Because IDA Pro decompilation is highly specialized and spans many platforms, we may not be able to provide effective technical support. We therefore recommend trying it only after you have studied the tool and built some foundation; a few tutorials for learning are listed at the end of this page.

IDA Pro 7.7 new features:

Features:
- Processor modules:
- 8051: added configuration for the R8051XC2 core in M5 FPGA by Capital Microelectronics (thanks to Zak Escano).
- 8051: allow loading binary files without a device selection (thanks to Zak Escano).
- ARM: improved function recognition.
- ARM: improved thunk function detection.
- ARM: added decoding of ARMv8.4-CondM and ARMv8.5-CondM instructions (RMIF, SETF8, SETF16, CFINV, XAFlag, AXFlag).
- ARM: added decoding of ARMv8.5-FRINT instructions (FRINT32Z/FRINT32X/FRINT64Z/FRINT64X).
- PC: improved speed in analysis of big x86 PE files.
- PC: recognize switches with BTI notrack prefix (3Eh) on the indirect jump.
- PIC16: allow 8-bit addressing in data segments for the PIC24/PIC33 series.
- PPC: improved ppc64 thunk function detection.
- RISCV: added support for switch patterns.
- RL78: added RL78S3 core instruction decoding.
- RL78: added support for 32-bit and 64-bit data items and 32-bit segments.
- RX: new processor module (Renesas RX series).
- SPARC: improved detection of functions that use a stack frame.
- XTENSA: new processor module (Tensilica Xtensa).
- Debuggers:
- bochs: added a config parameter HIDE_CONSOLE in dbg_bochs.cfg.
- bochs: inform the user about the presence of a .lock file, instead of launching bochs that would complain about the wrong img file.
- debugger: improve stack walking for macos x64.
- debugger: improve stack walking for windows x64.
- debugger: ios: improve debugging on iOS15.
- debugger: linux: improve call stack recovery on Linux x86_64 (also use libunwind if present).
- debugger: report the precise address that caused a page breakpoint to trigger (win32, windbg).
- PIN: support PIN 3.21.
- File formats:
- MACHO: support new format of the dyld shared cache split into subcaches (iOS 15, macOS12).
- MACHO: disable ASLR slide detection in dyld shared cache by default (use IDA_DYLD_SHARED_CACHE_SLIDE environment variable to set it manually).
- PE, COFF: parse and format new FH4 (CxxFrameHandler4) C++ exception tables.
- PE: speed up loading of files with a huge number of imports.
- DWARF: support for DWARF 5 debug information.
- DWARF: added DWARF_ENABLE config option, as well as an 'off' command-line option, to disable the plugin.
- DWARF: add a dialog for fine-grained selection of debug information to import (e.g. do not import types for speed).
- FLIRT / TILS / IDS:
- FLAIR: go2pat: go obj file to .pat converter for generating Go function signatures.
- FLAIR: sigmake: added support for signatures with names > 1024 characters.
- FLIRT: GO: added signatures for the major standard libraries for golang 1.10-1.16 (x64 only).
- FLIRT: Updated VC and MFC signatures up to Visual Studio 2019 16.11.
- FLIRT: BC: added signatures for xe104 (RAD Studio 10.4).
- FLIRT: BC: added signatures for xe11 (RAD Studio 11).
- FLIRT: ICL: added signatures for icl213 (intel c++ 2021.3).
- FLIRT: ICL: added signatures for icl214 (intel c++ 2021.4).
- IDS: update coredll ordinal mappings for SH3/SH4 to WinCE 6.0.
- TIL: idaclang: new command-line utility for creating type libraries using clang C++ parser.
- Standard plugins:
- golang: add a numerical suffix when a type name already exists (this can happen due to different import paths).
- golang: add definitions of some builtin types (string, array, interface, slice).
- golang: annotate interface (itab) table.
- golang: annotate the full reflect.name (possible presence of field tag and import path).
- golang: improved detection of prologs in x86/x64 binaries.
- golang: provide the ability to turn off(/on) deriving a function's end from pclntab (GOLANG_FUNC_END_FROM_PCVAL_TABS in golang.cfg).
- golang: show unprocessed (original) function name as function comment if the name was sanitized.
- golang: startup signatures allow detection of golang binaries (currently x86 ELF, PE and Mach-O).
- swift: updated libSwiftDemangle to 5.5.1 to enable recent Swift symbols demangling.
- Core / Misc:
- goodname.cfg: simplify names of STL classes in __cxx11 namespace (libstdc++).
- ida.cfg: added DEVICE parameter to specify the target device (e.g. ida -pavr -DDEVICE="AT90C8534" firmware.hex).
- ida.cfg: added PRIVRANGE parameter to specify the default private address interval (addresses for internal usage) for new databases.
- idaclang: added support for libclang-based C++ parser (can be enabled in Options > Compiler…).
- installer: allow running of x64 installers on Apple Silicon (under Rosetta).
- installer: Installers for Apple Silicon are fully native and do not require Rosetta.
- kernel: enabled type system for all processors; the processors that do not define the necessary callbacks will still have limited support (e.g. the argument locations won't be calculated, among other things).
- kernel: improved function recognition in binary files.
- Scripting & SDK:
- IDAPython: added colorize_disassembly_on_the_fly.py example to demonstrate dynamically coloring listing lines (w/o touching the IDB).
- IDAPython: added example print_call_stack.py.
