LogoLogo
IDA 9.1
IDA 9.1IDA 9.0sp1IDA 9.0IDA 8.5IDA 8.4
IDA 9.1
IDA 9.1IDA 9.0sp1IDA 9.0IDA 8.5IDA 8.4
  • Welcome to Hex-Rays docs
    • What's new?
  • Getting Started
    • Install IDA
    • Licensing
    • Basic Usage
    • What's next?
  • User Guide
    • User Interface
      • Menu Bar
        • File
          • Load file
          • Script File
          • Script command
          • Produce output files
          • Invoke OS Shell
          • Take database snapshot
          • Save database
          • Save database as...
          • Abort IDA
          • Exit IDA
        • Edit
          • Export data
          • Undo an action
          • Redo an action
          • Clear undo history
          • Disable undo
          • Convert to instruction
          • Convert to data
          • Convert to string literal
          • Convert to array
          • Undefine a byte
          • Give Name to the Location
          • Operand types
            • Offset
            • Number
            • Perform en masse operation
            • Convert operand to character
            • Convert operand to segment
            • Complex Offset Expression
            • Convert operand to symbolic constant (enum)
            • Convert operand to stack variable
            • Change operand sign
            • Bitwise negate operand
            • User-defined operand
            • Set operand type
          • Comments
          • Functions
          • Structs
          • Segments
          • Patch core
          • Other
            • Rename Any Address
          • Plugins
        • Jump
          • Center current line in window
          • Problems List
        • Search
          • REGULAR EXPRESSION SYNTAX SUMMARY
        • View
          • Open subviews
          • Graphs
          • Arrows window
          • Database snapshot manager
          • Highlighting identifiers
          • Browser options
          • Lumina options
          • Assembler level and C level types
          • C++ type details
          • Bookmarks window
          • Calculator
          • View segment registers
          • View Internal Flags
          • Hide
          • Unhide
          • Del hidden range
          • Hide all items
          • Unhide all items
          • Setup hidden items
        • Debugger
          • Debugger window
          • Process Control
            • Start process
            • Process options
            • Pause process
            • Terminate process
            • Step into
            • Step over
            • Run to cursor
            • Run until return
            • Attach to process
            • Detach from process
            • Set current ip
            • Show application screen
          • Breakpoints
          • Watches
          • Tracing
          • Source code view
            • Watch view (source level)
          • Process Memory
            • Take memory snapshot
            • Manual memory regions
            • Refresh memory
          • Thread list
          • Module list
          • Stack trace
          • Exceptions
          • Debugger options
          • Switch debugger
        • Lumina
        • Options
          • Low & High Suspicious Operand Limits
        • Windows
          • Rename a stack variable
          • Miscellanous Options
          • Environment variables
          • Reset Hidden Messages
          • Various dialog help messages
          • Output window
        • List of all menu options
      • Desktops
      • Command line
      • License Manager
      • How To Use List Viewers in IDA
      • Database conversion from idb to i64
    • Disassembler
      • Interactivity
      • Background Analysis
      • Graph view
        • Graphing tutorial
      • Proximity view
      • Navigation
        • Anchor
        • How to Enter a Segment Value
        • How to Enter a Number
        • How to Enter an Identifier
        • How to enter text
        • How to Enter an Address
      • Disassembly Gallery
        • Philips 51XA-G3
        • 6502 and 65C02 Disassembler
        • 6301, 6303, 6800, 6801 and 6803 Disassembler
        • 68040, Amiga
        • 6805 Disassembler
        • 6808 Disassembler
        • 6809 OS9 Flex Disassembler
        • 6809 Disassembler
        • 6811 Disassembler
        • 68HC12 Disassembler
        • 68HC16 Disassembler
        • 68k Amiga Disassembler
        • 68k Mac OS
        • 68k Palm Pilot
        • Unix COFF
        • NEC 78k0 and 78k0s Processor
        • 80196 Processor
        • 8051 Disassembler
