State-of-the-art binary code analysis tools
Last time we used operand types to make a function more readable and understand its behavior better. Converting operands one by one is fine if you need to do it a few times, but can quickly get tedious if you need to do it for a long piece of code. En masse operation To convert operands of […]
We’ve mentioned operand representation before but today we’ll use a specific one to find the Easter egg hidden in the post #85. More specifically, it was this screenshot: The function surprise calls printf, but the arguments being passed to it seem to all be numbers. Doesn’t printf() usually work with strings? What’s going on? Numbers and characters As […]
We’ve covered function chunks last week and today we’ll show an example of how to use them in practice to handle a common compiler optimization. Shared function tail optimization When working with some ARM firmware, you may sometimes run into the following situation: We have decompilation of sub_8098C which ends with a strange JUMPOUT statement and if […]
In IDA, function is a sequence of instructions grouped together. Usually it corresponds to a high-level function or subroutine: it can be called from other places in the program, usually using a dedicated processor instruction; it has an entry and one or more exits (instruction(s) which return to the caller); it can accept arguments (in registers or […]
We’ve covered the major pseudocode formatting options previously but there is one more option which can influence the output. It is the radix used for printing numbers in the pseudocode. In a positional numeral system, the radix or base is the number of unique digits, including the digit zero, used to represent numbers. For example, for […]
In addition to comments, IDA offers a few more features for annotating and quickly navigating in the database. Today we’ll cover bookmarks. Adding bookmarks Bookmarks can be added at most locations in the address-based views (disassembly listing, Hex View, Pseudocode), as well as Structures and Enums. This can be done via the Jump > Mark position… […]
Previously we’ve discussed how to reduce the number of variables used in pseudocode by mapping copies of a variable to one. However, sometimes you may run into an opposite problem: a single variable can be used for different purposes. Reused stack slots One common situation is when the compiler reuses a stack location of either a […]
During the work with binaries, IDA sometimes shows warnings to inform the user about unusual or potentially dangerous behavior or asks questions: Hiding messages For some of such messages there is a checkbox “Don’t Display this message again”. If you enable it before answering or confirming the message (hint: you can press ‘D’ to
Quick rename can be useful when you have code which copies data around so the variable names stay the same or similar. However, sometimes there is a way to get rid of duplicate variables altogether. Reasons for duplicate variables Even if in the source code a specific variable may appear only once, on the machine code […]
One of the features added in IDA 7.6 was automatic renaming of variables in the decompiler. Unlike PIT, it is not limited to stack variables but also handles variables stored in registers and not just calls but also assignments and some other expressions. It also tries to interpret function names which include a verb […]