Last week we started improving decompilation of a simple function. While you can go quite far with renaming and retyping, some things need more explanation than a simple renamng could provide.
Comments
When you can’t come up with a good name for a variable or a function, you can add a comment with an explanation or […]
Previously we’ve covered how to start using the decompiler, but unmodified decompiler output is not always easy to read, especially if the binary doesn’t have symbols or debug information. However, with just a few small amendments you can improve the results substantially. Let’s look at some basic interactive operations available in the pseudocode view.
Renaming
Although […]
The Hex-Rays decompiler is one of the most powerful add-ons available for IDA. While it’s quite intuitive once you get used to it, it may be non-obvious how to start using it.
Basic information
As of the time of writing (May 2021), the decompiler is not included with the standard IDA Pro license; some editions of IDA […]
Previously we’ve covered cross-references in the disassembly view but in fact you can also consult them in the decompiler (pseudocode) view.
Local cross-references
The most common shortcut (X) works similarly to disassembly: you can use it on labels, variables (local and global), function names, but there are some differences and additions:
for local variables, the list of […]
We’ve briefly covered batch mode last time but the basic functionality is not always enough so let’s discuss how to customize it.
Basic usage
To recap, batch mode can be invoked with this command line:
ida -B -Lida.log <other switches> <filename>
IDA will load the file, wait for the end of analysis, and write the full disassembly to […]
It is not a surprise to hear the IDA and Decompiler cannot handle all possible cases and eventually fail to recognize a construct, optimize an expression and represent it in its simplest form. It is perfectly understandable — nobody has resources to handle everything. This is why we publish a rich API that can be […]
Intended audience
IDA 7.2 users, who have experience with IDAPython and/or the decompiler.
The problem
As you may already know, the decompilers allow not only decompiling the current function (shortcut F5) but also all the functions in the database (shortcut Ctrl+F5).A somewhat less-well known feature of the “multiple” decompilation, is that if a range is selected (for example […]
We posted an addendum to the release notes for IDA 7.2: The Mac Rundown.
It dives much deeper into the Mac-specific features introduced in 7.2, and should be great reference material for users interested in reversing the latest Apple binaries. It’s packed full of hints, tricks, and workarounds.
We hope you will find it quite useful!
[…]
This is a guest entry written by Rolf Rolles from Mobius
Strip
Reverse
Engineering.
His views and opinions are his own, and not those of
Hex-Rays. Any technical or maintenance issues regarding the code herein should […]
A few days ago a customer sent us a sample file. The code he sent us was using a very simple technique to obfuscate string constants by building them on the fly and using ‘xor’ to hide the string contents from static disassembly:
The decompiler recovered most of the xor’ed values but some of them […]