State-of-the-art binary code analysis tools
Variadic functions are functions which accept different number of arguments depending on the needs of the caller. Typical examples include printf and scanf in C and C++ but there are other functions, or even some custom ones (specific to the binary being analyzed). Because each call of a variadic function may have a different […]
When working with big functions in the decompiler, it may be useful to temporarily hide some parts of the pseudocode to analyze the rest. While currently it’s not possible to hide arbitrary lines like in disassembly, you can hide specific sections of it. Collapsing local variable declarations While the local variable declarations are useful to see […]
In IDA, an enum (from “enumeration”) is a set of symbolic constants with numerical values. They can be thought of as a superset of C/C++ enum types and preprocessor defines. These constants can be used in disassembly or pseudocode to replace specific numbers or their combinations with symbolic names, making the listing more readable and understandable. Creating […]
The autoanalysis engine is the heart of IDA’s disassembly functionality. In most cases it “just works” but in rare situations tweaking it may be necessary. Analysis options The generic analysis options are available in Options > General, Analysis tab, Kernel Options 1..3. The same settings are also available at the initial load time. You can even turn off the […]
We have covered basic usage of cross-references before, but there are situations where they may not behave as you may expect. Accessing large data items If there is a large structure or an array and the code reads or writes data deep inside it, you may not see cross-references from that code listed at the […]
As we’ve mentioned before, the same numerical value can be used represented in different ways even if it’s the same bit pattern on the binary level. One of the representations used in IDA is offset. Offsets In IDA, an offset is a numerical value which is used as an address (either directly or as part of […]
Variable-sized structures is a construct used to handle binary structures of variable size with the advantage of compile-time type checking. In source code Usually such structures use a layout similar to following: struct varsize_t { // some fixed fields at the start int id; size_t datalen; //[more fields] unsigned char data[];// variable part }; In other words, a fixed-layout part at […]
COM aka Component Object Model is the technology used by Microsoft (and others) to create and use reusable software components in a manner independent from the specific language or vendor. It uses a stable and well-defined ABI which is mostly compatible with Microsoft C++ ABI, allowing easy implementation and usage of COM components in C++. COM […]
The address details pane is a rather recent addition to IDA so probably not many users are familiar with it yet. However, it can be a quite useful addition to the standard workflow, permitting you to perform some common tasks faster. Address details view On invoking View > Open subview > Address details (you can also use […]
When changing operand representation, you may need to check what are the operand types currently used by IDA for a specific instruction. In some cases it is obvious (e.g. for offset or character type), but the hex and default, for example, look exactly the same in most processors so it’s not easy to tell […]