Igor’s tip of the week #67: Decompiler helpers

We’ve already described custom types used in the decompiled code, but you may also encounter some unusual keywords resembling function calls. They are used by the decompiler to represent operations which it was unable to map to nice C code, or just to make the output more compact. They are listed in the defs.h […]

Igor’s tip of the week #66: Decompiler annotations

When working with pseudocode in the decompiler, you may have noticed that variable declarations and hints have comments with somewhat cryptic contents. What do they mean? While the meaning of some may be obvious, others are less so, and a few appear only in rare situations. Variable location The first part of the comment is the variable location. For stack […]

Igor’s tip of the week #65: stack frame view

The stack frame is the part of the stack which is managed by the current function and contains the data used by it. Background The stack frame usually contains data such as: local and temporary variables; incoming arguments (for calling conventions which use the stack for passing arguments); saved volatile registers; other bookkeeping information (e.g. the return address on x86). Because the stack may […]

Igor’s tip of the week #64: Full-screen mode

While not commonly used, full-screen mode can be useful on complex IDA layouts when working with a single monitor or on a laptop, for example when you need to read a long listing line but are tired of scrolling around. The feature is somewhat hidden, but the action is present in the View menu. By pressing F11, […]

IDA Training Sessions – December 2021

IDA is the Swiss army knife of reverse-engineering and has countless applications that can’t be summarized with a catchy one-liner. Security experts, malware analysts, and software engineers use IDA daily to solve a critical problem in their workflow. Improving your knowledge of IDA through one of our training sessions can help you to unlock the […]

Igor’s tip of the week #63: IDA installer command-line options

Most users probably run IDA installers in standard, interactive mode. However, they can also be run in unattended mode (e.g. for automatic, non-interactive installation). Available options To get the list of available options, run the installer with the --help argument. For example, here’s the list on Linux: igor@/home/igor$ ./idapronl[…].run --help IDA Pro and Hex-Rays Decompilers (x86, x64, ARM, ARM64, […]

Igor’s tip of the week #60: Type libraries

Type libraries are collections of high-level type information for selected platforms and compilers which can be used by IDA and the decompiler. A type library may contain: function prototypes, e.g.: void *__cdecl memcpy(void *, const void *Src, size_t Size); BOOL __stdcall EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam); typedefs, e.g.: typedef unsigned long DWORD; BOOL (__stdcall *WNDENUMPROC)(HWND, LPARAM); standard structure and enum definitions, e.g.: struct tagPOINT { LONG […]

Igor’s tip of the week #59: Automatic function arguments comments

You may have observed that IDA knows about standard APIs or library functions and adds automatic function comments for the arguments passed to them. For example, here’s a fragment of disassembly with commented arguments to Win32 APIs CreateFileW and ReadFile: This works well when functions are imported in a standard way and are known at load time. […]

Igor’s tip of the week #58: Keyboard modifiers

Today we’ll cover how keyboard modifiers (Ctrl, Alt, Shift) can be used with some IDA actions to modify their behavior or provide additional functionality. Modifiers in shortcuts Obviously, some shortcuts already include modifiers as part of their key sequence, but some commonalities may not be immediately obvious. For example, the Search menu commands tend to use Alt-letter […]