------------------
.text:00401B4D
.text:00401B4D loc_401B4D: ; DATA XREF: sub_401210+2o
.text:00401B4D mov eax, offset stru_402580
.text:00401B52 jmp loc_40188E
.text:00401B52 ; ---------------------------------------------------------------------------

As we see the subroutines are separated, the names of the functions are there, some we
dont know but having the name, we can find them quickly by doing a search in google
for the name of the function (Cedit,Cdialog,CString)

Now we go to JUMP TO ADRESS. 401984 is a conditional jump

text:00401984 jz short loc_40198A

We see to the right the arrows that indicate where it is jumping but there are more if we
put the pointer of the mouse on _40198A Below the listing, the area it is jumping to
appears without having to go there.
By passing the mouse over many parts of the listing; without doing anything, it shows
us explanations of the code.

We return to the entry point, and select this whole area:

push ebp ; sub_4018A0

.text:004018A1 mov ebp, esp
.text:004018A3 push 0FFFFFFFFh
.text:004018A5 push offset unk_4024E8
.text:004018AA push offset loc_401A26

We make a right click and there we select UNDEFINE

We see that it is converted to an undefined area. It is dirty haha

align 10h
.text:004018A0 public start
.text:004018A0 start db 55h ; U
.text:004018A1 db 8Bh ;
.text:004018A2 db 0ECh ;
.text:004018A3 db 6Ah ; j
.text:004018A4 db 0FFh ;
.text:004018A5 db 68h ; h
.text:004018A6 db 0E8h ;
.text:004018A7 db 24h ; $
.text:004018A8 db 40h ; @
.text:004018A9 db 0 ;
.text:004018AA db 68h ; h
.text:004018AB db 26h ; &
.text:004018AC db 1Ah ;
.text:004018AD db 40h ; @
.text:004018AE db 0 ;
.text:004018AF db 64h ; d
.text:004018B0 db 0A1h ;
.text:004018B1 db 0 ;
.text:004018B2 db 0 ;
.text:004018B3 db 0 ;
.text:004018B4 db 0 ;

Well I made this to see the inverse case when in a program, we have an undefined area,
we select it and make a right click and select ANALYZE SELECTED AREA (or hit the
C key) and it gives a window to analyze or force that this section is code. Well here
there isnt much to force. Only with analyze it returns to what it was.

The famous Xrefererences are references to a part of the listing from another aspect. If
we see in some part of the listing:

text:004019B6 loc_4019B6: ; CODE XREF: .text:0040197Aj

.text:004019B6 ; .text:004019BFj
.text:004019B6 cmp byte ptr [esi], 20h
.text:004019B9 jbe short loc_401993
.text:004019BB inc esi
.text:004019BC mov [ebp-74h], esi
.text:004019BF jmp short loc_4019B6

That means that there is a reference to this point from other places in the listing. Also,
putting the mouse pointer on the XREF it shows us the code from which this part is
being called.

Well I believe this first approach to IDA is sufficient, of course this is only 1 percent of
the possibilities that you have but for beginning to handle it, it will do.

Ricardo Narvaja

This document was poorly translated into English by Innocent.