To save on analysis time and database size, by default IDA only tries to load relevant parts of the binary (e.g. those that are expected or known to contain code). However, there may be cases when you want to see more, or even everything the binary contains. You can always load the file as plain […]
When performing a search in IDA, it by default starts from the current position and continues up to the maximum address in the database (or to the minimal for searches “Up”). This works well enough for small to average files, but can get pretty slow for big ones, or especially in case of debugging […]
For most IDA widgets, a custom background was already possible using standard Qt stylesheets (examples, reference). But since the IDA 8.2 release you can also do it for disassembly listings! (and “Structures”, “Enums”, “Pseudocode”, …)
To achieve this, you would typically want to define a new theme that extends an existing one and adds […]
Previously we’ve described how to use available type info to make decompilation of calls more precise when you have type information, but there may be situations where you don’t have it or the existing type info does not quite match the actual call arguments, and you still want to adjust the decompiler’s guess.
One common […]
When dealing with compile binary code, the decompiler lacks information present in the source code, such as function prototypes and so must guess it or rely on the information provided by the user (where its interactive features come handy).
One especially tricky situation is indirect calls: without exact information about the destination of the call, the […]
We’ve covered structure creation using disassembly or Local Types, but there is also a way of doing it from the decompiler, especially when dealing with unknown, custom types used by the program.
Whenever you see code dereferencing a variable with different offsets, it is likely a structure pointer and the function is accessing different fields […]
While currently (as of version 8.1) the Hex-Rays decompiler does not try to perform full type recovery, it does try to deduce some types based on operations done on the variables, or using the type information for the API calls from type libraries.
One simple type deduction performed by the decompiler is creation of typed […]
Cross-references is one of the most useful features of IDA. For example, they allow you to see where a particular function is being called or referenced from, helping you to see how the function is used and understand its behavior better or discover potential bugs or vulnerabilities. For direct calls, IDA adds cross-references automatically, […]
Previously, we have covered offset expressions which fit into a single instruction operand or data value. But this is not always the case, so let’s see how IDA can handle offsets which may be built out of multiple parts.
Although slowly dying out, the 8-bit processors — especially the venerable 8051 — […]
Image-relative offsets are values that represent an offset from the image base of the current module (image) in memory. This means that they can be used to refer to other locations in the same module regardless of its real, final load address, and thus can be used to make the code position-independent (PIC), similarly to […]