State-of-the-art binary code analysis tools
In IDA, function is a sequence of instructions grouped together. Usually it corresponds to a high-level function or subroutine: it can be called from other places in the program, usually using a dedicated processor instruction; it has an entry and one or more exits (instruction(s) which return to the caller); it can accept arguments (in registers or […]
Although IDA has been created first and foremost to analyze binaries in “black box” mode, i.e. without any symbols or debug information, it does have the ability to consume such information when available. The debugger functionality was also initially optimized to debug binaries on the assembly level, but nowadays can work with source code too. Source-level […]
We’ve covered arrays previously, but one feature briefly mentioned there is worth a separate highlight. Complex programs may use arrays of data, either of items such as integers or floats, or of complex items such as structures. When the arrays are small, it’s not too difficult to make sense of them, but what to do […]
We’ve covered the major pseudocode formatting options previously but there is one more option which can influence the output. It is the radix used for printing numbers in the pseudocode. In a positional numeral system, the radix or base is the number of unique digits, including the digit zero, used to represent numbers. For example, for […]
The default output of the Hex-Rays decompiler tries to strike a balance between conciseness and readability. However, everyone has different preferences so it offers a few options to control the layout and formatting of the pseudocode. Accessing the options Because of its origins as a third-party plugin for IDA, the decompiler options are accessible not through IDA’s […]
There are multiple ways of annotating IDA databases: renaming, commenting, or adding bookmarks. However, sometimes there is a need for general notes for the database as a whole, not tied to specific locations. Notepad window The database notepad is a text input box which can store arbitrary text within the database, so you can add […]
In addition to comments, IDA offers a few more features for annotating and quickly navigating in the database. Today we’ll cover bookmarks. Adding bookmarks Bookmarks can be added at most locations in the address-based views (disassembly listing, Hex View, Pseudocode), as well as Structures and Enums. This can be done via the Jump > Mark position… […]
Previously we’ve discussed how to reduce the number of variables used in pseudocode by mapping copies of a variable to one. However, sometimes you may run into an opposite problem: a single variable can be used for different purposes. Reused stack slots One common situation is when the compiler reuses a stack location of either a […]
During the work with binaries, IDA sometimes shows warnings to inform the user about unusual or potentially dangerous behavior or asks questions: Hiding messages For some of such messages there is a checkbox “Don’t Display this message again”. If you enable it before answering or confirming the message (hint: you can press ‘D’ to
Quick rename can be useful when you have code which copies data around so the variable names stay the same or similar. However, sometimes there is a way to get rid of duplicate variables altogether. Reasons for duplicate variables Even if in the source code a specific variable may appear only once, on the machine code […]