State-of-the-art binary code analysis tools
When decompiling code without high-level metadata (especially firmware), you may observe strange-looking address expressions which do not seem to make sense. What are these and how to fix/improve the pseudocode? Because on the CPU level there is no difference between an address and a simple number, distinguishing addresses and plain numbers is a difficult task which […]
When working on a binary, you often recover types used in it from many sources: creating structures manually, from data, or using decompiler; parsing header files; importing them from type libraries or debug information; However, it may happen that eventually you discover duplicates. For example, you find out that the “custom” structure you’ve been […]
Previosuly, we’ve covered creating structures from C code using the Local Types window, however this may be not very convenient when you have complex types with many dependencies (especially of scattered over several fiels or depending on preprocessor defines). In such case it may be nore convenient to parse the original header file(s) on […]
While IDA comes with a rich set of type libraries for Windows API, they don’t cover the whole set of types used in Windows. Our libraries are based on the official Windows SDK/DDK headers, which tend to only include public, stable information which is common to multiple Windows versions. A new Windows build may […]
This is a guest entry written by Can Bölük. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. NtRays: Reversing Windows kernel, simplified Windows kernel has changed a lot in the past few years, with the addition of Hypervisor […]
Floating licenses allow additional flexibility for companies with many IDA users: IDA can be installed on as many computers as required, but only a limited number of copies can run simultaneously. This flexibility its downsides: IDA needs to have permanent connection to your organization’s license server which may make things problematic in some situations (e.g. working […]
While working with decompiled code and retyping variables (or sometimes when they get typed by the decompiler automatically), you might be puzzled by the discrepancies between pseudocode and disassembly. Consider the following example: We see that X22 is accessed with offset 0x10 (16) in the disassembly but 2 in the pseudocode. Is there a bug in the […]
This is a guest entry written by Simon Garrelou and Sylvain Peyrefitte from the Airbus CERT Team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. Power up your debugging with time travel: the ttddbg plugin Time Travel […]
Some of the processors supported by IDA support different ISA variants, in particular: ARM processor module supports the classic 32-bit ARM instructions (A32), 16-bit Thumb or mixed 16/32-bit Thumb32 (T32) , as well as 64-bit A64 instructions (A64) PPC processor module supports the standard 32-bit PowerPC instructions and mixed 16/32-bit Variable Length Environment (VLE) MIPS module supports the […]
When exporting disassembly, sometimes you need to modify it so that it is accepted by a specific assembler you’re using. One little-known fact is that some of IDA’s processor modules support different assembler syntaxes, so it may be useful to try a different one to see if it matches your needs better. The assembler can […]