Igor’s tip of the week #44: Hex dump loader

IDA has a file loader named ‘hex’ which mainly supports loading of text-based file formats such as Intel Hex or Motorola S-Record. These formats contain records with addresses and data in hexadecimal encoding. For example, here’s a fragment of an Intel Hex file:

:18000000008F9603008FD801008FDC01008FE001008FE401008FE80190
:20004000008FEC01008FF001008FF401008FF801008FFC01008F0002008F0402008F08024D
:20006000008F0C02008F1002008F1402008F1802008F1C02008F2002008F2402008F280228
:14008000008F2C02008F3002008F3402008F3802008F3C0293
:1000A000008F4002008F4402008F4802008F4C02F4
:20010000008F5002008F5402008F5802008F5C02008F6002008F6402008F680243204C694C
:20012000627261727920436F707972696768742028432920313939352048492D5445434818

or an S-Record:

S0030000FC
S1230100810F0016490F0016816F8A0A0F00000098300016B2310016BC3300168E0D0016A7
S1230108280F00169A2900168A00F001866000080400000018230016792200160C00000032
S12301109800E00182A09E0B8000C2012A38001608000000EA3100163A380016FA310016CA
S1230118FF250016BE21001600000000182200169A0100169C330016F9C010010D000000D7

However, you may also have a simple unformatted hex dump, […]

Igor’s tip of the week #43: Annotating the decompiler output

Last week we started improving decompilation of a simple function. While you can go quite far with renaming and retyping, some things need more explanation than a simple renaming could provide.

Comments

When you can’t come up with a good name for a variable or a function, you can add a comment with an explanation or […]

Igor’s tip of the week #41: Binary file loader

IDA supports more than 40 file formats out of the box. Most of them are structured file formats – with defined headers and metadata – so they’re recognized and handled automatically by IDA. However, there are times when all you have is just a piece of code without any headers (e.g. shellcode or raw firmware) […]

Igor’s tip of the week #40: Decompiler basics

The Hex-Rays decompiler is one of the most powerful add-ons available for IDA. While it’s quite intuitive once you get used to it, it may be non-obvious how to start using it.

Basic information

As of the time of writing (May 2021), the decompiler is not included with the standard IDA Pro license; some editions of IDA […]

Igor’s tip of the week #39: Export Data

The Edit > Export Data command (Shift+E) offers you several formats for extracting the selected data from the database:

hex string (unspaced): 4142434400
hex string (spaced): 41 42 43 44 00
string literal: ABCD
C unsigned char array (hex): unsigned char aAbcd[] = { 0x41, 0x42, 0x43, 0x44, 0x00 };
C unsigned char array (decimal): unsigned char aAbcd[] = { 65, 66, […]

Igor’s tip of the week #38: Hex view

In addition to the disassembly and decompilation (Pseudocode) views, IDA also allows you to see the actual, raw bytes behind the program’s instructions and data. This is possible using the Hex view, one of the views opened by default (or available in the View > Open subviews menu). Even if you’ve used it before, there may […]

Igor’s tip of the week #37: Patching

Although IDA is mostly intended to be used for static analysis, i.e. simply looking at unaltered binaries, there are times you do need to make some changes. For example, you can use it to fix up some obfuscated instructions to clean up the code flow or decompiler output, or change some constants used in the […]

Igor’s tip of the week #36: working with list views in IDA

List views (also called choosers or table views) are used in many places in IDA to show lists of different kinds of information. For example, the Function list we’ve covered previously is an example of a list view. Many windows opened via the View > Open subviews menu are list views:

Exports
Imports
Names
Strings
Segments
Segment registers
Selectors
Signatures
Type libraries
Local types
Problems
Patched […]

Igor’s tip of the week #35: Demangled names

Name mangling (also called name decoration) is a technique used by compilers to implement some of the features required by the language. For example, in C++ it is used to distinguish functions with the same name but different arguments (function overloading), as well as to support namespaces, templates, and other purposes. Mangled names often end up in the […]