ida

IDA pro asm instructions change

对着背影说爱祢 submitted on 2020-01-11 18:49:44
Question I just want to know how I can change asm instructions in IDA View-A: How do I edit instructions (for instance: jnz to jmp)? How do I insert new instructions (call func1, call func2 inserted into existing code)? I know how to make dif files, I know how to apply the changes to my DLL, but how can I "make the difference"? How can I edit the code in IDA? I learned how to modify a DLL: Modify code (how?) Generate dif file. Apply the code modifications to the DLL with the dif file and a script. Answer 1:

逆向工具 IDA pro.7.0

限于喜欢 submitted on 2020-01-10 11:26:26
The RPC library used in the project is a commercial library: there is only the .a library file, no source code. Later we needed to modify the RPC functionality, so we had to reverse the library's source out of it, and used this reverse-engineering tool, IDA Pro 7.0. It felt pretty good. Source: CSDN Author: hnbchca Link: https://blog.csdn.net/hnbchca/article/details/103918812

Reading disassembled code

故事扮演 submitted on 2020-01-04 09:26:09
Question I wrote a simple Hello World program with masm32. But then when I try to disassemble it with IDA I get a much bigger output (I won't write it here because it would take too much space). And I don't get why it's different. How do I run the disassembled code? Answer 1: This is normal. Compilation is a "lossy" process, which means that if you compile code and then decompile it, you're not guaranteed to get exactly the same thing out that you originally put in. The same thing applies to assembly

IDA Pro and editing executables

别等时光非礼了梦想. submitted on 2020-01-02 04:24:10
Question This is kind of an unorthodox question. I'm kind of new to using IDA Pro. Is there a way to edit the assembly code and then have IDA save the result as an executable? Is there some kind of plugin maybe that does that? Because it seems that IDA doesn't want to save as an EXE. Or do I need to manually edit it in some other way? Answer 1: Version 6.1+ (maybe 6.2+) of IDA Pro will allow you to apply your patches directly to the input file. Equally, it allows you to revert the changes back. Answer 2: I've
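Both the "asm instructions change" post above (patch in IDA, produce a dif file, apply it to the DLL with a script) and this one (write patches back to the input file, and revert them) come down to the same mechanism: a DIF file lists, per patched byte, the file offset, the original byte and the new byte. The script below is an added example, not code from either post. It parses that format, applies it to a binary while verifying that every original byte is really there (so a DIF produced against one build cannot silently corrupt another), and reverts it by swapping the roles of old and new. The sample binary and the DIF text are constructed for the example; the jnz at offset 2 becomes a jmp.

```python
"""Apply or revert an IDA .dif patch file to a binary (added example).

IDA's "Produce file > Create DIF file" output looks like:

    This difference file has been created by IDA Pro

    target.dll
    00001234: 75 EB

One "<file offset>: <old byte> <new byte>" line per patched byte, hex values.
The sample bytes and DIF text at the bottom are constructed for this example.
"""
import re

# One patch line: file offset, original byte, patched byte (all hex).
_DIF_LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def parse_dif(text):
    """Return a list of (offset, old_byte, new_byte) tuples from DIF text.

    Header lines (the banner and the file name) do not match the
    patch-line pattern and are skipped.
    """
    patches = []
    for line in text.splitlines():
        m = _DIF_LINE.match(line)
        if m:
            offset, old, new = (int(g, 16) for g in m.groups())
            patches.append((offset, old, new))
    return patches


def apply_dif(data, patches, revert=False):
    """Return a patched copy of `data` (bytes), or raise ValueError.

    Each patch is checked against the byte currently in the file before it
    is written: a mismatch means the binary is not the one the DIF was made
    from (other build, or already patched), so stop instead of corrupting it.
    With revert=True the old/new roles are swapped, which undoes the DIF.
    """
    out = bytearray(data)
    for offset, old, new in patches:
        expect, write = (new, old) if revert else (old, new)
        if offset >= len(out):
            raise ValueError("offset 0x%x beyond end of file" % offset)
        if out[offset] != expect:
            raise ValueError("offset 0x%x: found 0x%02x, expected 0x%02x"
                             % (offset, out[offset], expect))
        out[offset] = write
    return bytes(out)


def dif_applies(data, patches, revert=False):
    """True if every expected byte is present, i.e. apply_dif would succeed."""
    try:
        apply_dif(data, patches, revert)
        return True
    except ValueError:
        return False


# Constructed sample: test eax,eax ; jnz short +5 ; mov eax,1 ; ret ; xor eax,eax ; ret
# The jnz rel8 opcode (0x75) sits at file offset 2; the DIF turns it into
# jmp short (0xEB), i.e. the conditional branch becomes unconditional.
SAMPLE_BIN = bytes.fromhex("85c0 7505 b801000000 c3 33c0 c3")
SAMPLE_DIF = """This difference file has been created by IDA Pro

sample.dll
00000002: 75 EB
"""


def demo():
    """Parse the sample DIF, apply it, then revert it."""
    patches = parse_dif(SAMPLE_DIF)
    patched = apply_dif(SAMPLE_BIN, patches)
    restored = apply_dif(patched, patches, revert=True)
    return patches, patched, restored


if __name__ == "__main__":
    patches, patched, restored = demo()
    print("patches:", [(hex(o), hex(a), hex(b)) for o, a, b in patches])
    print("patched :", patched.hex())
    print("restored matches original:", restored == SAMPLE_BIN)
```

To use it on a real file, read the DLL with `open(path, "rb").read()`, pass the text of the DIF IDA produced to `parse_dif`, and write the result of `apply_dif` to a new file; keep the original so the `revert=True` path has something to check against.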

mysql增量备份依次恢复库

夙愿已清 submitted on 2019-12-31 23:43:09
#!/bin/bash
# Usage: sh recovery_increment.sh <hour> <date>   e.g. 14 20180228
bakfile=/data/dbbackup
logfile=/data/bak.log
dbuser=xxx
dbpasswd=xxxx
# local IP address (command substitution added; the original assigned the bare command)
ip=$(ifconfig | grep "inet addr" | grep Bcast | awk '{print $2}' | awk -F":" '{print $2}')

# incremental restore (a function name cannot contain a space; underscore added)
recovery_increment() {
    # extract the incremental backup into a new subdirectory
    mkdir -p "$bakfile/test"
    cd "$bakfile/test" || exit 1
    # NOTE: the original had a space between "$2" and "${ip}"; a path separator is assumed here
    tar -xf "$bakfile/$2/${ip}_$1.DailyBak.tar.gz"
    cd daily || exit 1
    # convert the binary binlog files to SQL, starting from the earliest one
    mysqlbinlog mysql-bin.000602 > ida.sql
    # if there are several incremental backups, append them
    mysqlbinlog mysql-bin.000603 >> ida.sql
    mysql -u"$dbuser" -p"$dbpasswd" < ida.sql
    echo "import finished"
    if [ -f ida.sql ]
    then
        echo "ida.sql exists"
    else
        echo "ida.sql

IDA动态调试技术及Dump内存

扶醉桌前 submitted on 2019-12-31 02:04:01
IDA dynamic debugging technique and dumping memory. Source: https://blog.csdn.net/u010019468/article/details/78491815
Recently, while studying SO file debugging and memory dumping, it took me three days of trial and error before I got IDA debugging fully working. There are many pitfalls and details; if you are slightly careless you just keep troubleshooting. You need to understand what each step does, otherwise you will think the tutorial is wrong. A detailed tutorial may be hard to find; most are brief introductions that do not point out the details and the easily overlooked points.
Dynamic debugging steps, strictly in this order:
Preparation:
1. A rooted phone or an emulator is required; otherwise there is no permission to start android_server.
2. IDA version 6.6 or above, or a phone below Android 5.0; otherwise a PIE error occurs: error: only position independent executables (PIE) are supported.
Detailed steps:
1. First push the android_server file from the IDA installation directory to the phone's /data/local/tmp/ directory with adb push, and run ./android_server as root:
C:\Windows\System32>adb shell
shell@HWGRA:/ $ cd /data/local/tmp/
shell@HWGRA:/data/local/tmp $ ./android_server
IDA
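The PIE condition in the preparation notes above is something you can check on the target before pushing android_server, instead of discovering it from the debugger's error. The script below is an added example, not code from the post: it reads the fixed fields of an ELF header (EI_CLASS, EI_DATA, e_type, e_machine) and reports whether the binary is position independent (e_type ET_DYN) or a fixed-address executable (ET_EXEC). It handles 32- and 64-bit and both byte orders, and rejects non-ELF input. The two header blobs at the bottom are constructed for the example, not real binaries.

```python
"""Tell whether an ELF binary is PIE before attaching with android_server.

Added example. Rule applied: e_type == ET_DYN (3) means position
independent (a PIE executable or a shared object); ET_EXEC (2) means a
fixed-address, non-PIE executable. e_type and e_machine sit at offsets 16
and 18 in both ELF classes, so only the header is needed.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
EM_ARM, EM_AARCH64 = 40, 183
TYPE_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def elf_info(data):
    """Return (e_type, e_machine, is_64bit) from the ELF header in `data`.

    Byte order comes from EI_DATA (offset 5): 1 = little, 2 = big endian.
    Raises ValueError for anything that is not a parseable ELF header.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return e_type, e_machine, ei_class == 2


def is_pie(data):
    """True if the ELF is position independent (ET_DYN)."""
    return elf_info(data)[0] == ET_DYN


def describe(data):
    """Human-readable summary: type, machine, class, PIE or not."""
    e_type, e_machine, is64 = elf_info(data)
    return "%s, machine %d, %d-bit, %s" % (
        TYPE_NAMES.get(e_type, "type %d" % e_type), e_machine,
        64 if is64 else 32, "PIE" if e_type == ET_DYN else "not PIE")


def make_elf_header(ei_class, e_type, e_machine, little=True):
    """Build a minimal ELF header (constructed test data, not a real binary)."""
    endian = "<" if little else ">"
    # e_ident: magic, EI_CLASS, EI_DATA, EI_VERSION, then padding to 16 bytes
    ident = ELF_MAGIC + bytes([ei_class, 1 if little else 2, 1]) + b"\x00" * 9
    rest = struct.pack(endian + "HHI", e_type, e_machine, 1)  # e_type, e_machine, e_version
    return ident + rest + b"\x00" * 32


# Constructed samples: a 32-bit ARM PIE and a 64-bit AArch64 non-PIE executable.
ARM_PIE = make_elf_header(1, ET_DYN, EM_ARM)
AARCH64_EXEC = make_elf_header(2, ET_EXEC, EM_AARCH64)

if __name__ == "__main__":
    for name, blob in (("arm_pie", ARM_PIE), ("aarch64_exec", AARCH64_EXEC)):
        print(name, "->", describe(blob))
```

On a real target, read the first 64 bytes of the executable or .so you intend to debug (for example after `adb pull`) and pass them to `describe`; only the header is inspected.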

ida 动态调试 快捷键

£可爱£侵袭症+ submitted on 2019-12-27 07:28:59
Shortcuts
1. F2 sets a breakpoint
2. F7 steps into a function, F8 single-steps, F9 runs to the next breakpoint, F2 sets a breakpoint, G jumps to a function address
3. N renames
4. g jumps to an address or function name
5. u undefines: turns the function's assembly back into raw machine code
6. c turns machine code into assembly
7. F5
8. p analyses a function: turns those machine-code bytes into a function
9. Ctrl+S shows all the modules in the system
10. Ctrl+F searches
11. While single-stepping, watch the upper right: a register turning blue means it has been modified
12. Options -> Number of opcode bytes lets you view the machine code; enter 4 to see 4 opcode bytes per line
13. In Hex View-1, press F2 to modify the machine code, and press F2 again to confirm the modification
14. Alt+G shows whether the instructions are Thumb or ARM
15. Press X on a function name to see the callers above it
16. In the F5 pseudo C/C++ view the comment key is /; in the assembly view it is ;
17. F4 runs to the cursor position
18. In the register window press E to modify a register's value
19. In the memory window F2 modifies memory values
————————————————
In Android debugging you will often see functions of this type: first a pointer plus a number, for example v3+676. Then this address is called as a method pointer, with the first argument being the pointer itself, for example (v3+676)(v3…). This is actually a JNIEnv method, the kind we use all the time in JNI. Because IDA does not automatically identify these methods

IDA Python - Why My code return incorrect ESP Value?

蓝咒 submitted on 2019-12-24 00:54:20
Question I made an IDA Python script for checking code coverage. But when I use this script, I get a runtime error and I cannot get the correct ESP value. -My code-
from idaapi import *
from idc import *       # SegStart/SegEnd/ScreenEA/DelBpt/GetRegValue/GetFunctionName/get_long (import added)
from idautils import *  # Functions() (import added)

class DbgHook(DBG_Hooks):
    def dbg_process_exit(self, pid, tid, ea, code):
        # bpt Del: remove the breakpoint from every function in the current segment
        for fun in Functions(SegStart(ScreenEA()), SegEnd(ScreenEA())):
            DelBpt(fun)
        return debugger.unhook()

    def dbg_bpt(self, tid, ea):
        RefCode = get_long(GetRegValue('esp'))
        print "[*] Hit : 0x%08x - %s" % (ea, GetFunctionName(ea))
        print "

How to locate where an error arises in a “PackageManager.AddPackageAsync” method call?

笑着哭i submitted on 2019-12-23 01:57:20
Question I'm debugging an example app that deploys a Windows Metro app package (".Appx" file). It calls the WinRT method "PackageManager.AddPackageAsync", which fails with this detailed error code text (retrieved from the call's return value after the operation finished): error 0x80070002: Windows cannot register the package because of an internal error or low memory. My goal is to find where exactly this error arises in the WinRT call. I think the best way to achieve this is by finding where the error