State-of-the-art binary code analysis tools
A friendly heads-up to IDA users: we just published a vulnerability fix for a potential double-free during DWARF parsing. Please grab it from www.hex-rays.com/vulnfix/ and replace the original files with those you will find in the archive.
As we’ve mentioned before, the same numerical value can be used represented in different ways even if it’s the same bit pattern on the binary level. One of the representations used in IDA is offset. Offsets In IDA, an offset is a numerical value which is used as an address (either directly or as part of […]
Variable-sized structures is a construct used to handle binary structures of variable size with the advantage of compile-time type checking. In source code Usually such structures use a layout similar to following: struct varsize_t { // some fixed fields at the start int id; size_t datalen; //[more fields] unsigned char data[];// variable part }; In other words, a fixed-layout part at […]
COM aka Component Object Model is the technology used by Microsoft (and others) to create and use reusable software components in a manner independent from the specific language or vendor. It uses a stable and well-defined ABI which is mostly compatible with Microsoft C++ ABI, allowing easy implementation and usage of COM components in C++. COM […]
The address details pane is a rather recent addition to IDA so probably not many users are familiar with it yet. However, it can be a quite useful addition to the standard workflow, permitting you to perform some common tasks faster. Address details view On invoking View > Open subview > Address details (you can also use […]
When changing operand representation, you may need to check what are the operand types currently used by IDA for a specific instruction. In some cases it is obvious (e.g. for offset or character type), but the hex and default, for example, look exactly the same in most processors so it’s not easy to tell […]
Although in general case the problem of correct disassembly is unsolvable, in practice it can get pretty close. IDA uses various heuristics to improve the disassembly and make it more readable, such as converting numerical values to offsets when it “looks plausible”. However, this is not always reliable or successful and it may miss some. […]
Last time we used operand types to make a function more readable and understand its behavior better. Converting operands one by one is fine if you need to do it a few times, but can quickly get tedious if you need to do it for a long piece of code. En masse operation To convert operands of […]
We’ve mentioned operand representation before but today we’ll use a specific one to find the Easter egg hidden in the post #85. More specifically, it was this screenshot: The function surprise calls printf, but the arguments being passed to it seem to all be numbers. Doesn’t printf() usually work with strings? What’s going on? Numbers and characters As […]
We’ve covered function chunks last week and today we’ll show an example of how to use them in practice to handle a common compiler optimization. Shared function tail optimization When working with some ARM firmware, you may sometimes run into the following situation: We have decompilation of sub_8098C which ends with a strange JUMPOUT statement and if […]