
High level constructs with IDA Pro.

DataRescue 2005
Data and operands available in the disassembly aren't always interpreted in the most suitable way: IDA's interactivity allows you to change their type and representation. It even makes high-level-language-like constructs possible.
The C program.

To introduce these possibilities, let's analyze a small program using particular data and constructions.


#include <stdio.h> #include <alloc.h> // our structures // ============== // information about our customers struct customer_t { // a typical structure long id; char name[32 ; char se!; // "m"ale # "f"emale $; // %e sell boo&s struct boo&_t { char title['2( ; // an )*+,, strin$;

program using particular data and

// and %e sell computer soft%ares struct soft%are_info_t { // a structure containin- .arious bitfields unsigned int plateform / 2; // 2 bits reser.ed for the plateform # // plateforms can be combined 01!132 #define 3+ 1!' // 1!1' #define 4)+ 1!2 // 1!12 unsigned int os / 3; // 3 bits reser.ed for the 5* # // 5* can be combined 01!'+2 #define 6,7856* 1!' // 1!19 #define 85* 1!2 // 1!1( #define 5*_: 1!9 // 1!'1 unsigned int cate-ory / 2; // 2 bits reser.ed for the cate-ory # // cate-ories can"t be combined 01!;12 #define 8,*)**<4=>? 1!' // 1!21 #define @<+5A<@? 1!2 // 1!91 #define +@?3B5C@)3D? 1!3 // 1!;1 $; struct soft%are_t { soft%are_info_t info; char name[32 ; $;


// -eneric products %e"re sellinenum product_cate-ory_t { // an enumerated type =55EF *5GB6)@<F D)@86)@< // %e actually don"t sell hard%are $; union product_u { // an union to contain product information // dependin- on its cate-ory boo&_t boo&; soft%are_t soft%are; // struct hard%are_t hard%are; // %e actually don"t sell hard%are $; struct product_t { // a structure containin- another structure long id; product_cate-ory_t cate-ory; product_u p; $; // our data // ======== // our customers customer_t customers[ = { // an initialiHed array to memoriHe our customers { 'F I3eterIF "m" $F { 2F IJohnIF "m" $F { 3F I4aryIF "f" $F { 1 $ $; // our products boo&_t ida_boo& = { I,8) Kuic&*tart CuideI $; soft%ares_t soft%ares = // an { 3F { { { 3+F 6,7856*L85*F { { 3+L4)+F 6,7856*L5*_:F { { 3+F 6,7856*F $ $; #define 3@58M+B*_+5M7B 9 initialiHed .ariable len-th structure

8,*)**<4=>? $F I,8) 3roI $F @<+5A<@? $F I3hoto@escueI $F +@?3B5C@)3D? $F Ia+ryptI $


// our functions // ============= // chec& soft%are information int chec&_soft%are0soft%are_info_t soft%are_info2 { bool .alid = true; if 0soft%are_info.plateform N 3+2 { if 0O 0soft%are_info.plateform N 4)+2 NN 0soft%are_info.os N 5*_:22 .alid = false; // 5*#: isn"t yet a.ailable on 3+ ;2 $ else if 0soft%are_info.plateform N 4)+2 { if 0O 0soft%are_info.plateform N 3+2 NN 00soft%are_info.os N 6,7856*2 LL 0soft%are_info.os N 85*222 .alid = false; // 6indo%s N 85* aren"t a.ailable on 4ac... $ else .alid = false; return .alid; $ // chec& product cate-ory int chec&_product0product_cate-ory_t product_cate-ory2 { bool .alid = true; if 0product_cate-ory == D)@86)@<2 { .alid = false; printf0I6e don"t sell hard%are for the moment...PnI2; $ return .alid; $ // print customer information void print_customer0customer_t Qcustomer2 { printf0I+M*B54<@ R19:/ Rs 0Rc2PnIF customer#>idF customer#>nameF customer#>se!2; $ // print boo& information void print_boo&0boo&_t Qboo&2 { printf0I=55E/ RsPnIF boo&#>title2; $


