State-of-the-art binary code analysis tools
Output window is part of IDA’s default desktop layout and shows various messages from IDA and possibly third-party components (plugins, processor modules, scripts…). It also contains the Command-line interface (CLI) input box. Opening the Output window Although it is present by default, it is possible to close this window, or use a desktop layout without it. […]
We’ve covered basics of working with string constants (aka string literals) before but IDA support additional features which may be useful in some situations. Exotic string types Pascal and derived languages (such as Delphi) sometimes employ string literals which start with the length followed by the characters. Similarly to the wide (Unicode) strings, they can be […]
Although the Hex-Rays decompiler was originally written to deal with compiler-generated code, it can still do a decent job with manually written assembly. However, such code may use non-standard instructions or use them in non-standard ways, in which case the decompiler may fail to produce equivalent C code and has to fall back to _asm […]
The last week’s post got preempted by the IDA 7.7 release so I’ll take this opportunity to highlight (ha ha) one of the new features. In previous IDA versions we already had highlight with an option to lock it so it remains fixed while browsing the database. In IDA 7.7 it’s been improved so […]
While using the decompiler, sometimes you may have seen the item named Split expression in the context menu. What does it do and where it can be useful? Let’s look at two examples where it can be applied. Structure field initialization Modern compilers perform many optimizations to speed up code execution. One of them is merging two […]
In compiled code, you can sometimes find instructions which do not directly represent the code written by the programmer but were added by the compiler for its own purposes or due to the requirements of the environment the program is executing in. Skippable instruction kinds Compiled functions usually have prolog instructions at the start which perform various […]
We’ve already described custom types used in the decompiled code, but you may also encounter some unusual keywords resembling function calls. They are used by the decompiler to represent operations which it was unable to map to nice C code, or just to make the output more compact. They are listed in the defs.h […]
When working with pseudocode in the decompiler, you may have noticed that variable declarations and hints have comments with somewhat cryptic contents. What do they mean? While meaning of some may be obvious, others less so, and a few appear only in rare situations. Variable location The fist part of the comment is the variable location. For stack […]
The stack frame is part of the stack which is managed by the current function and contains the data used by it. Background The stack frame usually contains data such as: local and temporary variables; incoming arguments (for calling conventions which use stack for passing arguments); saved volatile registers; other bookkeeping information (e.g. the return address on x86). Because the stack may […]
While not commonly used, full-screen mode can be useful on complex IDA layouts when working with a single monitor or on a laptop, for example when you need to read a long listing line but are tired of scrolling around. The feature is somewhat hidden, but the action is present in the View menu. By pressing F11, […]