One way to locate the main function in IDA when there is no sig file

    xiaoxiao  2022-06-29  57

    When a sig file is available, IDA locates the main function automatically:

    .text:004013B0
    .text:004013B0 ; =============== S U B R O U T I N E =======================================
    .text:004013B0
    .text:004013B0 ; Attributes: bp-based frame
    .text:004013B0
    .text:004013B0 ; int __cdecl main(int argc, char **argv)
    .text:004013B0 _main proc near ; CODE XREF: __scrt_common_main_seh+FA↓p
    .text:004013B0 ; invoke_main+1A↓p
    .text:004013B0
    .text:004013B0 var_4 = dword ptr -4
    .text:004013B0 argc = dword ptr 8
    .text:004013B0 argv = dword ptr 0Ch
    .text:004013B0
    .text:004013B0 push ebp
    .text:004013B1 mov ebp, esp
    .text:004013B3 push ecx
    .text:004013B4 push esi
    .text:004013B5 push 4 ; size
    .text:004013B7 call ??2@YAPAXI@Z ; operator new(uint)
    .text:004013BC mov esi, eax
    .text:004013BE add esp, 4
    .text:004013C1 mov [ebp+var_4], esi
    .text:004013C4 test esi, esi
    .text:004013C6 jz short loc_4013ED

    What do we do when there is no sig file? IDA usually stops here, at the start routine, whose listing ends with "endp ; sp-analysis failed":

    .text:00401728
    .text:00401728 ; =============== S U B R O U T I N E =======================================
    .text:00401728
    .text:00401728 ; Attributes: library function
    .text:00401728
    .text:00401728 public start
    .text:00401728 start proc near
    .text:00401728
    .text:00401728 ; FUNCTION CHUNK AT .text:00401571 SIZE 00000139 BYTES
    .text:00401728 ; FUNCTION CHUNK AT .text:004016E7 SIZE 00000006 BYTES
    .text:00401728
    .text:00401728 call sub_401CE0
    .text:0040172D jmp loc_401571
    .text:0040172D start endp ; sp-analysis failed
    .text:0040172D

    What we need to do is scroll up, then up again, looking for a function header with these characteristics: all of its own CODE XREFs point downward, all CODE XREFs of the functions below it point upward, and all CODE XREFs of the functions above it point downward. (In IDA's listing the arrow on a CODE XREF gives the direction from the function to the referencing instruction, so ↓ means the caller sits at a higher address and ↑ means it sits at a lower one.)

    .text:004013B0
    .text:004013B0 ; Attributes: bp-based frame
    .text:004013B0
    .text:004013B0 sub_4013B0 proc near ; CODE XREF: start-BD↓p
    .text:004013B0 ; .text:0040171D↓p
    .text:004013B0
    .text:004013B0 var_4 = dword ptr -4
    .text:004013B0
    .text:004013B0 push ebp
    .text:004013B1 mov ebp, esp
    .text:004013B3 push ecx
    .text:004013B4 push esi
    .text:004013B5 push 4
    .text:004013B7 call sub_40143E
    .text:004013BC mov esi, eax
    .text:004013BE add esp, 4
    .text:004013C1 mov [ebp+var_4], esi
    .text:004013C4 test esi, esi
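The "find the function where the xref arrows flip" heuristic above, written out as an added example that is not part of the original post. It runs on a constructed xref table whose addresses follow the listings (main at 0x4013B0 called from start-BD = 0x40166B and 0x40171D; the other functions and callers are assumed); inside IDA the same table would be built from idautils.Functions() and idautils.CodeRefsTo().

```python
# Constructed sample: function start address -> addresses of the code
# references to it. Only 0x4013B0, 0x40143E, 0x401571 and 0x401728 and the
# two callers of 0x4013B0 come from the listings; the rest is assumed.
# Inside IDA, build this with:
#   {f: set(idautils.CodeRefsTo(f, 0)) for f in idautils.Functions()}
SAMPLE_XREFS = {
    0x401000: {0x4013D9},            # user helper, called from main (xref ↓)
    0x401090: {0x4013E4},            # user helper, called from main (xref ↓)
    0x4013B0: {0x40166B, 0x40171D},  # main: start-BD↓p and .text:0040171D↓p
    0x40143E: {0x4013B7},            # called from main, which is above (xref ↑)
    0x4014A0: {0x401650},            # CRT internal, called from below (xref ↓)
    0x401571: {0x40172D},            # chunk reached by "jmp loc_401571" (xref ↓)
    0x401728: set(),                 # start: the entry point, no code xrefs
}

def xref_direction(callers_of, ea):
    """'down' if every xref to ea comes from a higher address (IDA shows ↓),
    'up' if every one comes from a lower address (↑), 'mixed' otherwise,
    and None when the function has no code xrefs at all."""
    callers = callers_of[ea]
    if not callers:
        return None
    if all(c > ea for c in callers):
        return "down"
    if all(c < ea for c in callers):
        return "up"
    return "mixed"

def find_main_candidates(callers_of):
    """Functions whose own xrefs all point down, whose neighbour above (if
    any) is also referenced only from below, and whose neighbour below is
    referenced only from above, i.e. the boundary between user code and CRT."""
    funcs = sorted(callers_of)
    found = []
    for i, ea in enumerate(funcs):
        if xref_direction(callers_of, ea) != "down":
            continue
        above_ok = i == 0 or xref_direction(callers_of, funcs[i - 1]) == "down"
        below_ok = i + 1 < len(funcs) and xref_direction(callers_of, funcs[i + 1]) == "up"
        if above_ok and below_ok:
            found.append(ea)
    return found

if __name__ == "__main__":
    for ea in find_main_candidates(SAMPLE_XREFS):
        print("main candidate: sub_%X" % ea)  # prints: main candidate: sub_4013B0
```

The heuristic only narrows the search: a candidate still has to be confirmed by reading its body (argc/argv handling, calls into user code) before renaming it to main.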
