State-of-the-art binary code analysis tools
When working with pseudocode in the decompiler, you may have noticed that variable declarations and hints have comments with somewhat cryptic contents. What do they mean? While meaning of some may be obvious, others less so, and a few appear only in rare situations. Variable location The fist part of the comment is the variable location. For stack […]
While not commonly used, full-screen mode can be useful on complex IDA layouts when working with a single monitor or on a laptop, for example when you need to read a long listing line but are tired of scrolling around. The feature is somewhat hidden, but the action is present in the View menu. By pressing F11, […]
Type libraries are collections of high-level type information for selected platforms and compilers which can be used by IDA and the decompiler. A type library may contain: function prototypes, e.g.: void *__cdecl memcpy(void *, const void *Src, size_t Size); BOOL __stdcall EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam); typedefs, e.g.: typedef unsigned long DWORD; BOOL (__stdcall *WNDENUMPROC)(HWND, LPARAM); standard structure and enum definitions, e.g.: struct tagPOINT { LONG […]
Today we’ll cover how keyboard modifiers (Ctr, Alt, Shift) can be used with some IDA actions to modify their behavior or provide additional functionality. Modifiers in shortcuts Obviously, some shortcuts already include modifiers as part of their key sequence, but some commonalities may be not immediately obvious. For example, the Search menu commands tend to use Alt-letter […]
We covered how to search for things in choosers (list views), but what if you need to look for something elsewhere in IDA?
As we’ve mentioned before, the I in IDA stands for interactive, and we already covered some of the disassembly view’s interactive features like renaming or commenting. However, other changes are possible too. For example, you can change the operand representation (sometimes called operand type in documentation). What is it about? Most assemblers […]
Last week we started improving decompilation of a simple function. While you can go quite far with renaming and retyping, some things need more explanation than a simple renamng could provide. Comments When you can’t come up with a good name for a variable or a function, you can add a comment with an explanation […]
Previously we’ve covered how to start using the decompiler, but unmodified decompiler output is not always easy to read, especially if the binary doesn’t have symbols or debug information. However, with just a few small amendments you can improve the results substantially. Let’s look at some basic interactive operations available in the pseudocode […]
The Hex-Rays decompiler is one of the most powerful add-ons available for IDA. While it’s quite intuitive once you get used to it, it may be non-obvious how to start using it. Basic information As of the time of writing (May 2021), the decompiler is not included with the standard IDA Pro license; some editions of IDA […]
The Edit > Export Data command (Shift+E) offers you several formats for extracting the selected data from the database: hex string (unspaced): 4142434400 hex string (spaced): 41 42 43 44 00 string literal: ABCD C unsigned char array (hex): unsigned char aAbcd[] = { 0x41, 0x42, 0x43, 0x44, 0x00 }; C unsigned char array (decimal): unsigned char aAbcd[] = { 65, 66, […]