Disassembling Code: IDA Pro and SoftICE, by V. Pirogov. It is undesirable to disable these options because this reduces the information content of the disassembled code. Principally, disabling these options might be. General Information About Virtual Memory. If you load some executable module into IDA Pro, two files will be created in the directory from which you have.


Contents

Introduction to Disassembling
Intel Pentium Processor Commands and Registers
Specific Features of Windows Programming
Command Format of the Intel Microprocessor
Structure of the Portable Executable Module
Debugging and Disassembling Assembly Programs
The Code Investigator's Toolkit
The W32Dasm Debugger and Disassembler
Examples of Executable Files Correction
The SoftICE Debugger
Basic Information about Working with SoftICE
Main Paradigms of the Executable Code Analysis
Introduction to IDA Pro
Appendixes
Appendix 1

Also described are the basics of Assembly language programming (MASM) and the system and format of commands for the Intel microprocessor. Aspects of disassembling, analyzing, and debugging software code are considered in detail, and an overview of contemporary disassemblers and debuggers used when analyzing executable code is provided. The basics of working with these tools and their operating principles are also included, and emphasis is placed on analyzing software code and identifying the main structures of the languages in which it was written.

All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse of any kind of service marks or trademarks should not be regarded as intent to infringe on the property of others.

The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.

At that time, the problem of localizing code or reencoding printers was urgent.

One year later, I located my driver in use by some other company. This driver was installed by a Mister X. However, Mister X didn't limit himself to installing the driver. That person also modified the copyright information, specifying that the driver's author was himself. I do not feel angry about that occasion anymore, although a feeling of resentment still remains.

Thus, I understand very well the feelings of software developers whose programs have been illegally reverse-engineered and modified. However, ignoring reality is not the right behavior. To efficiently protect their programs, developers must know the cracker’s toolset.

Furthermore, in addition to their negative effects, attacks on protection systems, worms, and computer viruses have some positive effect, because their existence makes software developers pay more attention to security and develop protection mechanisms more carefully.

To a certain extent, attacks on software and computer systems play the role of stimulators for the software's "immune system," although indisputably on a large scale they can result in an epidemic harming many users or even ruining their computer systems.

This book provides some examples of reverse engineering and of patching executable code.


Note that all of these examples are intended for educational purposes only. There are other reasons for investigating executable code. Understanding the internal mechanisms of executable code operation, and the way in which individual structures of high-level programming languages are converted into Assembly commands, is important for writing more efficient and highly optimized programs.


Often, low-level debugging is required for understanding the causes of random errors that occur at run time. Finally, every professional programmer must be curious and willing to understand how his or her programs operate.

Thus, all examples provided in this book are aimed at achieving positive goals and in no case at performing illegal actions. When planning this book, I didn't intend to write an official textbook, although such textbooks are few and the time has come for them to be written. Rather, I tried to provide materials that I have accumulated during my long years of professional activity.

In the future, I hope to write a textbook on the basis of this book. I'll do this with pleasure. This book pays the most attention to such powerful tools of executable code investigation as the IDA Pro disassembler and the SoftICE debugger. These tools are characterized by practically unlimited capabilities, and hopefully you'll add them to your armory.

This book contains lots of reference materials. This is possibly a typical programming style that manifests itself in attempts to write a universal, all-sufficient program which, by the way, remains an unattainable dream. I support the opinion that only a few books do not force the reader to undertake, every ten pages, a long search in other books and on the Internet.

Nevertheless, lots of the materials provided here will be applicable to the Windows 9x family as well. The Pascal language and the Delphi compiler receive less attention. You might ask why I use such a limitation. The answer is that I chose the classical language and the most powerful and popular compiler.


Target Audience. This book is not intended for readers who have no programming experience. If you program in some high-level programming language but are not acquainted with Assembly, you'll need to consult some book dedicated to Assembly programming from time to time.

I hope that this book will be useful to everyone interested in the internal mechanisms of program operation or willing to understand how high-level programming language constructs are converted to machine commands.

In other words, this book is intended for all IT professionals interested in code investigation and the secrets of programming.

Acknowledgements. I would like to express my thanks to Igor Shishigin, who offered me the opportunity to write this book. I enjoyed working on it and hope that it will be useful to you.

The assembler and the disassembler are two sides of the same coin.

The assembler converts the source code of a program written in Assembly language into binary code, and the disassembler converts the binary module back into a sequence of Assembly commands. Thus, for analysis of the disassembled code it is necessary to know the machine commands, their binary format, and their Assembly representation. It is also important to understand how data are represented in computer memory, as well as the structure of programs written for the Windows operating system.


All of these topics will be covered in this chapter.

Coding Information in Computer Memory. The main goal of this section is to describe how numeric data are stored in computer memory.

Investigating the Memory. Consider a simple program written in the C programming language, Listing 1. Special cases will be mentioned individually. The program in Listing 1. outputs to the screen the memory area that stores its variables. Such a memory area, sent to any device, is called a dump.

Compile the program, then start a command-line session and run it. The console screen will display a table made up of hexadecimal (hex) numbers (Fig.).

Memory dump displayed by the program presented in Listing 1. What are these data? How is it possible to understand these tables of hex numbers? I will begin by covering issues that advanced users might consider elementary, namely the representation of numbers in computer memory.
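The hex table the text describes can be reproduced with the following program, an example added here rather than the book's Listing 1: it lays a few variables of different sizes out in a struct, prints their storage 16 bytes per line, and reports whether the machine stores the least significant byte of a multi-byte value at the lowest address, as Intel processors do. The struct, its sample values and the helper names are this example's own choices, not the book's.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example (not Listing 1 from the book): dump the bytes that hold a
 * few variables so the hex table the text describes can be reproduced and
 * read. The struct, its values and the 16-byte-per-line layout are this
 * example's own choices. */

/* Variables whose storage we will dump; the types and values are constructed. */
struct sample {
    uint32_t dword;    /* 0x12345678                 */
    uint16_t word;     /* 0xABCD                     */
    uint8_t  byte;     /* 0x7F                       */
    char     text[5];  /* "IDA" plus terminator/pad  */
    double   real;     /* 1.0                        */
};

/* 1 if the least significant byte of a multi-byte value sits at the lowest
 * address (little-endian, as on Intel x86), 0 otherwise. */
int is_little_endian(void)
{
    uint16_t probe = 0x0102;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x02;
}

/* Copy the in-memory representation of a 32-bit value into out[0..3]
 * in address order: the order a debugger's memory window shows. */
void bytes_of_u32(uint32_t v, unsigned char out[4])
{
    memcpy(out, &v, sizeof v);
}

/* Format n bytes as space-separated two-digit hex, e.g. "78 56 34 12".
 * Returns the number of characters written (excluding the terminator),
 * or -1 if cap is too small. */
int format_hex(const unsigned char *p, size_t n, char *out, size_t cap)
{
    size_t need = n ? 3 * n - 1 : 0;
    if (need + 1 > cap)
        return -1;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 3 * i, 4, i + 1 < n ? "%02X " : "%02X", p[i]);
    out[need] = '\0';
    return (int)need;
}

/* Print a memory area as a hex table, 16 bytes per line with offsets,
 * the way the book's listing prints the area holding its variables. */
void hex_dump(const void *start, size_t len)
{
    const unsigned char *p = start;
    char line[3 * 16];
    for (size_t off = 0; off < len; off += 16) {
        size_t n = len - off < 16 ? len - off : 16;
        format_hex(p + off, n, line, sizeof line);
        printf("%04zX  %s\n", off, line);
    }
}

int main(void)
{
    struct sample s;
    memset(&s, 0, sizeof s);            /* make padding bytes deterministic */
    s.dword = 0x12345678u;
    s.word  = 0xABCDu;
    s.byte  = 0x7F;
    memcpy(s.text, "IDA", 4);
    s.real  = 1.0;

    printf("little-endian: %d\n", is_little_endian());
    hex_dump(&s, sizeof s);             /* x86: 78 56 34 12 CD AB 7F 49 44 41 00 ... */
    return 0;
}
```

On an x86 machine the dump begins 78 56 34 12 CD AB 7F 49 44 41, i.e. the 32-bit value 0x12345678 appears byte-reversed while the string "IDA" appears in order; reading a dump therefore requires knowing the size of each variable and the byte order of the processor, which is what the sections that follow establish.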

Readers who have mastered these concepts can skip Sections 1. Scales of Notation: Decimal Notation. Most individuals have known the decimal scale of notation from childhood. It is natural and traditional. Binary notation is not as natural for humans, but it is natural for computers. Computer memory is made up of elements that can be in one of two possible states. One of the states is conventionally designated as zero, and the alternative state as one. As a result, all information in memory is written as binary numbers, that is, sequences of ones and zeros.


In addition, computer memory is divided into blocks, each block containing eight such elements. These blocks are called memory cells or bytes. A single digit in binary notation is called a bit (bit stands for binary digit). Thus, each memory cell is made up of eight binary digits, or 8 bits.

Recall that decimal system numbers are base 10 numbers. This means that every decimal number can be represented as a sum of powers of ten, where the digits serve as coefficients and their positions as exponents.

Consider the following example: The exponent for each digit is the digit's ordinal number counted from right to left, starting from zero. Such numeral systems are called positional numeral systems. Binary Notation. Binary notation is also a positional numeral system.

Thus, any binary number can be represented in the form of a sum of powers of two, for example: This method of writing binary numbers is actually the method of converting them to another numeral system: if you carry out the additions in decimal notation, you obtain the same number written in decimal. Converting a decimal number into its binary representation is somewhat more difficult.

This can be done according to the following algorithm: Divide the given number by two and take the remainder as the next bit, working from the least significant bit upward; then repeat the division with the quotient until it becomes zero.
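Both conversions, as an added example that is not code from the book: to_base implements the repeated-division algorithm just described, and from_base evaluates a digit string as the sum of powers of the base shown earlier. It goes beyond the text in accepting any base from 2 to 16, and it rejects invalid digits and values that would not fit in an unsigned long. The function names and sample values are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the book: converting between decimal and
 * positional notations with the two procedures the text describes, written
 * for any base from 2 to 16 rather than only base 2. Function names and the
 * sample values are this example's own. */

static const char DIGITS[] = "0123456789ABCDEF";

/* Write v in the given base into out (cap bytes, NUL-terminated) by repeated
 * division: each remainder is the next more significant digit, so the digits
 * come out least significant first and are reversed at the end. Returns the
 * number of digits written, or -1 if out is too small or the base is
 * unsupported. */
int to_base(unsigned long v, unsigned base, char *out, size_t cap)
{
    char tmp[sizeof(unsigned long) * 8 + 1];   /* enough digits for base 2 */
    int n = 0;
    if (base < 2 || base > 16 || cap == 0)
        return -1;
    do {                                       /* handles v == 0 -> "0" */
        tmp[n++] = DIGITS[v % base];
        v /= base;
    } while (v);
    if ((size_t)n + 1 > cap)
        return -1;
    for (int i = 0; i < n; i++)                /* reverse into out */
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return n;
}

/* Evaluate a digit string as a sum of powers of the base, scanning left to
 * right (Horner's form of the sum the text shows). Lowercase hex digits are
 * accepted. Returns 0 on success, -1 on an invalid digit or empty string,
 * -2 if the value would overflow unsigned long. */
int from_base(const char *s, unsigned base, unsigned long *result)
{
    unsigned long acc = 0;
    if (base < 2 || base > 16 || *s == '\0')
        return -1;
    for (; *s; s++) {
        int c = (*s >= 'a' && *s <= 'z') ? *s - ('a' - 'A') : *s;
        const char *d = strchr(DIGITS, c);
        unsigned digit;
        if (!d || (unsigned)(d - DIGITS) >= base)
            return -1;
        digit = (unsigned)(d - DIGITS);
        if (acc > (~0UL - digit) / base)       /* acc*base + digit would wrap */
            return -2;
        acc = acc * base + digit;
    }
    *result = acc;
    return 0;
}

int main(void)
{
    char buf[65];
    unsigned long v;
    unsigned long samples[] = {0, 5, 10, 255, 1000};   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        to_base(samples[i], 2, buf, sizeof buf);
        printf("%lu = %s (base 2)", samples[i], buf);
        to_base(samples[i], 16, buf, sizeof buf);
        printf(" = %s (base 16)\n", buf);
    }
    if (from_base("1010", 2, &v) == 0)
        printf("1010 (base 2) = %lu\n", v);
    return 0;
}
```

The base-16 case is the one you use daily when reading dumps: hex is simply binary grouped four bits per digit, so a byte is always exactly two hex digits, which is why memory tables are printed in hex rather than in binary or decimal.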