IDA Questions

[null_endian]

I have 2 questions:

1. Is anybody familiar with a way to zoom in and out in IDA Pro Graph View without a scroll wheel? I use a special mouse which does not have one. The only ways I've found is hit "w" to zoom WAY OUT and 1 to zoom WAY IN. However, I lost the gradual zoom capability with this mouse :(.

2. What are some ways to handle locating the below function calls in code? When I xref these API calls, I'm brought to a series of jmps and the API calls themselves never actually appear in the code. Interestingly, I also cannot find references to the memory addresses of the jmps themselves in code either, so the code must use some offsets to access these jumps. Effectively, I cannot see where these functions are called at. Are there any tips for getting past this? Also note a similar situation where the graph view is full of "orphaned" jumps. Thanks.

 

[kao]

Zooming - as far as I know, there is no keyboard shortcut for it. AutoHotKey or similar macro program should be able to emulate mouse wheel.

XRefs - if IDA can't find it, it's either unused, or accessed indirectly (eg. via code virtualized by Themida, or something similar). I'd load program in debugger, put breakpoints on these APIs and see if any breakpoint triggers. Then trace back to original program code.

[null_endian]

Ok thanks for that. On that note, do you know of any tips for simply just getting a program running after its headers are obstructed? I actually did a manual unpack on this one, which was packed with ASPack and I was able to successfully repair the IAT, however, I still can't load it up because it's corrupted somehow.

[kao]

I saw your other question.  

Short answer is - you obviously didn't unpack it correctly.
Longer answer - find out what exactly is wrong and fix it. My personal favorite tool for such cases is HIEW (www.hiew.ru) - it has a great PE Verify plugin which helps a lot. Unfortunately demo version of HIEW doesn't have plugin support, so you'll have to find pirated version somewhere..