Some functions in programs do not return to caller: well-known examples include C runtime functions like exit(), abort(), assert() but also many others. Modern compilers can exploit this knowledge to optimize the code better: for example, the code which would normally follow such a function call does not need to be generated which decreases the […]
When dealing with structure instances in disassembly, sometimes you may want to change how IDA displays them, but how to do it is not always obvious. Let’s have a look at some examples.
Win32 section headers
Let’s say you have loaded the PE file header using manual load, or found an embedded PE file in your […]
Although IDA was initially created for interactive usage and tries to automate as much of the tedious parts of RE as possible, it still cannot do everything for you and doing the still necessary work manually can take a long time. To alleviate this, IDA ships with IDC and IDAPython scripting engines, which can be […]
When disassembling, you are probably more interested in seeing the code (disassembly or pseudocode) rather than the raw file data, but there may be times you need to see what actually lies behind the instructions.
One option is to use the Hex View, possibly docked and synchronized with IDA View.
But probably a simpler solution is […]
To save on analysis time and database size, by default IDA only tries to load relevant parts of the binary (e.g. those that are expected or known to contain code). However, there may be cases when you want to see more, or even everything the binary contains. You can always load the file as plain […]
When performing a search in IDA, it by default starts from the current position and continues up to the maximum address in the database (or to the minimal for searches “Up”). This works well enough for small to average files, but can get pretty slow for big ones, or especially in case of debugging […]
For most IDA widgets, a custom background was already possible using standard Qt stylesheets (examples, reference). But since the IDA 8.2 release you can also do it for disassembly listings! (and “Structures”, “Enums”, “Pseudocode”, …)
To achieve this, you would typically want to define a new theme that extends an existing one and adds […]
Previously we’ve described how to use available type info to make decompilation of calls more precise when you have type information, but there may be situations where you don’t have it or the existing type info does not quite match the actual call arguments, and you still want to adjust the decompiler’s guess.
One common […]
When dealing with compile binary code, the decompiler lacks information present in the source code, such as function prototypes and so must guess it or rely on the information provided by the user (where its interactive features come handy).
One especially tricky situation is indirect calls: without exact information about the destination of the call, the […]
We’ve covered structure creation using disassembly or Local Types, but there is also a way of doing it from the decompiler, especially when dealing with unknown, custom types used by the program.
Whenever you see code dereferencing a variable with different offsets, it is likely a structure pointer and the function is accessing different fields […]