State-of-the-art binary code analysis tools
Cross-references is one of the most useful features of IDA. For example, they allow you to see where a particular function is being called or referenced from, helping you to see how the function is used and understand its behavior better or discover potential bugs or vulnerabilities. For direct calls, IDA adds cross-references automatically, […]
Previously, we have covered offset expressions which fit into a single instruction operand or data value. But this is not always the case, so let’s see how IDA can handle offsets which may be built out of multiple parts. 8-bit processors Although slowly dying out, the 8-bit processors — especially the venerable 8051 — […]
Image-relative offsets are values that represent an offset from the image base of the current module (image) in memory. This means that they can be used to refer to other locations in the same module regardless of its real, final load address, and thus can be used to make the code position-independent (PIC), similarly to […]
When working with big functions in the decompiler, it may be difficult to find what you need if the listing is long. While you can use cross-references to jump between uses of a variable or collapse parts of pseudocode to make it more compact, there is one simple shortcut which can make your […]
Many keyboard shortcuts have been described on this blog, but they may be difficult to retain, especially if you don’t use them every day. To remedy that, we have been publishing a cheat sheet with the most common ones. You can find it linked from our documentation page in HTML or PDF […]
We’ve covered offsets with base previously. There is a variation of such offsets commonly used in position-independent code which can be handled easily with a little trick. Let’s consider this ARM function from an ARM32 firmware: ROM:00000058 ; int sub_58() ROM:00000058 sub_58 […]
The Hex view is used to display the contents of the database as a hex dump. It is also used during debugging to display memory contents. By default it has a part on the right with the textual representation of the data. Usually the text part shows Latin letters or dots for unprintable characters but you […]
Sometimes in pseudocode you may encounter strange-looking code: The code seems to dereference an array calledMEMORY and is highlighted in red. However, this variable is not defined anywhere. What is it? Such notation is used by the decompiler when the code accesses memory addresses not present in the database. In most cases it indicates an error in […]
The Hex-Rays decompiler was initially created to decompile C code, so its pseudocode output uses (mostly) C syntax. However, the input binaries may be compiled using other languages: C++, Pascal, Basic, ADA, and many others. While the code of most of them can be represented in C without real issues, some have peculiarities which require […]
The release notes for IDA 8.0 mention outlined functions. What are those and how to deal with them in IDA? Function outlining is an optimization that saves code size by identifying recurring sequences of machine code and replacing each instance of the sequence with a call to a new function that contains the identified sequence […]