// print soft%are information void print_soft%are0soft%are_t Qsoft%are2 { printf0I*5GB6)@</ Rs/IF soft%are#>name2; // plateform // %e use "if"F as plateforms can be combined if 0soft%are#>info.plateform N 3+2 printf0I 3+I2; if 0soft%are#>info.plateform N 4)+2 printf0I 4)+I2; printf0I;I2; // 5* // %e use "if"F as os can be combined if 0soft%are#>info.os N 6,7856*2 printf0I 6,7856*I2; if 0soft%are#>info.os N 85*2 printf0I 85*I2; if 0soft%are#>info.os N 5*_:2 printf0I 5*#:I2; printf0I;I2; // cate-ory // %e use "s%itch"F as cate-ories can"t be combined switch0soft%are#>info.cate-ory2 { case 8,*)**<4=>?/ printf0I 8,*)**<4=>?I2; break; case @<+5A<@?/ printf0I @<+5A<@?I2; break; case +@?3B5C@)3D?/ printf0I +@?3B5C@)3D?I2; break; $ printf0IPnI2; $ // print product information bool print_product0product_t Qproduct2 { if 0O chec&_product0product#>cate-ory22 return false; printf0I3@58M+B R19:/ IF product#>id2; switch0product#>cate-ory2 { case =55E/ print_boo&0Nproduct#>p.boo&2; break; case *5GB6)@</ print_soft%are0Nproduct#>p.soft%are2; break; $ return true;


// our main pro-ram // ================ void main02 { // print customers listinprintf0I+M*B54<@*/PnI2; customer_t Qcustomer = customers; while 0customer#>id O= 12 { print_customer0customer2; customerSS; $ // allocate a small array to store our products in memory product_t Qproducts = 0product_tQ2 malloc03@58M+B*_+5M7B Q sizeof0product_t22; // insert our products products[1 .id = '; products[1 .cate-ory = =55E; products[1 .p.boo& = ida_boo&; products[' .id = 2; products[' .cate-ory = *5GB6)@<; products[' .p.soft%are = soft%ares.softs[1 ; // %e insert soft%ares from our // .ariable len-th structure products[2 .id = 3; products[2 .cate-ory = *5GB6)@<; products[2 .p.soft%are = soft%ares.softs[' ; products[3 .id = 9; products[3 .cate-ory = *5GB6)@<; products[3 .p.soft%are = soft%ares.softs[2 ; // .erify and print each product printf0IPn3@58M+B*/PnI2; for 0int i = 1; i < 3@58M+B*_+5M7B; iSS2 { // chec& .alidity of the product cate-ory if 0O chec&_product0products[i .cate-ory22 { printf0I,n.alid product OOOPnI2; break; $ // chec& .alidity of soft%ares if 0products[i .cate-ory == *5GB6)@<2 { if 0O chec&_soft%are0products[i .p.soft%are.info22 { printf0I,n.alid soft%are OOOPnI2; break; $ $ // and print the product print_product0Nproducts[i 2; $ $ free0products2;


Running this program gives us the following result:

+M*B54<@*/ +M*B54<@ 111'/ 3eter 0m2 +M*B54<@ 1112/ John 0m2 +M*B54<@ 1113/ 4ary 0f2 3@58M+B*/ 3@58M+B 111'/ =55E/ ,8) Kuic&*tart Cuide 3@58M+B 1112/ *5GB6)@</ ,8) 3ro/ 3+; 6,7856* 85*; 8,*)**<4=>? 3@58M+B 1113/ *5GB6)@</ 3hoto@escue/ 3+ 4)+; 6,7856* 5*#:; @<+5A<@? 3@58M+B 1119/ *5GB6)@</ a+rypt/ 3+; 6,7856*; +@?3B5C@)3D?

Let's load the compiled binary file in a database to analyze it.


Fundamental types.

It is easy to associate a fundamental type to data: press 'D' on an undefined byte to cycle through the db, dw and dd data types.

You can define how IDA cycles through data types through the Setup data types command in the Options menu. Just tick the data types you want IDA to cycle through. Let's add Float to the data carousel: pressing D on a data previously defined as dd will convert it to a float.


Notice that the size of the data changes according to its type. Here, we pressed 'D' on a defined byte (to convert it to a word), but since the next byte (db 0) is already defined, IDA prompts us for a confirmation.

This default behavior can be modified through the Convert already defined bytes option in the Options dialog.

To undefine already defined data, press the 'U' key.


Operand formats.

Once the type of the data has been specified, one might want to display it using a particular format. IDA proposes different commands to change the format. Let's have a look at the more interesting ones. Please note that all these commands can also be applied to instruction operands. Through the Number commands found on the Operands toolbar, we switch from one numeric format to another.

We can print leading zeros for numeric values.


It is also possible to change the sign of an operand and to perform a bitwise negation.

Finally, if the format you want isn't there, it can be manually defined.


Characters and strings.

Most programs contain strings. To specify that defined data must be displayed as chars, we use the string command from the Operands toolbar.

There are, of course, lots of different string types. IDA supports most of them, through the Strings commands. Once you create a string, IDA automatically gives a name to its address. Let's apply this to some strings found in our program.


What if you aren't disassembling a program? The ASCII string style item from the Options menu allows you to change the default string type associated with the 'A' key, or to define special string formats with unusual termination characters.


