ida-x86emu

Reverse engineering binaries often involves hand tracing through code in order to develop an understanding of how a function behaves. In order to do this, you need a solid understanding of the instruction set you are analyzing and a handy reference to refresh your memory when you encounter an instruction that doesn’t look familiar. An instruction emulator can be a useful tool to track all of the register and CPU state changes that take place over a series of instructions. The ida-x86emu plug-in, which was discussed in detail in Chapter 21 and whose information is shown again here, is one such emulator.

Name: ida-x86emu
Author: Chris Eagle
Distribution: Source for SDK v6.1 and binaries for all versions of IDA from 5.0, including IDA Freeware. Source is backward compatible to SDK version 4.9.
Price: Free
Description: Embedded x86 instruction emulator for IDA
Information: http://www.idabook.com/ida-x86emu/

This plug-in is distributed in source and binary form and is compatible with IDA SDK versions 4.6 and later. The plug-in is distributed with build scripts and project files to facilitate building with MinGW tools or Microsoft Visual Studio on Windows platforms and g++ on non-Windows platforms. A precompiled binary version of the plug-in for use with IDA freeware is included in the distribution. ida-x86emu is compatible with all Qt-based versions of IDA; however, prior to IDA 6.0, the plug-in is compatible with only the Windows GUI version of IDA.

The plug-in was developed with self-modifying code in mind and operates by reading instruction bytes from the current IDA database, decoding the instruction, and performing the associated operation. Operations may involve updating the emulator’s internal register variables or writing back to the database in the case of self-modifying code. A simulated stack and a heap are implemented by allocating new IDA segments that are read and written as appropriate. For more detailed information on using ida-x86emu, please refer to Chapter 21.
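The fetch, decode, execute and write-back cycle described above can be seen in miniature in the following added example, which is not ida-x86emu source code. The names `db`, `cpu_t` and `emulate` are hypothetical, a byte array stands in for the IDA database, and only the six opcodes used by the constructed sample are handled, with the zero flag as the only flag tracked.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: XOR self-decoding stub. db[] stands in for the IDA
   database; addresses are offsets into it. */
static uint8_t db[] = {
    0xB8, 0x11, 0x00, 0x00, 0x00,       /* 00: mov eax, 0x11 */
    0xB9, 0x06, 0x00, 0x00, 0x00,       /* 05: mov ecx, 6 */
    0x80, 0x30, 0x5A,                   /* 0A: xor byte [eax], 0x5A */
    0x40, 0x49,                         /* 0D: inc eax   0E: dec ecx */
    0x75, 0xF9,                         /* 0F: jnz 0x0A */
    0xE1, 0x6D, 0x49, 0x5A, 0x5A, 0xAE  /* 11: XOR 0x5A of: mov ebx, 0x1337; hlt */
};
typedef struct { uint32_t reg[8], eip; int zf; } cpu_t; /* reg[]: eax ecx edx ebx ... */
/* Returns 0 on hlt, -1 on unsupported opcode, bad address or step limit. */
int emulate(cpu_t *c, uint8_t *mem, uint32_t size, int max_steps) {
    while (max_steps-- > 0) {
        uint32_t ip = c->eip;
        if (ip >= size) return -1;
        uint8_t op = mem[ip];                      /* fetch from the "database" */
        if (op == 0xF4) return 0;                  /* hlt */
        if (op >= 0xB8 && op <= 0xBF && size - ip >= 5) {  /* mov r32, imm32 */
            c->reg[op & 7] = mem[ip+1] | (uint32_t)mem[ip+2] << 8 |
                             (uint32_t)mem[ip+3] << 16 | (uint32_t)mem[ip+4] << 24;
            c->eip = ip + 5;
        } else if (op >= 0x40 && op <= 0x4F) {     /* inc r32 (40+r), dec r32 (48+r) */
            uint32_t *r = &c->reg[op & 7];
            *r += (op < 0x48) ? 1u : 0xFFFFFFFFu;
            c->zf = (*r == 0);
            c->eip = ip + 1;
        } else if (op == 0x80 && size - ip >= 3 && mem[ip+1] == 0x30) { /* xor byte [eax], imm8 */
            uint32_t addr = c->reg[0];
            if (addr >= size) return -1;
            mem[addr] ^= mem[ip+2];  /* self-modification: write back to the database */
            c->zf = (mem[addr] == 0);
            c->eip = ip + 3;
        } else if (op == 0x75 && size - ip >= 2) { /* jnz rel8 */
            c->eip = ip + 2 + (c->zf ? 0 : (uint32_t)(int8_t)mem[ip+1]);
        } else return -1;
    }
    return -1;
}

int main(void) {
    cpu_t c = {0};
    int rc = emulate(&c, db, sizeof db, 100);
    printf("rc=%d ebx=0x%X db[0x11]=0x%02X\n", rc, (unsigned)c.reg[3], (unsigned)db[0x11]);
    return rc;
}
```

Because the decoded bytes are written into the same buffer the emulator fetches from, the instructions at offset 0x11 only become valid code after the loop has run, which is the situation the plug-in's write-back to the database is meant to handle.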
