Editing binary code in IDA
Edit -> Patch program
Reference: https://blog.csdn.net/hgy413/article/details/50650232
When IDA opens an application it creates a database for it with the suffix IDB. The IDB is made up of 4 files:
.id0: the database itself, stored as a B-tree,
.id1: the per-byte flags of the program,
.nam: index information for the Names window,
.til: the local type definitions belonging to this database.
Converting data to struct and enum types
IDC scripts for listing imports and exports
//imports.idc
#include <idc.idc>
// Walk the segment list and return the first segment whose name starts with ".idata",
// or BADADDR if the binary has no import segment.
static GetImportSeg()
{
    auto seg, name;
    for ( seg = FirstSeg(); seg != BADADDR; seg = NextSeg(seg) ) {
        name = SegName(seg);
        if ( substr( name, 0, 6 ) == ".idata" ) break;
    }
    return seg;
}
static main()
{
    auto seg, BytePtr, EndImports;
    seg = GetImportSeg();
    if ( seg == BADADDR ) {
        Message("No .idata segment found\n");
        return;
    }
    BytePtr = SegStart( seg );
    EndImports = SegEnd( BytePtr );
    Message("\nParsing Import Table...\n");
    while ( BytePtr < EndImports ) {
        // IDA writes the DLL name as an anterior comment above each group of imports
        if ( LineA(BytePtr, 1) != "" ) Message("\n____" + LineA(BytePtr, 1) + "____\n");
        // Only item heads carry an import name; NextHead skips the bytes in between
        Message(Name(BytePtr) + "\n");
        BytePtr = NextHead(BytePtr, EndImports);
    }
    Message("\nImport Table Parsing Complete\n");
}
//exports.idc
//(c) www.PEDIY.com 2000-2008
#include <idc.idc>
static main()
{
    auto x, ord, ea;
    Message("\nProgram Entry Points:\n\n");
    // GetEntryPointQty() returns the number of entry points; indices run 0..qty-1,
    // so the loop must use < rather than <=
    for ( x = 0; x < GetEntryPointQty(); x = x + 1 ) {
        ord = GetEntryOrdinal( x );   // ordinal of this entry point
        ea  = GetEntryPoint( ord );   // address it refers to
        Message( Name( ea ) + ": Ordinal " + ltoa( ord, 16 ) + " at offset " + ltoa( ea, 16 ) + "\n" );
    }
    Message("\nExport Parsing Complete\n");
}
Decrypting self-modifying code
The idc file is as follows:
//encrypted.idc
//(c) www.PEDIY.com 2000-2008
#include <idc.idc>
// XOR every byte in [from, from+size) with key and write the result back into the database
static decrypt(from, size, key) {
    auto i, x;
    for ( i = 0; i < size; i = i + 1 ) {
        x = Byte(from);        // read the encrypted byte
        x = (x ^ key);         // single-byte XOR
        PatchByte(from, x);    // patch the database (Edit -> Patch program applies it to the file)
        from = from + 1;
    }
}
static main() {
    decrypt(0x00401060, 0x15, 0x1);
}
If IDA has left the decrypted bytes as unrecognised hex data, simply force them to code.
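The same decrypt() loop carried out offline on a byte image of the file, as an added example that is not part of the original notes: it keeps the IDC script's window (0x00401060, 0x15 bytes, key 0x1), generalises the key to a repeating multi-byte key, refuses windows outside the image, and offers an IDAPython counterpart (decrypt_in_ida, a hypothetical helper) for use inside IDA. IMAGE_BASE, PLAIN and the 0x90 padding are constructed for the demo.

```python
from typing import Union

Key = Union[int, bytes]

def _key_bytes(key: Key) -> bytes:
    """Normalise a single-byte or multi-byte key to a non-empty bytes object."""
    if isinstance(key, int):
        if not 0 <= key <= 0xFF:
            raise ValueError("single-byte key must be in 0..255")
        return bytes([key])
    if not key:
        raise ValueError("key must not be empty")
    return bytes(key)

def xor_patch(image: bytes, start: int, size: int, key: Key) -> bytearray:
    """Return a copy of image with image[start:start+size] XORed by the repeating key.
    Only the window is touched, just as the IDC loop only calls PatchByte on from..from+size-1."""
    kb = _key_bytes(key)
    if start < 0 or size < 0 or start + size > len(image):
        raise ValueError("patch window [0x%x, 0x%x) is outside the image" % (start, start + size))
    out = bytearray(image)
    for i in range(size):
        out[start + i] ^= kb[i % len(kb)]
    return out

def decrypt_at(image: bytes, base: int, ea: int, size: int, key: Key) -> bytearray:
    """Address-based wrapper: translate a virtual address to an image offset, then patch."""
    return xor_patch(image, ea - base, size, key)

def decrypt_in_ida(ea: int, size: int, key: Key) -> int:
    """Same loop inside IDA via IDAPython (hypothetical helper; only works where ida_bytes exists)."""
    import ida_bytes
    kb = _key_bytes(key)
    for i in range(size):
        ida_bytes.patch_byte(ea + i, ida_bytes.get_byte(ea + i) ^ kb[i % len(kb)])
    return size

# Constructed image: 0x80 bytes mapped at IMAGE_BASE, with the encrypted stub at 0x401060.
IMAGE_BASE = 0x00401000
PLAIN = bytes(range(0x15))                      # stand-in for the real decrypted code
ENCRYPTED = bytes(b ^ 0x01 for b in PLAIN)      # what IDA shows before patching
IMAGE = b"\x90" * 0x60 + ENCRYPTED + b"\x90" * (0x80 - 0x60 - 0x15)

if __name__ == "__main__":
    fixed = decrypt_at(IMAGE, IMAGE_BASE, 0x00401060, 0x15, 0x1)
    print(fixed[0x60:0x60 + 0x15] == PLAIN)     # True
```

Because XOR is its own inverse, running xor_patch a second time over the same window restores the original image, which is a quick way to confirm the patch touched exactly the intended bytes.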
FLIRT
Lets IDA automatically recognise library functions from the standard libraries of a range of compilers.
Usage: open the Signatures window as shown below
Apply the signature file of the library we want to load
After that the library functions are named