When analyzing firmware binaries, a proper memory layout is quite important. When loading a raw binary, IDA usually creates a code segment for the whole binary. This is good enough when that code is all you need to analyze, but it is not always the case. For example, the code can refer to external […]
Read MoreOccasionally you may run into the following error message: To ensure that the decompilation speed remains acceptable and does not block IDA, especially when using batch decompilation, by default the decompiler refuses to decompile the functions over 64 kilobytes (0x10000 bytes). But here we have function which is 3x as large: In such case you can manually […]
Read MoreThis year, our Black Friday deals have come early and include incredible opportunities to save money on Training and IDA Home! Here is what is on offer… 50% Off All December IDA Pro Online Training Sessions Are you ready to take your IDA Pro expertise to the next level? Hex-Rays offers a mind-blowing 50% discount on all […]
Read MoreThis is a guest entry written by Baptiste Verstraeten from the Thalium Team. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. The Symless plugin aims to simplify the process of retrieving and defining structures, classes, and virtual […]
Read MoreIDA supports different representations for the instruction operands and data items. However, only the most common of them are listed in the context menu or have hotkeys assigned. Let’s imagine that you’ve discovered an area in a firmware binary which looks like a table of floating-point values: You can confirm that it looks plausible by […]
Read MoreLet’s consider this snippet from decompilation of an x86 Windows binary: The same function is called twice with the same argument and the last one doesn’t seem to use the result of the GetComputerNameExW call. By switching to disassembly, we can see that eax is initialized before each call with a string address: However the decompiler does not […]
Read MoreIn the heart of Versailles, an unexpected discovery sent ripples through the palace. Madame de Maintenon (the IDA Lady), the secret wife of Louis XIV, stumbled upon an unusual letter, containing a hidden plot for a coup. This letter, with its strange symbols, triggered a quest for answers. With unwavering determination, Madame de Maintenon (aka […]
Read MoreThe Functions list is probably the most known and used part of IDA’s default desktop layout. It includes all detected functions in the current database and offers a quick way to find and navigate to any of them. However, the database consists not only of functions but also data items or instructions which are […]
Read MoreLet’s say you found a promising-looking string in the binary, followed the cross reference to the function using it, then decompiled it to see how the string is used, only to see no signs of it in the pseudocode. What’s happening? In such situation it often helps to set up two synchronized disassembly<->pseudocode views and […]
Read MoreAs covered before, the action “Create struct from selection” can be used to quickly create structures from existing data items. However, Disassembly view not the only place where it can be used. For example, let’s imagine you’ve created a structure to represent some context used by the binary being analyzed: 00000000 Context […]
Read More