Igor’s tip of the week #105: Offsets with custom base

We’ve already covered simple offsets, where an operand value or a data value matches an address in the program and so can be directly converted to an offset. However, programs may also employ more complex, or indirect ways of referring to a location. One common approach is using a small offset from some predefined […]

Igor’s tip of the week #100: Collapsing pseudocode parts

When working with big functions in the decompiler, it may be useful to temporarily hide some parts of the pseudocode to analyze the rest. While currently it’s not possible to hide arbitrary lines like in disassembly, you can hide specific sections of it.   Collapsing local variable declarations While the local variable declarations are useful to see […]

Igor’s tip of the week #99: Enums

In IDA, an enum (from “enumeration”) is a set of symbolic constants with numerical values. They can be thought of as a superset of C/C++ enum types and preprocessor defines. These constants can be used in disassembly or pseudocode to replace specific numbers or their combinations with symbolic names, making the listing more readable and understandable.  Creating […]

Igor’s tip of the week #94: Variable-sized structures

Variable-sized structures is a construct used to handle binary structures of variable size with the advantage of compile-time type checking. In source code Usually such structures use a layout similar to following: struct varsize_t { // some fixed fields at the start int id; size_t datalen; //[more fields] unsigned char data[];// variable part }; In other words, a fixed-layout part at […]

Igor’s tip of the week #91: Item flags

When changing operand representation, you may need to check what are the operand types currently used by IDA for a specific instruction. In some cases it is obvious (e.g. for offset or character type), but the hex and default, for example, look exactly the same in most processors so it’s not easy to tell […]

Igor’s tip of the week #89: En masse operations

Last time we used operand types to make a function more readable and understand its behavior better. Converting operands one by one is fine if you need to do it a few times, but can quickly get tedious if you need to do it for a long piece of code. En masse operation To convert operands of […]

Igor’s tip of the week #87: Function chunks and the decompiler

We’ve covered function chunks last week and today we’ll show an example of how to use them in practice to handle a common compiler optimization.   Shared function tail optimization When working with some ARM firmware, you may sometimes run into the following situation: We have decompilation of sub_8098C which ends with a strange JUMPOUT statement and if […]

Igor’s tip of the week #86: Function chunks

In IDA, function is a sequence of instructions grouped together. Usually it corresponds to a high-level function or subroutine: it can be called from other places in the program, usually using a dedicated processor instruction; it has an entry and one or more exits (instruction(s) which return to the caller); it can accept arguments (in registers or […]