State-of-the-art binary code analysis tools
Welcome to a new chapter of Igor’s invaluable insights! At Hex-Rays, we understand the importance of continuous learning in our ever-evolving field. Therefore, we are thrilled to introduce you to Igor’s Tip of the Week – Season 3. Three years ago, we embarked on a mission to empower IDA’s […]
When you need to change the prototype of a function in the decompiler, the standard way is to use the “Set item type…” action (shortcut Y). One case where you may need to do it is to add or remove arguments. Especially in embedded code or when decompiling variadic functions, the decompiler may deduce the argument […]
Firmware binaries often use raw binary file format without any metadata so they have to be loaded manually into IDA. You can do it interactively using the binary file loader, but if you have many files to disassemble it can quickly get boring. If you already know some information about the files you’re disassembling, […]
We’ve covered splitting expressions before, but there may be situations where it can’t be used. For example, consider following situation: The decompiler decided that the function returns a 64-bit integer and allocated a 64-bit stack varible for it. For example, the code may be manipulating a register pair commonly used for 64-bit variables (eax:edx) which triggers […]
When working with a binary in IDA, most of the time you probably use one of the main views: disassembly (IDA View) or decompilation (Pseudocode). If you need to switch between the two, you can use the Tab key – usually it jumps to the the same location in the other view. If you […]
When using the decompiler, you probably spend most of the time in the Pseudocode view. In case you need to consult the corresponding disassembly, it’s a quick Tab away. However, if you actually prefer the disassembly, there is another option you can try. Copy to assembly This action is available in the pseudocode view’s context menu […]
Occasionally, especially when working with embedded firmware or obfuscated code, you may see an error message when trying to create a function (from context menu or using P hotkey): There can be multiple reasons for it, for example: some code has been incorrectly converted to data and the execution flows into it; the function calls a non-returning […]
Previously, we’ve run into a function which produces a cryptic error if you try to decompile it: In such situations, you need to go back to disassembly to see what could be wrong. More specifically, check the stack frame layout by double-clicking a stack variable or pressing Ctrl–K. On the first glance it looks normal: However, […]
We’ve covered the usage of symbolic constants (enums) in the disassembly. but they are also useful in the pseudocode view. Reusing constants from disassembly If a number has been converted to a symbolic constant in the disassembly and it is present in unchanged form in pseudocode, the decompiler will use it in the output. For example, […]
This error is not very common but may appear in some situations. Such errors happen when there is a function call in the code, but the decompiler fails to convert it to a high-level function call, e.g.: the target function’s prototype is wrong; the decompiler failed to figure out the function arguments: how many of them, or how […]