State-of-the-art binary code analysis tools
Continuing from last week, let’s discuss other disassembly options you may want to change. Here’s the options page again: Disassembly line parts This group is for options which control the content of the main line itself. Here is an example of a line with all options enabled: The marked up parts are: The line prefix (address of […]
By default IDA’s disassembly listing shows the most essential information: disassembled instructions with operands, comments, labels. However, the layout of this information can be tuned, as well as additional information added. This can be done via the Disassembly Options tab available via Options > General… menu (or Alt–O, G). Text and Graph views options If you open […]
While register highlighting can help tracking how a register is used in the code, sometimes it’s not quite sufficient, especially if multiple registers are used by a complicated piece of code. In such situation you can try register renaming. To rename a register: place the cursor on it and press N or Enter, or double-click it A dialog […]
Graph view is the default disassembly representation in IDA GUI and is probably what most IDA users use every day. However, it has some lesser-known features that can improve your workflow. Parts of the graph The graph consists of nodes (blocks) and edges (arrows between blocks). Each node roughly corresponds to a basic block. a basic block is a straight-line […]
When reverse-engineering, sometimes you need to perform some simple calculations. While you can always use an external calculator program, IDA has a built-in one. You can invoke it by pressing ? or via View > Calculator. The calculator shows the result in hex, decimal, octal, binary and as a character constant. This information is also duplicated […]
Even if you prefer to move around IDA by clicking, the G shortcut should be the one to remember. The action behind it is called simply “Jump to address” but it can do many more things than what can be guessed from the name. Jump to address First up is the actual jumping to an address: enter an […]
Previously we’ve covered cross-references in the disassembly view but in fact you can also consult them in the decompiler (pseudocode) view. Local cross-references The most common shortcut (X) works similarly to disassembly: you can use it on labels, variables (local and global), function names, but there are some differences and additions: for local variables, the list of […]
Cross references view The jump to xref actions are good enough when you have a handful of cross-references but what if you have hundreds or thousands? For such cases, the Cross references view may be useful. You can open it using the corresponding item in the View > Open Subviews menu. IDA will gather cross-references to […]
cross-reference, n. A reference or direction in one place in a book or other source of information to information at another place in the same work (from Wiktionary) To help you during analysis, IDA keeps track of cross-references (or xrefs for short) between different parts of the program. You can inspect them, navigate them […]
The “I” in IDA stands for interactive, and one of the most common interactive actions you can perform is adding comments to the disassembly listing (or decompiler pseudocode). There are different types of comments you can add or see in IDA. Regular comments These comments are placed at the end of the disassembly line, delimited by an […]