Igor’s tip of the week #56: String literals in pseudocode

Strings in binaries are very useful for the reverse engineer: they often contain messages shown to the user, or sometimes even internal debugging information (function or variable names) and so having them displayed in the decompiled code is very helpful. However, sometimes you may see named variables in pseudocode even though the disassembly shows the string […]

Igor’s tip of the week #55: Using debug symbols

IDA supports many file formats, among them the main ones used on the three major operating systems: PE (Portable Executable) on Windows; ELF (Executable and Linkable Format) on Linux; Mach-O (Mach object) on macOS. Symbols and debugging information Symbols associate locations inside the file (e.g. addresses of functions or variables) with textual names (usually the names used in the original source […]

Igor’s tip of the week #54: Shifted pointers

Previously we briefly mentioned shifted pointers but without details. What are they? Shifted pointers is another custom extension to the C syntax. They are used by IDA and decompiler to represent a pointer to an object with some offset or adjustment (positive or negative). Let’s see how they work and several situations where they can […]

Igor’s tip of the week #53: Manual switch idioms

IDA supports most of the switch patterns produced by major compilers out-of-box and usually you don’t need to worry about them. However, occasionally you may encounter a code which has been produced by an unusual or a very recent compiler version, or some peculiarity of the code prevented IDA from recognizing the pattern, so it […]

Igor’s tip of the week #52: Special type attributes

IDA uses mostly standard C (and basic C++) syntax, but it also supports some extensions, in particular to represent low-level details which are not necessary for “standard” C code but are helpful for real-life binary code analysis. We’ve already covered custom types and calling conventions, but there are more extensions you may use […]

Igor’s tip of the week #51: Custom calling conventions

The Hex-Rays decompiler was originally created to deal with code produced by standard C compilers. In that world, everything is (mostly) nice and orderly: the calling conventions are known and standardized and the arguments are passed to function according to the ABI. However, the real life is not that simple: even in code coming […]

Igor’s tip of the week #50: Execution flow arrows

Although nowadays most IDA users probably use the graph view, the text view can still be useful in certain situations. In case you haven’t noticed, it has a UI element which can help you visualize code flow even without the full graph and even outside of functions (the graph view is available only for […]

Igor’s tip of the week #49: Navigation band

Navigation band, also sometimes called the navigator, or navbar, is the UI element shown by default at the top of IDA’s window, in the toolbar area. It shows the global overview of the program being analyzed and allows to see at a quick glance how well has the program been analyzed and what areas may need […]