Ida Pro Tutorial

Interactive Disassembler (IDA) Tutorial
Anup C., Joe F.

March 4, 2015
Applied Security
Executive Summary
The Interactive Disassembler (IDA) is a tool used in reversing the internal functionality of an executable binary file. This tutorial describes basic functionality and usage of IDA Free 5.0.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Contents
1
Introduction
Related News
Objectives
Background
Setup & First steps in IDA
Tutorial
6.1 Capture
6.2 Capture
6.3 Capture
6.4 Capture
6.5 Capture
6.6 Capture
The
The
The
The
The
The
Flag
Flag
Flag
Flag
Flag
Flag
1
2
3
4
5
6
.
.
.
.
.
.
Conclusion
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
6
7
8
9
10
11
12
13
8 x86 Instruction Cheat Sheet
14
9 Revisions
15
1 Introduction
<>
The Interactive DisAssembler (IDA)

Disassembling vs decompiling
Complications
Instruction sets
Binary file formats
Compilers & compiler options
The basic idea of reversing a binary is not overly complicated. Given a binary, it should be a fairly simple
thing to decode bit streams into sequences of instructions. The complications in this process come mainly
from the many different instruction sets in use for different processors and the different formats available for
binary files.
The different versions of IDA available will all disassemble binaries into a database and automatically
determine things like the file format, the processor the binary was compiled for, control flow, and many basic
data types. The information from the binary is pushed into a database file and the original binary is no
longer needed for reverse engineering. This feature is often brought up in reference to reversing malware as
a very useful feature.
It is important to distinguish between disassembly and decompilation. IDAs default functionality is disassembly. For which it provides a complex Graphical User Interface (GUI) that provides powerful visualizations
of the assembly code and many useful functions to run on the disassembled instructions. Decompilation is
a feature that is not available for free or as a demo and would allow decompilation of the assembly code
into higher-level code that would represent the code structures usually compiled into assembly matching a
certain fingerprint.
The basic method for using IDA involves dumping a binary into IDA for initial treatment. This will
result in the instructions, variable initializers, and basic call/jump structure being recognized and saved for
easier viewing later. All of this data will be presented in a myriad of windows in the somewhat overcrowded
default interface. These windows will show the original bytes, the sequential instructions, a graph view
showing code blocks and control flow, and many other bits of data that could be discovered through luck
or guidance. From here, a dedicated user can comment, correct, rename, debug, modify, recompile, and in
general reverse the functionality of the original binary. If given enough time.
[1] [2]
1
2 Related News
<>
BMW
Researchers were able to reverse engineer some of the software
Dropbox
Researchers found a way to reverse engineer Dropbox
Traffic Lights
Researchers could have reverse-engineered the protocol
Lenovo
Researchers managed to extract the private key for the Superfish certificate authority (CA) by reverse engineering the application
BMW Research
Allowed hackers to remotely unlock vehicles. [3]
DropBox Research
Allowed hackers to bypass authentication. [4]
Traffic Light Research
Allowed hackers full control of stoplights. [5]
Lenovos Superfish Research
Allowed hackers access to the private key for the Superfish Certificate Authority (CA) [6]
3 Objectives
<>
Gain familiarity with the IDAs basic features

Disassemble a binary
Rename a function, label, variable
Locate strings, determine where they are used in a binary
Understand why/how to modify the stack frame
Debug a binary in IDA
4 Background
<>
Some basic info required to understand the process of reversing a binary

in IDA
Executable file formats
Executable and Linkable Format (ELF) - Unix
Portable Executable (PE) - Windows
Instruction sets
x86
Compiler optimizations
Debugging
Performance increase
There are many different executable file formats in use today, and there have been many more in the past.
The two formats of interest during this lab are the Portable Executable (PE) format, and the Executable and
Linkable Format (ELF). These are the formats used in Windows and Unix based systems, and the format
of the binaries we will be reversing in this tutorial. [7]
In addition to the file format, there are many different assembly language variants, called instruction sets,
in use. These languages all share a base set of features like math operations, control flow, data storage, and
data retrieval. The different instruction sets are used to write binaries specific to processors and processor
families. The instruction set we will be viewing in this tutorial is the x86 instruction set. The binaries were
cross compiled on a 64-bit platform using the 32-bit instructions set. [8]
Another set of options that greatly affects the reversing process is the use of compiler optimizations.
Compilers tend to have signature ways of doing things that aids in the reversing process. For this reason,
IDA will often let you know its guess as to which compiler sourced the binary it is displaying. Compiler
options such as including debugging information, stripping data, and including/removing security features
all have an influence on the binary that is very noticeable while reversing. [9]
4
5 Setup & First steps in IDA
<>
Open VMs
Ubuntu
Username: radicl
Password: radicl
Windows
Username: radicl
Password: Windows1
Open IDA free 5.0
Open binary named example in IDA
Some windows & functions to make note of. . .

