
View Full Version : Making IDA work "like" w32dasm


instant
October 20th, 2002, 23:29
Hi,

I'm new to this, and I've read some primers on IDA, but I am still having some problems.

When I open a resource in w32dasm I can quickly see all strings and find the locations in the code where these strings are accessed.

But in IDA I am only shown "push 204h" for example, and have to make my own comment for them.

And I don't see any information in the .data section about these strings, even though they should be there.

Could someone point me in the right direction, if any, to get these strings sorted out? :-)

(I'm using ida strings 0.4D already, but this doesn't seem to list as many as w32dasm does.. )

Some parts of the .data section seem to be like

.data 40002 26 B
.data 40004 27 C

Whereas in w32dasm I would see "BC.... " etc on the same "line".

Should I just read the Primers again, or is there some secret option I have yet to find? :-)

Thanks.

26 and 27 are most likely not B C, but, it was an example

disavowed
October 21st, 2002, 01:44
assuming you're using ida 4.x, click the green "N" in the button bar (or press shift-f4) for the "Names window".

and rtfm

instant
October 21st, 2002, 09:20
Quote:
Originally posted by disavowed
assuming you're using ida 4.x, click the green "N" in the button bar (or press shift-f4) for the "Names window".

and rtfm


Well, if your knowledge about IDA consists of

"Green N buttons" and Shift-F4, as well as 'read the fucking manual', I must say that you're not much use.

Hopefully your manners do not reflect the general population at these boards, and someone with more manners, and knowledge might step forth and give some *helpful* information.

But perhaps you're one of those "elitist hackers" that feel that everyone should go through the same hardships that you have instead of being able to ask those with more knowledge the hows and whys, and then try for themselves.

And about the N button/Shift-f, as well as the strings plugin. These do not show the same amount of data w32dasm does, is there a way to make it do so?

Also; IDA shows some information like this

.data:00447C9C 53 db 53h ; S
.data:00447C9D 6F db 6Fh ; o
.data:00447C9E 66 db 66h ; f
.data:00447C9F 74 db 74h ; t
.data:00447CA0 77 db 77h ; w

whereas w32dasm would show it on one line "softw..." etc. Can IDA be configured to show it the same way?

(my questions are most likely aimed at everyone else here, as disavowed hasn't shown to be of much help.. He can change probably, so I'm not dismissing him (for now).)

Regards,

Manko
October 21st, 2002, 09:41
I use IDA Pro 4.17.
One added feature is a new stringsfunction.
I think it's pretty good. It will do what you just asked for...
I still use both, though...
Patching and textsearching on code is better in w32dasm, I think...
And for quickies, IDA takes too much time.
Though, more and more, I tend not to mind...
'Cause I love IDA... :P

/Manko

NervGaz
October 21st, 2002, 10:57
Set up IDA to use the correct type of ascii strings, i.e. ASCII_C_STYLE for
C/C++(and win32asm for that matter) programs and so on... Either you can do
this in the ida.cfg file or in the settings part for ascii string styles... If it still
doesn't show the strings correctly just hit "A" at the beginning of the string...
After setting up the correct style of course... And remember that pascal/delphi uses
the byte in front of the string to see how long the string is... Hopefully this will
help you poke around with the strings a bit more... This is by the way what you
would have found in TFM(tm)...

disavowed
October 21st, 2002, 11:16
Quote:
Originally posted by instant
Well, if your knowledge about IDA consists of

"Green N buttons" and Shift-F4, as well as 'read the fucking manual', I must say that you're not much use.

Hopefully your manners do not reflect the general population at these boards, and someone with more manners, and knowledge might step forth and give some *helpful* information.

But perhaps you're one of those "elitist hackers" that feel that everyone should go through the same hardships that you have instead of being able to ask those with more knowledge the hows and whys, and then try for themselves.

i answered your question, and what's more i gave you advice on how not to get flamed in the future. you obviously have not read any ida primers nor tfm. your question was much like "how do i open a file in notepad". it could have been answered by looking at the commands in the menubar or reading ida's help file. but again, i was in a helpful mood, so i decided to answer your question anyway, hoping to give you a headstart instead of forcing you to go through "hardships" (although learning how to display strings in ida by reading a help file is NOT a hardship, and if you think it is, i recommend you give up any plans of reverse engineering, because they will be way over your head).

instant
October 21st, 2002, 19:09
Quote:
Originally posted by disavowed
i answered your question, and what's more i gave you advice on how not to get flamed in the future. you obviously have not read any ida primers nor tfm. your question was much like "how do i open a file in notepad". it could have been answered by looking at the commands in the menubar or reading ida's help file. but again, i was in a helpful mood, so i decided to answer your question anyway, hoping to give you a headstart instead of forcing you to go through "hardships" (although learning how to display strings in ida by reading a help file is NOT a hardship, and if you think it is, i recommend you give up any plans of reverse engineering, because they will be way over your head).


Thing is, you don't know how to get the result I asked about, and no primer or anything I have seen says anything about it either, so either it is impossible, or not that easy to enable, that's why I asked.

Timmy
October 22nd, 2002, 01:23
I'll have a mars bar that he does.

Anyway, the IDA strings thing has been covered before. Me thinks a tad more W32Dasm work needs to be done before IDA can be used to anywhere near its potential.

Aimless
October 23rd, 2002, 05:43
With power, comes total control.

With total control, comes...well, tedium!

Write a small program in C/C++ and then re-write the same in Assembly. Understand the lines of code (heaps, actually) that go in the assembly program. Though assembly gives you TOTAL control, it is more tedious.

Similarly with IDA. It's FAR more powerful than W32Dasm. And it gives you TOTAL Control. Unfortunately, that means, you have to do LOTS of things manually. (Theoretically, you could automate them, but let's leave the macros/plugins/idc scripting for later).

The example you gave is what IDA displays as default. It will display the data section byte-by-byte. All you need to do is go across to the first word, mark the section and press "U" for making it unmarked. THEN, you type in "A" to make it ASCII and it will display it in a line. Let me clarify:

.data:2001 0xA 'S'
.data:2002 0xB 'o'
.data:2003 0xC 'f'
.data:2004 0xD 't'
.data:2005 0xE 'i'
.data:2006 0xF 'c'
.data:2007 0xA1 'e'

is what you see in the data section. Well, it should actually display the same as:

.data:2001 'Softice'
.data:2008 'No debuggers allowed...'

and so on. To do this you will have to place your cursor at .data:2001 and then mark the data up to .data:2007. (Marking is the same as in any word-processor. Press shift and the arrow keys to mark).

Press "U" to make it unidentified.

Select that range again (yes, again!) ie. from .data:2001 to .data:2007 and this time, press "A".

This will make the same as ASCII. You will now see:

.data:2001 'Softice'

You have to do this for EVERY string that you want to find (did I not say, IDA is better than W32dasm, more control, but the control comes for a price?). IDA leaves it up to the user to decide which string starts where. W32dasm tries to intelligently guess the same. Of course, w32dasm becomes easy, but can also give erroneous strings. So there.

I trust that your questions are answered. You will have to read the help file for a list of IDC functions that you can use. They are TOO many to be enumerated.

IDA is also a specialist tool. A very specialist tool. People who use IDA are generally top-of-line people who have the ability to learn everything by reading the manual. HENCE, you will find no tutorial about macros/idc scripts/plugins, etc. If there are, they are usually for a specific purpose.

Have Phun,

figugegl
October 23rd, 2002, 06:19
first of all: i'm a big fan of IDA. i don't use w32dasm anymore, actually i never have. but handling IDA takes time, and as stated above, some tasks are tedious.

that's why i wrote a little program called ShowString. It shows every string in a file. in most cases i check the strings before any attempt of cracking a target. just for fun and it usually tells me a lot. my little program is far from being perfect, some functions haven't been implemented yet, but it does its job

disavowed
October 24th, 2002, 02:24
Quote:
Originally posted by figugegl
that's why i wrote a little program called ShowString. It shows every string in a file. in most cases i check the strings before any attempt of cracking a target. just for fun and it usually tells me a lot. my little program is far from being perfect, some functions haven't been implemented yet, but it does its job


figugegl, i haven't tried your program, but anyone reading this thread may also want to take a look at bintext (which i highly recommend): http://www.foundstone.com/knowledge/proddesc/bintext.html

Polaris
October 24th, 2002, 18:50
Quote:
Originally posted by instant
Well, if your knowledge about IDA consists of

Also; IDA shows some information like this

.data:00447C9C 53 db 53h ; S
.data:00447C9D 6F db 6Fh ; o
.data:00447C9E 66 db 66h ; f
.data:00447C9F 74 db 74h ; t
.data:00447CA0 77 db 77h ; w

whereas w32dasm would show it on one line "softw..." etc. Can IDA be configured to show it the same way?

Regards,


IDA does not display this string in W32dasm style because:

1) it has not come over it during autoanalysis. More precisely, there were NO xrefs to that address (data:00447c9c).

2) the default string style was not the right one. IDA by default expects C's '\0' terminated, and this could not be the case.

In any other case,IDA would have generated a name (aSoftw... if you are using defaults).

Polaris

Frost And Winter Return To My Eyes...
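The thread turns on two things: which string style the disassembler has been told to expect (NervGaz's point about ASCII_C_STYLE versus Pascal/Delphi length-prefixed strings, and Polaris's point that the default is C's '\0'-terminated), and the manual "U, then A" step Aimless describes that turns a run of single `db` lines into one string literal. The Python script below is an added example written for this page; it is not code from the thread, from IDA or from any of the tools mentioned. It models those two decisions on a constructed byte buffer (the sample data, offsets and base address are invented to echo the `.data` listings above): `define_string` plays the role of pressing "A" at an address with a chosen style, `scan_strings` sweeps a buffer the way a strings-list tool would, and `db_lines` renders the per-byte view the original poster was seeing. Running it with both styles shows why a C-only scan misses the length-prefixed string and vice versa.

```python
"""Model of how a string-style setting decides what counts as a string.

Added example for this thread, not IDA's own code. The buffer is constructed:
two C-style (NUL-terminated) strings followed by one Pascal-style
(length-byte-prefixed) string that has no NUL terminator.
"""

# ASCII bytes we treat as printable: space through '~' (0x20..0x7E).
PRINTABLE = frozenset(range(0x20, 0x7F))
MIN_LEN = 4  # ignore short runs, which are mostly false positives

# Constructed sample data; the layout echoes the .data listings in the thread.
SAMPLE = (
    b"\x00\x00"                         # 0x00: padding
    + b"Softice\x00"                    # 0x02: C-style, NUL-terminated
    + b"No debuggers allowed...\x00"    # 0x0A: C-style, NUL-terminated
    + b"\x90\x90"                       # 0x22: non-printable filler
    + b"\x0cHello Pascal"               # 0x24: Pascal-style, length byte 12
    + b"\xcc\xcc"                       # 0x31: filler, no NUL anywhere after
)


def define_string(data, ea, style):
    """Mimic pressing "A" at offset `ea` with the given string style.

    Returns the literal that would be created, or None when the bytes at `ea`
    do not form a string of that style (the case where the analyst has to
    switch the style, as NervGaz suggests, before the definition succeeds).
    """
    if style == "c":
        end = data.find(b"\x00", ea)
        if end == -1:                       # no terminator: not a C string
            return None
        body = data[ea:end]
    elif style == "pascal":
        if ea >= len(data):
            return None
        length = data[ea]                   # leading byte is the length
        body = data[ea + 1:ea + 1 + length]
        if len(body) != length:             # runs off the end of the buffer
            return None
    else:
        raise ValueError("unknown style: %r" % style)
    if not body or any(b not in PRINTABLE for b in body):
        return None
    return body.decode("ascii")


def scan_strings(data, style, min_len=MIN_LEN):
    """Sweep the buffer and return (offset, text) for every string of the
    chosen style, the way a strings-list tool would."""
    found = []
    ea = 0
    while ea < len(data):
        text = define_string(data, ea, style)
        if text is not None and len(text) >= min_len:
            found.append((ea, text))
            ea += len(text) + 1             # skip the literal and its NUL/length byte
        else:
            ea += 1
    return found


def db_lines(data, ea, count, base=0):
    """Render `count` bytes from `ea` the way the undefined-data view does:
    one 'db' line per byte, with the character shown in the comment."""
    lines = []
    for off in range(ea, ea + count):
        b = data[off]
        ch = chr(b) if b in PRINTABLE else "."
        lines.append(".data:%08X %02X db %02Xh ; %s" % (base + off, b, b, ch))
    return lines


if __name__ == "__main__":
    # The per-byte view (constructed base address) versus the string view.
    print("\n".join(db_lines(SAMPLE, 2, 7, base=0x447C9A)))
    for style in ("c", "pascal"):
        print("style=%s:" % style)
        for ea, text in scan_strings(SAMPLE, style):
            print("  .data:%08X %r" % (ea, text))
```

With style `c` the scan reports the two NUL-terminated strings and nothing at 0x24, because "Hello Pascal" is never followed by a NUL; with style `pascal` it reports only the length-prefixed one. That is the situation Polaris describes: a string that does not match the configured style (and has no xref pointing at it) is left as raw bytes, and it takes a manual definition with the right style to make it a single literal.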