State-of-the-art binary code analysis tools
When decompiling code without high-level metadata (especially firmware), you may observe strange-looking address expressions which do not seem to make sense. What are these and how to fix/improve the pseudocode? Because on the CPU level there is no difference between an address and a simple number, distinguishing addresses and plain numbers is a difficult task which […]
When working on a binary, you often recover types used in it from many sources: creating structures manually, from data, or using decompiler; parsing header files; importing them from type libraries or debug information; However, it may happen that eventually you discover duplicates. For example, you find out that the “custom” structure you’ve been […]
Previosuly, we’ve covered creating structures from C code using the Local Types window, however this may be not very convenient when you have complex types with many dependencies (especially of scattered over several fiels or depending on preprocessor defines). In such case it may be nore convenient to parse the original header file(s) on […]
While IDA comes with a rich set of type libraries for Windows API, they don’t cover the whole set of types used in Windows. Our libraries are based on the official Windows SDK/DDK headers, which tend to only include public, stable information which is common to multiple Windows versions. A new Windows build may […]
Floating licenses allow additional flexibility for companies with many IDA users: IDA can be installed on as many computers as required, but only a limited number of copies can run simultaneously. This flexibility its downsides: IDA needs to have permanent connection to your organization’s license server which may make things problematic in some situations (e.g. working […]
While working with decompiled code and retyping variables (or sometimes when they get typed by the decompiler automatically), you might be puzzled by the discrepancies between pseudocode and disassembly. Consider the following example: We see that X22 is accessed with offset 0x10 (16) in the disassembly but 2 in the pseudocode. Is there a bug in the […]
Some of the processors supported by IDA support different ISA variants, in particular: ARM processor module supports the classic 32-bit ARM instructions (A32), 16-bit Thumb or mixed 16/32-bit Thumb32 (T32) , as well as 64-bit A64 instructions (A64) PPC processor module supports the standard 32-bit PowerPC instructions and mixed 16/32-bit Variable Length Environment (VLE) MIPS module supports the […]
When exporting disassembly, sometimes you need to modify it so that it is accepted by a specific assembler you’re using. One little-known fact is that some of IDA’s processor modules support different assembler syntaxes, so it may be useful to try a different one to see if it matches your needs better. The assembler can […]
Although most of the time you can probably do all of the reversing inside IDA, occasionally you may need to continue it using other tools. While sometimes it may be enough to analyze the input file with another tool, or use the Export Data feature, the disassembly listing is more convenient in many cases. […]
If you ever looked at IDA ARM module’s processor-specific settings, you may have been puzzled by the option “Disable BL jumps detection”. What is it and when to use it? Background The ARM instruction set initially used fixed-width 32-bit instructions. The relative branch instruction, B, allocated 24 bits for the offset, giving it a range of ±32MB. Some […]