State-of-the-art binary code analysis tools
We have covered basic usage of cross-references before, but there are situations where they may not behave as you may expect. Accessing large data items If there is a large structure or an array and the code reads or writes data deep inside it, you may not see cross-references from that code listed at the […]
A friendly heads-up to IDA users: we just published a vulnerability fix for a potential double-free during DWARF parsing. Please grab it from www.hex-rays.com/vulnfix/ and replace the original files with those you will find in the archive.
As we’ve mentioned before, the same numerical value can be used represented in different ways even if it’s the same bit pattern on the binary level. One of the representations used in IDA is offset. Offsets In IDA, an offset is a numerical value which is used as an address (either directly or as part of […]
Variable-sized structures is a construct used to handle binary structures of variable size with the advantage of compile-time type checking. In source code Usually such structures use a layout similar to following: struct varsize_t { // some fixed fields at the start int id; size_t datalen; //[more fields] unsigned char data[];// variable part }; In other words, a fixed-layout part at […]
This is a guest entry written by Elias Bachaalany. His views and opinions are his own, and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to him. ida-qscripts or QScripts is a productivity plugin for better/faster scripting and coding workflow/experience for IDA. IDA provides two […]
COM aka Component Object Model is the technology used by Microsoft (and others) to create and use reusable software components in a manner independent from the specific language or vendor. It uses a stable and well-defined ABI which is mostly compatible with Microsoft C++ ABI, allowing easy implementation and usage of COM components in C++. COM […]
The address details pane is a rather recent addition to IDA so probably not many users are familiar with it yet. However, it can be a quite useful addition to the standard workflow, permitting you to perform some common tasks faster. Address details view On invoking View > Open subview > Address details (you can also use […]
When changing operand representation, you may need to check what are the operand types currently used by IDA for a specific instruction. In some cases it is obvious (e.g. for offset or character type), but the hex and default, for example, look exactly the same in most processors so it’s not easy to tell […]
Although in general case the problem of correct disassembly is unsolvable, in practice it can get pretty close. IDA uses various heuristics to improve the disassembly and make it more readable, such as converting numerical values to offsets when it “looks plausible”. However, this is not always reliable or successful and it may miss some. […]
Last time we used operand types to make a function more readable and understand its behavior better. Converting operands one by one is fine if you need to do it a few times, but can quickly get tedious if you need to do it for a long piece of code. En masse operation To convert operands of […]