Igor’s tip of the week #57: Shifted pointers 2
This week we’ll cover another situation where shifted pointers can be useful.
Igor’s tip of the week #56: String literals in pseudocode
Strings in binaries are very useful for the reverse engineer: they often contain messages shown to the user, or sometimes even internal debugging information (function or variable names) and so having them displayed in the decompiled code is very helpful. However, sometimes you may see named variables in pseudocode even though the disassembly shows the string […]
Igor’s tip of the week #54: Shifted pointers
Previously we briefly mentioned shifted pointers but without details. What are they? Shifted pointers is another custom extension to the C syntax. They are used by IDA and decompiler to represent a pointer to an object with some offset or adjustment (positive or negative). Let’s see how they work and several situations where they can […]
Igor’s tip of the week #51: Custom calling conventions
The Hex-Rays decompiler was originally created to deal with code produced by standard C compilers. In that world, everything is (mostly) nice and orderly: the calling conventions are known and standardized and the arguments are passed to function according to the ABI. However, the real life is not that simple: even in code coming […]
Igor’s tip of the week #47: Hints in IDA
Hints (aka tooltips) are popup windows with text which appear when you hover the mouse cursor over a particular item in IDA. They are available in many situations.
Igor’s tip of the week #43: Annotating the decompiler output
Last week we started improving decompilation of a simple function. While you can go quite far with renaming and retyping, some things need more explanation than a simple renamng could provide. Comments When you can’t come up with a good name for a variable or a function, you can add a comment with an explanation or […]
Igor’s tip of the week #42: Renaming and retyping in the decompiler
Previously we’ve covered how to start using the decompiler, but unmodified decompiler output is not always easy to read, especially if the binary doesn’t have symbols or debug information. However, with just a few small amendments you can improve the results substantially. Let’s look at some basic interactive operations available in the pseudocode view. Renaming Although […]
Igor’s tip of the week #40: Decompiler basics
The Hex-Rays decompiler is one of the most powerful add-ons available for IDA. While it’s quite intuitive once you get used to it, it may be non-obvious how to start using it. Basic information As of the time of writing (May 2021), the decompiler is not included with the standard IDA Pro license; some editions of IDA […]
Igor’s tip of the week #18: Decompiler and global cross-references
Previously we’ve covered cross-references in the disassembly view but in fact you can also consult them in the decompiler (pseudocode) view. Local cross-references The most common shortcut (X) works similarly to disassembly: you can use it on labels, variables (local and global), function names, but there are some differences and additions: for local variables, the list of […]
Igor’s tip of the week #08: Batch mode under the hood
We’ve briefly covered batch mode last time but the basic functionality is not always enough so let’s discuss how to customize it. Basic usage To recap, batch mode can be invoked with this command line: ida -B -Lida.log <other switches> <filename> IDA will load the file, wait for the end of analysis, and write the full disassembly to […]