Igor’s Tip of the Week #150: Extract function

When you open a decompilable file in IDA, you get this somewhat mysterious item in the Help menu: And if you invoke it, it shows an even more mysterious dialog: So, what is it and when is it useful? Originally this feature was added to the decompiler to make decompiler bug reporting easier: oftentimes, a decompiler issue cannot really […]

Plugin focus: ComIDA

This is a guest entry written by the Airbus CERT team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. The ComIDA plugin is focused on finding usage of COM objects inside Windows modules. When a COM […]

Igor’s Tip of the Week #148: Fixing “call analysis failed”

This error is not very common but may appear in some situations. Such errors happen when there is a function call in the code, but the decompiler fails to convert it to a high-level function call, e.g.: the target function’s prototype is wrong; the decompiler failed to figure out the function arguments: how many of them, or how […]

Igor’s Tip of the Week #147: Fixing “stack frame is too big”

The Hex-Rays decompiler has been designed to decompile compiler-generated code, so while it can usually handle hand-written or unusual assembly, occasionally you may run into a failure, especially if the code has been modified to hinder decompilation. Here is one such error: If you have a genuine function with a huge stack frame, you’ll probably […]

Igor’s Tip of the Week #146: Graph printing

While exporting text disassembly is enough in many cases, many users nowadays prefer IDA’s graph view, and saving its representation may be necessary. What other options are there besides screenshots? WinGraph: WinGraph is an external program shipped with IDA which can display graphs. It was used to show function (and other) graphs before the introduction of the […]

Rust analysis plugin tech preview

The Rust language is gaining popularity and nowadays even malware authors have started using it, which means our users need to analyze such binaries in IDA. The binaries produced by the Rust compiler have some peculiarities which make them difficult to analyze, such as: non-standard calling conventions; non-terminated string literals; an unusual name mangling scheme. While tackling all of them is a […]

Igor’s Tip of the Week #145: HTML export

We’ve covered exporting disassembly from IDA before, but it was in the context of interoperability, when simple text is enough. If you want to preserve formatting and coloring of IDA View (e.g. for a web page or blog post), taking a screenshot is one option, but that has its downsides (e.g. no indexing for search […]

Igor’s Tip of the Week #144: Macros and simplified instructions

Many processors (especially RISC based) use instruction sets with fixed size (most commonly 4 bytes). Among examples are ARM, PPC, MIPS and a few others. This is also obvious in the disassembly when observing the instructions’ addresses – they increase by a fixed amount: However, occasionally you may come across larger instructions: What is this? Does A64 […]

Plugin focus: Heimdallr

This is a guest entry written by Robert from Interrupt Labs. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Heimdallr: Deep links into IDA Databases. When reverse engineering in IDA, I find it useful to take notes on […]