State-of-the-art binary code analysis tools
The release notes for IDA 8.0 mention outlined functions. What are those and how to deal with them in IDA? Function outlining is an optimization that saves code size by identifying recurring sequences of machine code and replacing each instance of the sequence with a call to a new function that contains the identified sequence […]
We’ve already covered simple offsets, where an operand value or a data value matches an address in the program and so can be directly converted to an offset. However, programs may also employ more complex, or indirect ways of referring to a location. One common approach is using a small offset from some predefined […]
Immediate search is one of three main search types available in IDA. While not that known, it can be very useful in some situations. Here are some examples. Unique (magic) constants If you know some unique constants used by the program, looking for them can let you narrow down the range of code you have to […]
As of the time of writing, IDA does not have a built-in plugin manager, so third-party plugins have to be installed manually. Installing into IDA directory The standard location for IDA plugins is the plugins directory in IDA’s installation (for example, C:\Program Files\IDA Pro 8.0\plugins on Windows). So this is the most common way of installing them […]
While working with pseudocode, you may make various changes to it, for example: add comments rename local variables and change their types collapse code blocks map variables mark skippable instructions split expressions adjust variadic arguments select union members and so on If the results of some actions do not look better, you can always undo, but what […]
Variadic functions are functions which accept different number of arguments depending on the needs of the caller. Typical examples include printf and scanf in C and C++ but there are other functions, or even some custom ones (specific to the binary being analyzed). Because each call of a variadic function may have a different […]
When working with big functions in the decompiler, it may be useful to temporarily hide some parts of the pseudocode to analyze the rest. While currently it’s not possible to hide arbitrary lines like in disassembly, you can hide specific sections of it. Collapsing local variable declarations While the local variable declarations are useful to see […]
In IDA, an enum (from “enumeration”) is a set of symbolic constants with numerical values. They can be thought of as a superset of C/C++ enum types and preprocessor defines. These constants can be used in disassembly or pseudocode to replace specific numbers or their combinations with symbolic names, making the listing more readable and understandable. Creating […]
The autoanalysis engine is the heart of IDA’s disassembly functionality. In most cases it “just works” but in rare situations tweaking it may be necessary. Analysis options The generic analysis options are available in Options > General, Analysis tab, Kernel Options 1..3. The same settings are also available at the initial load time. You can even turn off the […]
We have covered basic usage of cross-references before, but there are situations where they may not behave as you may expect. Accessing large data items If there is a large structure or an array and the code reads or writes data deep inside it, you may not see cross-references from that code listed at the […]