Although in general case the problem of correct disassembly is unsolvable, in practice it can get pretty close. IDA uses various heuristics to improve the disassembly and make it more readable, such as converting numerical values to offsets when it “looks plausible”. However, this is not always reliable or successful and it may miss some. […]
Read MoreLast time we used operand types to make a function more readable and understand its behavior better. Converting operands one by one is fine if you need to do it a few times, but can quickly get tedious if you need to do it for a long piece of code. En masse operation To convert operands of […]
Read MoreAs software systems becomes more complex, we at Hex-Rays have witnessed a growing desire for more collaboration in the field of reverse-engineering: applying multiple sets of eyes and diversified skill sets, will be a boon for speeding up that process. Over the last months/years, we have been busy cooking an appropriate response to that demand, and […]
Read MoreWe’ve mentioned operand representation before but today we’ll use a specific one to find the Easter egg hidden in the post #85. More specifically, it was this screenshot: The function surprise calls printf, but the arguments being passed to it seem to all be numbers. Doesn’t printf() usually work with strings? What’s going on? Numbers and characters As […]
Read MoreWe’ve covered function chunks last week and today we’ll show an example of how to use them in practice to handle a common compiler optimization. Shared function tail optimization When working with some ARM firmware, you may sometimes run into the following situation: We have decompilation of sub_8098C which ends with a strange JUMPOUT statement and if […]
Read MoreIn IDA, function is a sequence of instructions grouped together. Usually it corresponds to a high-level function or subroutine: it can be called from other places in the program, usually using a dedicated processor instruction; it has an entry and one or more exits (instruction(s) which return to the caller); it can accept arguments (in registers or […]
Read MoreAlthough IDA has been created first and foremost to analyze binaries in “black box” mode, i.e. without any symbols or debug information, it does have the ability to consume such information when available. The debugger functionality was also initially optimized to debug binaries on the assembly level, but nowadays can work with source code too. Source-level […]
Read MoreWe’ve covered arrays previously, but one feature briefly mentioned there is worth a separate highlight. Complex programs may use arrays of data, either of items such as integers or floats, or of complex items such as structures. When the arrays are small, it’s not too difficult to make sense of them, but what to do […]
Read MoreWe’ve covered the major pseudocode formatting options previously but there is one more option which can influence the output. It is the radix used for printing numbers in the pseudocode. In a positional numeral system, the radix or base is the number of unique digits, including the digit zero, used to represent numbers. For example, for […]
Read MoreThe default output of the Hex-Rays decompiler tries to strike a balance between conciseness and readability. However, everyone has different preferences so it offers a few options to control the layout and formatting of the pseudocode. Accessing the options Because of its origins as a third-party plugin for IDA, the decompiler options are accessible not through IDA’s […]
Read More