IDA Pro Advanced 4.0x

Subject: IDA Pro disassembling
Target: N/A
Author: BlackB
Date: 2000-06-05
Tools used: Your brain
Difficulty (scale 1-5): 1

Published by +Tsehp, June 2000

Before starting!
IDA Pro Advanced is a superb disassembler that surpasses with ease w32dasm. Recently a pirated copy has been released on the web which you can easily get. Opinions about this are divided: some people thinks it's great it's out, some people think it's a shame. Those people that think it's a shame are most of the time 'old elite' Fravias that acutally bought the program.
An understandable reaction if you paid 500$ for it.

What you do, reader, is not my problem and not of my concern, but in my opinion, an illegal version of Winzip is as bad or as good as an illegal version of IDA Pro 4.0x . Just as you shouldn't use Winzip illegally, you shouldn't use IDA Pro illegally.

I. Introduction
Hi! Some time ago I wrote a lesson on a cracking program. So, here it is: a lesson on the powerful, superb, great, IDA Pro Advanced v4.0x . Disliked by newbies and adored by elite Fravias. Disliked because IDA has much more extended functions and features and is much more complex then w32dasm.
In following lesson, I'll try to give a short and clear explanation on how to use IDA when you're used to w32dasm, and will try to answer on the question: "What is the best disassembler?". A simple question with a not-so-straight-answer.

For more advanced Fravias reading this: note that this lesson is intended for 100 % IDA newbies!
II. IDA: a powerful disassembler

The first thing you will notice when running IDA Pro is that its interface looks way more professional then w32dasm's. There are much more options and advanced features available then in w32dasm. This has the advantage that you can disassemble better and more profound, but has the disadvantage that it makes IDA much more difficult to work with

Now, in fact, IDA has exactly the same features as w32dasm: you can goto a certain code location, you can see where a jump to a certain portion of code is located, you can see string references, you can save the dead listing, etc... .
The first difficulty IDA newbies have are finding string references. In w32dasm you have a button with which you can view directly all string references. In IDA, this feature is located at scrollmenu View - Names.
Let's jump right into action and disassemble a small .exe (I used startclean.exe). A screen pops which offers you a lot of options. Don't touch it, just click 'OK'. Let IDA do its (beautiful) analysis and when it's done, take a look at the names.
String references, as called in w32dasm, are preceeded by an 'a' in IDA. To search for a string press 'a' in the names window, then followed by the string you look for. Once found, press enter or double click on it. This will take you to the location. CTRL-Enter will take you to the next occurence. A reference is located near the string, looking like this: DATA XREF: _WinMain@16+13o . Double clicking on it will make IDA go to the reference location.

Another feature of w32dasm: the jump and call references are also (of course) available in IDA. What follows is a portion of code disassembled in w32dasm followed by the same portion of code disassembled by IDA:

Start partial code (w32dasm)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00403B5F 81FAFC000000            cmp edx, 000000FC
:00403B65 0F8478010000            je 00403CE3
:00403B6B 8D8424B4000000          lea eax, dword ptr [esp+000000B4]
:00403B72 6804010000              push 00000104
:00403B77 50                      push eax

* Reference To: KERNEL32.GetModuleFileNameA, Ord:00E9h
:00403B78 8B2D88924000            mov ebp, dword ptr [00409288]
:00403B7E 6A00                    push 00000000
:00403B80 FFD5                    call ebp
:00403B82 85C0                    test eax, eax
:00403B84 7516                    jne 00403B9C

* Possible StringData Ref from Data Obj ->""
:00403B86 BE206A4000              mov esi, 00406A20
:00403B8B 8DBC24B4000000          lea edi, dword ptr [esp+000000B4]
:00403B92 B905000000              mov ecx, 00000005
:00403B97 F3                      repz
:00403B98 A5                      movsd
:00403B99 66A5                    movsw
:00403B9B A4                      movsb

End partial code

Start partial code (IDA Pro 4.0x)

00403B5F loc_403B5F:                             ; CODE XREF: sub_403B00+50j
00403B5F                 cmp     edx, 0FCh
00403B65                 jz      loc_403CE3
00403B6B                 lea     eax, [esp+1B8h+var_104]
00403B72                 push    104h
00403B77                 push    eax
00403B78                 mov     ebp, ds:GetModuleFileNameA
00403B7E                 push    0
00403B80                 call    ebp ; GetModuleFileNameA
00403B82                 test    eax, eax
00403B84                 jnz     short loc_403B9C
00403B86                 mov     esi, offset aProgramNameUnk ; ""
00403B8B                 lea     edi, [esp+1B8h+var_104]
00403B92                 mov     ecx, 5
00403B97                 repe movsd
00403B99                 movsw
00403B9B                 movsb

End partial code

As you can see, IDA provides much more detailed information, and it's even more clear.
Take as example the reference:
In w32dasm it looks like this:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:

