随笔分类 - IDA
摘要:IDA: What's new in 6.8HighlightsThis is mainly a maintenance release, so our focus was on fixing bugs. However, there are some improvements too:Suppor...
阅读全文
摘要:.rdata is for const data. It is the read only version of the .data segment..idata holds the import directory (.edata for exports).It is used by EXE's ...
阅读全文
摘要:http://forum.miata.net/vb/showthread.php?t=536601Hey all!About 5 years ago, there was a great thread on reverse engineering the NC ECU (http://forum.m...
阅读全文
摘要:http://www.romraider.com/forum/viewtopic.php?f=25&t=6303All of the 16-bit guidance in the following posts is from Elevenpoint7five. Thank him for his ...
阅读全文
摘要:http://www.tuicool.com/articles/7FZVZna第一次看到这个错误还以为是修改文件导致的,但是觉得又不大像,因为在Win7底下是完全正常的。搜索了一下才发现是由于插件导致的:NOTE3:You get a “Fatal error before kernel init”...
阅读全文
摘要:http://simeonpilgrim.com/blog/2010/03/25/ida-script-remove-empty-auto-labels/#include static main(){ auto seg, loc, flags; auto count; coun...
阅读全文
摘要:/****************************************************************************************** Copyright 2013 Andrea Ragusa Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
阅读全文
摘要:https://www.hex-rays.com/products/decompiler/manual/tricks.shtmlFirst of all, read thetroubleshootingpage. It explains how to deal with most decompilation problems.Below is a mix of other useful information that did not fit into any other page:Volatile memorySometimes the decompiler can be overly ag
阅读全文
摘要:tid_t tid = get_struc_id ( "foo_type" ) ; struc_t * sptr = get_struc ( tid ); if ( sptr == NULL ) { tid = add_struc ( BADNODE, "foo_type" ) ; sptr = get_struc ( tid ); if ( sptr == NULL ) return; add_struc_member ( sptr, "memb0", 0, dwrdflag(), NULL, 4 ); add_...
阅读全文
摘要:1.执行菜单的File->New->Project…(Ctrl-Shift-N)打开新建工程窗口。2.展开左侧的VisualC++项目模板分支,然后选择右侧的Win32Project条目,输入工程名称,然后点击确定。3.出现Win32ApplicationWizard4. 使用默认设置5. 生成的文件夹及文件6. VS 解决方案资源管理器视图7. 运行结果8. 修改项目属性 - 选择所有配置常规 将目标文件扩展名修改为.plw 配置类型 动态库(.dll)C/C++->常规 附加包含目录添加idasdkinclude目录,例如 D:\IDA64\IDASDK64\Includ
阅读全文
摘要:http://www.h4ck.org.cn/2011/11/vs2010-idasdk6-2-ida-plugin-development/1.执行菜单的File->New->Project…(Ctrl-Shift-N)打开新建工程窗口。2.展开左侧的VisualC++项目模板分支,然后选择右侧的Win32Project条目,输入工程名称,然后点击确定。3.在Win32ApplicationWizard先到出现之后,点击左侧的ApplicationSettings连接,在设置界面勾选 DLL 选项,然后选择 EmptyProject,点击完成按钮退出向导。4.在左侧的解决方案浏览
阅读全文
摘要:BitfieldsThere is a special kind of enums: bitfields. A bitfield is an enum where the 32bits are divided into groups. When you define a new symbolic constant in a bitfield, you need to specify the group to which the constant will belong to. By default, IDA proposes groups containing one bi...
阅读全文
摘要:http://www.2cto.com/shouce/ida/1361.htmAction name: SetType该命令允许你指定当前条目类型。如果光标处在函数内部,那么函数类型将会被编辑,否则当前条目的类型将被编辑。在这种情况下当前条目必须有一个名字。函数类型必须按照C定义输入。IDA将会使用类型信息改进反汇编。这里是一个函数定义的例子: int main(int argc, const char *argv[]);为了删除类型定义,请输入空字符串。IDA支持用户定义的调用规则。在调用规则中用户可以显式指定参数位置和返回值。例如: int __usercall...
阅读全文
摘要:/* This file contains definitions used by the Hex-Rays decompiler output. It has type definitions and convenience macros to make the output more readable. Copyright (c) 2007-2011 Hex-Rays*/#if defined(__GNUC__) typedef long long ll; typedef unsigned long long ull; #define __int64...
阅读全文
摘要:#include #include #include #include int __stdcall IDP_init(void){ //在这里做一些校验,以确保您的插件是被用在合适的环境里。 if ( 0 ) { error("sorry!"); return PLUGIN_SKIP; } return PLUGIN_KEEP;}void __stdcall IDP_term(void){ //当结束插件时,一般您可以在此添加一点任务清理的代码。 return; ...
阅读全文
摘要:http://zh.wikipedia.org/wiki/X86%E8%B0%83%E7%94%A8%E7%BA%A6%E5%AE%9A这里描述了在x86芯片架构上的调用约定(calling conventions)。 调用约定描述了被调用代码的接口:原子(标量)参数,或复杂参数独立部分的分配顺序;参数是如何被传递的(放置在栈上,或是寄存器中,亦或两者混合);被调用者应保存调用者的哪个寄存器;调用函数时如何为任务准备堆栈,以及任务完成如何恢复;这与编程语言中对于大小和格式的分配紧密相关。另一个密切相关的是名称修饰,这决定了代码中的符号名称如何映射到链接器中的符号名。调用约定,类型表示和名称修饰
阅读全文
摘要:IDASDK里面提供的UI(userinterface)函数 AskUsingForm_c,该函数弹出一个对话框,而对话框的外观形式,就由此函数的第一个参数form(constchar*类型)指定。 static const char *dialog = // "STARTITEM 0\n" // dont change "This is the title\n\n" // dialog title "This is static text\n" // static text "\n" //need char[MA
阅读全文
摘要:http://www.2cto.com/shouce/ida/162.htm按字母顺序排列的IDC函数列表下面是函数描述信息中的约定: 'ea' 线性地址 'success' 0表示函数失败;反之为1 'void'表示函数返回的是没有意义的值(总是0) AddBptEx AddBpt AddCodeXref AddConstEx AddEntryPoint AddEnum AddHotkey AddSourceFile AddStrucEx AddStrucMember AltOp Analysis AnalyzeArea AppendFchun
阅读全文
摘要:http://www.pediy.com/kssd/pediy05/pediy50528.htmIda Pro 的默认设置里对中文字串的支持比较差,对于首字节大于'E0'的都显示成?了.其实...打开IDA PRO 目录下的IDA.CFG看到如下:// the following characters are allowed in ASCII strings, i.e.// in order to find end of a string IDA looks for a character// which doesn't belong to this array://
阅读全文
摘要:https://www.hex-rays.com/products/ida/support/tutorials/idc/autocomment.shtmlThis program creates a segment at paragraph 0x40 and comments the BIOS data area. You should load and execute this file to see the names of BIOS data area variables.//--------------------------------------------------------
阅读全文