Arrays.

In C, ASCII strings are represented as arrays of chars. How does IDA deal with arrays? We begin by defining the first element of the array with the usual commands. In this case, we set the first element type as byte and set its format as char. Then we press the '*' key or use the Array command from the Edition toolbar to create the actual array. A dialog box opens, allowing us to specify various settings.

IDA suggests an array size, based on the maximum size it can use without undefining existing data. You can specify the number of elements to put on a line, and Element width allows you to align items. The Use dup construct option allows to group similar consecutive bytes and the Display index option displays array indexes as comments.


For example, if we create an array of 56 elements, with 7 elements on a line, a width of 6 for each element, without dup constructs, and with index comments, we obtain the following array:

When IDA Pro can't represent bytes in the selected type — chars in this case — it highlights them in red. It is also possible to select a range: IDA will then propose to create a suitable array.


Enumerated types.

Remember the product_category_t type defined in the program? Let's try to define it in IDA by using Enumerations.

First, we open the Enumerations window and create a new enumeration type.

We add our enumeration values.


In the check_product() function, we can format operands using this enumeration. Right click on the numeric value to get the popup menu, and select Symbolic constant: IDA will list all enumeration values matching the current numeric value.

Once applied, we get the following result.


Bitfields.

Now, let's try to define the bitfields defined in the software_info_t structure from our program. From IDA's point of view, bitfields are only special enumeration types. We select the Bitfield option in the enumeration type creation dialog box.

Remark: we have two different types of bitfields in our program. The plateform and os bitfields contain a mask of combined values (by using the or boolean operator): a product can exist on several plateforms or OS. On the other hand, the category bitfield contains a number representing one category: at the same time, a product can only belong to one category! For IDA, a bitfield can only contain one value in a specified mask. So, to represent the plateform and category bitfields, we have to create tiny bitfields of one bit for each value, to allow combining those.


Now, we can create the category bitfield, with a mask value of 0x3 (2 bits). We specify a member name, a member value and the bitfield mask. We can also specify a mask name: this one will not be used by IDA, it is only intended as a memory helper.

Once all bitfields are inserted, we get the following definition.


Use the Enum member command from the Operands toolbar to apply those bitfield definitions to our software data.


"tructure types.

Our program contains lots of structures. Let's declare these in IDA, to see how it can improve the disassembly's readability. First, we must open the Structures window and create a new structure type.

We define our structure members as if we were defining data in a disassembly view. Let's define the first member of the software_t structure. Press 'D' until we obtain a dd, indicating the value is stored in a dword. We specify its format as our previously defined software_info_t enumeration, and we give it an appropriate name, info, by using the Rename command.


We define the second member of our structure by using the usual ASCII command. In this case, IDA opens a special dialog box asking us the size of the string.


We can also create a structure type from already defined data. For example, suppose we defined data in a range with particular types and names precisely representing our customer_t structure. We can create this structure in IDA from these definitions, by selecting the adequate range and using the Create struct from data command.

Once we run this command, IDA creates a corresponding structure and opens the Structures window. To obtain a perfect structure type, we just correct the length of the name member to 32 bytes (as defined in our source code) by pressing the 'A' key, and give the structure a more accurate name. What can we do with these structure types? IDA offers us two possibilities:

Apply structure types to initialized data in the program. Convert operands as offsets inside structures.

We will present both possibilities in the continuation of this tutorial.


"tructure varia#les and structure arrays.

Let's define data containing information about one of our customers, John, as a customer_t structure. We put the cursor on the first byte of the data representing the structure, and use the Struct var command.

We obtain a new structure variable. Notice how IDA displays structure member names as comments.


By looking at our source code, we know customers is an array containing 4 elements. We also previously defined Peter and John as customer_t structures. Let's undefine the John structure, and create our customers array, by pressing the '*' key on the Peter structure. IDA opens the array settings dialog box and detects that the maximum array we can create contains a maximum of 4 elements.

Let's create the array, and rename it properly.


Union types and structures within structures.

IDA allows you to define unions as easily as you define classical structures. Let's try to define the product_u union. We suppose the book_t and software_t structures are already defined. For IDA, unions are special structures: so we open the Structures window and click on the Add struct type command. In this dialog box, we select the Create union option.


We can create union members by using all regular data definition commands. In our case, we define a book member of book_t type, and a software member of software_t type.

It is also possible to nest structures within structures. In fact, we just did it to create our union members in the previous example. Remember: IDA considers unions to be nothing more than special structures. Simply put your mouse over a member's structure name to see how its associated structure type is declared.


Variable size structure types.

