State-of-the-art binary code analysis tools
We’ve covered simple enums previously, but there is a different kind of enum that you may sometimes encounter or need to create manually. They are used to represent various bits (or flags) which may be set in an integer value. For example, the file mode on Unix filesystems contains Access Permission bits (you can […]
Previously, we discussed a situation where the decompiler wrongly used a combined stack slot for two separate variables. We could solve it because each variable had a distinct stack location, so editing the stack frame to split them worked. However, modern optimizing compilers can actually reuse the same stack location for different variables active at […]
Previously we’ve seen how to do small edits to types directly from the pseudocode view. While this is enough for minor edits, sometimes you still need to use the full editor. Of course, it is always possible to open Structures, Enums, or Local Types and look for your type there, but what if you have […]
We already know that user-defined types such as structures and enums can be created and edited through the corresponding views, or the Local Types list. However, some small edits can be performed directly in the pseudocode view: structure fields can be renamed using the “Rename” action (shortcut N): you can also quickly retype them using […]
We’ve seen how custom structures can be used to format data tables nicely, but sometimes you can improve your understanding even further with small adjustments. For example, in the structure we created, the first member (nMessage) is printed as a simple integer: If you know Win32 API well, you may recognize that these numbers correspond […]
Creating user-defined structures can be quite useful both in disassembly and pseudocode when dealing with code using custom types. However, they can be useful not only in code but also data areas. MFC message maps As an example, let’s consider an MFC program which uses message maps. These maps are present in the constant […]
IDA supports different representations for the instruction operands and data items. However, only the most common of them are listed in the context menu or have hotkeys assigned. Let’s imagine that you’ve discovered an area in a firmware binary which looks like a table of floating-point values: You can confirm that it looks plausible by […]
In order to faithfully represent the behavior of the code and to conform to the rules of the C language, the decompiler may need to add casts in the pseudocode. A few examples: a variable has been detected to be unsigned but participates in a signed comparison: An argument being passed to a function does not match […]
In order to show the user only the most relevant code and hide the unnecessary clutter, the decompiler performs various optimizations before displaying the pseudocode. Some of these optimizations rely on various assumptions which are usually correct in well-behaved programs. However, in some situations they may be incorrect which may lead to wrong output, so […]
When working with the decompiler, you probably spend most of the time in the pseudocode view, since most interactive operations (e.g. renaming, retyping and commenting) can be done right there. IDA is usually smart enough to detect important changes during such actions and update the pseudocode as necessary. However, occasionally you may perform actions […]