State-of-the-art binary code analysis tools
Let’s say you found a promising-looking string in the binary, followed the cross reference to the function using it, then decompiled it to see how the string is used, only to see no signs of it in the pseudocode. What’s happening? In such situation it often helps to set up two synchronized disassembly<->pseudocode views and […]
In order to faithfully represent the behavior of the code and to conform to the rules of the C language, the decompiler may need to add casts in the pseudocode. A few examples: a variable has been detected to be unsigned but participates in a signed comparison: An argument being passed to a function does not match […]
In order to show the user only the most relevant code and hide the unnecessary clutter, the decompiler performs various optimizations before displaying the pseudocode. Some of these optimizations rely on various assumptions which are usually correct in well-behaved programs. However, in some situations they may be incorrect which may lead to wrong output, so […]
When working with the decompiler, you probably spend most of the time in the pseudocode view, since most interactive operations (e.g. renaming, retyping and commenting) can be done right there. IDA is usually smart enough to detect important changes during such actions and update the pseudocode as necessary. However, occasionally you may perform actions […]
When you need to change the prototype of a function in the decompiler, the standard way is to use the “Set item type…” action (shortcut Y). One case where you may need to do it is to add or remove arguments. Especially in embedded code or when decompiling variadic functions, the decompiler may deduce the argument […]
We’ve covered splitting expressions before, but there may be situations where it can’t be used. For example, consider following situation: The decompiler decided that the function returns a 64-bit integer and allocated a 64-bit stack varible for it. For example, the code may be manipulating a register pair commonly used for 64-bit variables (eax:edx) which triggers […]
When working with a binary in IDA, most of the time you probably use one of the main views: disassembly (IDA View) or decompilation (Pseudocode). If you need to switch between the two, you can use the Tab key – usually it jumps to the the same location in the other view. If you […]
When using the decompiler, you probably spend most of the time in the Pseudocode view. In case you need to consult the corresponding disassembly, it’s a quick Tab away. However, if you actually prefer the disassembly, there is another option you can try. Copy to assembly This action is available in the pseudocode view’s context menu […]
Previously, we’ve run into a function which produces a cryptic error if you try to decompile it: In such situations, you need to go back to disassembly to see what could be wrong. More specifically, check the stack frame layout by double-clicking a stack variable or pressing Ctrl–K. On the first glance it looks normal: However, […]
When you open a decompilable file in IDA, you get this somewhat mysterious item in the Help menu: And if you invoke it, it shows an even more mysterious dialog: So, what is it and when it is useful? Originally this feature was added to the decompiler to make decompiler bug reporting easier: oftentimes. a decompiler issue cannot really […]