        • Analog Devices 218x.
        • Alpha Processor – NT COFF
        • Alpha Processor – Unix ELF
        • Android ARM Executables (.elf)
        • ARC Processor
        • ARM Processor EPOC App
        • ARM Processor EPOC PE File
        • ARM Processor EPOC ROMFile
        • EPOC SIS File Handler
        • ARM Processor iOS (iPhone): Unlock
        • ARM Processor iOS (iPhone): Objective-C metadata
        • ARM Processor iOS (iPhone): Objective-C Instance variables
        • ARM Processor iOS (iPhone): Parameter Identification & Tracking (PIT)
        • ARM Processor iOS (iPhone): Start
        • ARM Processor iOS (iPhone): Switch statements
        • ARM Processor iOS (iPhone): C++ signatures
        • ARM Processor iOS (iPhone): Write
        • ARM Processor: Linux ELF
        • ARM Processor: AOF SDK
        • ARM Processor: Windows CE COFF Format
        • ARM Processor: Windows CE PE Format
        • ATMEL AVR Disassembler
        • C166 Processor
        • C166 Processor with ELF file
        • Rockwell C39
        • Microsoft .NET CLI Disassembler. VisualBasic library
        • CR16
        • Android Dalvik Executables (.dex)
        • Microsoft .NET CLI Disassembler
        • DSP56K
        • Fujitsu FR (.elf)
        • Gameboy
        • H8 300: COFF FILE Format
        • H8 300s: COFF FILE Format
        • H8 500
        • HPPA Risc Processor: HP-UX SOM
        • i51
        • i860
        • Intel i960
        • Intel IA-64 (Itanium)
        • Java Bytecode
        • Angstrem KR 1878
        • Renesas/Hitachi M16C
        • Renesas/Hitachi M32R
        • M740
        • M7700
        • M7900
        • MIPS Processor: Nintendo N64
        • MIPS R5900 Processor : Sony bin
        • MIPS Processor: Sony ELF
        • MIPS Processor: Sony PSX
        • MIPS Processor: Sony PSX
        • MIPS Processor: Unix COFF File Format
        • MIPS Processor: Unix ELF File Format
        • MIPS Processor: Windows CE PE File Format
        • MIPS Processor: Windows CE PE2 File Format
        • Panasonic MN102
        • Atmel OAK DSP
        • 80×86 Architecture: DOS Extender
        • 80×86 Architecture: Watcom Runtime
        • 80×86 Architecture: Geos APP
        • 80×86 Architecture: Geos DRV
        • 80×86 Architecture: Geos LIB
        • 80×86 Architecture: GNU COFF Format
        • 80×86 Architecture: OS/2 Linear Executable Format
        • 80×86 Architecture: Netware NLM
        • 80×86 Architecture: QNX Executable
        • 80×86 Architecture: Watcom Runtime
        • 80×86 Architecture: Windows OMF
        • 80×86 Architecture: Windows Portable Executable Format
        • 80×86 Architecture: Windows Virtual Device Driver
        • 80×86 Architecture: Windows 16 bits DLL
        • X-Box Disassembler
        • PDP 11: SAV File
        • PIC
        • PIC 12xx
        • Power PC AIF ECOFF file Format
        • Power PC Linux ELF
        • Mac OS PEF File
        • Mac OS X File
        • Windows NT PE File
        • Hitachi SH-1 Processor
        • Hitachi SH-3 Processor: Windows CE COFF format
        • Hitachi SH-3 Processor: Windows CE PE format
        • Hitachi SH-4 Processor: ELF File Format
        • Hitachi SH-4 Processor: Windows CE PE File Format
        • Super Nintendo Entertainement System (SNES)
        • SPARC Solaris COFF
        • SPARC Solaris ELF
        • SPARC Sun ELF
        • SPARC Sun ELF SO
        • ST 20C4
        • ST 7
        • ST 9
        • Toshiba TLCS 900
        • TMS 320c2 COFF
        • TMS 320c5
        • TMS 320c54
        • TMS 320c6 COFF File Format
        • TRICORE
        • SunPlus unSP
        • NEC V850
        • Z180 COFF File Format
        • Z380 COFF File Format
        • Z8
        • Z80
      • Supported processors
      • Supported file formats
        • Windmp file loader
      • Bitfields
        • Bit Fields tutorial
      • Structures tutorial
      • Union tutorial
      • Variable length structures tutorial
      • Data types, operands and constructs
      • Packed executables
    • Decompiler
      • Prerequisites
      • Quick primer
      • Exception handler
      • Introduction to Decompilation vs. Disassembly
        • Comparisons of ARM disassembly and decompilation
        • Comparisons of PowerPC disassembly and decompilation
        • Comparisons of MIPS disassembly and decompilation
        • Hex-Rays v7.4 vs. v7.3 Decompiler Comparison Page
        • Hex-Rays v7.3 vs. v7.2 Decompiler Comparison Page
        • Hex-Rays v7.2 vs. v7.1 Decompiler Comparison Page
