Igor’s Tip of the Week #141: Parsing C files

Previosuly, we’ve covered creating structures from C code using the Local Types window, however this may be not very convenient when you have complex types with many dependencies (especially of scattered over several fiels or depending on preprocessor defines). In such case it may be nore convenient to parse the original header file(s) on […]

Igor’s Tip of the Week #138: Pointer math in the decompiler

While working with decompiled code and retyping variables (or sometimes when they get typed by the decompiler automatically), you might be puzzled by the discrepancies between pseudocode and disassembly. Consider the following example: We see that X22 is accessed with offset 0x10 (16) in the disassembly but 2 in the pseudocode. Is there a bug in the […]

Igor’s Tip of the Week #120: Set call type

Previously we’ve described how to use available type info to make decompilation of calls more precise when you have type information, but there may be situations where you don’t have it or the existing type info does not quite match the actual call arguments, and you still want to adjust the decompiler’s guess. One common […]

Igor’s Tip of the Week #119: Force call type

When dealing with compile binary code, the decompiler lacks information present in the source code, such as function prototypes and so must guess it or rely on the information provided by the user (where its interactive features come handy). One especially tricky situation is indirect calls: without exact information about the destination of the call, the […]

Igor’s Tip of the Week #117: Reset pointer type

While currently (as of version 8.1) the Hex-Rays decompiler does not try to perform full type recovery, it does try to deduce some types based on operations done on the variables, or using the type information for the API calls from type libraries. One simple type deduction performed by the decompiler is creation of typed […]

Igor’s tip of the week #108: Raw memory accesses in pseudocode

Sometimes in pseudocode you may encounter strange-looking code: The code seems to dereference an array calledMEMORY and is highlighted in red. However, this variable is not defined anywhere. What is it? Such notation is used by the decompiler when the code accesses memory addresses not present in the database. In most cases it indicates an error in […]

Igor’s tip of the week #107: Multiple return values

The Hex-Rays decompiler was initially created to decompile C code, so its pseudocode output uses (mostly) C syntax. However, the input binaries may be compiled using other languages: C++, Pascal, Basic, ADA, and many others. While the code of most of them can be represented in C without real issues, some have peculiarities which require […]

Igor’s tip of the week #106: Outlined functions

The release notes for IDA 8.0 mention outlined functions. What are those and how to deal with them in IDA? Function outlining is an optimization that saves code size by identifying recurring sequences of machine code and replacing each instance of the sequence with a call to a new function that contains the identified sequence […]