State-of-the-art binary code analysis tools
While exporting text disassembly is enough in many cases, many users nowadays prefer IDA’s graph view, and saving its representation may be necessary. What other options are there besides screenshots? WinGraph WinGraph is an external program shipped with IDA which can display graphs. It was used to show function (and other) graphs before introduction of the […]
The Rust language is gaining popularity and nowadays even malware authors started using it, which means our users need to analyze them in IDA. The binaries produced by the Rust compiler have some peculiarities which make them difficult to analyze, such as: non-standard calling conventions non-terminated string literals unusual name mangling scheme While tackling all of them is a […]
We’ve covered exporting disassembly from IDA before but it was in context of interoperability, when simple text is enough. If you want to preserve formatting and coloring of IDA View (e.g. for a web page or blog post), taking a screenshot is one option, but that has its downsides (e.g. no indexing for search […]
Many processors (especially RISC based) use instruction sets with fixed size (most commonly 4 bytes). Among examples are ARM, PPC, MIPS and a few others. This is also obvious in the disassembly when observing the instructions’ addresses – they increase by a fixed amount: However, occasionally you may come across larger instructions: What is this? Does A64 […]
When decompiling code without high-level metadata (especially firmware), you may observe strange-looking address expressions which do not seem to make sense. What are these and how to fix/improve the pseudocode? Because on the CPU level there is no difference between an address and a simple number, distinguishing addresses and plain numbers is a difficult task which […]
When working on a binary, you often recover types used in it from many sources: creating structures manually, from data, or using decompiler; parsing header files; importing them from type libraries or debug information; However, it may happen that eventually you discover duplicates. For example, you find out that the “custom” structure you’ve been […]
Previosuly, we’ve covered creating structures from C code using the Local Types window, however this may be not very convenient when you have complex types with many dependencies (especially of scattered over several fiels or depending on preprocessor defines). In such case it may be nore convenient to parse the original header file(s) on […]
While IDA comes with a rich set of type libraries for Windows API, they don’t cover the whole set of types used in Windows. Our libraries are based on the official Windows SDK/DDK headers, which tend to only include public, stable information which is common to multiple Windows versions. A new Windows build may […]
Floating licenses allow additional flexibility for companies with many IDA users: IDA can be installed on as many computers as required, but only a limited number of copies can run simultaneously. This flexibility its downsides: IDA needs to have permanent connection to your organization’s license server which may make things problematic in some situations (e.g. working […]
While working with decompiled code and retyping variables (or sometimes when they get typed by the decompiler automatically), you might be puzzled by the discrepancies between pseudocode and disassembly. Consider the following example: We see that X22 is accessed with offset 0x10 (16) in the disassembly but 2 in the pseudocode. Is there a bug in the […]