Some functions in programs never return to their caller: well-known examples include C runtime functions such as exit(), abort() and assert(), but there are many others. Modern compilers can exploit this knowledge to optimize the code better: for example, the code that would normally follow such a function call does not need to be generated, which decreases the […]
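To make the compiler-side effect concrete, here is an added example (not code from the original post) of a user-defined non-returning function. fatal() and checked_div() are assumed names; the _Noreturn keyword is standard C11. The comments describe what the compiler may omit and why a disassembler that does not know about the annotation gets the code after the call wrong.

```c
#include <stdio.h>
#include <stdlib.h>

/* fatal() is an assumed helper that never returns. The _Noreturn annotation
 * tells the compiler so; it may then omit any code that would run after a
 * call to it (stack cleanup, the function epilogue, a ret). */
_Noreturn static void fatal(const char *msg)
{
    fprintf(stderr, "fatal: %s\n", msg);
    exit(1);
}

/* Only the b != 0 path falls through to a return sequence. For the b == 0
 * path the compiler emits just the call to fatal(). A disassembler that
 * does not know fatal() is noreturn would decode whatever bytes follow
 * that call (alignment padding or the next function) as if they were the
 * continuation of checked_div(). */
int checked_div(int a, int b)
{
    if (b == 0)
        fatal("division by zero");
    return a / b;
}

/* The opposite mistake also matters: if a disassembler treats a function as
 * noreturn when it does return, all the real code after each call site is
 * left out of the analysis. */

int main(void)
{
    printf("10 / 2 = %d\n", checked_div(10, 2));
    return 0;
}
```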
When performing a search in IDA, by default it starts from the current position and continues up to the maximum address in the database (or down to the minimum address for “Up” searches). This works well enough for small to average-sized files, but can get quite slow for big ones, or especially in the case of debugging […]
Cross-references are one of the most useful features of IDA. For example, they allow you to see where a particular function is called or referenced from, helping you understand how the function is used and what it does, or discover potential bugs or vulnerabilities. For direct calls, IDA adds cross-references automatically, […]
Many keyboard shortcuts have been described on this blog, but they may be difficult to retain, especially if you don’t use them every day. To remedy that, we have been publishing a cheat sheet with the most common ones.
You can find it linked from our documentation page in HTML or PDF […]
We’ve already covered simple offsets, where an operand value or a data value matches an address in the program and so can be directly converted to an offset. However, programs may also employ more complex or indirect ways of referring to a location. One common approach is using a small offset from some predefined […]
Variadic functions are functions that accept a different number of arguments depending on the needs of the caller. Typical examples include printf and scanf in C and C++, but there are other such functions, including custom ones specific to the binary being analyzed. Because each call of a variadic function may have a different […]
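The reason the argument count must be recovered per call site is that the callee itself cannot discover it. The following added example (not code from the original post) shows both styles: sum_ints() is an assumed function that receives the count explicitly, and format_arg_count() is an assumed helper that derives the count from a printf-style format string, which is essentially what an analyst or tool has to do for each printf call.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>

/* A variadic callee has no way to know how many arguments were passed;
 * here the caller communicates it through 'count'. If count overstates
 * the real number, va_arg reads whatever sits in the next register or
 * stack slot, which is the root of every format-string style bug. */
int sum_ints(int count, ...)
{
    va_list ap;
    int total = 0;

    va_start(ap, count);
    for (int i = 0; i < count; i++)
        total += va_arg(ap, int);
    va_end(ap);
    return total;
}

/* For printf-style functions the count is implicit in the format string.
 * Each conversion consumes one argument, "%%" consumes none, and a '*'
 * used for width or precision consumes one extra int. */
int format_arg_count(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* literal percent sign */
            p++;
            continue;
        }
        n++;                    /* the conversion itself */
        /* scan flags/width/precision/length up to the conversion letter */
        for (p++; *p && !isalpha((unsigned char)*p); p++)
            if (*p == '*')
                n++;
        if (!*p)
            break;
    }
    return n;
}

int main(void)
{
    printf("sum = %d\n", sum_ints(3, 10, 20, 30));
    printf("\"%%d:%%s\" consumes %d args\n", format_arg_count("%d:%s"));
    printf("\"%%5.*f%%%%\" consumes %d args\n", format_arg_count("%5.*f%%"));
    return 0;
}
```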
When working with big functions in the decompiler, it may be useful to temporarily hide some parts of the pseudocode in order to analyze the rest. While it is currently not possible to hide arbitrary lines as in the disassembly, you can hide specific sections of it.
Collapsing local variable declarations
While the local variable declarations are useful to see […]
In IDA, an enum (from “enumeration”) is a set of symbolic constants with numerical values. They can be thought of as a superset of C/C++ enum types and preprocessor defines.
These constants can be used in disassembly or pseudocode to replace specific numbers or their combinations with symbolic names, making the listing more readable and understandable.
Creating […]
Variable-sized structures are a construct used to handle binary structures of variable size while keeping the advantage of compile-time type checking.
In source code
Usually such structures use a layout similar to the following:
struct varsize_t
{
    // some fixed fields at the start
    int id;
    size_t datalen;
    //[more fields]
    unsigned char data[]; // variable part
};
In other words, a fixed-layout part at […]
When changing operand representation, you may need to check which operand types IDA currently uses for a specific instruction. In some cases it is obvious (e.g. for offset or character types), but hex and default, for example, look exactly the same in most processors, so it is not easy to tell […]