State-of-the-art binary code analysis tools
This error is not very common but may appear in some situations. Such errors happen when there is a function call in the code, but the decompiler fails to convert it to a high-level function call, e.g.: the target function’s prototype is wrong; the decompiler failed to figure out the function arguments: how many of them, or how […]
The Hex-Rays decompiler has been designed to decompile compiler-generated code, so while it can usually handle hand-written or unusual assembly, occasionally you may run into a failure, especially if the code has been modified to hinder decompilation. Here is one of such errors: If you have a genuine function with a huge stack frame, you’ll probably […]
While exporting text disassembly is enough in many cases, many users nowadays prefer IDA’s graph view, and saving its representation may be necessary. What other options are there besides screenshots? WinGraph WinGraph is an external program shipped with IDA which can display graphs. It was used to show function (and other) graphs before introduction of the […]
The Rust language is gaining popularity and nowadays even malware authors started using it, which means our users need to analyze them in IDA. The binaries produced by the Rust compiler have some peculiarities which make them difficult to analyze, such as: non-standard calling conventions non-terminated string literals unusual name mangling scheme While tackling all of them is a […]
We’ve covered exporting disassembly from IDA before but it was in context of interoperability, when simple text is enough. If you want to preserve formatting and coloring of IDA View (e.g. for a web page or blog post), taking a screenshot is one option, but that has its downsides (e.g. no indexing for search […]
Many processors (especially RISC based) use instruction sets with fixed size (most commonly 4 bytes). Among examples are ARM, PPC, MIPS and a few others. This is also obvious in the disassembly when observing the instructions’ addresses – they increase by a fixed amount: However, occasionally you may come across larger instructions: What is this? Does A64 […]
This is a guest entry written by Robert from Interrupt Labs. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Heimdallr: Deep links into IDA Databases When reverse engineering in IDA, I find it useful to take notes on […]
When decompiling code without high-level metadata (especially firmware), you may observe strange-looking address expressions which do not seem to make sense. What are these and how to fix/improve the pseudocode? Because on the CPU level there is no difference between an address and a simple number, distinguishing addresses and plain numbers is a difficult task which […]
When working on a binary, you often recover types used in it from many sources: creating structures manually, from data, or using decompiler; parsing header files; importing them from type libraries or debug information; However, it may happen that eventually you discover duplicates. For example, you find out that the “custom” structure you’ve been […]
Previosuly, we’ve covered creating structures from C code using the Local Types window, however this may be not very convenient when you have complex types with many dependencies (especially of scattered over several fiels or depending on preprocessor defines). In such case it may be nore convenient to parse the original header file(s) on […]