Thread: IDA

  1. #1


    I've noticed that 'real' reversers use IDA a lot, but I just can't seem to get my head around the real advantages of it. I should say at this point that I'm not that experienced, but I've learnt quite a lot and had good success with the various pieces of code that I've tried to reverse. That said, I use Olly 'cos I can see what's going on in real time. What am I missing? Am I simply still too inexperienced to be able to read a dead-list straight off? I've not seen any tuts for IDA, so I'm guessing that's probably it. Any practical tips on getting the most from IDA would be very welcome. I hate it when I think I'm missing out on something!!

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    There are many great tutorials for IDA, including (someone correct me, off the top of my head) Mammon's IDA primer. Start clicking links in the "Useful Places" table below.
    Still here...

  3. #3
    Tip 1:
    Scroll down and you will find links to other boards in China.
    Look in their e-books links.
    There are a few books that cover disassembling and IDA in depth.

    Tip 2:

    For quick cracking, Wdasm works well, until it does not work anymore...
    For more serious reversing you need IDA. You can customize [Hey Laola, that "costumize" spelling is quite close to my native language, Spanish] IDA, use its script language to make it do jobs that WDASM authors would never have dreamt of.

    Wdasm disassembly is linear, just like HIEW: it blindly back-translates from bytes to opcodes, regardless of the code flow.

    IDA disassembly is intelligent: it recognizes the meaning of the instructions, and it follows the code flow and the code branching.

    With FLIRT, IDA recognizes a lot of library and system calls that in WDASM would be meaningless and clueless: call [004562334]. The same line in IDA may well be disassembled to: call [_StrLen].
    Last edited by naides; June 13th, 2005 at 15:47.
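    The linear-versus-flow-following distinction drawn in the post above is the core of why a dead listing from IDA can differ from one produced by a byte-by-byte disassembler. The following is an added example, not code from this thread or from IDA: a toy decoder for a handful of x86 opcodes, run once as a linear sweep and once as a recursive descent from an entry point. The instruction subset, the byte buffer and the stray data byte at offset 7 are all constructed for the demonstration.

```python
# Added example (not from the thread): a toy x86 decoder that contrasts a
# linear-sweep disassembler with a flow-following (recursive-descent) one.
# The instruction subset and the byte buffer below are constructed for the demo.

def _rel8(b):
    """Interpret one byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b

def decode(code, off):
    """Decode one instruction at `off`.

    Returns (text, length, successors), where successors are the offsets
    control can flow to next. Unknown or truncated bytes decode as `db`.
    """
    op = code[off]
    if op == 0x90:
        return ("nop", 1, [off + 1])
    if op == 0xC3:
        return ("ret", 1, [])
    if op == 0x31 and off + 1 < len(code) and code[off + 1] == 0xC0:
        return ("xor eax, eax", 2, [off + 2])
    if op in (0xEB, 0x74) and off + 1 < len(code):
        target = off + 2 + _rel8(code[off + 1])
        if op == 0xEB:
            return (f"jmp {target:#x}", 2, [target])
        return (f"jz {target:#x}", 2, [off + 2, target])
    if op == 0xB8 and off + 5 <= len(code):
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return (f"mov eax, {imm:#x}", 5, [off + 5])
    return (f"db {op:#04x}", 1, [off + 1])

def linear_sweep(code):
    """Decode every byte in order, the way a W32Dasm/HIEW-style listing does."""
    listing, off = {}, 0
    while off < len(code):
        text, length, _ = decode(code, off)
        listing[off] = text
        off += length
    return listing

def recursive_descent(code, entry):
    """Decode only what is reachable from `entry`, following jumps and branches."""
    listing, work = {}, [entry]
    while work:
        off = work.pop()
        if off in listing or not (0 <= off < len(code)):
            continue
        text, _, succ = decode(code, off)
        listing[off] = text
        work.extend(succ)
    return listing

# Constructed buffer: a stray 0xB8 data byte at offset 7 sits in a gap that
# execution jumps over. A linear sweep decodes it as a 5-byte `mov eax, imm32`
# and swallows the real `xor`/`nop` instructions that follow.
CODE = bytes([
    0x31, 0xC0,        # 0x00: xor eax, eax
    0x74, 0x01,        # 0x02: jz 0x05
    0xC3,              # 0x04: ret
    0xEB, 0x01,        # 0x05: jmp 0x08
    0xB8,              # 0x07: data byte, never executed
    0x31, 0xC0,        # 0x08: xor eax, eax
    0x90, 0x90,        # 0x0a: nop; nop
    0xC3,              # 0x0c: ret
])

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(CODE)),
                          ("recursive descent", recursive_descent(CODE, 0))):
        print(f"--- {name}")
        for off in sorted(listing):
            print(f"{off:#06x}  {listing[off]}")
```

    The linear sweep reports an instruction at offset 7 (`mov eax, 0x9090c031`) and never sees the `xor` at offset 8, while the recursive descent decodes offsets 8, 10 and 11 and leaves offset 7 undecoded, which is the correct reading of the bytes. Real disassemblers combine both strategies and add heuristics for indirect jumps and data-in-code, but the difference in what each approach trusts is exactly the one the post describes.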

  4. #4
    OllyDbg and IDA are used for almost entirely different things. OllyDbg is second to none (no, I don't like SoftICE) at live tracing and the likes, whereas IDA is far more powerful at the heuristic side of disassembly. I tend to use OllyDbg more towards the beginning of the reversing process when I'm trying to locate sensitive pieces of code (nobody can keep track of registers and variables in their heads when the program is far jumping all over the place). My methods rely more on IDA later on, once I've isolated the algorithm(s) demanding the most attention.

    IDA can save you a big headache when you have to identify the finer details of an algorithm, particularly a recursive/iterative one. The ability to give names to memory addresses (primarily variables and functions) and have IDA automatically mark all references clearly is alone a winning trait. I'm sure you can also see the benefits of 'modular breakdown' (effectively recovering the functional structure of the code) and the ability to use a fairly flexible scripting engine to automate the more tedious tasks.

    I'd say my time is divided 4:1 in Olly/IDA respectively. This is not to say that OllyDbg is four times as useful, but perhaps one could go as far as saying that IDA possesses four times the efficiency (when used correctly) of OllyDbg. Of course, it's hugely unfair to make this comparison, so don't hold me to anything.

  5. #5
    I use the free version of IDA, and even with the good stuff stripped out it works better than W32Dasm. I've been messing with OllyDbg, but it always seems to crash the program when it breaks, as does W32Dasm, so I have to get that squared away one of these days. I'd think the more tools you become comfortable with, the better off you'll be, so experiment.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Thanks for the comments...

    I think I didn't give it a fair crack of the whip. I've just forced myself to use IDA to reverse a simple algo for a piece of audiosoft. I think the Olly/IDA combo is the best. I could see where a name/serial check was made in Olly, but building the algo in reverse was made easy(er) once I used IDA and (re)named and commented almost everything that I could, to the point of overkill. That said, once I had done this, any half-wit newbie (me?) could have read it with ease. Building a keygen was then fairly simple once I had a good understanding of what was happening.

    So the enlightenment for me was: readability.

    Scripting looks interesting, but that's for another day I think.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Using IDA, I applied a sig file to the program.
    I saw IDA say that the sig has been applied and there are 31 functions. My question is:
    Does 31 mean that the program calls functions which the sig file recognized 31 times? Is that right?

    The sig file I applied is the Sentinel SuperPro sig. I tried to search through the .text segment to find something related to sprofindfirst, but not found! What am I doing wrong?
    How can I find the sprofindfirstunit CALL?
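    The signature-file question above, and the FLIRT remark in post #3, both come down to what a signature actually matches. As an added illustration that is not part of this thread and not IDA's own code, here is a toy FLIRT-style matcher: a signature is a byte pattern for the start of a function, with wildcards (`??`) over bytes that change at link time, such as the rel32 displacement of a `call`. The matcher is applied once per function start, so the count it returns is the number of functions recognized, not the number of call sites; once a function carries a library name, the call sites are found through the cross-references to that name rather than by searching the `.text` bytes. All signature names, byte patterns and function starts below are constructed.

```python
# Added example (not from the thread): a toy FLIRT-style signature matcher.
# Real FLIRT signatures are a compiled, tree-structured format; this version
# keeps only the core idea, which is a byte pattern for the start of a function
# with wildcards ("??") over bytes that change at link time, such as the
# rel32 displacement of a `call`. All bytes and names below are constructed.

def parse_pattern(text):
    """Turn '55 89 E5 E8 ?? ?? ?? ?? 5D C3' into a list of ints, None = wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def matches_at(code, off, pattern):
    """True if `pattern` matches `code` at `off`; wildcards match any byte."""
    if off + len(pattern) > len(code):
        return False
    return all(p is None or p == code[off + i] for i, p in enumerate(pattern))

def apply_signatures(code, func_starts, signatures):
    """Name each function whose leading bytes match a signature.

    Each function is identified at most once, so the size of the result is
    the number of functions recognized, not the number of call sites.
    """
    names = {}
    for start in func_starts:
        for name, pattern in signatures:
            if matches_at(code, start, pattern):
                names[start] = name
                break
    return names

# Constructed "library": two signatures, the first with the call target wildcarded.
SIGNATURES = [
    ("lib_wrapper_call", parse_pattern("55 89 E5 E8 ?? ?? ?? ?? 5D C3")),
    ("lib_zero_eax",     parse_pattern("31 C0 C3")),
]

# Constructed program with four functions at known starts. Functions at 0x00 and
# 0x0d are the same library routine linked at different addresses, so their
# call displacements differ; only the wildcard lets one signature catch both.
CODE = bytes.fromhex(
    "55 89 E5 E8 10 00 00 00 5D C3"   # 0x00: push ebp; mov ebp,esp; call +0x10; pop ebp; ret
    "31 C0 C3"                        # 0x0a: xor eax,eax; ret
    "55 89 E5 E8 F0 FF FF FF 5D C3"   # 0x0d: same wrapper, call -0x10
    "55 89 E5 5D C3"                  # 0x17: push ebp; mov ebp,esp; pop ebp; ret (no call)
)
FUNC_STARTS = [0x00, 0x0A, 0x0D, 0x17]

if __name__ == "__main__":
    found = apply_signatures(CODE, FUNC_STARTS, SIGNATURES)
    print(f"{len(found)} functions recognized")
    for start in sorted(found):
        print(f"{start:#06x}  {found[start]}")
```

    Three of the four constructed functions are recognized; the function at 0x17 has no `call` and matches nothing. A signature that hard-coded the four displacement bytes would have matched only one of the two wrapper copies, which is why real signature formats mask relocated bytes.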
