State-of-the-art binary code analysis tools
Occasionally you may run into the following error message: To ensure that the decompilation speed remains acceptable and does not block IDA, especially when using batch decompilation, by default the decompiler refuses to decompile the functions over 64 kilobytes (0x10000 bytes). But here we have function which is 3x as large: In such case you can manually […]
IDA supports different representations for the instruction operands and data items. However, only the most common of them are listed in the context menu or have hotkeys assigned. Let’s imagine that you’ve discovered an area in a firmware binary which looks like a table of floating-point values: You can confirm that it looks plausible by […]
Let’s consider this snippet from decompilation of an x86 Windows binary: The same function is called twice with the same argument and the last one doesn’t seem to use the result of the GetComputerNameExW call. By switching to disassembly, we can see that eax is initialized before each call with a string address: However the decompiler does not […]
The Functions list is probably the most known and used part of IDA’s default desktop layout. It includes all detected functions in the current database and offers a quick way to find and navigate to any of them. However, the database consists not only of functions but also data items or instructions which are […]
Let’s say you found a promising-looking string in the binary, followed the cross reference to the function using it, then decompiled it to see how the string is used, only to see no signs of it in the pseudocode. What’s happening? In such situation it often helps to set up two synchronized disassembly<->pseudocode views and […]
As covered before, the action “Create struct from selection” can be used to quickly create structures from existing data items. However, Disassembly view not the only place where it can be used. For example, let’s imagine you’ve created a structure to represent some context used by the binary being analyzed: 00000000 Context […]
In order to faithfully represent the behavior of the code and to conform to the rules of the C language, the decompiler may need to add casts in the pseudocode. A few examples: a variable has been detected to be unsigned but participates in a signed comparison: An argument being passed to a function does not match […]
In order to show the user only the most relevant code and hide the unnecessary clutter, the decompiler performs various optimizations before displaying the pseudocode. Some of these optimizations rely on various assumptions which are usually correct in well-behaved programs. However, in some situations they may be incorrect which may lead to wrong output, so […]
When working with the decompiler, you probably spend most of the time in the pseudocode view, since most interactive operations (e.g. renaming, retyping and commenting) can be done right there. IDA is usually smart enough to detect important changes during such actions and update the pseudocode as necessary. However, occasionally you may perform actions […]
Welcome to a new chapter of Igor’s invaluable insights! At Hex-Rays, we understand the importance of continuous learning in our ever-evolving field. Therefore, we are thrilled to introduce you to Igor’s Tip of the Week – Season 3. Three years ago, we embarked on a mission to empower IDA’s […]