Igor’s tip of the week #76: Quick rename

One of the features added in IDA 7.6 was automatic renaming of variables in the decompiler.  Unlike PIT, it is not limited to stack variables but also handles variables stored in registers and not just calls but also assignments and some other expressions. It also tries to interpret function names which include a verb […]

Igor’s tip of the week #75: Working with unions

In C, union is a type similar to a struct but in which all members (possibly of different types) occupy the same memory, overlapping each other. They are used, for example, when there is a need to interpret the same data in different ways, or to save memory when storing data of different types […]

Igor’s tip of the week #71: Decompile as call

Although the Hex-Rays decompiler was originally written to deal with compiler-generated code, it can still do a decent job with manually written assembly. However, such code may use non-standard instructions or use them in non-standard ways, in which case the decompiler may fail to produce equivalent C code and has to fall back to _asm […]

Igor’s tip of the week #69: Split expression

While using the decompiler, sometimes you may have seen the item named Split expression in the context menu. What does it do and where it can be useful? Let’s look at two examples where it can be applied. Structure field initialization Modern compilers perform many optimizations to speed up code execution. One of them is merging two […]

Igor’s tip of the week #68: Skippable instructions

In compiled code, you can sometimes find instructions which do not directly represent the code written by the programmer but were added by the compiler for its own purposes or due to the requirements of the environment the program is executing in. Skippable instruction kinds Compiled functions usually have  prolog instructions at the start which perform various […]

Igor’s tip of the week #56: String literals in pseudocode

Strings in binaries are very useful for the reverse engineer: they often contain messages shown to the user, or sometimes even internal debugging information (function or variable names) and so having them displayed in the decompiled code is very helpful. However, sometimes you may see named variables in pseudocode even though the disassembly shows the string […]

Igor’s tip of the week #54: Shifted pointers

Previously we briefly mentioned shifted pointers but without details. What are they? Shifted pointers is another custom extension to the C syntax. They are used by IDA and decompiler to represent a pointer to an object with some offset or adjustment (positive or negative). Let’s see how they work and several situations where they can […]

Igor’s tip of the week #51: Custom calling conventions

The Hex-Rays decompiler was originally created to deal with code produced by standard C compilers. In that world, everything is (mostly) nice and orderly: the calling conventions are known and standardized and the arguments are passed to function according to the ABI. However, the real life is not that simple: even in code coming […]