Plugin focus: msdocviewer

This is a guest entry written by Alexander Hanel from CrowdStrike. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Msdocviewer: A simple tool for viewing Microsoft’s technical specifications An invaluable resource when reverse engineering Portable Executable (PE) binaries […]

Igor’s Tip of the Week #167: Adding and splitting segments

When analyzing firmware binaries, a proper memory layout is quite important. When loading a raw binary, IDA usually creates a code segment for the whole binary. This is good enough when that code is all you need to analyze, but it is not always the case. For example, the code can refer to external […]

Igor’s Tip of the Week #166: Dealing with “too big function”

Occasionally you may run into the following error message: To ensure that the decompilation speed remains acceptable and does not block IDA, especially when using batch decompilation, by default the decompiler refuses to decompile the functions over 64 kilobytes (0x10000 bytes). But here we have function which is 3x as large: In such case you can manually […]

Plugin focus: Symless

This is a guest entry written by Baptiste Verstraeten from the Thalium Team. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. The Symless plugin aims to simplify the process of retrieving and defining structures, classes, and virtual […]

Igor’s Tip of the Week #165: Defining floating-point data

IDA supports different representations for the instruction operands and data items. However, only the most common of them are listed in the context menu or have hotkeys assigned. Let’s imagine that you’ve discovered an area in a firmware binary which looks like a table of floating-point values: You can confirm that it looks plausible by […]

Igor’s Tip of the Week #164: Where’s my code? The case of missing function arguments

Let’s consider this snippet from decompilation of an x86 Windows binary: The same function is called twice with the same argument and the last one doesn’t seem to use the result of the GetComputerNameExW call. By switching to disassembly, we can see that eax is initialized before each call with a string address: However the decompiler does not […]

Igor’s Tip of the Week #163: Names list

The Functions list is probably the most known and used part of IDA’s default desktop layout. It includes all detected functions in the current database and offers a quick way to find and navigate to any of them. However, the database consists not only of functions but also data items or instructions which are […]

Igor’s Tip of the Week #161: Extracting substructures

As covered before, the action “Create struct from selection” can be used to quickly create structures from existing data items.  However, Disassembly view not the only place where it can be used. For example, let’s imagine you’ve created a structure to represent some context used by the binary being analyzed: 00000000 Context […]

Plugin focus: IdaClu

This is a guest entry written by Sergejs Harlamovs from IKARUS Security Software GmbH. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. IdaClu: Finding clues without knowing what to seek IdaClu, as the name suggests, is about […]