As covered before, the action “Create struct from selection” can be used to quickly create structures from existing data items. However, Disassembly view is not the only place where it can be used. For example, let’s imagine you’ve created a structure to represent some context used by the binary being analyzed: 00000000 Context […]
Halloween is approaching, and we’ve decided to celebrate it by launching the #MyCreepyCodeContest. Whether you are a seasoned reverser or just an enthusiast, our #MyCreepyCodeContest invites you to dig up and share the most spine-chilling pieces of code you’ve encountered in the wild. Everyone is welcome to participate, regardless of experience. The goal is to…well, to […]
This is a guest entry written by Sergejs Harlamovs from IKARUS Security Software GmbH. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. IdaClu: Finding clues without knowing what to seek IdaClu, as the name suggests, is about […]
In order to faithfully represent the behavior of the code and to conform to the rules of the C language, the decompiler may need to add casts in the pseudocode. A few examples: a variable has been detected to be unsigned but participates in a signed comparison: An argument being passed to a function does not match […]
In order to show the user only the most relevant code and hide the unnecessary clutter, the decompiler performs various optimizations before displaying the pseudocode. Some of these optimizations rely on various assumptions which are usually correct in well-behaved programs. However, in some situations they may be incorrect which may lead to wrong output, so […]
When working with the decompiler, you probably spend most of the time in the pseudocode view, since most interactive operations (e.g. renaming, retyping and commenting) can be done right there. IDA is usually smart enough to detect important changes during such actions and update the pseudocode as necessary. However, occasionally you may perform actions […]
Welcome to a new chapter of Igor’s invaluable insights! At Hex-Rays, we understand the importance of continuous learning in our ever-evolving field. Therefore, we are thrilled to introduce you to Igor’s Tip of the Week – Season 3. Three years ago, we embarked on a mission to empower IDA’s […]
When you need to change the prototype of a function in the decompiler, the standard way is to use the “Set item type…” action (shortcut Y). One case where you may need to do it is to add or remove arguments. Especially in embedded code or when decompiling variadic functions, the decompiler may deduce the argument […]
Firmware binaries often use raw binary file format without any metadata so they have to be loaded manually into IDA. You can do it interactively using the binary file loader, but if you have many files to disassemble it can quickly get boring. If you already know some information about the files you’re disassembling, […]
We’ve covered splitting expressions before, but there may be situations where it can’t be used. For example, consider the following situation: The decompiler decided that the function returns a 64-bit integer and allocated a 64-bit stack variable for it. For example, the code may be manipulating a register pair commonly used for 64-bit variables (eax:edx) which triggers […]