
IDA Pro forum: Understanding syntax generated by IDA Pro

Topic created on: January 13, 2010 14:46 CST by DrWho .

Hello to all, I am a newbie to reverse engineering and I have downloaded the latest trial version of IDA Pro for disassembly and debugging. I disassembled an EXE file written for use on Win 7 64-bit, but there are items in the syntax that I have never seen before. The following are a couple of samples, and I am hoping someone can provide some help.

Item 1. mov     rax, cs:qword_14003A358
    I follow the mov command, and I know that qword is a quad word, but I don't understand cs:qword_14003A358 as a whole.

Item 2. .data:000000014003A358 qword_14003A358 dq 2B992DDFA232h        ; DATA XREF: sub_140002960+1F↑r
    In this line the character ↑ is actually an upward pointing arrow in the IDA Pro text. Even though it is in the comment section of the line, can someone tell me what the upward arrow means? I have never seen that before.

All help is greatly appreciated.

  phn1x     January 14, 2010 11:30.25 CST
Item 1:
This is a segment register, specifically the code segment register. These are provided by Intel to reduce code complexity and address translation time. It's not IDA syntax.
Take a moment and read Volume 3A, Chapter 3 of the Intel System Programming Guide:
http://www.intel.com/Assets/PDF/manual/253668.pdf

Item 2:
The upward arrow indicates where in the IDA database the selection is referenced.

The item in question is in the data segment and is referenced at an offset 0x1F into the function sub_140002960, whose location in the database (and the file really) is above (.text section) your current location.
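
As an added illustration of the two points above (this script is not part of the thread and not IDA's own code), the following Python parses the two listing fragments the question quotes: it splits the `cs:qword_14003A358` operand into its segment prefix, the named location and the size and address that IDA encodes in its dummy names, and it parses the `DATA XREF` comment into the referencing function, offset, arrow direction and access type, then recomputes the referencing address (`sub_140002960 + 0x1F`) and checks that the arrow direction is consistent with it. The sample lines are constructed from the post, with the arrow restored as U+2191; the regexes and the xref-type table are this example's assumptions about IDA's listing format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

UP, DOWN = "\u2191", "\u2193"  # arrows IDA uses in xref comments (assumed here)

# Constructed samples, modelled on the two items quoted in the question.
SAMPLE_INSN_OPERAND = "cs:qword_14003A358"
SAMPLE_DATA_LINE = (".data:000000014003A358 qword_14003A358 dq 2B992DDFA232h"
                    "        ; DATA XREF: sub_140002960+1F" + UP + "r")

# IDA dummy-name prefixes and the operand size each implies (bytes).
SIZE_BY_PREFIX = {"byte": 1, "word": 2, "dword": 4, "qword": 8, "xmmword": 16}
# Access-type suffix on an xref (assumed from IDA's listing conventions).
XREF_TYPES = {"r": "read", "w": "write", "o": "offset taken", "j": "jump", "p": "call"}

OPERAND_RE = re.compile(r"^(?:(?P<seg>[cdefgs]s):)?(?P<sym>[A-Za-z_]\w*)$")
DUMMY_NAME_RE = re.compile(r"^(?P<prefix>[a-z]+)_(?P<addr>[0-9A-Fa-f]+)$")
DATA_LINE_RE = re.compile(
    r"^(?P<sect>\.\w+):(?P<addr>[0-9A-Fa-f]+)\s+(?P<name>\w+)\s+(?P<directive>d[bwdq])\s+"
    r"(?P<value>[0-9A-Fa-f]+)h\s*;\s*(?P<kind>DATA|CODE) XREF:\s*(?P<xrefs>.+)$")
XREF_RE = re.compile(
    r"(?P<func>\w+?)(?:\+(?P<off>[0-9A-Fa-f]+))?(?P<dir>[" + UP + DOWN + r"])(?P<type>[rwojp])")


@dataclass
class Operand:
    segment: Optional[str]   # segment prefix as IDA printed it, e.g. "cs"
    symbol: str              # the named location, e.g. "qword_14003A358"
    size: Optional[int]      # bytes implied by the dummy-name prefix
    address: Optional[int]   # address encoded in the dummy name


@dataclass
class XRef:
    kind: str                # "DATA" or "CODE"
    func: str                # function containing the referencing instruction
    offset: int              # offset of that instruction into the function
    direction: str           # UP: referencing location is above (lower address)
    access: str              # one of XREF_TYPES
    source: Optional[int]    # recomputed address of the referencing instruction


@dataclass
class DataItem:
    section: str
    address: int
    name: str
    directive: str
    value: int
    xrefs: List[XRef]


def dummy_name_address(name: str) -> Optional[int]:
    """IDA names unnamed items prefix_ADDRESS; recover the address from the name."""
    m = DUMMY_NAME_RE.match(name)
    return int(m.group("addr"), 16) if m else None


def parse_operand(text: str) -> Operand:
    """Split 'cs:qword_14003A358' into segment prefix, symbol, size and address."""
    m = OPERAND_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a segment:symbol operand: {text!r}")
    sym = m.group("sym")
    dm = DUMMY_NAME_RE.match(sym)
    size = SIZE_BY_PREFIX.get(dm.group("prefix")) if dm else None
    return Operand(m.group("seg"), sym, size, dummy_name_address(sym))


def parse_xrefs(kind: str, text: str) -> List[XRef]:
    """Parse one or more 'func+OFF<arrow><type>' entries from an xref comment."""
    out = []
    for m in XREF_RE.finditer(text):
        off = int(m.group("off"), 16) if m.group("off") else 0
        base = dummy_name_address(m.group("func"))
        out.append(XRef(kind, m.group("func"), off, m.group("dir"), m.group("type"),
                        None if base is None else base + off))
    return out


def parse_data_line(line: str) -> DataItem:
    """Parse a '.data:ADDR name dq VALUEh ; DATA XREF: ...' listing line."""
    m = DATA_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised listing line: {line!r}")
    return DataItem(m.group("sect"), int(m.group("addr"), 16), m.group("name"),
                    m.group("directive"), int(m.group("value"), 16),
                    parse_xrefs(m.group("kind"), m.group("xrefs")))


def xref_direction_consistent(target: int, xref: XRef) -> Optional[bool]:
    """Up arrow should mean the referencing instruction sits at a lower address."""
    if xref.source is None:
        return None  # referencing function is user-named; address unknown here
    return xref.direction == (UP if xref.source < target else DOWN)


def describe_xref(target: int, xref: XRef) -> str:
    where = "above" if xref.direction == UP else "below"
    src = f"0x{xref.source:X}" if xref.source is not None else "?"
    return (f"{XREF_TYPES.get(xref.access, xref.access)} by {xref.func}+0x{xref.offset:X} "
            f"at {src}, {where} 0x{target:X}")


if __name__ == "__main__":
    op = parse_operand(SAMPLE_INSN_OPERAND)
    print(f"segment={op.segment} symbol={op.symbol} size={op.size} addr=0x{op.address:X}")
    item = parse_data_line(SAMPLE_DATA_LINE)
    for x in item.xrefs:
        print(describe_xref(item.address, x), "consistent:",
              xref_direction_consistent(item.address, x))
```

Run as a script it reports the operand as an 8-byte item at 0x14003A358 and the xref as a read from sub_140002960+0x1F, i.e. address 0x14000297F, which is indeed below the data item's address, so the up arrow is consistent with what the reply says.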

  RabidCicada     January 18, 2010 10:36.35 CST
The Intel Docs, as they are lovingly referred to, will be a good friend while you are REing on an x86 or x64 platform :).  They provide all the information for the processor hardware you are reversing on.

Intel Docs are located here

There is a tremendous amount to read and understand.  Pay particular attention to the details present in the text.  They say exactly what they mean and do not really call out very important facts.  ALL of the facts are important.

A good book to understand IDA itself better is "The IDA Pro Book" by Chris Eagle.  It explains everything about IDA.

If you are going to be REing applications only, then you should be pretty familiar with the Windows APIs.

If you are going to be reversing at a lower level, then you should read up on address translation, segmentation, paging, and how to get your own OS running in order to better understand all of the mechanisms at work.  The Intel Docs cover much of this.  You will also need to read up on undocumented APIs etc. of Windows if you will be reversing from within Windows.

Big world out there.  It's gonna hurt getting into REing :).
