Disassembling Code: IDA Pro and SoftICE

Chapter 1: Introduction to Disassembling

Figure 1.1: Memory dump displayed by the program presented in Listing 1.1

Figure 1.2: Converting a binary number to a hex number

Figure 1.3: Converting a hex number to a binary number

Figure 1.4: An example of a dialog (Listing 1.13)

Figure 1.5: Dump of the program code

Figure 1.6: The Intel processor command format

Figure 1.7: The PE file structure

Chapter 2: The Code Investigator's Toolkit

Figure 2.1: The DeDe program window displaying the disassembled code of a button-click event in an application

Figure 2.2: The Turbo Debugger window with a program loaded for debugging

Figure 2.3: Graphical user interface of the windbg.exe program

Figure 2.4: The hiew.exe program interface

Figure 2.5: Resource Hacker is one of the most advanced resource editors, allowing you to edit resources directly in the executable module

Figure 2.6: The Registry Monitor by Mark Russinovich, a program that tracks all attempts at accessing the system registry carried out by application programs

Figure 2.7: The main window of the W32Dasm program

Figure 2.8: The W32Dasm Debugger Options window

Figure 2.9: A fragment of the disassembled text

Figure 2.10: The window displaying references to strings

Figure 2.11: A fragment of the list of imported modules and functions

Figure 2.12: The information window of the debugger

Figure 2.13: The control window of the debugger

Figure 2.14: The window for modifying the code being debugged

Figure 2.15: The window for modifying the contents of registers and memory cells

Figure 2.16: The OllyDbg debugger with a loaded program

Figure 2.17: The window displaying the list of windows created by the application being investigated

Figure 2.18: The Watch expressions window

Figure 2.19: The annoying error message that appeared when the encyclopedia was started

Figure 2.20: The OllyDbg window displaying the fragment of the call to MessageBox

Figure 2.21: The W32Dasm window

Figure 2.22: Fragment of the disassembled program code produced by IDA Pro

Figure 2.23: The window that appears at start-up of the Allscreen program

Figure 2.24: The delay window displayed by the Allscreen program

Figure 2.25: The message informing the user about expiration of the trial period

Figure 2.26: The GetPixel registration window

Figure 2.27: The nag screen

Chapter 3: Main Paradigms of the Executable Code Analysis

Figure 3.1: The language-executable code hierarchy

Figure 3.2: Standard stack structure in the course of a procedure call

Figure 3.3: The stack structure, with addresses decreasing from bottom to top

Figure 3.4: The exception reported by Windows XP after an artificially-created buffer overflow

Chapter 4: The SoftIce Debugger

Figure 4.1: The SoftIce main window

Figure 4.2: The loader32.exe program window

Figure 4.3: The Settings window allows you to set the loading parameters for the modules to be debugged

Figure 4.4: The settings window for creating persistent macros

Chapter 5: The IDA Pro Disassembler

Figure 5.1: The IDA Pro main window with the loaded executable module

Figure 5.2: The window controlling executable code loading

Figure 5.3: Indication of jumps in the disassembler window

Figure 5.4: Cross-references

Figure 5.5: The signatures window

Figure 5.6: The IDA Pro window that allows the user to enter comments

Figure 5.7: The Debugger setup window

Figure 5.8: The command window that allows execution of the sequence of the IDC language constructs

Figure 5.9: Toolbar for editing and executing an IDC program