Now, let's have a look at the softwares_t structure. The length of the softs field of this structure is not specified. To create such structures in a disassembly, we must create a special kind of structure called a variable sized structure. Such structures are created just as a normal structure: the only difference is that the last member of the structure should be declared as an array with 0 elements.

Since the structure size can't be calculated by IDA, we specify the desired structure size by selecting an area.


Notice how IDA applies all type information and adds member names as comments.


"tructure offsets.

Now that we know how to declare the unions and structures we need, let's have a look at how we can transform numeric operands to offsets inside those structures. In the print_customer() function, we know that the only argument is a pointer to a customer_t structure. The EAX register is initialized with the value of this pointer: it points to a customer_t structure. Therefore, we deduce that all operands of the form [EAX+...] represent in fact offsets in the customer_t structure.

To format each operand as a structure offset, we right click on it: IDA suggests all possible structure offsets.


Once we have applied this command to each offset, the disassembly becomes more understandable.

The print_software() function is another example of this: the EBX register is initialized with the value of a pointer to a software_t structure. Remark this EBX register is used throughout the function to access this structure. Fear not, in a single operation IDA can change all the offsets in a selection: click on the Offset (struct) command in the Operands toolbar.


The Structure offsets dialog box opens. Let's select the EBX register in the list of available registers. The tree view on the left of the dialog box shows all structures defined in IDA. The list on the right shows all operands related to EBX. If we select a structure in the tree view, IDA formats the selected operands as offsets into this structure. Different symbols help to determine if all selected operands match existing offsets for the selected structure. In our case, the software_t structure seems to match all our operands.

Once applied, we obtain the following result:


Union offsets.

The print_product() function uses the EBX register to point to a product_t structure. At the end of this function, depending on the product category, we call the adequate function to print product information. But the structure offset will have a different representation if it represents an offset in the first member of the product_u union or an offset in the second member of this union! To choose the adequate member, use the Select union member command from the Edit struct menu. In the dialog, we select the desired union member.

And here is the result.


The Structure offsets dialog shows how choosing a union member affects the offset representation. If we select an area and open this dialog, we remark that union types are preceded by a * symbol.

If we expand the adequate branch of the tree, we can choose the union member that represents operand offsets. Once a union member is selected (software in our case), IDA shows by a green symbol that the offset matches a record in this union member.

Finally, make full use of hints in the tree view to see structure type declarations, as in the previous screenshot.


Address offsets.

IDA can also represent operands as offsets in the disassembled program. In the following example, the orange color indicates a possible valid reference.

Use the Offset button from the Operands toolbar to convert this operand to an offset.


The final disassembly.

To end this tutorial, we propose our final interactively disassembled code.


; ############################################################# customer_t struc ; 0siHeof=1!2(2 id dd T name db 32 dup0T2 ; strin-0+2 se! dd T ; char customer_t ends ; ############################################################# soft%ares_t struc ; 0siHeof=1!9F .ariable siHe2 count dd T softs soft%are_t 1 dup0T2 soft%ares_t ends ; ############################################################# boo&_t struc ; 0siHeof=1!(12 title db '2( dup0T2 ; strin-0+2 boo&_t ends ; ############################################################# soft%are_t struc ; 0siHeof=1!292 info dd T ; enum soft%are_info_t name db 32 dup0T2 ; strin-0+2 soft%are_t ends ; ############################################################# product_u union ; 0siHeof=1!(12 boo& boo&_t T soft%are soft%are_t T product_u ends ; ############################################################# product_t struc ; 0siHeof=1!((2 id dd T cate-ory dd T ; enum product_cate-ory_t p product_u T product_t ends ; ############################################################# ; enum product_cate-ory_t =55E = 1 *5GB6)@< = ' D)@86)@< = 2 ; ############################################################# ; enum soft%are_info_t 0bitfield2 3+ = ' 4)+ = 2 6,7856* = 9 85* = ( 5*_: = '1h cate-ory = ;1h 8,*)**<4=>? = 21h @<+5A<@? = 91h +@?3B5C@)3D? = ;1h


; ; ; ; ; ; ; ; ; ; ; ; ; ; ;

