1. Jump to addressUse the Jump▶jump to address command or press the hotkey G in the active disassembly window to open the Jump to Address dialog box, which may help you remember the relevant hotkey if you think of the dialog as a Go dialog box.
Ida remembers the value you entered in this dialog box and displays it through a drop-down list to make it easier for you to later use
2. Navigation button (navigation history)Navigation buttons, with a history drop-down next to each button, you can quickly access any location in the navigation history list without having to traverse the entire history list
3. Stack frameDetailed steps to call a function:
(1) The caller puts any parameters required by the calling function into the location specified by the calling convention in which the function is invoked. If the parameter is placed on the runtime stack, the operation may cause the program's stack pointer to change. (2) The caller transfers control to the called function, and then the return address is saved to the program stack or the CPU register. (3) If necessary, the called function configures a stack pointer (EBP) and saves any register values that the caller wants to remain unchanged. (4) The called function allocates space for any local variables it may require. In general, this task is accomplished by adjusting the stack pointer to reserve space on the runtime stack. (5) The called function performs its operation and may produce a result. During the execution of an operation, the called function may access the arguments passed to it by the calling function. If the function returns a result, the result is usually placed in a particular register, or in a register that the caller can access immediately after the function returns. (6) After the function has completed its operation, any stack space reserved for the local variable will be freed. Typically, this task can be accomplished by performing the operations in step (4) in reverse. (7) If the value of a register is also called Fang Paoquan (step (3)), then restore it to the original value. This includes restoring the caller's frame pointer register. (8) The called function returns control to the caller. Depending on the calling convention used, this operation may also purge one or more parameters from the program stack. (9) Once the caller regain control, it may need to remove the parameters from the program stack. You may need to adjust the stack to restore the stack pointer to a value prior to step (1).
Steps (3) and (4) are usually performed when entering functions, collectively known as the preamble of the function. Similarly, step (6) to step (8) is generally performed at the end of the function, which together form the end of the function. Step (5) represents the body of the function, which is all the operations performed when a function is called.
4. Calling convention
4.1.C calling conventionThe caller puts the function arguments in a right-to-left order, and the caller (not the callee) is responsible for purging the parameters from the stack when the called function completes its operation.
One result of putting a parameter in the stack from right to left is that if the function is called,
The leftmost (first) parameter will always be at the top of the stack. Thus, we can easily find the first parameter, no matter how many parameters the function requires. If a function can accept a parameter, the caller is well suited for this kind of adjustment because it knows clearly how many parameters it passes to the function, making it easy to make the correct adjustments. The called function does not know in advance how many parameters it will receive, so it is difficult to make the necessary adjustments to the stack, so the following test:
Answer: __stdcall does not apply to incoming arguments, and if a parameter is passed in the __stdcall function, the system is automatically treated as a C call, the following disassembly
4.2.__stdcall calling conventionThe difference between using the stdcall calling convention is that when the function finishes executing, the function arguments in the stack should be deleted by the called function.
To accomplish this task, it must be clear how many parameters are in the stack, which determines only the fixed parameters. Therefore, the function of the parameter printf cannot use the stdcall calling convention.
By convention, Microsoft uses the StdCall convention for all functions that are fixed by the number of parameters that are output by shared library (DLL) files
4.3.x86 fastcall ConventionThe Fastcall convention is a variant of the StdCall convention, which passes a maximum of two parameters to the CPU register (not the program stack), and the first two parameters (two on the left) are in the ECX and edx registers respectively. The remaining parameters are placed on the stack from right to left in a manner similar to stdcall conventions
Such as:
int __fastcall Fast (int a,int b,int c,int d)
{
return 0;
}
int _tmain (int argc, _tchar* argv[])
{
int a = fast (1,2,3,4);
Since two parameters are passed to the register, only a RETN 8 is required, as shown in the Assembly
4.4.c++ calling convention
The C + + class needs to use the this pointer, which must be provided by the caller, so it is provided as a parameter. The C + + language standard does not specify how the this pointer should be passed to a non-static member function, so different compilers use different tricks to pass the this pointer, and Microsoft Visual C + + provides the thiscall calling convention, which passes this to the ECX register. And as in stdcall, it requires the function to clear the parameters in the stack
The GNU g++ compiler regards this as the first implied parameter of any non-static member function, and in all other respects the same as the use of the CDECL Convention. Therefore, for code compiled with g++, this is placed at the top of the stack before a non-static member function is called, and the caller is responsible for removing the parameters (at least one parameter) from the stack when the function returns 4.5. System calls Typically, system calls cause state transitions, Enter kernel mode by user mode, the x86 operating system generally uses the Sysenter directive, the parameters of the system call are on the runtime stack, and before the system call is initiated, put a system call number in the EAX register
5. The local variable layout has a calling convention that specifies how parameters are passed to the function, but there is no convention for local variable layout of the defined function ~ that is, by examining the source code of the function, it is often impossible to determine the local variable layout of the function.
The first task of the compiler is to calculate the space required for local variables of the function. (The calculation below is not true because the compiler allocates more stack space, either because it is aligned, or because of the buffer size), for example, in the following code:
int fun (int a,int b,int c)
{
int x;
Char buf[64];
int y;
int Z;
return 0;
}
int _tmain (int argc, _tchar* argv[])
{fun
(n/a);
If you do not use the frame pointer register (that is, ESP is a frame pointer) you can write this directly:
Sub ESP, 76
The offset column shows the base + displacement address required to reference any local variables or parameters in the stack frame:
However, in X86, the EBP register is typically used exclusively as a stack frame pointer, resulting in a stack frame layout as shown:
6.IDA Stack ViewIda names a variable based on the position of the variable relative to the saved return address. The local variable is above the saved return address, and the function parameter is located under the saved return address.
0. local variable The default named local variable name is prefixed with Var_, followed by a hexadecimal suffix that represents the distance (in bytes) between the variable and the saved frame pointer. If the local variable var_c is a 4-byte (DWORD) variable, it is located above the saved frame pointer, and the distance is 12 bytes ([Ebp-och]).
1. function parameters The default named function parameter name is prefixed with Arg_, followed by a hexadecimal suffix representing its relative distance from the topmost parameter therefore, the topmost 4-byte parameter is named Arg_0, and the subsequent parameters are Arg_4, Arg_8, Arg_c
Arg_0 corresponds to Ebp+8, and so on we can right-click the Arg_0 in the Assembly (not in the digest, in the assembly code), the menu shows the actual location of the ARG_0:
Da will only automatically generate names for stack variables that are directly referenced in the function. If da cannot determine any memory references to [ebp+8] (the position of the first parameter), then ARG_0 will not be listed in the summary stack view
In particular, it is important to note that the order in which the VAR_ local variables are defined and the order in which you declare them in the code does not matter, and you must use a series of clues in the Disassembly window to match the name of the variable generated by IDA with the name used in the source code. Note the relationship between the observed and incoming parameters to correlate local variables
2. Double-click the variable to jump to the detailed view of the variable
The two special values shown are S and r (preceded by spaces). These pseudo variables are special methods that IDA represents the saved return address (R) and the saved register value (s represents EBP only)
