State-of-the-art binary code analysis tools
The Hex-Rays decompiler was initially created to decompile C code, so its pseudocode output uses (mostly) C syntax. However, the input binaries may be compiled using other languages: C++, Pascal, Basic, ADA, and many others. While the code of most of them can be represented in C without real issues, some have peculiarities which require […]
The release notes for IDA 8.0 mention outlined functions. What are those and how to deal with them in IDA? Function outlining is an optimization that saves code size by identifying recurring sequences of machine code and replacing each instance of the sequence with a call to a new function that contains the identified sequence […]
While working with pseudocode, you may make various changes to it, for example: add comments rename local variables and change their types collapse code blocks map variables mark skippable instructions split expressions adjust variadic arguments select union members and so on If the results of some actions do not look better, you can always undo, but what […]
Variadic functions are functions which accept different number of arguments depending on the needs of the caller. Typical examples include printf and scanf in C and C++ but there are other functions, or even some custom ones (specific to the binary being analyzed). Because each call of a variadic function may have a different […]
When working with big functions in the decompiler, it may be useful to temporarily hide some parts of the pseudocode to analyze the rest. While currently it’s not possible to hide arbitrary lines like in disassembly, you can hide specific sections of it. Collapsing local variable declarations While the local variable declarations are useful to see […]
We’ve mentioned operand representation before but today we’ll use a specific one to find the Easter egg hidden in the post #85. More specifically, it was this screenshot: The function surprise calls printf, but the arguments being passed to it seem to all be numbers. Doesn’t printf() usually work with strings? What’s going on? Numbers and characters As […]
We’ve covered function chunks last week and today we’ll show an example of how to use them in practice to handle a common compiler optimization. Shared function tail optimization When working with some ARM firmware, you may sometimes run into the following situation: We have decompilation of sub_8098C which ends with a strange JUMPOUT statement and if […]
Although IDA has been created first and foremost to analyze binaries in “black box” mode, i.e. without any symbols or debug information, it does have the ability to consume such information when available. The debugger functionality was also initially optimized to debug binaries on the assembly level, but nowadays can work with source code too. Source-level […]
We’ve covered the major pseudocode formatting options previously but there is one more option which can influence the output. It is the radix used for printing numbers in the pseudocode. In a positional numeral system, the radix or base is the number of unique digits, including the digit zero, used to represent numbers. For example, for […]
The default output of the Hex-Rays decompiler tries to strike a balance between conciseness and readability. However, everyone has different preferences so it offers a few options to control the layout and formatting of the pseudocode. Accessing the options Because of its origins as a third-party plugin for IDA, the decompiler options are accessible not through IDA’s […]