
<- .tools[IDA Tips] ->


Addresses Shown In IDA


  • When IDA loads a binary, it simulates the loader's mapping of the file into memory. The addresses shown in IDA are therefore virtual addresses, not offsets into the file on disk; the two only coincide when a segment is mapped at the same offset it occupies in the file. To get from one to the other, use the segment/program-header table (Jump -> Jump to file offset in the GUI, or `ida_loader.get_fileregion_offset(ea)` / `get_fileregion_ea(offset)` in IDAPython) before seeking in a hex editor or patching the file

IDA displaying 4 instructions along with their respective virtual addresses

IDA displaying those 4 instructions in hex. Note that the virtual addresses are the same

Actual locations of those 4 instructions on disk
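The translation between the addresses IDA shows and the byte offsets on disk is driven by the ELF program headers (PT_LOAD segments). The script below is an added example, not code from this page or from IDA: it parses the ELF64 program headers of an image and maps a virtual address to its file offset (and back), returning None for addresses that exist only in memory (.bss). The image it runs on is constructed inline (headers only, no real code) with the classic non-PIE x86-64 layout of .text at 0x400000 and .data/.bss at 0x601000; the same two functions work unchanged on a real file read with `open(path, "rb").read()`.

```python
import struct

PT_LOAD = 1  # program-header type for a loadable segment

# Layouts from the ELF64 specification (little-endian here):
#   Elf64_Ehdr is 64 bytes; e_phoff sits at 0x20, e_phentsize/e_phnum at 0x36/0x38.
#   Elf64_Phdr is 56 bytes: p_type, p_flags, p_offset, p_vaddr, p_paddr,
#   p_filesz, p_memsz, p_align.
EHDR_FMT = "<16sHHIQQQIHHHHHH"
PHDR_FMT = "<IIQQQQQQ"


def load_segments(data: bytes):
    """Return the PT_LOAD segments of an ELF64 image as
    (p_vaddr, p_offset, p_filesz, p_memsz) tuples, in header order."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    segs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = p
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz, p_memsz))
    return segs


def va_to_file_offset(segs, va: int):
    """Map a virtual address (what IDA displays) to its byte offset on disk.
    Returns None for bytes that exist only in memory (the memsz > filesz tail,
    i.e. .bss); raises for addresses no segment loads at all."""
    for vaddr, offset, filesz, memsz in segs:
        if vaddr <= va < vaddr + filesz:
            return offset + (va - vaddr)
        if vaddr + filesz <= va < vaddr + memsz:
            return None
    raise ValueError(f"{va:#x} is not inside any PT_LOAD segment")


def file_offset_to_va(segs, off: int):
    """Inverse mapping: where the byte at file offset `off` lands in memory."""
    for vaddr, offset, filesz, _memsz in segs:
        if offset <= off < offset + filesz:
            return vaddr + (off - offset)
    raise ValueError(f"file offset {off:#x} is not loaded by any segment")


def build_sample_elf() -> bytes:
    """Constructed, minimal ELF64 image (headers only, no real code) with a
    non-PIE layout: an R+X segment at 0x400000 and an R+W segment at 0x601000
    whose last 0x200 bytes are .bss (present in memory, absent from the file)."""
    phdrs = [
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        (PT_LOAD, 5, 0x0000, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),  # R+X
        (PT_LOAD, 6, 0x1000, 0x601000, 0x601000, 0x0100, 0x0300, 0x1000),  # R+W
    ]
    ehdr = struct.pack(
        EHDR_FMT,
        b"\x7fELF" + bytes([2, 1, 1]) + bytes(9),  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
        2, 0x3E, 1, 0x400540,                      # ET_EXEC, EM_X86_64, e_version, e_entry
        64, 0, 0,                                  # e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0,              # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    body = ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
    return body.ljust(0x1100, b"\0")  # pad so the file really spans both segments


if __name__ == "__main__":
    segs = load_segments(build_sample_elf())
    for va in (0x400540, 0x601010, 0x601200):
        off = va_to_file_offset(segs, va)
        print(f"VA {va:#x} -> file offset {off if off is None else hex(off)}")
```

The entry point 0x400540 maps to file offset 0x540 because the first segment is mapped at offset 0, while 0x601010 maps to 0x1010 and 0x601200 has no on-disk counterpart at all. That last case is the one to remember when patching: a write IDA lets you make at a .bss address has no file byte to land on.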


Functions Window


  • The Functions Window lists every function IDA has identified in the binary: the program's own functions, statically-linked library code (e.g. crt0 startup routines), and dynamically-linked (imported) functions.
    • Dynamically-linked functions raise the disassembly's glance value and give the reverser context for the surrounding code, because their names cannot be stripped: the dynamic symbol table must still name them for the loader to resolve them, even when the regular symbol table has been removed
      • Glance value: being able to quickly look over the code and have a general idea of what it is doing

Functions Window example

  • By default, the Functions Window shows only the "Function name" column, but you can expand it to see the other columns
    • Segment: segment that contains the function
    • Start: offset of the function within the segment
    • Length: function length in bytes
    • Locals: size (in bytes) of local variables + saved registers
    • Arguments: size (in bytes) of arguments passed to the function
    • R: function returns to the caller
    • F: far function
    • L: library function
    • S: static function
    • B: BP based frame. IDA will automatically convert all frame pointer [BP+xxx] operands to stack variables
    • T: function has type information
    • =: Frame pointer is equal to the initial stack pointer. In this case the frame pointer points to the bottom of the frame

expanded Functions Window

  • To keep API calls (dynamically-linked functions) out of the Functions Window, a programmer can resolve them at runtime instead of importing them (e.g. `dlsym` on Linux or `GetProcAddress` on Windows), often with the function name stored encoded so that `strings` does not reveal it either. The import table then names only the resolver (`dlsym`/`dlopen`, `GetProcAddress`/`LoadLibrary`), which is itself a useful hint
    • How To Find Dynamically Resolved APIs: get the binary's function trace (e.g. a hybrid-analysis sandbox report on Windows, ltrace on Linux) and compare it against the Functions Window / import list. Any API in the trace that is not in the Functions Window is dynamically resolved. Note that ltrace by default only traces calls that go through the PLT; a call through a pointer obtained from `dlsym` bypasses the PLT, so use `ltrace -x` with the symbol name (or `-x '*'`) to break on the library function itself
    • How To Find Where A Dynamically Resolved API Is Called: in IDA's debugger, the Modules window (Debugger -> Debugger windows -> Modules) lists every loaded shared library and its exported functions and lets you place a breakpoint on any of them. Set one on the dynamically resolved API; once execution breaks there, walk up the Stack trace window (Debugger -> Debugger windows -> Stack trace) to the first frame in user code, which is the call site you are looking for

source code showing how `puts` is resolved at runtime. The string `"puts"` is also stored encoded

even though `puts` comes from a dynamically linked library, it does not show up in IDA's Functions Window

because the name is stored encoded, GNU strings cannot find a reference to `puts` either

a function tracer like ltrace still shows the call to `puts`


Graphs


  • All the available graphs (besides the Proximity Browser and the Graph Overview) can be found under View -> Graphs
    • The Proximity Browser can be found under View -> Open Subviews
    • The Graph Overview can be found under View -> Graph Overview
    • NOTE: the Flow Chart, Function Calls, Xrefs To, and Xrefs From graphs are only available in the licensed version of IDA
  • When we hear "IDA graphs", most of us think of IDA's Graph View, which shows how the basic blocks of the function under the cursor relate to each other. IDA also provides several other graphs that help with analysis; we take a look at those below:

Proximity Browser: interactive function call graph of whole binary

Graph Overview: zoomed out 'Graph View.' It allows one to quickly see the whole structure of a function's CFG

Flow Chart: printable 'Graph View.' Photo courtesy of Hex-Rays

Function Calls: printable, non-interactive counterpart of the Proximity Browser. Photo courtesy of Scratchpad

Xrefs To: call graph of the functions that (directly or indirectly) call the current function. Photo courtesy of Infosec Institute

Xrefs From: call graph of the functions the current function (directly or indirectly) calls. Photo courtesy of Infosec Institute


Keeping Track of Manual Analysis


  • Marked positions: a centralized list of bookmarked locations, each with a short description, for the binary under analysis
    • Alt+M: mark the current cursor location with a description
    • Ctrl+M: bring up a window listing all marked positions with their descriptions; double-click one to jump there
  • Notepad: a blank window for jotting down any notes, saved in the IDB
    • To open the Notepad: View -> Open subviews -> Notepad
  • Regular Comment (`:`): adds a comment at the current cursor location
  • Repeatable Comment (`;`): same as a regular comment, except every cross-reference to the commented location also displays the comment
  • Additional Comments: regular and repeatable comments appear to the right of the instruction. You can also insert whole lines of comment before (Ins) or after (Shift+Ins) the instruction, which is useful for longer explanations

Useful Shortcuts


  • Ctrl+L: jump to a location by name (opens the names list)
  • Ctrl+P: jump to a function by name
  • Ctrl+X: jump to a cross-reference to the current location
  • Esc: jump back to the previous location (Ctrl+Enter goes forward again)
  • u: undefine the bytes starting at the cursor (turn code or data back into raw bytes)
  • d: define the bytes starting at the cursor as data (press repeatedly to cycle byte/word/dword)
  • c: define the bytes starting at the cursor as code
  • g: bring up the 'Jump to address' dialog
  • n: rename the variable, function, or label under the cursor
  • x: show cross-references to the address or name under the cursor
  • y: set the type of the item under the cursor (a function prototype or a variable type)

Miscellaneous <- RERM[.tools] -> GDB_Tips