State-of-the-art binary code analysis tools
We’ve already covered simple offsets, where an operand value or a data value matches an address in the program and so can be directly converted to an offset. However, programs may also employ more complex, or indirect ways of referring to a location. One common approach is using a small offset from some predefined […]
Variadic functions are functions which accept different number of arguments depending on the needs of the caller. Typical examples include printf and scanf in C and C++ but there are other functions, or even some custom ones (specific to the binary being analyzed). Because each call of a variadic function may have a different […]
When working with big functions in the decompiler, it may be useful to temporarily hide some parts of the pseudocode to analyze the rest. While currently it’s not possible to hide arbitrary lines like in disassembly, you can hide specific sections of it. Collapsing local variable declarations While the local variable declarations are useful to see […]
In IDA, an enum (from “enumeration”) is a set of symbolic constants with numerical values. They can be thought of as a superset of C/C++ enum types and preprocessor defines. These constants can be used in disassembly or pseudocode to replace specific numbers or their combinations with symbolic names, making the listing more readable and understandable. Creating […]
Variable-sized structures is a construct used to handle binary structures of variable size with the advantage of compile-time type checking. In source code Usually such structures use a layout similar to following: struct varsize_t { // some fixed fields at the start int id; size_t datalen; //[more fields] unsigned char data[];// variable part }; In other words, a fixed-layout part at […]
When changing operand representation, you may need to check what are the operand types currently used by IDA for a specific instruction. In some cases it is obvious (e.g. for offset or character type), but the hex and default, for example, look exactly the same in most processors so it’s not easy to tell […]
Last time we used operand types to make a function more readable and understand its behavior better. Converting operands one by one is fine if you need to do it a few times, but can quickly get tedious if you need to do it for a long piece of code. En masse operation To convert operands of […]
We’ve mentioned operand representation before but today we’ll use a specific one to find the Easter egg hidden in the post #85. More specifically, it was this screenshot: The function surprise calls printf, but the arguments being passed to it seem to all be numbers. Doesn’t printf() usually work with strings? What’s going on? Numbers and characters As […]
We’ve covered function chunks last week and today we’ll show an example of how to use them in practice to handle a common compiler optimization. Shared function tail optimization When working with some ARM firmware, you may sometimes run into the following situation: We have decompilation of sub_8098C which ends with a strange JUMPOUT statement and if […]
In IDA, function is a sequence of instructions grouped together. Usually it corresponds to a high-level function or subroutine: it can be called from other places in the program, usually using a dedicated processor instruction; it has an entry and one or more exits (instruction(s) which return to the caller); it can accept arguments (in registers or […]