Published: 2022-09-29 11:08:38
Anchor
Some IDA commands such as selecting a portion of file to output or specifying a segment to move need an anchor.
To drop the anchor, you can either use the Alt-L key or the Shift- combination, which is more convenient. You can also drop the anchor with the mouse by simply clicking and dragging it.
After you've dropped the anchor, you can navigate freely using arrows, etc. Any command that uses the anchor raises it.
The anchored range is displayed with another color.
When you exit from IDA, the anchor value is lost.
Export data
The "Export data" dialog can export binary data into different formats.
Undo
Action name: Undo
This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times; in this case multiple user actions will be reverted.
Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis. Autoanalysis generates copious amounts of undo data. Also please note that maintaining undo data during autoanalysis slows it down a bit. In practice it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.
However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.
The configuration file ida.cfg has 2 more undo-related parameters:
  UNDO_MAXSIZE   max size of undo buffers; default: 128MB.
                 Once this limit is reached, the undo info about the oldest
                 user action will be forgotten.
  UNDO_DEPTH     max number of user actions to remember; default: 1000000.
                 If set to 0, the undo feature will be unavailable.
Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.
Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.
Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.
See also: Redo, Reset Undo, Disable Undo, Open undo history.
Redo
Action name: Redo
This command reverts the previously issued Undo command. It is possible to use Redo multiple times.
This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.
See also: Undo, Reset Undo, Disable Undo, Open undo history.
Convert to instruction
Action name: MakeCode
This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.
If you have selected a range using the anchor, all the bytes from this range will be converted to instructions.
If you apply this command to an instruction, it will be reanalyzed.
See also: Edit submenu.
Convert to data
Action name: MakeData
This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.
Applying this command repeatedly cycles through the data types:
  db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa
  ^                                                                |
  \----------------------------------------------------------------/
You may remove some items from this list using the Setup data command.
If the target assembler does not support double words or another data type, it will be skipped.
To create a structure variable, use the Declare struct var command.
To create an array, use the Array command.
To convert back, use the Undefine command.
See also: Edit submenu.
Convert to STRLIT string
Action name: MakeStrlit
This command converts the current unexplored bytes to a string.
The set of allowed characters is specified in the configuration file, parameter StrlitChars. The character '\0' is not allowed in any case. If the current assembler does not allow characters above 0x7F, characters with the high bit set are not allowed.
If the anchor has been dropped, IDA will take for the string all characters between the current cursor position and the anchor.
Use the anchor if the string starts with a disallowed character.
This command also generates a name for the string. In the configuration file, you can specify the characters allowed in names (NameChars).
You can change the literal string length using the Array command.
The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.
Pascal Strings
To create Pascal style strings (with the first byte indicating the string length), use the Set String Style command.
See also: Edit submenu.
Convert to array
Action name: MakeArray
This command allows you to create arrays and change their sizes.
The arrays are created in 2 simple steps:
1. Create the first element of the array using the data definition commands (data, string, structs).
2. Apply the array command to the created data item.
Enter the array size in current array elements (not bytes). The suggested array size is the minimum of the following values:
- the address of the next item with a cross reference
- the address of the next user-defined name
For string literals, you can use this command to change the length of the string.
The dialog box contains the following fields:
Items on a line (meaningless for string literals):
  0            place the maximal number of items on a line
  other value  number of items on a line
Please note that the margin parameter affects the number of items on a line too.
Alignment (meaningless for string literals):
  -1           do not align items
  0            align automatically
  other value  width of each item
Signed elements: if checked, IDA treats all elements as signed numbers. Only meaningful for numbers (not for offsets, segments and strings).
Display indexes: if checked, IDA will display the indexes of array elements in the form of comments (0, 1, 2...).
Create as array: if not checked, IDA will create a separate item for each array element. Useful for creating huge arrays. If the box is unchecked when this command is applied to string literals, IDA will create many string literals instead of one big string.
If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.
See also: Edit submenu, How to Enter a Number.
Undefine
Action name: MakeUnknown
This command deletes the current instruction or data, converting it to 'unexplored' bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).
If you have selected a range using the anchor, all the bytes in this range will be converted into 'unexplored' bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.
See also: Edit submenu.
Rename
Action name: MakeName
This command gives a name to, renames, or deletes the name of the current item.
To delete a name, simply give an empty name.
If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a dummy name.
Local name
The name is considered to be defined only in the current function. Please note that IDA does not check the uniqueness of local names in the whole program. However, it does verify that the name is unique for the function.
Include in name list
Here you can also include/remove the name from the name list. If the name is hidden, you will not see it in the names window.
Public name
You can declare a name as a public (global) name. If the current assembler supports the "public" directive, IDA will use it. Otherwise, the publicness of the name will be displayed as a comment.
Autogenerated name
An autogenerated name will appear in a different color. If the item is undefined, the name will disappear automatically.
Weak name
You can declare a name as a weak name. If the current assembler supports the "weak" directive, IDA will use it. Otherwise, the weakness of the name will be displayed as a comment.
Create name anyway
If this flag is on, and if the specified name already exists, IDA will try to vary the specified name by appending a suffix to it.
See also: Edit submenu, How to Enter an Identifier, Names representation.
Operand types submenu
Convert operand to offset (data segment)
Action name: OpOffset
This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS).
If the current DS value is unknown (or equal to 0xFFFF), IDA will warn you: it will beep. In this case, you have to define the DS register value for the current byte. The best way to do it is:
- jump to the segment register change point
- change the value of DS
- return
or you can change the default value of DS for the current segment.
If you want to delete the offset definition, you can use this command again; it works as a toggle.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
If a range is selected using the anchor, IDA will perform an 'en masse' conversion. It will convert the immediate operands of all instructions in the selected range to offsets. However, IDA will first ask you for the lower and upper limits of the immediate operand value. If the operand value is >= the lower limit and <= the upper limit, then the operand will be converted to an offset; otherwise it will be left unmodified.
To create offsets to structure members, use the Convert to struct offset command.
Convert operand to offset (code segment)
Action name: OpOffsetCs
This command converts the immediate operand of the current instruction/data to an offset from the current code segment (CS).
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
If a range is selected using the anchor, IDA will perform an 'en masse' conversion. It will convert the immediate operands of all instructions in the selected range to offsets. However, IDA will first ask you for the lower and upper limits of the immediate operand value. If the operand value is >= the lower limit and <= the upper limit, then the operand will be converted to an offset; otherwise, it will be left unmodified.
If this command is applied to a structure member in the structure window, then IDA will create an "automatic offset". An automatic offset is an offset with the base equal to 0xFFFFFFFF. This base value means that the actual value of the base will be calculated by IDA when a structure instance is created.
To create offsets to structure members, use the Convert to struct offset command.
Convert operand to offset (any segment)
Action name: OpAnyOffset
This command converts the immediate operand of the current instruction/data to an offset from any segment.
IDA will ask you to choose a base segment for the offset.
If a range is selected using the anchor, IDA will perform an 'en masse' conversion. It will convert the immediate operands of all instructions in the selected range to offsets. However, IDA will first ask you for the lower and upper limits of the immediate operand value. If the operand value is >= the lower limit and <= the upper limit, then the operand will be converted to an offset; otherwise it will be left unmodified.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
To create offsets to structure members, use the Convert to struct offset command.
Convert operand to offset (user-defined base)
Action name: OpUserOffset
This command converts the immediate operand of the current instruction/data to a complex offset expression.
See the complex offsets topic to learn more about them.
If a range is selected using the anchor, IDA will perform an 'en masse' conversion. It will convert the immediate operands of all instructions in the selected range to offsets. However, IDA will first ask you for the lower and upper limits of the immediate operand value. If the operand value is >= the lower limit and <= the upper limit, then the operand will be converted to an offset; otherwise it will be left unmodified.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
If the offset base is specified as 0xFFFFFFFF, then IDA will create an "automatic offset". Automatic offsets mean that the actual value of the base will be calculated by IDA.
The following offset attributes are available:
Treat the base address as a plain number
  If checked, IDA will treat the base address as a number. In this case, IDA will not create a cross-reference to it, and the base address will be printed as a number, not as an offset expression.
Offset points past the main object
  Offsets of this type point past an object end. They do not cause object creation/deletion.
Use image base as offset base
  These offsets are based on the image base. There is no need to explicitly specify the offset base. These offsets are displayed in a concise form:
    rva func
  instead of
    offset func-imagebase
  If you intend to reassemble the output file, execute the following IDC statement:
    set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) & ~INFFL_ALLASM);
Subtract operand value
  Use this option when the operand value should be subtracted from the base to get the target address. In this case the expression will be displayed as
    offset base-target
  instead of the usual
    offset target-base
Signed operand
  Use this option if the operand should be interpreted as a signed value. This option is only available for the OFF_REF8, OFF_REF16, OFF_REF32 and OFF_REF64 offset types.
Convert operand to struct offset
Action name: OpStructOffset
GUI version:
------------
This command permits converting all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions. If no selection is active, IDA will simply permit converting the current operand. In this case, it will display a simple dialog box the same way as the text version (see below).
You can select the desired register in the drop-down list: all operands relative to this register will be added to the 'Offsets' list. A special empty line in the drop-down list is used to work directly on immediate values. Checkboxes in the 'Offsets' list allow you to select which operands you indeed want to modify. By default, IDA will select only undefined operands, to avoid overwriting previous type definitions. This list is sorted by operand value, then by instruction address and finally by operand number. You can easily see the instructions related to an operand by moving the mouse over it and waiting for a hint to be displayed.
The 'Structures and Unions' tree will contain all selectable structures and sub unions. Once you select or move over a structure, the 'Offsets' list updates itself for each checked offset: the computed name of the operand is displayed, according to the selected structure in the tree. An icon is also drawn, to easily know whether a specific structure matches the offset or not, or whether the offset is too big for the selected structure. The structures which match the most offsets will be near the top of the tree. You can also move your mouse over structures in the tree to obtain an interesting hint.
A '?' icon can also appear if the offset can be specialized by selecting a union member. In this case, if you expand the structure in the tree, you can select the adequate union member simply by checking the desired radio button. IDA automatically corrects the related name in the 'Offsets' list.
The 'Offset delta' value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert it into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.
The 'Hide sub structures without sub unions' option (checked by default) avoids adding unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree.
By default, IDA displays the structure member at offset 0. To change this behaviour, you can directly disable the 'Force zero offset field' in the 'Options' frame. Later, zero offsets can be forced using the Edit, Structs, Force zero offset menu item.
Text version:
-------------
This command converts the immediate operand(s) type of the current instruction/data to an offset within the specified structure. Before using this command, you have to define a structure type.
First of all, IDA will ask for a so-called "struct offset delta". This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert it into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.
If a range is selected using the anchor, IDA will perform an 'en masse' conversion. It will convert the immediate operands of all instructions in the selected range to offsets. However, IDA will first ask you for the lower and upper limits of the immediate operand value. If the operand value is >= the lower limit and <= the upper limit, then the operand will be converted to an offset; otherwise it will be left unmodified.
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
By default IDA doesn't display the structure member at offset 0. To change this behaviour, use the Force zero field offset command.
Moreover, if there are several possible representations (this can happen if unions are used), select the desired representation using the Select union member... command.
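The struct offset delta, the lower/upper limits of an 'en masse' conversion and the ranking of structures by matched offsets described above, modelled in plain Python. This is an added example, not IDA's own code; the structure layouts and operand values are constructed, and the 'zero_field' flag is a stand-in for the 'Force zero offset field' option.

```python
# Added example (not IDA's code): a pure-Python model of how the
# "Convert operand to struct offset" dialog resolves immediate operands
# against candidate structures. Layouts and operands below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Struct:
    """Minimal structure layout: name, total size and member-start offsets."""
    name: str
    size: int
    members: Dict[int, str]  # member offset -> member name


def struct_offset_expr(s: Struct, operand: int, delta: int = 0,
                       zero_field: bool = True) -> Optional[str]:
    """Render an operand as a struct offset expression, or None when the
    structure does not match (no member boundary there, or offset too big).

    'delta' is the struct offset delta from the dialog: the difference between
    the structure start and the pointer value. The member is looked up at
    operand + delta and the delta is subtracted back in the displayed text, so
    operand 4 with delta 2 becomes 'mystruct.field_6-2' as in the IDA help.
    'zero_field' models the 'Force zero offset field' option: when it is off,
    an operand that lands on offset 0 is shown as the bare structure name.
    """
    target = operand + delta
    if target < 0 or target >= s.size:
        return None  # offset too big for the selected structure
    member = s.members.get(target)
    if member is None:
        return None  # operand does not land on a member boundary
    expr = s.name if (target == 0 and not zero_field) else f"{s.name}.{member}"
    if delta:
        expr += f"{-delta:+d}"  # delta 2 -> '-2': the expression still equals the operand
    return expr


def within_limits(value: int, limits: Optional[Tuple[int, int]]) -> bool:
    """En masse conversion: only operands with lower <= value <= upper are touched."""
    return limits is None or limits[0] <= value <= limits[1]


def rank_structures(structs: List[Struct], operands: List[int], delta: int = 0,
                    limits: Optional[Tuple[int, int]] = None
                    ) -> List[Tuple[str, Dict[int, str]]]:
    """Return (struct name, {operand: expression}) pairs, best match first,
    the order in which the 'Structures and Unions' tree lists structures."""
    ranked = []
    for s in structs:
        matched: Dict[int, str] = {}
        for v in operands:
            if not within_limits(v, limits):
                continue  # outside [lower, upper]: left unmodified
            expr = struct_offset_expr(s, v, delta)
            if expr is not None:
                matched[v] = expr
        ranked.append((s.name, matched))
    # sort() is stable, so equally good structures keep their input order
    ranked.sort(key=lambda r: len(r[1]), reverse=True)
    return ranked


# Constructed sample layouts (not taken from any real binary).
MYSTRUCT = Struct("mystruct", 12, {0: "field_0", 4: "field_4", 6: "field_6", 8: "field_8"})
HDR = Struct("hdr", 8, {0: "magic", 2: "ver", 4: "len"})

# Constructed immediate operand values as they might appear in a selected range.
OPERANDS = [0, 4, 6, 8, 0x100]

if __name__ == "__main__":
    print(struct_offset_expr(MYSTRUCT, 4, delta=2))  # mystruct.field_6-2
    for name, matched in rank_structures([HDR, MYSTRUCT], OPERANDS, limits=(0, 0x20)):
        print(name, matched)
```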
Convert operand to number
Action name: OpNumber
This command converts the immediate operand(s) type of the current instruction/data to a number. That way, you can delete the suspicious mark of the item.
The number is represented in the default radix for the current processor (usually hex, but octal for PDP-11, for example).
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
See also: Edit|Operand types|Number submenu.
Convert operand to hex number
Action name: OpHex
This command converts the immediate operand(s) type of the current instruction/data to a hex number, so you can delete the suspicious mark of the item.
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
See also: Edit|Operand types|Number submenu.
Convert operand to decimal number
Action name: OpDecimal
This command converts the immediate operand(s) type of the current instruction/data to decimal. Therefore, it becomes a 'number'.
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
See also: Edit|Operand types|Number submenu.
Convert operand to octal number
Action name: OpOctal
This command makes the current instruction or data operand type octal. IDA always uses the 123o notation for octal numbers even if the current assembler does not support octal numbers.
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
See also: Edit|Operand types|Number submenu.
Convert operand to binary number
Action name: OpBinary
This command makes the current instruction or data operand type binary. IDA always uses the 123b notation for binary numbers even if the current assembler does not support binary numbers.
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
See also: Edit|Operand types|Number submenu.
Convert operand to floating point number
Action name: OpFloat
This command makes the current operand type floating point.
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ','), then the first operand will be affected; otherwise, all other operands will be affected.
See also: Edit|Operand types|Number submenu.
Toggle leading zeroes
Action name: ToggleLeadingZeroes
This command displays or hides the leading zeroes of the current operand. Example: if the instruction looked like this:
  and ecx, 40h
then after applying the command it will look like this:
  and ecx, 00000040h
If you prefer to see leading zeroes in all cases, then open the calculator and enter the following expression:
  set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) | INFFL_LZERO);
This will toggle the default for the current database, and all numbers without leading zeroes will become numbers with leading zeroes, and vice versa.
See also: Edit|Operand types|Number submenu.