- IDAPython: added IDAPYTHON_IDAUSR_SYSPATH parameter to idapython.cfg to automatically add $IDAUSR/python/[2 3]/ directories to sys.path (enabled by default).
- IDAPython: added list_function_items.py sample to demonstrate usage of func_t iterators.
- IDAPython: examples directory now has an index with the listing of examples and functions used in them.
- IDAPython: functions returning multiple values or structures, now return tuples instead of lists.
- IDAPython: idalines_generate_disassembly now returns (int, [line, line, …]) instead of (int, (line, line, …)).
- IDAPython: improve return type information shown in docstrings.
- IDAPython: improved online API documentation.
- IDAPython: the xrefblk_t class now provides functions for iterating the cross-references using generator expressions (for … in).
- SDK: added enable_bptgrp() function.
- SDK: added dirtree_t::find_entry().
- SDK: added get_user_input_event() to retrieve information about the event that triggered a certain notification (e.g., view_curpos, hxe_curpos, …).
- SDK: added qstring::split() & qstring::join().
- SDK: added REFINFO_NO_ZEROS/REFINFO_NO_ONES flags for refinfo_t to handle special cases of offset values.
- SDK: added the new ALOPT_ONLYTERM option for get_max_strlit_length() to allow invalid characters inside string literals.
- SDK: clarify documentation for show_wait_box() about HIDECANCEL.
- SDK: idb_event::segm_deleted notification now provides the flags that were used for deletion.
- SDK: introduced functions to convert UTC time to struct tm and back (qgmtime/qtimegm).
- SDK: moved qfsize() from diskio.hpp to fpro.h.
- SDK: renamed inf.comment -> inf.cmt_indent.
- SDK: APIs working with breakpoint groups (e.g. set_bpt_group) now accept a path instead of a simple name.
- UI:
- UI: add the shortcut number to the tabs' titles if Alt is pressed for 1 second.
- UI: added checks in the floating license borrow/return forms to avoid a problem with decompiler licenses not being returned.
- UI: added ymmword and zmmword data types to "Setup data dialog" (for processors that support them).
- UI: enable Command+F for QuickFilter actions on macOS.
- UI: improved speed when manipulating large numbers of breakpoints.
- UI: improved UI responsiveness when manipulating huge structures.
- UI: messages in Output window can now be timestamped by enabling the option from the context menu.
- UI: multiple lockable highlights are now available in listings.
- UI: show collapse/expand icons to the left of disassembly items when the corresponding action is available.
- UI: support for relative (i.e., '+N', '-N') jumps in structures window.
- UI: when a widget is reopened with WOPN_RESTORE, IDA will attempt to place it where it was previously located, instead of next to the currently active widget.
- UI: the breakpoints view now uses a standard folder view for breakpoint groups.
- Decompilers:
- decompiler: add the "Copy" action in the context menu when it's available.
- decompiler: added PSEUDOCODE_SYNC_XPOS option, to prevent synchronized Pseudocode-* views from scrolling horizontally when navigating in the other view.
- decompiler: optimize complex conditions by removing useless parts. E.g. x==3 || x!=4 is replaced by x!=4.
- decompiler: print the decompiler version when writing a C file output.
- decompiler: recognize more magic division sequences.
- decompiler: transform memcpy calls into memset when all source bytes are the same.
- decompiler: transform two shifts in opposite directions into a corresponding division or multiplication.
- decompiler: disable actions 'Set call type', 'Remove function argument' for helper calls generated by the decompiler.
- decompiler: improved comments in hexrays.cfg.
- decompiler: support for the Extended Flow Guard helper (guard_xfg_dispatch).
- decompiler: ARM: intrinsic functions swapXX, __rbitXX now use 32/64 suffix to show the underlying operation size.
- decompiler: MIPS: added support of n64 ABI (MIPS64 decompiler).
- decompiler: MIPS: added support for Cavium-specific instructions.
- decompiler: x86/x64: decompile prefetchnta instruction.
- decompiler: PPC: CR and CR32..CR63 bits can be specified as argument/return locations in __usercall functions, e.g. bool __usercall sub_610ACA@<cr34>(int *a1@<r5>).
Learning tutorials: The IDA Pro Book; other documentation and tutorials; IDA basics video course (20 episodes).

Video resource directory (20 episodes):
1. Introduction to disassembly
2. Reverse engineering and disassembly tools
3. Getting started with IDA
4. IDA data display windows
5. IDA primary data windows
6. IDA secondary display windows
7. Other IDA windows
8. IDA navigation features
9. Stack frames, part 1
10. Stack frames, part 2
11. IDA search features
12. Renaming and local variables
13. Comments and code conversion in IDA
14. Manipulating functions in IDA
15. Converting between strings and data in IDA
16. Accessing array elements in IDA
17. Structures and the database in IDA
18. Fundamentals of C++ reverse engineering
19. Cross-references in IDA
20. Cross-reference lists and graphs in IDA
IDA Pro is a disassembler; its core plugin is the Decompiler.
Everyone who does reverse engineering knows what consumes the most effort: analyzing assembly code, of course. The pseudo-C code generated by IDA Pro can save you anywhere from two days to a month, so compared with a cost of just a few hundred yuan it is clearly a bargain.
Decompiles Windows PE files: dll, exe, ocx, sys