State-of-the-art binary code analysis tools
Previously we’ve talked about using type libraries shipped with IDA, but what can be done when dealing with uncommon or custom APIs or SDKs not covered by them? In such situation it is possible to use the tilib utility available for IDA Pro users from our download center. Creating type libraries tilib is a powerful command-line […]
Many of IDA’s windows have status bars and they contain useful information and functionality which may not be always obvious. Main window status bar The status bar at the bottom of IDA’s main window contains: Autoanalysis progress indicator. See IDA Help: Analysis options for possible values you may see there. Search direction indicator for “Next search” commands […]
Type libraries are collections of high-level type information for selected platforms and compilers which can be used by IDA and the decompiler. A type library may contain: function prototypes, e.g.: void *__cdecl memcpy(void *, const void *Src, size_t Size); BOOL __stdcall EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam); typedefs, e.g.: typedef unsigned long DWORD; BOOL (__stdcall *WNDENUMPROC)(HWND, LPARAM); standard structure and enum definitions, e.g.: struct tagPOINT { LONG […]
You may have observed that IDA knows about standard APIs or library functions and adds automatic function comments for the arguments passed to them. For example, here’s a fragment of disassembly with commented arguments to Win32 APIs CreateFileW and ReadFile: This works well when functions are imported in a standard way and are known at load time. […]
Today we’ll cover how keyboard modifiers (Ctr, Alt, Shift) can be used with some IDA actions to modify their behavior or provide additional functionality. Modifiers in shortcuts Obviously, some shortcuts already include modifiers as part of their key sequence, but some commonalities may be not immediately obvious. For example, the Search menu commands tend to use Alt-letter […]
This week we’ll cover another situation where shifted pointers can be useful.
Strings in binaries are very useful for the reverse engineer: they often contain messages shown to the user, or sometimes even internal debugging information (function or variable names) and so having them displayed in the decompiled code is very helpful. However, sometimes you may see named variables in pseudocode even though the disassembly shows the string […]
IDA supports many file formats, among them the main ones used on the three major operating systems: PE (Portable Executable) on Windows; ELF (Executable and Linkable Format) on Linux; Mach-O (Mach object) on macOS. Symbols and debugging information Symbols associate locations inside the file (e.g. addresses of functions or variables) with textual names (usually the names used in the original source […]
Previously we briefly mentioned shifted pointers but without details. What are they? Shifted pointers is another custom extension to the C syntax. They are used by IDA and decompiler to represent a pointer to an object with some offset or adjustment (positive or negative). Let’s see how they work and several situations where they can […]
IDA supports most of the switch patterns produced by major compilers out-of-box and usually you don’t need to worry about them. However, occasionally you may encounter a code which has been produced by an unusual or a very recent compiler version, or some peculiarity of the code prevented IDA from recognizing the pattern, so it […]