S#########################################################################S U Bhis file is -enerated by Bhe ,nteracti.e 8isassembler 0,8)2 U U +opyri-ht 0c2 211V by 8ata@escue sa/n.F <idaWdatarescue.com> U U >icensed to/ <ric <ericWdatarescue.be> U S#########################################################################S Gile 7ame / +/P,8)P3resentationsP8ataPdata.e!e Gormat / 3ortable e!ecutable for ,=4 3+ 03<2 *ection '. 0.irtual address 1111'1112 Airtual siHe / 1111X111 0 3;(;9.2 *ection siHe in file / 1111(<11 0 3;3V2.2 5ffset to ra% data for section/ 11111;11 Gla-s ;1111121/ Be!t <!ecutable @eadable )li-nment / '; bytes T

unicode macro pa-eFstrin-FHero irpc cF<strin-> db "Nc"F pa-e endm ifnb <Hero> d% Hero endif endm .;(;p .mm! .model flat ; ########################################################################### ; *e-ment type/ 3ure code ; *e-ment permissions/ @ead/<!ecute _te!t se-ment para public "+58<" use32 assume cs/_te!t ;or- 91'111h ; [+5>>)3*<8 )@<) .te!t'. 3@<** E<?3)8 ISI B5 <:3)78 ; UUUUUUUUUUUUUUU * M = @ 5 M B , 7 < UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

; )ttributes/ bp#based frame ; int __cdecl chec&_soft%are0soft%are_info_t soft%are_info2 chec&_soft%are proc near ; +58< :@<G/ mainS'1(p soft%are_info= byte ptr push mo. mo. mo. and test YH mo. and test YnH (

ebp ebpF esp alF ' dlF [ebpSsoft%are_info ed!F 3+ or 4)+ dlF 3+ short not_3+ clF [ebpSsoft%are_info ec!F 3+ or 4)+ clF 4)+ short end


mo. dlF [ebpSsoft%are_info shr ed!F 2 and ed!F 06,7856* or 85* or 5*_:2 >> 2 test dlF 5*_: >> 2 YH short end !or ea!F ea! Ymp short end ; ########################################################################### not_3+/ mo. and test YH mo. and test YnH mo. shr and test YnH mo. shr and test YH ; +58< :@<G/ chec&_soft%areS<Y clF [ebpSsoft%are_info ec!F 3+ or 4)+ clF 4)+ short not_4)+ dlF [ebpSsoft%are_info ed!F 3+ or 4)+ dlF 3+ short end clF [ebpSsoft%are_info ec!F 2 ec!F 06,7856* or 85* or 5*_:2 >> 2 clF 6,7856* >> 2 short not_%indo%s dlF [ebpSsoft%are_info ed!F 2 ed!F 06,7856* or 85* or 5*_:2 >> 2 dlF 85* >> 2 short end

not_%indo%s/ ; +58< :@<G/ chec&_soft%areS9GY !or ea!F ea! Ymp short end ; ########################################################################### not_4)+/ !or ea!F ea! ; +58< :@<G/ chec&_soft%areS3;Y

end/ ; +58< :@<G/ chec&_soft%areS'XY chec&_soft%areS2ZY ... !or ed!F ed! mo. dlF al mo. ea!F ed! pop ebp retn chec&_soft%are endp ; ########################################################################### ali-n 9


; UUUUUUUUUUUUUUU * M = @ 5 M B , 7 < UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU ; )ttributes/ bp#based frame ; int __cdecl chec&_product0product_cate-ory_t product_cate-ory2 chec&_product proc near ; +58< :@<G/ print_productS)p mainS8(p product_cate-ory= d%ord ptr push mo. push mo. cmp YnH !or push call pop (

ebp ebpF esp eb! blF ' [ebpSproduct_cate-ory F D)@86)@< short not_hard%are eb!F eb! offset a6e8onB*ellDard%areGorBhe ; format _printf ec! ; +58< :@<G/ chec&_productS)Y

not_hard%are/ !or ea!F ea! mo. alF bl pop eb! pop ebp retn chec&_product endp

; UUUUUUUUUUUUUUU * M = @ 5 M B , 7 < UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU ; )ttributes/ bp#based frame ; .oid __cdecl print_customer0customer_t Qcustomer2 print_customer proc near ; +58< :@<G/ mainS'Xp customer= d%ord ptr (

push ebp mo. ebpF esp mo. ea!F [ebpScustomer mo.s! ed!F byte ptr [ea!Scustomer_t.se! push ed! lea ec!F [ea!Scustomer_t.name push ec! push [ea!Scustomer_t.id push offset a+ustomer19!*+ ; format call _printf add espF '1h pop ebp retn print_customer endp