IDA-view A/B
Can view in graph view (think control flow diagram) or text view (assembly code listing)
Switch between views by right clicking in a recognized function in either window
Strings window
View recognized character strings within the file
This window can be used to find sections of interest if a string is used in/near a block of code you
want to find.
Names window
Shows named items that IDA automatically recognized.
These are functions, strings, labels, imports, etc.
Stack Variables window
Accessed through Edit Functions Stack Variables. . .
Somewhat advanced feature, allows you to (re)define stack frame variable types
Useful when you determine the structure of a complex type used in the binary. Rather than
making a note somewhere, just update it in IDA
Try renaming things
Right-click on sub s and loc s in the code and select Rename
In graph view, try clicking the blue N at the top of the box
Variables can also be renamed
6 Tutorial
<>
Capture the Flag!

Five rounds & a bonus round
Each round is the reversal of one binary
Each binary has a password and a flag (character strings)
Winner of a round is the first to announce the correct flag for
the round
Some rules. . .
Please dont skip to the next round after completing the current
one. Wait for the group to move on and help a friend while you
wait.
Please cheat off of your neighbor.
The basic goal of each round is to gain the character string representing a flag. This character string is
returned from each binary upon entry of the correct password. There are multiple ways one could go about
reversing the flags and passwords of each binary. Brute-force password cracking would work on all of these
binaries, but some have rather long password which would make it take too long.
Each of the binaries is an example of poor security. Some binaries contain the passwords and flags in
them as plain text. Other binaries do some obfuscating of the character strings, but not enough to cause
anyone much of a problem once they viewed the binary in a program like IDA. The goal of this tutorial is
not to show you bad coding practices, or to be an exercise in triviality. The reversals in this tutorial are
intentionally simple at first to enable a new user a chance to become familiar with the process, the interface,
and most importantly to hopefully have motivation and an interesting goal while learning.
Some things to consider for each binary
How does the binary respond to. . .
No password
Extremely long passwords
special characters
How are passwords being checked?
Are there potentially key portions of the application you might want to look at first?
6.1 Capture The Flag 1
<>
Run CTF1 binary in Ubuntu

Password prompt
Pass/Fail
How is input checked against password?
Lets investigate. . .
Open CTF1 in IDA
Locate strings window
Determine where the strings are being used
Double-click XREF comments in the assembly to navigate
directly to referencing code
Try to determine not only where a string in the binary is referenced, but how many times. Is it used
repeatedly? What functions is it used in? Try renaming code blocks as you determine their use or irrelevance.
Notice that most strings have an XREF from the initialization to the data used to initialize them and
an XREF from the initialization portion back to the data, but some have additional XREFs. Where do the
extra XREFs point? Can you determine where the password prompt is being printed to the console? Where
else are strings being printed to the console?
Basic steps for solution
1. Find ImAP4$$word in the Strings window, double click it
2. Follow the XREF to the main routine
3. Right click the text and switch to data view if necessary
4. Scroll down through functions identifying any C system calls
5. Use printf calls to locate the flag
<>
Run CTF2 binary in Windows

