After the visualization improvements introduced in IDA 5.0, we'll focus on enhancing the brain of IDA 5.1. Here is a first, very preliminary example of one of the enhancements that will be introduced in our next releases. In its initial analysis, IDA follows, somewhat blindly, the natural flow of the code it examines. The result of such an analysis is shown below, on the left pane. What would happen if IDA discovered that call sub_2128C never returned? The sequence in red would not be created in the first code analyzer passes. Only in its final pass, when IDA systematically attempts to convert unvisited bytes in the code segments into meaningful opcodes, would this bogus code show up, and then only to see its arpl instructions rejected as nonsensical by IDA's heuristics. At this point, another of IDA's heuristics would be free to reveal the string that is actually hiding in the code segment, as shown below on the right pane.
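As an added illustration (not code from this post, and not IDA's own analyzer), here is a toy Python model of the three passes described above: a recursive-descent walk that falls through after a call unless the callee is known never to return, a final pass that tries to turn unvisited bytes into code but rejects arpl as nonsensical, and a string heuristic over whatever bytes remain unclaimed. The instruction set, the byte image, the addresses and every function name are constructed for the example; the only borrowed fact is that 32-bit x86 opcode 0x63 (arpl) is also the ASCII code of the letter "c", which is why text embedded in a code segment so often decodes as arpl.

```python
# Constructed toy model of the effect described above (not IDA code).
# Toy ISA, reusing a few real 32-bit x86 opcode values:
#   0x90        nop
#   0xC3        ret           (ends the flow)
#   0xE8 rel8   call rel      (toy: 8-bit displacement from the next address)
#   0xEB rel8   jmp rel       (no fall-through)
#   0x63 modrm  arpl          (real opcode 0x63 is also ASCII 'c')
# Any other byte does not decode.

BASE = 0x1000  # assumed load address of the constructed image


def decode(code, ea):
    """Return (mnemonic, length, branch_target) at ea, or None if undecodable."""
    off = ea - BASE
    if not 0 <= off < len(code):
        return None
    op = code[off]
    if op == 0x90:
        return ("nop", 1, None)
    if op == 0xC3:
        return ("ret", 1, None)
    if off + 1 >= len(code):
        return None
    if op in (0xE8, 0xEB):
        rel = code[off + 1] - 256 if code[off + 1] >= 0x80 else code[off + 1]
        return ("call" if op == 0xE8 else "jmp", 2, ea + 2 + rel)
    if op == 0x63:
        return ("arpl", 2, None)
    return None


def walk(code, start, noreturn, follow_calls=True):
    """First analysis passes: recursive descent from start.
    Returns ({ea: mnemonic}, hit_undecodable); calls to functions in
    `noreturn` do not fall through."""
    seen, bad, work = {}, False, [start]
    while work:
        ea = work.pop()
        while ea not in seen:
            ins = decode(code, ea)
            if ins is None:
                bad = True
                break
            mn, ln, tgt = ins
            seen[ea] = mn
            if mn == "ret":
                break
            if mn == "jmp":
                ea = tgt
                continue
            if mn == "call":
                if follow_calls:
                    work.append(tgt)
                if tgt in noreturn:
                    break  # the callee never returns: no fall-through
            ea += ln
    return seen, bad


def is_noreturn(code, func, known=frozenset()):
    """Toy inference: a fully decodable body that never reaches a ret."""
    body, bad = walk(code, func, known, follow_calls=False)
    return bool(body) and not bad and "ret" not in body.values()


def covered(code, seen):
    """Every byte address occupied by an instruction in `seen`."""
    return {ea + i for ea in seen for i in range(decode(code, ea)[1])}


def final_pass(code, seen):
    """Final pass: convert unvisited bytes to code, rejecting arpl as
    nonsensical in ordinary user code."""
    extra, used = {}, covered(code, seen)
    for ea in range(BASE, BASE + len(code)):
        if ea in used:
            continue
        ins = decode(code, ea)
        if ins is None or ins[0] == "arpl":
            continue
        extra[ea] = ins[0]
        used |= {ea + i for i in range(ins[1])}
    return extra


def find_strings(code, used, min_len=4):
    """String heuristic over unclaimed bytes: a printable run of at least
    min_len bytes followed by a NUL."""
    out, ea, end = {}, BASE, BASE + len(code)
    while ea < end:
        start = ea
        while ea < end and ea not in used and 0x20 <= code[ea - BASE] < 0x7F:
            ea += 1
        if ea - start >= min_len and ea < end and ea not in used and code[ea - BASE] == 0:
            out[start] = code[start - BASE:ea - BASE].decode("ascii")
        ea += 1
    return out


def analyze(code, entry, infer=True):
    """Run all passes; `infer` toggles the noreturn detection."""
    noreturn = set()
    seen, _ = walk(code, entry, noreturn)
    if infer:
        callees = {decode(code, ea)[2] for ea, mn in seen.items() if mn == "call"}
        noreturn = {f for f in callees if is_noreturn(code, f)}
        seen, _ = walk(code, entry, noreturn)
    seen.update(final_pass(code, seen))
    return seen, find_strings(code, covered(code, seen))


# Constructed image: a call to a function that spins forever, followed by the
# string "code\0", whose first byte reads as an arpl opcode.
IMAGE = bytes([
    0xE8, 0x08,                    # 0x1000: call 0x100A
    0x63, 0x6F, 0x64, 0x65, 0x00,  # 0x1002: "code\0"
    0x90, 0x90, 0x90,              # 0x1007: unreached padding
    0xEB, 0xFE,                    # 0x100A: jmp $ (never returns)
])

if __name__ == "__main__":
    for infer in (False, True):
        seen, strings = analyze(IMAGE, BASE, infer)
        print("noreturn inference:", infer, {hex(k): v for k, v in sorted(seen.items())})
        print("strings:", {hex(k): v for k, v in strings.items()})
```

Without the inference, the walk falls through the call and the "c" of the hidden string becomes an arpl, which then claims bytes the string heuristic needed; with it, the fall-through is never taken, the final pass refuses the arpl, and the string surfaces at 0x1002.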
The astute reader will probably notice that there is still room for improvement. Check back later to discover how IDA 5.1 will deal with this less obviously rotten code…