; UUUUUUUUUUUUUUU * M = @ 5 M B , 7 < UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU ; )ttributes/ bp#based frame ; .oid __cdecl print_boo&0boo&_t Qboo&2 print_boo& proc near ; +58< :@<G/ print_productS3(p boo&= d%ord ptr (

push ebp mo. ebpF esp push [ebpSboo& push offset a=oo&* ; format call _printf add espF ( pop ebp retn print_boo& endp ; ########################################################################### ali-n 9 ; UUUUUUUUUUUUUUU * M = @ 5 M B , 7 < UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU ; )ttributes/ bp#based frame ; .oid __cdecl print_soft%are0soft%are_t Qsoft%are2 print_soft%are proc near ; +58< :@<G/ print_productS99p soft%are= d%ord ptr (

push ebp mo. ebpF esp push eb! push esi mo. eb!F [ebpSsoft%are mo. esiF offset a6e8onB*ellDard%areGorBhe ; I6e don"t sell hard%are for the moment..I... lea ea!F [eb!Ssoft%are_t.name push ea! lea ed!F 0a*oft%are* # a6e8onB*ellDard%areGorBhe2[esi ; I6e don"t sell hard%are for the moment..I... push ed! ; format call _printf add espF ( mo. and test YH lea for the push call pop clF byte ptr [eb!Ssoft%are_t.info ec!F 3+ or 4)+ clF 3+ short not_pc ea!F 0a3c # a6e8onB*ellDard%areGorBhe2[esi moment..I... ea! ; format _printf ec!

; I6e don"t sell hard%are


not_pc/ mo. and test YH lea for the push call pop

dlF byte ptr [eb!Ssoft%are_t.info ed!F 3+ or 4)+ dlF 4)+ short not_mac ec!F 0a4ac # a6e8onB*ellDard%areGorBhe2[esi moment..I... ec! ; format _printf ec!

; I6e don"t sell hard%are

not_mac/ ; I6e don"t sell hard%are for the moment..I... lea ea!F 0asc_91)3'= # a6e8onB*ellDard%areGorBhe2[esi push ea! ; format call _printf pop ec! mo. dlF byte ptr [eb!Ssoft%are_t.info shr ed!F 2 and ed!F 06,7856* or 85* or 5*_:2 >> 2 test dlF 6,7856* >> 2 YH short not_%indo%s lea ec!F 0a6indo%s # a6e8onB*ellDard%areGorBhe2[esi ; I6e don"t sell hard%are for the moment..I... push ec! ; format call _printf pop ec! not_%indo%s/ mo. alF byte ptr [eb!Ssoft%are_t.info shr ea!F 2 and ea!F 06,7856* or 85* or 5*_:2 >> 2 test alF 85* >> 2 YH short not_dos lea ed!F 0a8os # a6e8onB*ellDard%areGorBhe2[esi for the moment..I... push ed! ; format call _printf pop ec! not_dos/ mo. clF byte ptr [eb!Ssoft%are_t.info shr ec!F 2 and ec!F 06,7856* or 85* or 5*_:2 >> 2 test clF 5*_: >> 2 YH short not_os_! lea ea!F 0a5s: # a6e8onB*ellDard%areGorBhe2[esi for the moment..I... push ea! ; format call _printf pop ec!

; I6e don"t sell hard%are

; I6e don"t sell hard%are


not_os_!/ ; I6e don"t sell hard%are for the moment..I... lea ed!F 0asc_91)33' # a6e8onB*ellDard%areGorBhe2[esi push ed! ; format call _printf pop ec! mo. clF byte ptr [eb!Ssoft%are_t.info shr ec!F V and ec!F cate-ory >> V dec ec! YH short 8,*)**<4=>? dec ec! YH short @<+5A<@? dec ec! YH short +@?3B5C@)3D? Ymp short end ; ########################################################################### 8,*)**<4=>?/ ; I6e don"t sell hard%are for the moment..I... lea ea!F 0a8isassembly # a6e8onB*ellDard%areGorBhe2[esi push ea! ; format call _printf pop ec! Ymp short end ; ########################################################################### @<+5A<@?/ ; I6e don"t sell hard%are for the moment..I... lea ed!F 0a@eco.ery # a6e8onB*ellDard%areGorBhe2[esi push ed! ; format call _printf pop ec! Ymp short end ; ########################################################################### +@?3B5C@)3D?/ ; I6e don"t sell hard%are for the moment..I... lea ec!F 0a+rypto-raphy # a6e8onB*ellDard%areGorBhe2[esi push ec! ; format call _printf pop ec! end/ ; I6e don"t sell hard%are for the moment..I... lea ea!F 0asc_91)3V( # a6e8onB*ellDard%areGorBhe2[esi push ea! ; format call _printf pop ec! pop esi pop eb! pop ebp retn print_soft%are endp ; ########################################################################### ali-n 9


