We’ve covered splitting expressions before, but there may be situations where it can’t be used. For example, consider the following situation: The decompiler decided that the function returns a 64-bit integer and allocated a 64-bit stack variable for it. For example, the code may be manipulating a register pair commonly used for 64-bit variables (eax:edx) which triggers […]
When working with a binary in IDA, most of the time you probably use one of the main views: disassembly (IDA View) or decompilation (Pseudocode). If you need to switch between the two, you can use the Tab key – usually it jumps to the same location in the other view. If you […]
This is a guest entry written by Holger Unterbrink from Cisco Talos. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, likely because these […]
When using the decompiler, you probably spend most of the time in the Pseudocode view. In case you need to consult the corresponding disassembly, it’s a quick Tab away. However, if you actually prefer the disassembly, there is another option you can try. Copy to assembly This action is available in the pseudocode view’s context menu […]
Occasionally, especially when working with embedded firmware or obfuscated code, you may see an error message when trying to create a function (from the context menu or using the P hotkey): There can be multiple reasons for it, for example: some code has been incorrectly converted to data and the execution flows into it; the function calls a non-returning […]
This is a guest entry written by Elias Bachaalany. His views and opinions are his own and not those of Hex-Rays. Any questions with regards to the content of this blog post should be directed to the author. Introduction During the IDA Advanced training, I get asked a lot about how to set up the […]
We are thrilled to kick off an exciting new campaign – The Plugin Submission Initiative. Our Plugin Repository was developed not too long ago and has already reached a milestone with 122 plugins currently available for our users! It is a great start, but we believe there’s room for growth and improvement. The success of […]
Previously, we’ve run into a function which produces a cryptic error if you try to decompile it: In such situations, you need to go back to disassembly to see what could be wrong. More specifically, check the stack frame layout by double-clicking a stack variable or pressing Ctrl–K. At first glance it looks normal: However, […]
When you open a decompilable file in IDA, you get this somewhat mysterious item in the Help menu: And if you invoke it, it shows an even more mysterious dialog: So, what is it and when is it useful? Originally this feature was added to the decompiler to make decompiler bug reporting easier: oftentimes, a decompiler issue cannot really […]
This is a guest entry written by the Airbus CERT team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. The ComIDA plugin is focused on finding usage of COM objects inside Windows modules. When a COM […]