Sometimes you may see mysterious align keywords in the disassembly, which can appear both in code and data areas: Usually they’re only apparent in the text view. These directives are used by many assemblers to indicate alignment to a specific address boundary, usually a power of two. IDA uses it to replace potentially irrelevant bytes by a […]
Read MoreThis is a guest entry written by Chris Eagle. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. The SK3wldbg Plugin When I first started analyzing obfuscated code, I quite often wished that I could simply de-obfuscate the code […]
Read MoreWhen analyzing firmware or other binaries without metadata, IDA is not always able to discover and analyze all functions which means the cross-references can be missing. Let’s say you found a string in the binary (e.g. in the String list) which has no cross references, but you’re reasonably sure it’s actually used. How to […]
Read MoreWe’ve covered choosers previously and talked about searching, sorting and filtering. The default filter (Ctrl–F shortcut) is pretty simple: it performs case-insensitive match on any column of the list. Advanced filters Advanced filter dialog is accessible via the context menu entry “Modify filters…” or the shortcut Ctrl–Shift–F In the dialog you can: match any or a specific […]
Read MoreDebug information, whether present in the binary or loaded separately, can contain not only symbols such as function or variable names, but also mapping of binary’s instructions to the original source files. It can be used by IDA’s debugger for source-level debugging, but what if you want to see this mapping during static […]
Read MoreUsing the string list is one way to look for text in the binary but it has its downsides: building the list takes time for big binaries, some strings may be missing initially so you may need several tries to get the options right, and then you need to actually find what you need […]
Read MoreThis is a guest entry written by Mike Hunhoff, Moritz Raabe, and Willi Ballenthin from the Mandiant FLARE Team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. capa explorer: Focus Your Reverse Engineering Efforts in IDA Pro Read More
When exploring an unfamiliar binary, it may be difficult to find interesting places to start from. One common approach is to check what strings are present in the program – this might give some hints about its functionality and maybe some starting places for analysis. While you can scroll through the listing and look at […]
Read MoreWhen analyzing regular, well-formed binaries, you can usually rely on IDA’s autoanalysis to create functions and detect their boundaries correctly. However, there may be situations when IDA’s guesses need to be adjusted. Non-returning calls One example could be calls to non-returning functions. Let’s say a function has been misdetected by IDA as non-returning: But on further analysis […]
Read MoreSome functions in programs do not return to caller: well-known examples include C runtime functions like exit(), abort(), assert() but also many others. Modern compilers can exploit this knowledge to optimize the code better: for example, the code which would normally follow such a function call does not need to be generated which decreases the […]
Read More