Same basic functionality as CTF1, any differences?
Open CTF2 in IDA
Binary is much more complex due to added Windows protections
Use IDAs XREFs to jump from strings to relevant portions of
assembly
Q1: Why are the password and flag strings so easy to find
and how could this be avoided?
The code for CTF1 and CTF2 is nearly identical. The only real differences are in the string initializers. The
main reason the binaries look so different is all of the memory protection and rights management code that
is inserted by default into binaries compiled in visual studio.
To find the flag in this binary follow the same steps as in CTF1. Find a string that you think is significant.
Trace the XREF to the code were the string is used. Follow the code in text and/or graph views until you
find where the flag is being printed to the console.
The strings in this binary and in CTF1 are initialized directly as in const char *str = "hello
world";. Because of this, the compiler places this data directly into the binary as a null-terminated array
of bytes.
1. Find up with flags in the Strings window, double click it
2. Follow the XREF to the main routine
4. Use the connecting arrows to navigate through calls by double clicking them
6. Determine which variable is being printed to console
7. Backtrack to determine what the variable was assigned
<>

Same basic functionality, any differences?
Open CTF3 in IDA
It appears some strings have been obfuscated
Do we still have enough information to retrieve the flag?
Q2: Why cant we see the password string in this binary?
Q3: What are some methods that might have been used to
hide it?
What strings are there? Follow the XREFs. Rename things to make it easier to tell where you have
been. Dont waste time on rabbit trails, go back to main routine if you find yourself off in the weeds tracking
down system calls.
This binary uses some trickery to make things slightly less simple. A simple mathematical operation was
applied to the string of characters in order to keep them from displaying as ASCII in the binary.
1. Find Unobtanium9000 in the Strings window, double click it
2. Follow the XREFs to the main routine
8. This one is slightly more tricky, check the value of the variable carefully
<>

Open CTF4 in IDA
More cryptic strings
Q4: Is it possible to run the binary in IDA?
What would you try if you could step through the code in debug mode? What strings are in the file?
Where are they used? Can you use anything gleaned from reversing while actually running the executable?
If this were a Windows binary, then IDA for windows could run it in debug mode.
1. Find password1 in the Strings window, double click it
8. If figuring out what the flag is directly proves complex, try figuring out the password that is used in
strcmp()
9. Try the password in the running executable
10
<>
Run CTF5 binary in Windows

Open CTF5 in IDA
This a Windows binary, you can cheat a bit
Debug it in IDA
Q5: What jump logic (jump if ) is being used for the

comparison of input against password?
Follow the XREFs. Try debugging the binary in IDA. Can we cheat? Is there some way to force the jz
to jump to the password accepted location even when the zero flag is not set?
1. Find football in the Strings window, double click it
5. Use printf calls to locate the flag & password
8. Try running the executable in debug mode and setting the zero flag to the correct value to make the
input vs. password comparison jump to the printf(flag) code
9. Just ignore and hit continue for any exceptions IDA spits out during debugging
11
<>

Try various length passwords, theorize why you can get some
odd behavior.
Open CTF6 in IDA
Q6: Why do strange characters appear in the output for

certain password attempts?
This round is the closest we will come to what actual reversing courses examples look like. We will need
to run the binary, potentially multiple times, while reversing to test out different theories. Different lengths
of input will result in different behaviors for this binary because of an unchecked string length that allows
a buffer overflow. The thing that gives this away is the mystery character that sometimes shows up in the
Password x was incorrect string. The goal of this round is to determine how to take advantage of a fairly
straightforward buffer overflow vulnerability.
1. Find Please enter the password in the Strings window, double click it
5. Use printf calls to locate the flag & password
8. Determine what the logic is for a valid password
9. Take a guess at the buffer size for the password
10. Try to overflow the buffer in such a way that the code execution changes
12
7 Conclusion
<>
What can be done to prevent/delay the reverse engineering in this

tutorial?
Remove debug info from binaries
Strip symbols from binaries
Dont include sensitive strings in distributed binaries
Separate functionality across libraries
Compare password hashes instead of strings
Apply defense in depth
13
x86 Instruction Cheat Sheet
Registers
eax
al
ah
ax
rax
ebx
ecx
edx
accumulator register
base register
computer register
data register
io, arithmetic, interrupts

eax bits 0 - 7
eax bits 8 - 15
eax bits 8 - 15
eax bits 33 - 64
base pointer, pointers are offset off of this, interrupt return values
loops, shifting, interrupt return values
io, arithmetic, interrupts
Memory
mov
lea
push
pop
mov source, destination

lea destination, source
push source
pop destination
move data from source to destination

load effective address into destination after calculating source
push source data onto stack
pop top item from stack into destination
Arithmetic
add
sub
mul
div
inc
dec
cmp
test
add source, destination