; UUUUUUUUUUUUUUU * M = @ 5 M B , 7 < UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU ; )ttributes/ bp#based frame ; int __cdecl print_product0product_t Qproduct2 print_product proc near ; +58< :@<G/ mainS'2(p product= d%ord ptr (

push ebp mo. ebpF esp push eb! mo. eb!F [ebpSproduct push [eb!Sproduct_t.cate-ory ; product_cate-ory call chec&_product pop ec! test ea!F ea! YnH short chec&_product_o& !or ea!F ea! pop eb! pop ebp retn ; ########################################################################### chec&_product_o&/ ; +58< :@<G/ print_productS'2Y push [eb!Sproduct_t.id push offset a3roduct19! ; format call _printf add espF ( mo. ed!F [eb!Sproduct_t.cate-ory sub ed!F ' Yb short case_boo& YH short case_soft%are Ymp short default ; ########################################################################### case_boo&/ ; +58< :@<G/ print_productS2<Y add eb!F product_t.p.boo&.title push eb! ; boo& call print_boo& pop ec! Ymp short default ; ########################################################################### case_soft%are/ ; +58< :@<G/ print_productS31Y add eb!F product_t.p.soft%are.info push eb! ; soft%are call print_soft%are pop ec! default/ mo. alF ' pop eb! pop ebp retn print_product endp ; +58< :@<G/ print_productS32Y print_productS3<Y

; ########################################################################### ali-n 9


; UUUUUUUUUUUUUUU * M = @ 5 M B , 7 < UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU ; )ttributes/ bp#based frame ; .oid __cdecl main02 main proc near ; 8)B) :@<G/ .data/1191)181o push ebp mo. ebpF esp push eb! push esi push edi push offset a+ustomers ; format call _printf pop ec! mo. eb!F offset customers Ymp short loc_91'3Z; ; ########################################################################### loop_print_customer/ ; +58< :@<G/ mainS2VY push eb! ; customer call print_customer pop ec! add eb!F 91 loc_91'3Z;/ ; +58< :@<G/ mainS';Y cmp [eb!Scustomer_t.id F 1 YnH short loop_print_customer push V99 ; siHe call _malloc pop ec! mo. eb!F ea! mo. [eb!Sproduct_t.id F ' !or ea!F ea! ; =55E mo. [eb!Sproduct_t.cate-ory F ea! mo. esiF offset a,daKuic&startC ; I,8) Kuic&*tart CuideI lea ediF [eb!Sproduct_t.p.boo&.title mo. ec!F 32 rep mo.sd mo. d%ord ptr [eb!Sproduct_t[' .id F 2 mo. d%ord ptr [eb!Sproduct_t[' .cate-ory F *5GB6)@< mo. esiF offset soft%ares.softs lea ediF [eb!Sproduct_t[' .p.soft%are mo. ec!F X rep mo.sd mo. d%ord ptr [eb!Sproduct_t[2 .id F 3 mo. d%ord ptr [eb!Sproduct_t[2 .cate-ory F *5GB6)@< mo. esiF 0offset soft%ares.softs.infoS29h2 lea ediF [eb!Sproduct_t[2 .p.soft%are mo. ec!F X rep mo.sd mo. d%ord ptr [eb!Sproduct_t[3 .id F 9 mo. d%ord ptr [eb!Sproduct_t[3 .cate-ory F *5GB6)@< mo. esiF 0offset soft%ares.softs.infoS9(h2 lea ediF [eb!Sproduct_t[3 .p.soft%are mo. ec!F X rep mo.sd push offset a3roducts ; format call _printf pop ec! !or esiF esi


loop_.erify_print_product/ ; +58< :@<G/ mainS'32Y mo. ea!F esi shl ea!F 9 add ea!F esi push [eb!Sea!Q(Sproduct_t.cate-ory ; product_cate-ory call chec&_product pop ec! test ea!F ea! YnH short product_is_.alid push offset a,n.alid3roduct ; format call _printf pop ec! Ymp short e!it ; ########################################################################### product_is_.alid/ ; +58< :@<G/ mainS<1Y mo. ed!F esi shl ed!F 9 add ed!F esi cmp [eb!Sed!Q(Sproduct_t.cate-ory F *5GB6)@< YnH short print_product mo. ec!F esi shl ec!F 9 add ec!F esi push [eb!Sec!Q(Sproduct_t.p.soft%are.info ; soft%are_info call chec&_soft%are pop ec! test ea!F ea! YnH short print_product push offset a,n.alid*oft%ar ; format call _printf pop ec! Ymp short e!it ; ########################################################################### print_product/ ; +58< :@<G/ mainSG=Y mainS''1Y imul ea!F esiF ((h add ea!F eb! push ea! ; product call print_product pop ec! inc esi cmp esiF 9 Yl short loop_.erify_print_product e!it/ push eb! call _free pop ec! pop edi pop esi pop eb! pop ebp retn main endp ; +58< :@<G/ mainS<8Y mainS''8Y ; bloc&


; ; ; ; ; ; ; ;

