Igor’s Tip of the Week #127: Changing function bounds

When analyzing regular, well-formed binaries, you can usually rely on IDA’s autoanalysis to create functions and detect their boundaries correctly. However, there may be situations when IDA’s guesses need to be adjusted.

Non-returning calls

One example could be calls to non-returning functions. Let’s say a function has been misdetected by IDA as non-returning: But on further analysis […]

Igor’s Tip of the Week #126: Non-returning functions

Some functions in programs do not return to the caller: well-known examples include C runtime functions like exit(), abort(), and assert(), but there are many others. Modern compilers can exploit this knowledge to optimize the code better: for example, the code which would normally follow such a function call does not need to be generated, which decreases the […]

Igor’s Tip of the Week #125: Structure field representation

When dealing with structure instances in disassembly, sometimes you may want to change how IDA displays them, but how to do it is not always obvious. Let’s have a look at some examples.

Win32 section headers

Let’s say you have loaded the PE file header using manual load, or found an embedded PE file in your […]

Igor’s Tip of the Week #124: Scripting examples

Although IDA was initially created for interactive usage and tries to automate as much of the tedious parts of RE as possible, it still cannot do everything for you, and doing the remaining work manually can take a long time. To alleviate this, IDA ships with IDC and IDAPython scripting engines, which can be […]

Igor’s Tip of the Week #123: Opcode bytes

When disassembling, you are probably more interested in seeing the code (disassembly or pseudocode) rather than the raw file data, but there may be times you need to see what actually lies behind the instructions. One option is to use the Hex View, possibly docked and synchronized with IDA View. But probably a simpler solution is […]

Igor’s Tip of the Week #122: Manual load

To save on analysis time and database size, by default IDA only tries to load relevant parts of the binary (e.g. those that are expected or known to contain code). However, there may be cases when you want to see more, or even everything the binary contains. You can always load the file as plain […]

Igor’s Tip of the Week #121: Limiting search to an address range

When performing a search in IDA, by default it starts from the current position and continues up to the maximum address in the database (or to the minimum for searches “Up”). This works well enough for small to average files, but can get pretty slow for big ones, or especially in case of debugging […]

Igor’s Tip of the Week #120: Set call type

Previously we’ve described how to use available type info to make decompilation of calls more precise when you have type information, but there may be situations where you don’t have it or the existing type info does not quite match the actual call arguments, and you still want to adjust the decompiler’s guess. One common […]

Igor’s Tip of the Week #119: Force call type

When dealing with compiled binary code, the decompiler lacks information present in the source code, such as function prototypes, and so must guess it or rely on the information provided by the user (where its interactive features come in handy). One especially tricky situation is indirect calls: without exact information about the destination of the call, the […]