Although IDA has been created first and foremost to analyze binaries in “black box” mode, i.e. without any symbols or debug information, it does have the ability to consume such information when available. The debugger functionality was also initially optimized to debug binaries on the assembly level, but nowadays can work with source code too. Source-level […]
Read MoreWe’ve covered arrays previously, but one feature briefly mentioned there is worth a separate highlight. Complex programs may use arrays of data, either of items such as integers or floats, or of complex items such as structures. When the arrays are small, it’s not too difficult to make sense of them, but what to do […]
Read MoreWe’ve covered the major pseudocode formatting options previously but there is one more option which can influence the output. It is the radix used for printing numbers in the pseudocode. In a positional numeral system, the radix or base is the number of unique digits, including the digit zero, used to represent numbers. For example, for […]
Read MoreThe default output of the Hex-Rays decompiler tries to strike a balance between conciseness and readability. However, everyone has different preferences so it offers a few options to control the layout and formatting of the pseudocode. Accessing the options Because of its origins as a third-party plugin for IDA, the decompiler options are accessible not through IDA’s […]
Read MoreThere are multiple ways of annotating IDA databases: renaming, commenting, or adding bookmarks. However, sometimes there is a need for general notes for the database as a whole, not tied to specific locations. Notepad window The database notepad is a text input box which can store arbitrary text within the database, so you can add […]
Read MoreIn addition to comments, IDA offers a few more features for annotating and quickly navigating in the database. Today we’ll cover bookmarks. Adding bookmarks Bookmarks can be added at most locations in the address-based views (disassembly listing, Hex View, Pseudocode), as well as Structures and Enums. This can be done via the Jump > Mark position… […]
Read MorePreviously we’ve discussed how to reduce the number of variables used in pseudocode by mapping copies of a variable to one. However, sometimes you may run into an opposite problem: a single variable can be used for different purposes. Reused stack slots One common situation is when the compiler reuses a stack location of either a […]
Read MoreDuring the work with binaries, IDA sometimes shows warnings to inform the user about unusual or potentially dangerous behavior or asks questions: Hiding messages For some of such messages there is a checkbox “Don’t Display this message again”. If you enable it before answering or confirming the message (hint: you can press ‘D’ to Read More
Quick rename can be useful when you have code which copies data around so the variable names stay the same or similar. However, sometimes there is a way to get rid of duplicate variables altogether. Reasons for duplicate variables Even if in the source code a specific variable may appear only once, on the machine code […]
Read MoreOne of the features added in IDA 7.6 was automatic renaming of variables in the decompiler. Unlike PIT, it is not limited to stack variables but also handles variables stored in registers and not just calls but also assignments and some other expressions. It also tries to interpret function names which include a verb […]
Read More