Reversing mixed 16/32-bit code with IDA

reverse-engineering ida x86
2021-06-14 04:49:55

I'm trying to reverse engineer a binary blob that I expect switches from 16-bit real mode to 32-bit protected mode (it's boot-time code), so I expect it to contain both kinds of code.

When I start IDA, I can choose 16-bit or 32-bit code, but not a mix.

How do I instruct IDA to try to disassemble the data at a given address in 32-bit mode?

I can infer the initial jump (not the original one) using the 16-bit analyser, and IDA happily analyses the code from there. I can see where the 32-bit code jumps to (a far jump, so IDA doesn't try to analyse it), but when I press C.

Short of starting one 16-bit and one 32-bit disassembly session, can I do it in one?

2 Answers

You can do this manually, or you can create a custom loader module for the binary blob. What you need to do is split the code into 2 segments, a 32-bit segment and a 16-bit segment, and specify the appropriate addressing mode for each. IDA supports 16-, 32- and 64-bit modes. If needed, you can create the 2 different code segments by hand and change the addressing mode manually by pressing Alt+S.

To do it in a loader, you can use getseg and set_segm_addressing from segment.hpp of the IDA SDK:

// Get pointer to segment by linear address
//      ea - linear address belonging to the segment
// returns: NULL or pointer to segment structure

inline segment_t *getseg(ea_t ea) { return (segment_t *)(segs.get_area(ea)); } 

// Change segment addressing mode (16, 32, 64 bits)
// You must use this function to change segment addressing, never change
// the 'bitness' field directly.
// This function will delete all instructions, comments and names in the segment
//      s      - pointer to segment
//      bitness- new addressing mode of segment
//                 2: 64bit segment
//                 1: 32bit segment
//                 0: 16bit segment
// returns: 1-ok, 0-failure

idaman bool ida_export set_segm_addressing(segment_t *s, size_t bitness);

First you need to get the segment with getseg. After that, you can change the segment's addressing mode to 16- or 32-bit with set_segm_addressing.

IDA Free 5

Edit -> Segments ->CreateSegment

In the dialog:

segment name  = seg001....seg00n
start         = <start address viz 0x0A
end           = <end address viz 0x1e
base          = 0x0 
class         = some text viz 32one,32two,16three
radio button  = 32 bit segment or 16 bit segment as needed
click yes to a cryptic dialog 

A sample binary stream containing a mix of a 16-bit DOS puts routine and random 32-bit pushes:

C:\Documents and Settings\Admin\Desktop>xxd -g 1 1632blob.bin
0000000: b4 01 cd 21 88 c2 b4 02 cd 21 68 78 56 34 12 68  ...!.....!hxV4.h
0000010: 0d d0 37 13 68 be ba 37 13 68 00 0d db ba b4 01  ..7.h..7.h......
0000020: cd 21 88 c2 b4 02 cd 21 68 78 56 34 12 68 0d d0  .!.....!hxV4.h..
0000030: 37 13 68 be ba 37 13 68 00 0d db ba b4 01 cd 21  7.h..7.h.......!
0000040: 88 c2 b4 02 cd 21 68 78 56 34 12 68 0d d0 37 13  .....!hxV4.h..7.
0000050: 68 be ba 37 13 68 00 0d db ba                    h..7.h....

C:\Documents and Settings\Admin\Desktop>

Load this blob as a binary file, move to offset 0 and press c; this disassembles all bytes as 16 bit.

Now you can move to offset 0x0a and create a 32 bit segment: start as 0x0a, end as 0x1e, base as 0x0, class as 32one, use the 32 bit segment radio button, and press c again to create the 32-bit disassembly.

See below:

seg000:0000                ;
seg000:0000                ; +-------------------------------------------------------------------------+
seg000:0000                ; ¦     This file is generated by The Interactive Disassembler (IDA)        ¦
seg000:0000                ; ¦     Copyright (c) 2010 by Hex-Rays SA, <support@hex-rays.com>           ¦
seg000:0000                ; ¦                      Licensed to: Freeware version                      ¦
seg000:0000                ; +-------------------------------------------------------------------------+
seg000:0000                ;
seg000:0000                ; Input MD5   : AEB17B9F8C4FD00BF2C04A4B3399CED1
seg000:0000
seg000:0000                ; ---------------------------------------------------------------------------
seg000:0000
seg000:0000                                .686p
seg000:0000                                .mmx
seg000:0000                                .model flat
seg000:0000
seg000:0000                ; ---------------------------------------------------------------------------
seg000:0000
seg000:0000                ; Segment type: Pure code
seg000:0000                seg000          segment byte public 'CODE' use16
seg000:0000                                assume cs:seg000
seg000:0000                                assume es:seg005, ss:seg005, ds:seg005, fs:seg005, gs:seg005
seg000:0000 B4 01                          mov     ah, 1
seg000:0002 CD 21                          int     21h
seg000:0004 88 C2                          mov     dl, al
seg000:0006 B4 02                          mov     ah, 2
seg000:0008 CD 21                          int     21h
seg000:0008                seg000          ends
seg000:0008
seg001:0000000A                ; ---------------------------------------------------------------------------
seg001:0000000A
seg001:0000000A                ; Segment type: Regular
seg001:0000000A                seg001          segment byte public '32one' use32
seg001:0000000A                                assume cs:seg001
seg001:0000000A                                ;org 0Ah
seg001:0000000A                                assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg001:0000000A 68 78 56 34 12                 push    12345678h
seg001:0000000F 68 0D D0 37 13                 push    1337D00Dh
seg001:00000014 68 BE BA 37 13                 push    1337BABEh
seg001:00000019 68 00 0D DB BA                 push    0BADB0D00h
seg001:00000019                seg001          ends
seg001:00000019
seg002:001E                ; ---------------------------------------------------------------------------
seg002:001E
seg002:001E                ; Segment type: Pure code
seg002:001E                seg002          segment byte public 'CODE' use16
seg002:001E                                assume cs:seg002
seg002:001E                                ;org 1Eh
seg002:001E                                assume es:seg005, ss:seg005, ds:seg005, fs:seg005, gs:seg005
seg002:001E B4 01                          mov     ah, 1
seg002:0020 CD 21                          int     21h
seg002:0022 88 C2                          mov     dl, al
seg002:0024 B4 02                          mov     ah, 2
seg002:0026 CD 21                          int     21h
seg002:0026                seg002          ends
seg002:0026
seg003:00000028                ; ---------------------------------------------------------------------------
seg003:00000028
seg003:00000028                ; Segment type: Regular
seg003:00000028                seg003          segment byte public '32two' use32
seg003:00000028                                assume cs:seg003
seg003:00000028                                ;org 28h
seg003:00000028                                assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg003:00000028 68 78 56 34 12                 push    12345678h
seg003:0000002D 68 0D D0 37 13                 push    1337D00Dh
seg003:00000032 68 BE BA 37 13                 push    1337BABEh
seg003:00000037 68 00 0D DB BA                 push    0BADB0D00h
seg003:00000037                seg003          ends
seg003:00000037
seg004:003C                ; ---------------------------------------------------------------------------
seg004:003C
seg004:003C                ; Segment type: Pure code
seg004:003C                seg004          segment byte public 'CODE' use16
seg004:003C                                assume cs:seg004
seg004:003C                                ;org 3Ch
seg004:003C                                assume es:seg005, ss:seg005, ds:seg005, fs:seg005, gs:seg005
seg004:003C B4 01                          mov     ah, 1
seg004:003E CD 21                          int     21h
seg004:0040 88 C2                          mov     dl, al
seg004:0042 B4 02                          mov     ah, 2
seg004:0044 CD 21                          int     21h
seg004:0044                seg004          ends
seg004:0044
seg005:00000046                ; ---------------------------------------------------------------------------
seg005:00000046
seg005:00000046                ; Segment type: Regular
seg005:00000046                seg005          segment byte public '32three' use32
seg005:00000046                                assume cs:seg005
seg005:00000046                                ;org 46h
seg005:00000046                                assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg005:00000046 68 78 56 34 12                 push    12345678h
seg005:0000004B 68 0D D0 37 13                 push    1337D00Dh
seg005:00000050 68 BE BA 37 13                 push    1337BABEh
seg005:00000055 68 00 0D DB BA                 push    0BADB0D00h
seg005:00000055                seg005          ends
seg005:00000055
seg005:00000055
seg005:00000055                                end
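As an added illustration (not part of either answer and not IDA code), a small Python script that models what the hand-made segment table above makes IDA do: it walks the sample blob segment by segment, decoding each with that segment's bitness, and handles only the few opcodes present in the sample. Running the same 0x0a..0x1e range as 16-bit shows why a single-bitness session goes wrong: `68 78 56 34 12` decodes as `push 5678h` / `xor al, 12h` instead of `push 12345678h`.

```python
import struct

# Constructed input: the 90-byte 1632blob.bin from the xxd dump above,
# re-typed so the script runs offline.
BLOB = bytes.fromhex(
    "b401cd2188c2b402cd21687856341268"
    "0dd0371368beba371368000ddbbab401"
    "cd2188c2b402cd216878563412680dd0"
    "371368beba371368000ddbbab401cd21"
    "88c2b402cd216878563412680dd03713"
    "68beba371368000ddbba"
)
# Segment table matching seg000..seg005 as created by hand in the answer:
# (start, end, bitness), file offsets with base 0.
SEGMENTS = [(0x00, 0x0A, 16), (0x0A, 0x1E, 32), (0x1E, 0x28, 16),
            (0x28, 0x3C, 32), (0x3C, 0x46, 16), (0x46, 0x5A, 32)]

def decode_one(blob, off, bits):
    """Decode one instruction at blob[off]; returns (length, text). Only the sample's opcodes are handled, the rest is emitted as a single db."""
    op = blob[off]
    if op == 0xB4:                                  # mov ah, imm8
        return 2, f"mov ah, {blob[off + 1]:#x}"
    if op == 0xCD:                                  # int imm8
        return 2, f"int {blob[off + 1]:#x}"
    if op == 0x88 and blob[off + 1] == 0xC2:        # mov dl, al (modrm 11 000 010)
        return 2, "mov dl, al"
    if op == 0x34:                                  # xor al, imm8
        return 2, f"xor al, {blob[off + 1]:#x}"
    if op == 0x68:                                  # push imm: width follows segment bitness
        if bits == 32:
            return 5, f"push {struct.unpack_from('<I', blob, off + 1)[0]:#x}"
        return 3, f"push {struct.unpack_from('<H', blob, off + 1)[0]:#x}"
    return 1, f"db {op:#x}"

def disassemble(blob, segments):
    """Walk each segment with its own bitness, as IDA does once the segments exist; returns (offset, bits, text) tuples."""
    listing = []
    for start, end, bits in segments:
        off = start
        while off < end:
            length, text = decode_one(blob, off, bits)
            listing.append((off, bits, text))
            off += length
    return listing

if __name__ == "__main__":
    for off, bits, text in disassemble(BLOB, SEGMENTS):
        print(f"{off:04x} use{bits}  {text}")
```

Calling `disassemble(BLOB, [(0x0A, 0x1E, 16)])` reproduces the garbage a plain 16-bit load shows for the first 32-bit segment.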