We already know that user-defined types such as structures and enums can be created and edited through the corresponding views, or the Local Types list. However, some small edits can be performed directly in the pseudocode view: structure fields can be renamed using the “Rename” action (shortcut N): you can also quickly retype them using […]
We’ve seen how custom structures can be used to format data tables nicely, but sometimes you can improve your understanding even further with small adjustments. For example, in the structure we created, the first member (nMessage) is printed as a simple integer: If you know Win32 API well, you may recognize that these numbers correspond […]
Creating user-defined structures can be quite useful both in disassembly and pseudocode when dealing with code using custom types. However, they can be useful not only in code but also in data areas. MFC message maps As an example, let’s consider an MFC program which uses message maps. These maps are present in the constant […]
Even though most manipulations with binaries can be done directly in IDA, you may occasionally need to use other tools. For example, Binwalk for basic firmware analysis, or a hex editor/viewer to find interesting patterns in the file manually. Let’s say you found an interesting text or byte pattern at some offset in the file […]
When you load a file into IDA, whether a standard executable format (e.g. PE, ELF, Mach-O), or a raw binary, IDA assigns a particular address range to the data loaded from it, either from the file’s metadata or the user’s input (in the case of a binary file). The lowest address from those occupied by the file […]
This is a guest entry written by Alexander Hanel from CrowdStrike. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Msdocviewer: A simple tool for viewing Microsoft’s technical specifications An invaluable resource when reverse engineering Portable Executable (PE) binaries […]
When analyzing firmware binaries, a proper memory layout is quite important. When loading a raw binary, IDA usually creates a code segment for the whole binary. This is good enough when that code is all you need to analyze, but it is not always the case. For example, the code can refer to external […]
Occasionally you may run into the following error message: To ensure that the decompilation speed remains acceptable and does not block IDA, especially when using batch decompilation, by default the decompiler refuses to decompile functions over 64 kilobytes (0x10000 bytes). But here we have a function which is 3x as large: In such a case you can manually […]
This year, our Black Friday deals have come early and include incredible opportunities to save money on Training and IDA Home! Here is what is on offer… 50% Off All December IDA Pro Online Training Sessions Are you ready to take your IDA Pro expertise to the next level? Hex-Rays offers a mind-blowing 50% discount on all […]
This is a guest entry written by Baptiste Verstraeten from the Thalium Team. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. The Symless plugin aims to simplify the process of retrieving and defining structures, classes, and virtual […]