Commenting in IDA

Another useful feature in IDA is the ability to embed comments in your databases. Comments are a particularly useful way to leave notes for yourself regarding your progress as you analyze a program. In particular, comments are helpful for describing sequences of assembly language instructions in a higher-level fashion. For example, you might opt to write comments using C language statements to summarize the behavior of a particular function. On subsequent analysis of the function, the comments would serve to refresh your memory faster than reanalyzing the assembly language statements.

IDA offers several styles of comments, each suited for a different purpose. Comments may be associated with any line of the disassembly listing using options available from Edit ▸ Comments. Hotkeys or context menus offer alternate access to IDA’s commenting features. To help you understand IDA’s commenting features, we refer to the following disassembly of the function bar:

.text:00401050 ; =============== S U B R O U T I N E
=======================================
.text:00401050
.text:00401050 ; void bar(int j, int k);
.text:00401050 ; Attributes: bp-based frame
.text:00401050
.text:00401050 
bar       proc near               ; CODE XREF: demo_stackframe+2A,p
.text:00401050
.text:00401050 arg_0     = dword ptr  8
.text:00401050 arg_4     = dword ptr  0Ch
.text:00401050
.text:00401050   push   ebp
.text:00401051   mov   ebp, esp
.text:00401053   sub   esp, 8
.text:00401056  The next three lines test j < k
.text:00401056   mov   eax, [ebp+arg_0]
.text:00401059   cmp   eax, [ebp+arg_4]
.text:0040105C   jge   short loc_40106C ;
 Repeating comments get echoed at referencing locations
.text:0040105E   mov   [esp], offset aTheSecondParam ;
 "The second parameter is larger"
.text:00401065   call  printf
.text:0040106A   jmp   short locret_40108E ; jump to the end of the function
.text:0040106C ; -------------------
--------------------------------------------------------
.text:0040106C
.text:0040106C loc_40106C:                             ; CODE XREF: bar+C·j
.text:0040106C   mov   eax, [ebp+arg_0] ;
 Repeating comments get echoed at referencing locations
.text:0040106F   cmp   eax, [ebp+arg_4]
.text:00401072   jle   short loc_401082
.text:00401074   mov   [esp], offset aTheFirstParame ;
 "The first parameter is larger"
.text:0040107B   call  printf
.text:00401080   jmp   short locret_40108E
.text:00401082 ; -----------------------
----------------------------------------------------
.text:00401082
.text:00401082 loc_401082:                             ; CODE XREF: bar+22·j
.text:00401082   mov   [esp], offset aTheParametersA ;
 "the parameters are equal"
.text:00401089   call  printf
.text:0040108E
.text:0040108E locret_40108E:                          ; CODE XREF: bar+1A·j
.text:0040108E                                         ; bar+30·j
.text:0040108E   leave
.text:0040108F   retn
.text:0040108F bar  endp

The majority of IDA comments are prefixed with a semicolon to indicate that the remainder of the line is to be considered a comment. This is similar to commenting styles used by many assemblers and equates to #-style comments in many scripting languages or //-style comments in C++.

Regular Comments

The most straightforward comment is the regular comment. Regular comments are placed at the end of existing assembly lines, as at in the preceding listing. Right-click in the right margin of the disassembly or use the colon (:) hotkey to activate the comment entry dialog. Regular comments will span multiple lines if you enter multiple lines in the comment entry dialog. Each of the lines will be indented to line up on the right side of the disassembly. To edit or delete a comment, you must reopen the comment entry dialog and edit or delete all of the comment text as appropriate. By default, regular comments are displayed as blue text.

IDA itself makes extensive use of regular comments. During the analysis phase, IDA inserts regular comments to describe parameters that are being pushed for function calls. This occurs only when IDA has parameter name or type information for the function being called. This information is typically contained within type libraries, which are discussed in Chapter 8 and Chapter 13, but also may be entered manually.

Repeatable Comments

A repeatable comment is a comment that is entered once but that may appear automatically in many locations throughout the disassembly. Location in the previous listing shows a repeatable comment. In a disassembly listing the default color for repeatable comments is blue, making them indistinguishable from regular comments. It is the behavior rather than the appearance that matters in this case. The behavior of repeatable comments is tied to the concept of cross-references. When one program location refers to a second location that contains a repeatable comment, the comment associated with the second location is echoed at the first location. By default, the echoed comment appears as gray text, making the repeated comment distinguishable from other comments. The hotkey for repeatable comments is the semicolon (;), making it very easy to confuse repeatable comments and regular comments.

In the previous listing, note that the comment at is identical to the comment at . The comment at has been repeated because the instruction at (jge short loc_40106C) refers to the address of (0040106C).

A regular comment added at a location that is displaying a repeated comment overrides the repeated comment so that only the regular comment will be displayed. If you entered a regular comment at , the repeatable comment inherited from would no longer be displayed at . If you then deleted the regular comment at , the repeatable comment would once again be displayed.

A variant form of repeatable comment is associated with strings. Whenever IDA automatically creates a string variable, a virtual repeatable comment is added at all locations referencing the string variable. We say virtual because the comment cannot be edited by the user. The content of the virtual comment is set to the content of the string variable and displayed throughout the database just as a repeatable comment would be. As a result, any program locations that refer to the string variable will display the contents of the string variable as a repeated comment. The three comments annotated demonstrate such comments displayed as a result of references to string variables.

Anterior and Posterior Lines

Anterior and posterior lines are full-line comments that appear either immediately before (anterior) or after (posterior) a given disassembly line. These comments are the only IDA comments that are not prefixed with the semicolon character. An example of an anterior line comment appears at in the previous listing. You can distinguish an anterior line from a posterior line by comparing the address associated with the line to the address associated with the instruction immediately preceding or following the line.

Function Comments

Function comments allow you to group comments for display at the top of a function’s disassembly listing. An example of a function comment is shown at , where the function prototype has been entered. You enter function comments by first highlighting the function name at the top of the function () and then adding either a regular or repeatable comment. Repeatable function comments are echoed at any locations that call the commented function. IDA will automatically generate function prototype-style comments when you use the Set Function Type command discussed in Chapter 8.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.117.158.165