State-of-the-art binary code analysis tools
Sometimes you know the structure size but not the actual layout yet. For example, when the size of memory being allocated for the structure is fixed: In such cases, you can quickly make a dummy structure and then modify it as you analyze code which works with it. There are several approaches which can be used […]
When reverse engineering a big program, you often run into information stored in structures. The standard way of doing it involves using the Structures window and adding fields one by one, similar to the way you format data items in disassembly. But are there other options? Let’s look at some of them. Using already formatted data This […]
Arrays are used in IDA to represent a sequence of multiple items of the same type: basic types (byte, word, dword etc.) or complex ones (e.g. structures). Creating an array To create an array: Create the first item; Choose “Array…” from the context menu , or press *; Fill in at least the Array size field and click OK. Step 1 […]
While working in IDA, sometimes you may need to reanalyze some parts of your database, for example: after changing a prototype of an external function (especially calling convention, number of purged bytes, or “Does not return” flag); after fixing up incorrectly detected ARM/Thumb or MIPS32/MIPS16 regions; after changing global processor options (e.g. setting $gp value in MIPS or […]
We’ve briefly covered batch mode last time but the basic functionality is not always enough so let’s discuss how to customize it. Basic usage To recap, batch mode can be invoked with this command line: ida -B -Lida.log <other switches> <filename> IDA will load the file, wait for the end of analysis, and write the full disassembly to […]
Most IDA users probably run IDA as a stand-alone application and use the UI to configure various options. However, it is possible to pass command-line options to it to automate some parts of the process. The full set of options is quite long so we’ll cover the more common and useful ones. In the […]
In IDA, highlight is the dynamic coloring of a word or number under the cursor as well as all matching substrings on the screen. In the default color scheme, a yellow background color is used for the highlight. Highlight is updated when you click on a non-whitespace location in the listing or move the cursor with […]
We posted an addendum to the release notes for IDA 7.2: The Mac Rundown. It dives much deeper into the Mac-specific features introduced in 7.2, and should be great reference material for users interested in reversing the latest Apple binaries. It’s packed full of hints, tricks, and workarounds. We hope you will find it quite useful! […]
One of the new features of IDA 6.6 is the Dalvik debugger, which allows us to debug Dalvik binaries on the bytecode level. Let us see how it can help when analysing Dalvik files. Encoded strings Let us consider the package with the encrypted strings: STRINGS:0001F143 unk_1F143:.byte 0x30 # 0 # DATA XREF: STR_IDS:off_70 STRINGS:0001F144 aFda8sohchnidgh: .string “FDA8sOhCHNidghM2hzFxMXUsivl2k7hFOhkJrW7O2ml8qLVM”,0 STRINGS:0001F144 […]
Recently, one of our customers came to us asking how he should proceed to be able to install python packages, using PIP, and use those from IDA. The issue he was facing is that his system is a 64-bit Ubuntu 12.04 VM. Therefore using the Ubuntu-bundled PIP will just result in installing the desired package (let’s say […]