Igor’s Tip of the Week #154: Synchronized views

When working with a binary in IDA, most of the time you probably use one of the main views: disassembly (IDA View) or decompilation (Pseudocode). If you need to switch between the two, you can use the Tab key – usually it jumps to the same location in the other view. If you […]

Plugin focus: Generating signatures for Nim and other non-C programming languages

This is a guest entry written by Holger Unterbrink from Cisco Talos. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, likely because these […]

Igor’s Tip of the Week #153: Copying pseudocode to disassembly

When using the decompiler, you probably spend most of the time in the Pseudocode view. In case you need to consult the corresponding disassembly, it’s a quick Tab away. However, if you actually prefer the disassembly, there is another option you can try. Copy to assembly This action is available in the pseudocode view’s context menu […]

Igor’s Tip of the Week #152: Force-creating functions

Occasionally, especially when working with embedded firmware or obfuscated code, you may see an error message when trying to create a function (from context menu or using P hotkey): There can be multiple reasons for it, for example: some code has been incorrectly converted to data and the execution flows into it; the function calls a non-returning […]

Building IDA Python on Windows

This is a guest entry written by Elias Bachaalany. His views and opinions are his own and not those of Hex-Rays. Any questions with regards to the content of this blog post should be directed to the author. Introduction During the IDA Advanced training, I get asked a lot about how to set up the

Igor’s Tip of the Week #150: Extract function

When you open a decompilable file in IDA, you get this somewhat mysterious item in the Help menu: And if you invoke it, it shows an even more mysterious dialog: So, what is it and when is it useful? Originally this feature was added to the decompiler to make decompiler bug reporting easier: oftentimes, a decompiler issue cannot really […]

Plugin focus: ComIDA

This is a guest entry written by the Airbus CERT team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. The ComIDA plugin is focused on finding usage of COM objects inside Windows modules. When a COM […]