State-of-the-art binary code analysis tools
We already know that user-defined types such as structures and enums can be created and edited through the corresponding views, or the Local Types list. However, some small edits can be performed directly in the pseudocode view: structure fields can be renamed using the “Rename” action (shortcut N): you can also quickly retype them using […]
We’ve seen how custom structures can be used to format data tables nicely, but sometimes you can improve your understanding even further with small adjustments. For example, in the structure we created, the first member (nMessage) is printed as a simple integer: If you know Win32 API well, you may recognize that these numbers correspond […]
Creating user-defined structures can be quite useful both in disassembly and pseudocode when dealing with code using custom types. However, they can be useful not only in code but also data areas. MFC message maps As an example, let’s consider an MFC program which uses message maps. These maps are present in the constant […]
Even though most manipulations with binaries can be done directly in IDA, you may occasionally need to use other tools. For example, Binwalk for basic firmware analysis, or a hex editor/viewer to find interesting patterns in the file manually. Let’s say you found an interesting text or byte pattern at some offset in the file […]
When you load a file into IDA, whether a standard executable format (e.g. PE, ELF, Macho-O), or a raw binary, IDA assigns a particular address range to the data loaded from it, either from the file’s metadata or user’s input (in case of binary file). The lowest address from those occupied by the file […]
This is a guest entry written by Alexander Hanel from CrowdStrike. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Msdocviewer: A simple tool for viewing Microsoft’s technical specifications An invaluable resource when reverse engineering Portable Executable (PE) binaries […]
When analyzing firmware binaries, a proper memory layout is quite important. When loading a raw binary, IDA usually creates a code segment for the whole binary. This is good enough when that code is all you need to analyze, but it is not always the case. For example, the code can refer to external […]
Occasionally you may run into the following error message: To ensure that the decompilation speed remains acceptable and does not block IDA, especially when using batch decompilation, by default the decompiler refuses to decompile the functions over 64 kilobytes (0x10000 bytes). But here we have function which is 3x as large: In such case you can manually […]
This is a guest entry written by Baptiste Verstraeten from the Thalium Team. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. The Symless plugin aims to simplify the process of retrieving and defining structures, classes, and virtual […]
IDA supports different representations for the instruction operands and data items. However, only the most common of them are listed in the context menu or have hotkeys assigned. Let’s imagine that you’ve discovered an area in a firmware binary which looks like a table of floating-point values: You can confirm that it looks plausible by […]