      • Interactive operation
        • Rename
        • Set type
        • Set number representation
        • Edit indented comment
        • Edit block comment
        • Hide/unhide C statements
        • Split/unsplit expression
        • Force call type
        • Set call type
        • Add/del variadic arguments
        • Del function argument
        • Add/delete function return type
        • Jump to cross reference
        • Jump to cross reference globally
        • Generate HTML file
        • Mark/unmark as decompiled
        • Copy to assembly
        • Show/hide casts
        • Reset pointer type
        • Convert to struct *
        • Create new struct type
        • Split variable
        • Select union field
        • Jump to paired paren
        • Collapse/uncollapse item
        • Map to another variable
      • Batch operation
      • Configuration
      • Third party plugins
      • Floating point support
      • Support for intrinsic functions
      • Overlapped variables
      • gooMBA
      • Failures and troubleshooting
      • FAQ
      • Limitations
      • Tips and tricks
    • Debugger
      • Instant debugger
      • Remote debugging
        • Remote iOS Debugger
        • Android debugger
        • Dalvik debugger
        • Remote GDB Debugger
          • Remote GDB Debugger options
          • Debugging with gdbserver
          • Debugging with VMWare
          • Debugging with OpenOCD
          • Debugging with QEMU
          • External programs and GDB Debugger
          • Debugging code snippets with QEMU
        • PIN debugger
          • Building the PIN tool
          • Connecting a remote PIN tool instance from IDA
          • PIN support for MacOSX
        • Replayer debugger
        • Bochs debugger
          • Bochs Disk Image operation mode
          • Bochs IDB operation mode
          • Bochs PE operation mode
          • Bochs debugger FAQ
      • Local debugging
        • WinDbg Debugger
        • WinDbg: Time Travel Debugging
        • Linux debugger
        • Intel/ARM macOS debugger
      • Debugger tutorials
        • Debugging Dalvik Programs
        • IDA Win32 Local Debugging
        • IDA Linux Local Debugging
        • IDA Linux to Win64 Debugging
        • IDA Win32 to Linux Debugging
        • Debugging Mac OSX Applications with IDA Pro
        • Debugging iOS Applications using CoreDevice (iOS 17 and up)
        • Debugging iOS Applications with IDA Pro
        • Debugging Linux Applications locally
        • Debugging Linux/Windows Applications with PIN Tracer module
        • Debugging Windows Applications with IDA Bochs Plugin
        • Debugging Windows Applications with IDA WinDbg Plugin
        • Using the Bochs debugger plugin in Linux
        • Debugging Windows Kernel with VMWare and IDA WinDbg Plugin
        • Debugging Linux Kernel under VMWare using IDA GDB debugger
        • Windows Debugger Hub
        • Linux Debugger
        • Debugging a Windows executable locally and remotely
        • Debugging the XNU Kernel with IDA Pro
        • Remote debugging with IDA Pro
        • IDA Scriptable Debugger: overview
          • IDA Scriptable Debugger: scriptability
        • Debugging code snippets with QEMU debugger (a la IDA Bochs debugger)
        • Trace Replayer and managing traces
        • Using IDA Pro's tracing features
        • Working with PIN
        • Appcall
    • Creating Signatures
      • FLIRT
        • IDA F.L.I.R.T. Technology: In-Depth
        • Generate FLIRT signature file
        • Supported Compilers
          • Turbo Pascal
          • Delphi
      • Makesig
    • Types
      • Creating Type Libraries
        • IDAClang
        • TILIB
    • Configuration
      • Configuration files
      • Command line switches
      • Keyboard macros
      • UI/Fonts/Themes
      • Shortcuts
      • Customizing IDA
      • CSS-based styling
    • Teams
      • Diffing and Merging Databases with IDA Teams
      • Teams lc command reference manual
      • hv command reference manual
      • Hex-Rays Vault’s visual client user manual
    • Lumina
      • lc command reference manual
    • Plugins
      • Open Plugin Architecture
      • Plugin options
      • Plugins Shipped with IDA
        • Swift plugin
        • Golang plugin
        • Rust plugin
        • picture_search
        • Objective-C Analysis Plugin
        • DYLD Shared Cache Utils
        • Borland RTTI descriptors plugin
        • DWARF plugin
        • Patfind plugin
        • IDA Feeds
          • FLIRT Signature Bundle
