For over a year now, our colleague Igor has been disseminating his deep knowledge of IDA & decompilers through “Igor’s tip of the week” blog posts. Those have received critical acclaim, and we’ve received a lot of very positive feedback during that time. This motivated us to find a way to improve the accessibility […]
Today we’ll cover how keyboard modifiers (Ctrl, Alt, Shift) can be used with some IDA actions to modify their behavior or provide additional functionality. Modifiers in shortcuts Obviously, some shortcuts already include modifiers as part of their key sequence, but some commonalities may not be immediately obvious. For example, the Search menu commands tend to use Alt-letter […]
This week we’ll cover another situation where shifted pointers can be useful.
Strings in binaries are very useful for the reverse engineer: they often contain messages shown to the user, or sometimes even internal debugging information (function or variable names) and so having them displayed in the decompiled code is very helpful. However, sometimes you may see named variables in pseudocode even though the disassembly shows the string […]
IDA supports many file formats, among them the main ones used on the three major operating systems: PE (Portable Executable) on Windows; ELF (Executable and Linkable Format) on Linux; Mach-O (Mach object) on macOS. Symbols and debugging information Symbols associate locations inside the file (e.g. addresses of functions or variables) with textual names (usually the names used in the original source […]
Previously we briefly mentioned shifted pointers but without details. What are they? Shifted pointers are another custom extension to the C syntax. They are used by IDA and the decompiler to represent a pointer to an object with some offset or adjustment (positive or negative). Let’s see how they work and several situations where they can […]
IDA supports most of the switch patterns produced by major compilers out of the box and usually you don’t need to worry about them. However, occasionally you may encounter code which has been produced by an unusual or a very recent compiler version, or some peculiarity of the code prevented IDA from recognizing the pattern, so it […]
IDA uses mostly standard C (and basic C++) syntax, but it also supports some extensions, in particular to represent low-level details which are not necessary for “standard” C code but are helpful for real-life binary code analysis. We’ve already covered custom types and calling conventions, but there are more extensions you may use […]
The Hex-Rays decompiler was originally created to deal with code produced by standard C compilers. In that world, everything is (mostly) nice and orderly: the calling conventions are known and standardized and the arguments are passed to functions according to the ABI. However, real life is not that simple: even in code coming […]
Although nowadays most IDA users probably use the graph view, the text view can still be useful in certain situations. In case you haven’t noticed, it has a UI element which can help you visualize code flow even without the full graph and even outside of functions (the graph view is available only for […]