State-of-the-art binary code analysis tools
Sometimes you may see mysterious align keywords in the disassembly, which can appear both in code and data areas: Usually they’re only apparent in the text view. These directives are used by many assemblers to indicate alignment to a specific address boundary, usually a power of two. IDA uses it to replace potentially irrelevant bytes by a […]
When analyzing firmware or other binaries without metadata, IDA is not always able to discover and analyze all functions which means the cross-references can be missing. Let’s say you found a string in the binary (e.g. in the String list) which has no cross references, but you’re reasonably sure it’s actually used. How to […]
We’ve covered choosers previously and talked about searching, sorting and filtering. The default filter (Ctrl–F shortcut) is pretty simple: it performs case-insensitive match on any column of the list. Advanced filters Advanced filter dialog is accessible via the context menu entry “Modify filters…” or the shortcut Ctrl–Shift–F In the dialog you can: match any or a specific […]
Using the string list is one way to look for text in the binary but it has its downsides: building the list takes time for big binaries, some strings may be missing initially so you may need several tries to get the options right, and then you need to actually find what you need […]
When exploring an unfamiliar binary, it may be difficult to find interesting places to start from. One common approach is to check what strings are present in the program – this might give some hints about its functionality and maybe some starting places for analysis. While you can scroll through the listing and look at […]
When analyzing regular, well-formed binaries, you can usually rely on IDA’s autoanalysis to create functions and detect their boundaries correctly. However, there may be situations when IDA’s guesses need to be adjusted. Non-returning calls One example could be calls to non-returning functions. Let’s say a function has been misdetected by IDA as non-returning: But on further analysis […]
Some functions in programs do not return to caller: well-known examples include C runtime functions like exit(), abort(), assert() but also many others. Modern compilers can exploit this knowledge to optimize the code better: for example, the code which would normally follow such a function call does not need to be generated which decreases the […]
When dealing with structure instances in disassembly, sometimes you may want to change how IDA displays them, but how to do it is not always obvious. Let’s have a look at some examples. Win32 section headers Let’s say you have loaded the PE file header using manual load, or found an embedded PE file in your […]
Although IDA was initially created for interactive usage and tries to automate as much of the tedious parts of RE as possible, it still cannot do everything for you and doing the still necessary work manually can take a long time. To alleviate this, IDA ships with IDC and IDAPython scripting engines, which can be […]
When disassembling, you are probably more interested in seeing the code (disassembly or pseudocode) rather than the raw file data, but there may be times you need to see what actually lies behind the instructions. One option is to use the Hex View, possibly docked and synchronized with IDA View. But probably a simpler solution is […]