Sometimes in pseudocode you may encounter strange-looking code:
The code seems to dereference an array called MEMORY and is highlighted in red. However, this variable is not defined anywhere. What is it?
Such notation is used by the decompiler when the code accesses memory addresses not present in the database. In most cases it indicates an error in the original source code. If we look at the disassembly for the example above, we’ll see this:
pfont is loaded into the register edx, which is then compared against zero using a test edx, edx/jz sequence. The jump to loc_4060D3 can only occur if edx is zero, which means that the mov eax, [edx+10h] instruction will try to dereference the address 0x10. Because the database does not contain the address 0x10, it can’t be represented as a normal or a dummy variable, so the decompiler represents it as a pseudo-variable MEMORY and uses the address as the index. The dereference is shown in red to draw attention to the potential error in the code. For example, judging by the assembly, in this binary the programmer tried reading a structure pointer even if it is NULL. A more modern compiler would probably even remove such code, as dereferencing a NULL pointer is undefined behavior.
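The reasoning above can be reproduced mechanically. The following is an added example, not code from the original article or from the decompiler: a small Python pass over a constructed listing that finds reads through a register known to be zero on the jz branch. The listing lines other than pfont, edx, loc_4060D3 and the +10h offset, and the function name null_path_derefs, are assumptions made for illustration.

```python
import re

# Constructed listing mirroring the pattern described above. Only pfont, edx,
# loc_4060D3 and the +10h offset come from the page; the rest is made up.
LISTING = """
mov     edx, [ebp+pfont]
test    edx, edx
jz      short loc_4060D3
mov     eax, [edx+4]
jmp     short loc_4060E0
loc_4060D3:
mov     eax, [edx+10h]
loc_4060E0:
retn
"""

# [reg+disp] operand; IDA-style hex displacements carry an 'h' suffix.
MEM = re.compile(r"\[(\w+)\+([0-9][0-9A-Fa-f]*)(h?)\]")

def null_path_derefs(listing):
    """Return (instruction, absolute address) for reads through a register
    that is known to be zero because a 'test r, r / jz' branch was taken."""
    lines = [l.strip() for l in listing.splitlines() if l.strip()]
    labels = {l[:-1]: i for i, l in enumerate(lines) if l.endswith(":")}
    findings = []
    for i, line in enumerate(lines[:-1]):
        t = re.fullmatch(r"test\s+(\w+),\s*(\w+)", line)
        j = re.fullmatch(r"jz\s+(?:short\s+)?(\w+)", lines[i + 1])
        if not (t and j) or t.group(1) != t.group(2) or j.group(1) not in labels:
            continue
        reg = t.group(1)
        # Follow the zero branch linearly until reg is overwritten or flow leaves.
        for ins in lines[labels[j.group(1)] + 1:]:
            if ins.endswith(":"):
                continue
            mnem, _, ops = ins.partition(" ")
            for base, digits, hexsuffix in MEM.findall(ops):
                # reg == 0 here, so the address is just the displacement;
                # lea only computes an address and does not read memory.
                if base == reg and mnem != "lea":
                    findings.append((ins, int(digits, 16 if hexsuffix else 10)))
            if mnem in ("jmp", "ret", "retn") or ops.split(",")[0].strip() == reg:
                break
    return findings

if __name__ == "__main__":
    for ins, addr in null_path_derefs(LISTING):
        print(f"{ins!r} reads MEMORY[{addr:#x}] on the NULL path")
```

The pass is deliberately linear and ignores conditional branches inside the zero path, so it is a teaching aid for reading such listings rather than a replacement for the decompiler's own data-flow analysis.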
In cases where such access is not an error (for example, the code directly accesses memory-mapped hardware registers), creating a new segment for the accessed address range is usually the correct approach.