State-of-the-art binary code analysis tools
In addition to the disassembly and decompilation (Pseudocode) views, IDA also allows you to see the actual, raw bytes behind the program’s instructions and data. This is possible using the Hex view, one of the views opened by default (or available in the View > Open subviews menu). Even if you’ve used it before, there may […]
List views (also called choosers or table views) are used in many places in IDA to show lists of different kind of information. For example, the Function list we’ve covered previously is an example of a list view. Many windows opened via the View > Open subviews menu are list views: Exports Imports Names Strings Segments Segment registers Selectors Signatures Type libraries Local […]
Scripting allows you to automate tasks in IDA which can be repetitive or take a long time to do manually. We previously covered how to run them in batch (headless) mode, but how can they be used interactively? Script snippets File > Script Command… (Shift+F2) Although this dialog is mainly intended for quick prototyping […]
You may have come across the menu items View > Hide, Unhide but possibly never used them. These commands allow you to hide, or collapse and unhide/uncollapse parts of IDA’s output. They can be used in the following situations: Hiding instructions or data items To make your database more compact and reduce clutter, you can opt to hide […]
The Functions list is probably one of the most familiar features of IDA’s default desktop layout. But even if you use it every day, there are things you may not be aware of. Modal version Available via Jump > Jump to function… menu, or the Ctrl–P shortcut, the modal dialog lets you see the full width of the […]
As explained in Simplex method in IDA Pro, having correct stack change information is essential for correct analysis. This is especially important for good and correct decompilation. While IDA tries its best to give good and correct results (and we’ve made even more improvements since 2006), sometimes it can still fail (often due to […]
Continuing from last week, let’s discuss other disassembly options you may want to change. Here’s the options page again: Disassembly line parts This group is for options which control the content of the main line itself. Here is an example of a line with all options enabled: The marked up parts are: The line prefix (address […]
By default IDA’s disassembly listing shows the most essential information: disassembled instructions with operands, comments, labels. However, the layout of this information can be tuned, as well as additional information added. This can be done via the Disassembly Options tab available via Options > General… menu (or Alt–O, G). Text and Graph views options If you open […]
While register highlighting can help tracking how a register is used in the code, sometimes it’s not quite sufficient, especially if multiple registers are used by a complicated piece of code. In such situation you can try register renaming. To rename a register: place the cursor on it and press N or Enter, or double-click it A […]
Graph view is the default disassembly representation in IDA GUI and is probably what most IDA users use every day. However, it has some lesser-known features that can improve your workflow. Parts of the graph The graph consists of nodes (blocks) and edges (arrows between blocks). Each node roughly corresponds to a basic block. a basic block is a straight-line […]
