Hex-Rays Blog

Type libraries are collections of high-level type information for selected platforms and compilers which can be used by IDA and the decompiler. A type library may contain: function prototypes, e.g.: void *__cdecl memcpy(void *, const void *Src, size_t Size); BOOL __stdcall EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam); typedefs, e.g.: typedef unsigned long DWORD; BOOL (__stdcall *WNDENUMPROC)(HWND, LPARAM); standard structure and enum definitions, e.g.: struct tagPOINT { LONG […]

You may have observed that IDA knows about standard APIs or library functions and adds automatic function comments for the arguments passed to them. For example, here’s a fragment of disassembly with commented arguments to Win32 APIs CreateFileW and ReadFile: This works well when functions are imported in a standard way and are known at load time. […]

For over a year now, our colleague Igor has been disseminating his deep knowledge of IDA & decompilers through “Igor’s tip of the week” blog posts. Those have received critical acclaim, and we’ve received a lot of very positive feedback during that time. This motivated us to find a way to improve the accessibility to this resource. Today, […]

Today we’ll cover how keyboard modifiers (Ctr, Alt, Shift) can be used with some IDA actions to modify their behavior or provide additional functionality. Modifiers in shortcuts Obviously, some shortcuts already include modifiers as part of their key sequence, but some commonalities may be not immediately obvious. For example, the Search menu commands tend to use Alt-letter […]

This week we’ll cover another situation where shifted pointers can be useful.

Strings in binaries are very useful for the reverse engineer: they often contain messages shown to the user, or sometimes even internal debugging information (function or variable names) and so having them displayed in the decompiled code is very helpful. However, sometimes you may see named variables in pseudocode even though the disassembly shows the string […]

IDA supports many file formats, among them the main ones used on the three major operating systems: PE (Portable Executable) on Windows; ELF (Executable and Linkable Format) on Linux; Mach-O (Mach object) on macOS. Symbols and debugging information Symbols associate locations inside the file (e.g. addresses of functions or variables) with textual names (usually the names used in the original source […]

Previously we briefly mentioned shifted pointers but without details. What are they? Shifted pointers is another custom extension to the C syntax. They are used by IDA and decompiler to represent a pointer to an object with some offset or adjustment (positive or negative). Let’s see how they work and several situations where they can […]

IDA supports most of the switch patterns produced by major compilers out-of-box and usually you don’t need to worry about them. However, occasionally you may encounter a code which has been produced by an unusual or a very recent compiler version, or some peculiarity of the code prevented IDA from recognizing the pattern, so it […]

IDA uses mostly standard C (and basic C++) syntax, but it also supports some extensions, in particular to represent low-level details which are not necessary for “standard” C code but are helpful for real-life binary code analysis. We’ve already covered custom types and calling conventions, but there are more extensions you may use […]