Plugin focus: SK3wldbg

This is a guest entry written by Chris Eagle. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. The SK3wldbg Plugin. When I first started analyzing obfuscated code, I quite often wished that I could simply de-obfuscate the code […]

Igor’s Tip of the Week #132: Finding “hidden” cross-references

When analyzing firmware or other binaries without metadata, IDA is not always able to discover and analyze all functions which means the cross-references can be missing. Let’s say you found a string in the binary (e.g. in the String list) which has no cross references, but you’re reasonably sure it’s actually used. How to […]

Igor’s Tip of the Week #131: Advanced filters in choosers

We’ve covered choosers previously and talked about searching, sorting and filtering. The default filter (Ctrl–F shortcut) is pretty simple: it performs a case-insensitive match on any column of the list. Advanced filters. The Advanced filter dialog is accessible via the context menu entry “Modify filters…” or the shortcut Ctrl–Shift–F. In the dialog you can: match any or a specific […]

Plugin focus: Capa Explorer

This is a guest entry written by Mike Hunhoff, Moritz Raabe, and Willi Ballenthin from the Mandiant FLARE Team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. capa explorer: Focus Your Reverse Engineering Efforts in IDA Pro

Igor’s Tip of the Week #128: String list

When exploring an unfamiliar binary, it may be difficult to find interesting places to start from. One common approach is to check what strings are present in the program – this might give some hints about its functionality and maybe some starting places for analysis. While you can scroll through the listing and look at […]

Igor’s Tip of the Week #127: Changing function bounds

When analyzing regular, well-formed binaries, you can usually rely on IDA’s autoanalysis to create functions and detect their boundaries correctly. However, there may be situations when IDA’s guesses need to be adjusted. Non-returning calls. One example could be calls to non-returning functions. Let’s say a function has been misdetected by IDA as non-returning: But on further analysis […]

Igor’s Tip of the Week #126: Non-returning functions

Some functions in programs do not return to the caller: well-known examples include C runtime functions like exit(), abort(), assert() but also many others. Modern compilers can exploit this knowledge to optimize the code better: for example, the code which would normally follow such a function call does not need to be generated, which decreases the […]

Igor’s Tip of the Week #125: Structure field representation

When dealing with structure instances in disassembly, sometimes you may want to change how IDA displays them, but how to do it is not always obvious. Let’s have a look at some examples. Win32 section headers. Let’s say you have loaded the PE file header using manual load, or found an embedded PE file in your […]

Hands-Free Binary Deobfuscation with gooMBA

The gooMBA plugin, as well as this blog post, was written by our intern Garrett Gu. You can view the plugin source on GitHub. gooMBA is maintained by Hex-Rays, and will be incorporated in the next IDA release. Hands-Free Binary Deobfuscation with gooMBA. At Hex-Rays SA, we are constantly looking for ways to improve […]