sub source, destination
mul register
div register
inc destination
dec destination
cmp A, B
test register, immediate
destination = dest + source

destination = dest - source
edx/eax = eax * register
edx = edx/eax % register, eax = edx/eax register
destination++
destination
set status bits
Control Flow
call
call label
ret
ret
jmp
jmp location / location
j
j location
n, z, p
e, g, l
call a function using the label of the function

return from a function
jump to a label or otherwise given address
jump if arg2 [operator] arg1
negative, zero, positive
equal, greater, less
14
Revisions
Revision #
1.0
Comments
Joe F.
15
References
[1] Hex-Rays, Hex-rays home, 2015, [Online; accessed 2-March-2015]. [Online]. Available:
//www.hex-rays.com/index.shtml
https:
[2] D. Lukan, The basics of ida pro, 2012, [Online; accessed 2-March-2015]. [Online]. Available:
http://resources.infosecinstitute.com/basics-of-ida-pro-2/
[3] R. K. Singh, Bmw fixes security flaw in software that made 2.2 million vehicles vulnerable to
hijack, 2015, [Online; accessed 2-March-2015]. [Online]. Available: http://www.techworm.net/2015/
02/bmw-fixes-security-flaw-software-made-2-2-million-vehicles-vulnerable-hijack.html
[4] S. Colaner, Researchers reverse engineer and hack dropbox, heavily obfuscated python
app, 2015, [Online; accessed 2-March-2015]. [Online]. Available: http://hothardware.com/news/
Researchers-Reverse-Engineer-and-Hack-Dropbox-Heavily-Obfuscated-Python-App
[5] L. Hutchinson, Researchers find its terrifyingly easy to hack traffic lights, 2015, [Online;
accessed 2-March-2015]. [Online]. Available:
http://arstechnica.com/security/2014/08/
researchers-find-its-terrifyingly-easy-to-hack-traffic-lights/
[6] P. Croke, Lenovo caught spying, 2015, [Online; accessed 2-March-2015]. [Online]. Available:
http://lapostexaminer.com/lenovo-caught-spying/2015/02/25
[7] Wikipedia, Comparison of executable file formats wikipedia, the free encyclopedia, 2014,
[Online; accessed 2-March-2015]. [Online]. Available: http://en.wikipedia.org/w/index.php?title=
Comparison of executable file formats&oldid=639706438
[8] , List of instruction sets wikipedia, the free encyclopedia, 2015, [Online; accessed 2-March2015]. [Online]. Available: http://en.wikipedia.org/w/index.php?title=List of instruction sets&oldid=
644815110
[9] , Optimizing compiler wikipedia, the free encyclopedia, 2015, [Online; accessed 2-March-2015].
[Online]. Available: http://en.wikipedia.org/w/index.php?title=Optimizing compiler&oldid=645581075
16

Ida Pro Tutorial

Uploaded by

Copyright:

Available Formats

Ida Pro Tutorial

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ida Pro Tutorial

Uploaded by

Copyright:

Available Formats

Interactive Disassembler (IDA) Tutorial

Anup C., Joe F.

Setup & First steps in IDA

8 x86 Instruction Cheat Sheet

The Interactive DisAssembler (IDA)

Gain familiarity with the IDAs basic features

Some basic info required to understand the process of reversing a binary

5 Setup & First steps in IDA

Some windows & functions to make note of. . .

Capture the Flag!

6.1 Capture The Flag 1

Run CTF1 binary in Ubuntu

6.2 Capture The Flag 2

Run CTF2 binary in Windows

6.3 Capture The Flag 3

Run CTF3 binary in Ubuntu

6.4 Capture The Flag 4

Run CTF4 binary in Ubuntu

Q4: Is it possible to run the binary in IDA?

6.5 Capture The Flag 5

Run CTF5 binary in Windows

Q5: What jump logic (jump if ) is being used for the

6.6 Capture The Flag 6

Run CTF6 binary in Ubuntu

Q6: Why do strange characters appear in the output for

What can be done to prevent/delay the reverse engineering in this

x86 Instruction Cheat Sheet

io, arithmetic, interrupts

mov source, destination

move data from source to destination

add source, destination

destination = dest + source

call a function using the label of the function

You might also like