In IDA Pro it looks like this:
CODE XREF: sub_403B00+50j

IDA provides much more info in even a shorter line:
1. It's a jump (j)
2. The jump to the portion of code is located at adress 00403B50 (=403B00+50)
3. The function/ call itself is located at 403B00(403B00+50)
4. The jump is located in the .code section

If the reference would be a call, then it would look like this: CODE XREF: sub_403B00+50p

Another great advantage is that IDA translates variables. You can even double click them to go to the adress where they are stored: lea edi, [esp+1B8h+var_104]
One of the most powerful features is the use of flirt signatures. Easy explained: IDA tries to recognize compiler-related library functions. Like this:

Start partial code (IDA Pro)

004012D2 loc_4012D2:                             ; CODE XREF: sub_401280+5Fj
004012D2                 movsx   ecx, byte ptr [eax]
004012D5                 push    eax
004012D6                 lea     ebp, [ebp+ecx*2+0]
004012DA                 call    edi ; CharNextA ; Return a pointer to the next character in a 
                                                 ; string
004012DC                 cmp     byte ptr [eax], 0
004012DF                 jnz     short loc_4012D2

End partial code

Start partial code (w32dasm)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004012D2 0FBE08                  movsx ecx, byte ptr [eax]
:004012D5 50                      push eax
:004012D6 8D6C4D00                lea ebp, dword ptr [ebp+2*ecx]
:004012DA FFD7                    call edi
:004012DC 803800                  cmp byte ptr [eax], 00
:004012DF 75F1                    jne 004012D2

End partial code

You notice the great difference? IDA tells you everything!
Other features similar to w32dasm's are quite easy, like "Goto code location" equals "Jump - Jump to adress" in IDA. Or "Goto entrypoint" equals "Jump - Jump to entry point" in IDA.

Voilà, that are about the most important things you have to know to start out with IDA. Ah, maybe, before I forget. Sometimes, IDA displays a lot of 'db' -s that are no string references, but code. Just set your cursor and push the 'C' button on your keyboard, IDA will immediately translate it into code. Example:

Start partial code (before 'C')

00401228                 dd offset unk_406130
0040122C                 db  8Bh ; 
0040122D                 db  35h ; 5
0040122E                 dd offset RegSetValueExA
00401232                 db  6Ah ; j
00401233                 db    1 ;  
00401234                 db  6Ah ; j
00401235                 db    0 ;  
00401236                 db  68h ; h
00401237                 dd offset aName         ; "Name"
0040123B                 db  51h ; Q
0040123C                 db 0FFh ;  
0040123D                 db 0D6h ; 
0040123E                 db  8Bh ; 
0040123F                 db  4Ch ; L
00401240                 db  24h ; $
00401241                 db    8 ;  
00401242                 db  68h ; h

End partial code

Start partial code (after 'C')

0040122C                 mov     esi, ds:RegSetValueExA
00401232 ; ---------------------------------------------------------------------------
00401232                 push    1
00401234                 push    0
00401236                 push    offset aName    ; "Name"
0040123B ; ---------------------------------------------------------------------------
0040123B                 push    ecx
0040123C                 call    esi ; RegSetValueExA
0040123E                 mov     ecx, [esp+8]
00401242                 push    100h
00401247                 push    offset unk_406030
0040124C ; ---------------------------------------------------------------------------
0040124C                 push    1
0040124E                 push    0
00401250                 push    offset aCode    ; "Code"
00401255 ; ---------------------------------------------------------------------------
00401255                 push    ecx
00401256                 call    esi ; RegSetValueExA
00401258                 mov     eax, [esp+8]
0040125C                 push    eax
0040125D                 call    ds:RegCloseKey

End partial code

Other (fast summarised) advantages of IDA Pro are:

1. Ability to disassemble even the most difficult programs that w32dasm can't handle (like packed programs)
2. Ability to export the dead listing into a .asm file a .sym file and even a .exe file and many other output files
3. The dead listing is compressed, saving a lot of diskspace
4. Possibility to rename functions
5. Ability to program macro's.

etc.... ;-)

III. w32dasm??

After you saw all this you may ask yourself: "Why should I keep using w32dasm if IDA is so good?". Well, believe it or not, there are still reasons to do so:

First of all there's speed. IDA is very very fast if you take into account what it all does to clarify the code, but if you disassemble real big .exe's you'll notice that it can take 3 hours or longer to disassemble and analyse it for a 100 %.
Secondly , if you have to specifically search for an instruction, IDA will be darn slow, while w32dasm is fast in text searching.
Third : w32dasm is preferred when it's supposed to be an easy protection. If so, you don't need all that additional info IDA Pro is giving.

And with these three reasons everything is said! :-) If you should know other reasons to use w32dasm instead of IDA, let me know.

IV. In the end

Another lesson finished. Enjoy IDA and w32dasm, and above all.....enjoy reversing and keep learning and contribute to the reversing / cracking scene. Not with cracks, but with tutorials, stuff you write, knowledge you spread! That's the importance of cracking. Not making cracks.


The Blackbird

Essay written by The Blackbird © 1999-2000
This essay can be freely distributed/ published/ printed etc... as long as no modifications are made.