Igor’s tip of the week #41: Binary file loader

IDA supports more than 40 file formats out of the box. Most of them are structured file formats – with defined headers and metadata – so IDA recognizes and handles them automatically. However, sometimes all you have is a piece of code without any headers (e.g. shellcode or a raw firmware dump) which you want to analyze in IDA. In that case you can use the binary loader. It is always offered in the loader list, even when the file is recognized as another file format.


Processor selection

Since raw binaries carry no metadata, IDA cannot tell which processor module to use, so you must pick the correct one yourself. By default metapc (the module responsible for x86 and x64 disassembly) is selected, but you can choose another one from the list (double-click an entry to change it).

Memory loading address

Without metadata, IDA also does not know at which address to place the loaded data, so you may need to help it. The Loading segment and Loading offset fields apply to the x86 family only; for 16-bit real-mode code they form a segment:offset pair. If the code being loaded uses a flat memory model (such as 32-bit protected mode or 64-bit long mode), leave Loading segment at 0 and put the address in the Loading offset field. If you get the address wrong you do not have to reload: Edit > Segments > Rebase program... can move the whole image later.

Other processors, such as ARM, MIPS, or PPC, do not use these fields; instead, IDA prompts for the memory layout after you confirm the initial selection.

In this dialog you can specify where to place the data and whether to create an additional RAM section. By default the whole file is placed at address 0 in the ROM segment, but you can specify a different address, or load only a part of the file by changing the file offset and loading size.

Code bitness

For processors where instruction decoding changes depending on the current mode, such as PC (16-bit mode, 32-bit protected mode, or 64-bit long mode) or ARM (AArch32 or AArch64), you may get one more question asking which mode to use.

Start disassembling

Finally the file is loaded, but since a raw binary has no entry point, IDA does not start disassembling on its own: it shows a dialog explaining this, and the loaded bytes stay undefined until you tell it where code begins.

As the dialog suggests, you can press C (Make code) at locations that look like valid instructions to start autoanalysis from there. Typically shellcode has valid instructions right at the beginning, and firmware for most processors either starts executing at the lowest address or uses a vector table (a list of addresses) pointing to code.
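As an added example (not part of the original post), here is an IDAPython-flavoured script that covers both the loading-address question and the "where do I press C" question above for a 32-bit ARM Cortex-M firmware, which begins with exactly such a vector table: word 0 is the initial stack pointer and the following words are handler addresses with bit 0 set because Cortex-M runs Thumb code. The script parses the table, reports why a candidate loading address looks wrong (handlers must fall inside the image and carry the Thumb bit, the stack pointer must point into SRAM), proposes a base, lists the code addresses to start from and, when run inside IDA, names each handler and creates code at it. The sample image bytes, the SRAM window, the 64 KiB granularity and the IDAPython calls in mark_code_in_ida (idc.split_sreg_range, idc.create_insn, idc.set_name, assumed to be the IDA 7.x+ names) are my assumptions; everything else runs outside IDA as well.

```python
import struct

# Constructed sample: the first 8 words of a hypothetical Cortex-M image
# (initial stack pointer, Reset, NMI, HardFault, three unused slots, SVCall),
# padded to 4 KiB. Values are made up for this example, not from a real device.
SAMPLE_IMAGE = struct.pack(
    "<8I",
    0x20008000,  # initial MSP, points into SRAM
    0x08000205,  # Reset_Handler, bit 0 set = Thumb code
    0x08000281,  # NMI_Handler
    0x08000285,  # HardFault_Handler
    0, 0, 0,     # unused vectors
    0x08000289,  # SVC_Handler
) + b"\x00" * (0x1000 - 32)

# Assumption: the SRAM window of a typical Cortex-M part (adjust per device).
SRAM_LO, SRAM_HI = 0x20000000, 0x40000000


def parse_vector_table(data, n_entries=8):
    """Return (initial_sp, [handler, ...]) read from the start of a raw image."""
    words = struct.unpack_from("<%dI" % n_entries, data, 0)
    return words[0], list(words[1:])


def check_load_address(data, base, n_entries=8):
    """Reasons why `base` looks wrong for this image; an empty list means plausible."""
    sp, handlers = parse_vector_table(data, n_entries)
    issues = []
    if sp & 3 or not SRAM_LO <= sp < SRAM_HI:
        issues.append("initial SP 0x%08x is not a word-aligned SRAM address" % sp)
    for idx, h in enumerate(handlers, 1):
        if h == 0:
            continue                      # unused slot
        if not h & 1:
            issues.append("vector %d (0x%08x) lacks the Thumb bit" % (idx, h))
        if not base <= (h & ~1) < base + len(data):
            issues.append("vector %d (0x%08x) falls outside the image at base 0x%08x"
                          % (idx, h, base))
    return issues


def suggest_base(data, n_entries=8, granularity=0x10000):
    """Lowest live handler rounded down to `granularity` (assumed 64 KiB):
    a starting point for the Loading offset field, not an answer."""
    _, handlers = parse_vector_table(data, n_entries)
    live = [h & ~1 for h in handlers if h]
    return (min(live) // granularity) * granularity if live else None


def entry_points(data, n_entries=8):
    """Code addresses (Thumb bit cleared) at which to press C once the image is loaded."""
    _, handlers = parse_vector_table(data, n_entries)
    return sorted({h & ~1 for h in handlers if h})


def mark_code_in_ida(data, n_entries=8):
    """Inside IDA (after loading at the right base): name each vector and create code at it.
    Returns the number of handlers marked; 0 outside IDA. API names assumed IDA 7.x+."""
    try:
        import idc
    except ImportError:
        return 0
    made = 0
    _, handlers = parse_vector_table(data, n_entries)
    for idx, h in enumerate(handlers, 1):
        if h == 0:
            continue
        ea = h & ~1
        idc.split_sreg_range(ea, "T", 1, idc.SR_user)  # tell IDA this is Thumb code
        if idc.create_insn(ea):                         # same as pressing C there
            idc.set_name(ea, "vector_%d_handler" % idx, idc.SN_CHECK)
            made += 1
    return made


if __name__ == "__main__":
    for base in (0x00000000, suggest_base(SAMPLE_IMAGE)):
        print("base 0x%08x:" % base, check_load_address(SAMPLE_IMAGE, base) or "plausible")
    print("entry points:", [hex(ea) for ea in entry_points(SAMPLE_IMAGE)])
```

Outside IDA the script only reports. Inside IDA, load the file with the binary loader, pick ARM, place the image at the suggested base, then run the script from File > Script file with the image bytes. If check_load_address complains for every base you try, the file probably does not start with a vector table (a bootloader or header may precede it) or is not Cortex-M code at all, and you are back to pressing C at whatever looks like a valid instruction.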

In addition to shellcode or firmware, the binary file loader can be used to analyze other kinds of files using IDA’s powerful features for marking up and labeling data and code. For example, here’s a PNG file labeled and commented in IDA:

Article Link: https://hex-rays.com/blog/igors-tip-of-the-week-41-binary-file-loader/