      • Plugin Contest
      • How to write your own plugin?
    • Helper Tools
    • idalib
    • Third-Party Licenses
      • Apache License for Ghidra
      • Apache License for LLVM
      • Common Public License Version 1.0
      • APPLE PUBLIC SOURCE LICENSE
      • PCRE2 LICENCE
      • GNU Lesser General Public License v2.1 for libiberty
    • Floating licenses
  • Developer Guide
    • C++ SDK
      • Getting Started
      • Reference
      • Using the Decompiler SDK: Decompiler plugin
      • Examples
      • How to create a plugin?
      • Porting Guide from IDA 8.x to 9.0
    • IDAPython
      • Getting Started
      • Reference
      • Examples
      • How to create a plugin?
      • Porting Guide from IDA 8.x to 9.0
    • IDC
      • Core concepts
        • Expressions
        • Statements
        • Functions
        • Variables
        • Constants
        • Exceptions
        • Classes
        • Predefined symbols
        • loader_input_t class
        • Slices
      • Reference
      • Examples
        • Analyzing encrypted code
  • Admin Guide
    • Lumina server
    • Teams server
    • License server
      • Hex-Rays License Server Migration Guide
      • Hex-Rays License Server on WSL
  • Release Notes
    • IDA 9.1
    • IDA 9.0sp1
    • IDA 9.0
    • IDA 8.5
    • IDA 8.4sp2
    • IDA 8.4sp1
    • IDA 8.4
    • IDA 8.3
    • IDA 8.2sp1
    • IDA 8.2
    • IDA 8.1
    • IDA 8.0sp1
    • IDA 8.0
    • IDA 7.7sp1
    • IDA 7.7
    • IDA 7.6sp1
    • IDA 7.6
    • IDA 7.5sp3
    • IDA 7.5sp2
    • IDA 7.5sp1
    • IDA 7.5
    • IDA 7.4sp1
    • IDA 7.4
    • IDA 7.3
      • IDA 7.3 Undo: IDA can do it
    • IDA 7.2
      • IDA 7.2 The Mac Rundown
    • IDA 7.1
      • IDA 7.1 Debugger API 7.1 Porting Guide
    • IDA 7.0sp1
    • IDA 7.0
      • Internationalization (i18n)
      • Automatic discovery of string literals
      • API 7.0 Porting Guide
      • IDAPython backward compatibility
    • IDA 6.95
    • IDA 6.9
    • IDA 6.8
    • IDA 6.7
    • IDA 6.6
    • IDA 6.5
    • IDA 6.4
    • IDA 6.3
    • IDA 6.2
    • IDA 6.1
    • IDA 6.0
    • IDA 5.7
    • IDA 5.6
    • IDA 5.5
      • 5.5 Gallery
      • 5.5 Comparison
    • IDA 5.4
    • IDA 5.3
    • IDA 5.2
    • IDA 5.1
    • IDA 5.0
    • IDA 4.9SP
    • IDA 4.9
    • IDA 4.8
    • IDA 4.7
    • IDA 4.6
    • IDA 4.x
    • IDA 3.x
    • Cumulative bugfix for IDA
  • Archive
    • IDA’s Windbg plugin
    • IDA’s Bochs debugger plugin
    • IDA’s Bochs debugger plugin 2
    • DosWin32
    • Hex-Rays v1.1 vs. v1.0 Decompiler Comparison Page
    • Hex-Rays v1.2 vs. v1.1 Decompiler Comparison Page
    • Hex-Rays v1.3 vs. v1.2 Decompiler Comparison Page
    • Hex-Rays v1.6 vs. v1.5 Decompiler Comparison Page
    • Hex-Rays v1.7 vs. v1.6 Decompiler Comparison Page
    • Costly Greetings – An Adventure In Hostile Code Analysis
    • An Adventure In Hostile Code Analysis: Description
    • An Adventure In Hostile Code Analysis: Disassembly
    • Improved code flow analysis
    • Program Navigation Bar
    • IDA Home Contest
    • Pimp My IDA: vote results
    • Turning off IDA 6.x compatibility in IDAPython
    • Porting guide for IDA 7.4 turning off IDA 6.x API backwards-compatibility by default
    • Porting guide for IDA 7.4 IDAPython and Python 3
    • IDAPython and Python 3
    • Porting guide for changes in IDAPython-on-Python-3 APIs
    • Debugging iOS Applications With IDA
    • IDA Win32 to Win32 Debugging
    • IDA Win32 to Win64 Debugging
    • Legacy license server: Floating Licenses
      • Installing on Linux
      • Installing on Windows
      • Installing on OS X
    • Decompiler Installation
    • Enumerated types tutorial
  • Bug Bounty
Powered by GitBook
LogoLogo

Need Help?

  • FAQs
  • Support

Community

  • Forum
  • Plugins

Resources

  • Blog
  • Download center

© 2025 Copyright Hex-Rays

On this page

Was this helpful?

Export as PDF
  1. Archive

Costly Greetings – An Adventure In Hostile Code Analysis

Last updated 1 month ago

Was this helpful?

[analysis by , reviewed by ]

In March 2003, many netizens were spammed by a seemingly innocuous Yahoo! greeting card. The goal of the spammers was simple: empty the wallets of their victims. For us, this incident was a good opportunity to exercise our and some of the proprietary hostile code analysis tools we are currently developing.

Read a

Have a look at the

Ilfak Guilfanov
Pierre Vandevenne
IDA Disassembler
plain text description of this incident.
low-level analysis and the disassemblies.