Reverse-engineering tool usage
x64dbg
x64dbg usage tips and practical plugin collection - 吾爱破解 - 52pojie.cn
IDA
ida.cfg configuration (9.1)
OPCODE_BYTES = 6 // display this many instruction/data bytes:
// 0 = disable
// N = up to N bytes on one line; go to next line to show remaining bytes
// -N = up to N bytes on one line; truncate remaining bytes
// The 'default' configuration in the registry may
// override this value
INDENTION = 0 // Indentation of instructions
// The 'default' configuration in the registry may
// override this value
COMMENTS_INDENTION = 30 // Indentation of short comments
MAX_TAIL = 16 // Tail depth (used to gather xref info)
MAX_XREF_LENGTH = 80 // Right margin for cross-references
MAX_DATALINE_LENGTH = 120 // Right margin for data directives (db,dw, etc)
SHOW_AUTOCOMMENTS = NO // Display comments for every instruction?
// Please note that there is another definition
// for IBM PC below
SHOW_BASIC_BLOCKS = NO // Generate an empty line at the end of a basic block
SHOW_BORDERS = YES // Borders between data/code
SHOW_EMPTYLINES = YES // Generate empty lines to make disassembly more readable
SHOW_LINEPREFIXES = YES // Show line prefixes (like 1000:0000)
SHOW_SEGMENTS = YES // Show segments in addresses
USE_SEGMENT_NAMES = YES // Show segment names instead of numbers
SHOW_REPEATABLE_COMMENTS= YES // Show repeatable comments (disabling this increases IDA speed)
SHOW_SP = NO // Show stack pointer at the start of lines
// The 'default' configuration in the registry may
// override this value
SHOW_SUSPICIOUS = NO // Show <void> marks (the red/orange color is bright enough)
SHOW_XREFS = 15 // Show this many cross-references (the rest is accessible by Ctrl-X)
SHOW_XREF_FUNC = YES // Show function offsets in xrefs
SHOW_XREF_TYPES = YES // Show xref type marks
SHOW_XREF_VALUES = YES // If not, xrefs are displayed as "..."
SHOW_SEGXREFS = YES // Show segment part of addresses in cross-references
SHOW_SOURCE_LINNUM = NO // Show source line numbers
SHOW_TRYBLOCKS = YES // Show try block line information
SHOW_ASSUMES = YES // Generate 'assume' directives
SHOW_ORIGINS = YES // Generate 'org' directives
SHOW_REFCMTS = 16 // Show some references to string literals or demangled names
// (the rest is accessible by Ctrl-J)
DEL_CODE_COMMENTS = YES // Delete a comment attached to an instruction
// when the instruction is deleted
MAX_ITEM_LINES = 25000 // Maximum number of lines for one item (one instruction or data)
Color scheme
zyantific/IDASkins: Advanced skinning plugin for IDA Pro
Shortcuts
Closed windows can be reopened from the View menu.
Jump->Mark position: set a bookmark at the current position.
Ctrl+M: jump to a marked position.
G: jump to an address.
X: show cross-references.
Esc: go back; Ctrl+Enter: go forward.
N: rename; R: change type.
U: undefine.
C: convert to code.
P: create a function.
D: change the data type (db, dw, dd); more types can be enabled under Options->Data types.
A: convert to a string.
*: array editing dialog.
Structs and enums can be written in a C file and imported into IDA, which is more convenient than building them by hand.
Debugging
F7 step into
F8 step over
F4 run to cursor
Ctrl+F7 step out
F9 run
Ctrl+F2 terminate the running process
F2 toggle breakpoint
Debugger->Tracing->Instruction Tracing: record addresses, instructions and registers.
Debugger->Tracing->Function Tracing: record call invocations.
Scripts
Common IDAPython functions | 4nsw3r's Blog
Conditional breakpoints can also be written.
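As an added example (not part of these notes, and not taken from IDA's documentation), the following IDAPython snippet sets a breakpoint that only stops when chosen argument registers hold given values, which is the usual way to skip the thousands of uninteresting hits on a hot function during tracing. The IDA calls (`idc.add_bpt`, `idc.set_bpt_cond`, `idc.get_name_ea_simple`) are only made when the script runs inside IDA; the condition-building logic is plain Python so it can be checked offline. The function name `set_conditional_bpt` and the sample register values are assumptions for the example.

```python
# Added example: conditional breakpoints with IDAPython.
# The idc module only exists inside IDA, so the IDA-specific parts are skipped
# when the script is run elsewhere (the helpers below still work for offline checks).
try:
    import idc  # IDAPython module; available only inside IDA
except ImportError:
    idc = None


def build_condition(expected):
    """Build the Python expression IDA evaluates on every hit of the breakpoint.

    expected maps register name -> required value, e.g. {"rcx": 0x10, "rdx": 0}.
    IDA only suspends the process when the expression evaluates to true, so
    combining the checks with 'and' gives a breakpoint that fires for one
    specific argument combination.
    """
    parts = ['get_reg_value("%s") == 0x%x' % (reg, val) for reg, val in expected.items()]
    return " and ".join(parts)


def condition_holds(regs, expected):
    """Offline mirror of build_condition: regs is a register -> value dict as
    captured from a trace, and the result says whether the breakpoint would fire."""
    return all(regs.get(reg) == val for reg, val in expected.items())


def set_conditional_bpt(ea, expected):
    """Place a software breakpoint at ea that stops only when the registers in
    expected hold the given values. Returns False outside IDA."""
    if idc is None:
        return False
    idc.add_bpt(ea, 0, idc.BPT_SOFT)          # no-op if a breakpoint already exists
    return idc.set_bpt_cond(ea, build_condition(expected))


if __name__ == "__main__" and idc is not None:
    # Constructed usage: break in CreateFileW (Win64 ABI: first arguments in
    # rcx, rdx) only when the desired-access argument (rdx) is GENERIC_WRITE.
    target = idc.get_name_ea_simple("CreateFileW")
    if target != idc.BADADDR:
        print("conditional bpt set:", set_conditional_bpt(target, {"rdx": 0x40000000}))
```

Inside IDA, the generated expression is visible in the breakpoint's properties dialog (right-click the breakpoint, Edit breakpoint), so the same condition can also be typed there by hand; the script only automates building and installing it.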