[+5>>)3*<8 )@<) .te!t2. 3@<** E<?3)8 ISI B5 <:3)78 *ection 2. 0.irtual address 1111)1112 Airtual siHe / 11113111 0 '22((.2 *ection siHe in file / 11112(11 0 '1291.2 5ffset to ra% data for section/ 1111X911 Gla-s +1111191/ 8ata @eadable 6ritable )li-nment / '; bytes T ###########################################################################

; *e-ment type/ 3ure data ; *e-ment permissions/ @ead/6rite _data se-ment para public "8)B)" use32 assume cs/_data ;or- 91)111h ; [+5>>)3*<8 )@<) .data'. 3@<** E<?3)8 ISI B5 <:3)78 customers customer_t <'F "3eter"F "m"> ; 8)B) :@<G/ mainS''o customer_t <2F "John"F "m"> customer_t <3F "4ary"F "f"> customer_t <1> a,daKuic&startC db ",8) Kuic&*tart Cuide"F1 ; 8)B) :@<G/ mainS3Go db ;=h dup012 soft%ares dd 3 ; count ; 8)B) :@<G/ mainS;2o dd 3+ or 6,7856* or 85* or 8,*)**<4=>?; softs.info db ",8) 3ro"F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1; softs.name dd 3+ or 4)+ or 6,7856* or 5*_: or @<+5A<@?; softs.info db "3hoto@escue"F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1; softs.name dd 3+ or 6,7856* or +@?3B5C@)3D?; softs.info db "a+rypt"F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1; softs.name a6e8onB*ellDard%areGorBhe db "6e don"F2ZhF"t sell hard%are for the moment..."F1)hF1 ; 8)B) :@<G/ chec&_productS<o print_soft%areS(o ... a+ustomer19!*+ db "+M*B54<@ R19:/ Rs 0Rc2"F1)hF1 ; 8)B) :@<G/ print_customerS''o a=oo&* db "=55E/ Rs"F1)hF1 ; 8)B) :@<G/ print_boo&S;o a*oft%are* db "*5GB6)@</ Rs/"F1 ; 8)B) :@<G/ print_soft%areS''r a3c db " 3+"F1 ; 8)B) :@<G/ print_soft%areS2Zr a4ac db " 4)+"F1 ; 8)B) :@<G/ print_soft%areS3=r asc_91)3'= db ";"F1 ; 8)B) :@<G/ print_soft%are/not_macr a6indo%s db " 6,7856*"F1 ; 8)B) :@<G/ print_soft%areSV+r a8os db " 85*"F1 ; 8)B) :@<G/ print_soft%areSZ2r a5s: db " 5*#:"F1 ; 8)B) :@<G/ print_soft%areS(Xr asc_91)33' db ";"F1 ; 8)B) :@<G/ print_soft%are/not_os_!r a8isassembly db " 8,*)**<4=>?"F1 ; 8)B) :@<G/ print_soft%are/8,*)**<4=>?r a@eco.ery db " @<+5A<@?"F1 ; 8)B) :@<G/ print_soft%are/@<+5A<@?r a+rypto-raphy db " +@?3B5C@)3D?"F1 ; 8)B) :@<G/ print_soft%are/+@?3B5C@)3D?r asc_91)3V( db 1)hF1 ; 8)B) :@<G/ print_soft%are/endr a3roduct19! 
db "3@58M+B R19:/ "F1 ; 8)B) :@<G/ print_productS'=o a+ustomers db "+M*B54<@*/"F1)hF1 ; 8)B) :@<G/ mainS;o a3roducts db 1)h ; 8)B) :@<G/ mainS+1o db "3@58M+B*/"F1)hF1 a,n.alid3roduct db ",n.alid product OOO"F1)hF1 ; 8)B) :@<G/ mainS<2o a,n.alid*oft%ar db ",n.alid soft%are OOO"F1)hF1 ; 8)B) :@<G/ mainS''2o ; [+5>>)3*<8 )@<) .data2. 3@<** E<?3)8 ISI B5 <:3)78 ; ########################################################################### ; [1111'111 =?B<*/ +5>>)3*<8 *<C4<7B _tls. 3@<** E<?3)8 ISI B5 <:3)78 ; ########################################################################### ; [1111'111 =?B<*/ +5>>)3*<8 *<C4<7B _rdata. 3@<** E<?3)8 ISI B5 <:3)78 ; ########################################################################### ; [111111+9 =?B<*/ +5>>)3*<8 *<C4<7B _idata. 3@<** E<?3)8 ISI B5 <:3)78


This tutorial is Data!escue 3AE'F ;,,G !evision H.H Data!escue 3AE'F 6, >ld .iercot 6,,, #iIge, >elgium T: C:;868:665GH, 0: C:;868:665GH6

