While working with decompiled code and retyping variables (or sometimes when they get typed by the decompiler automatically), you might be puzzled by the discrepancies between pseudocode and disassembly.
Consider the following example:
We see that X22
is accessed with offset 0x10 (16) in the disassembly but 2 in the pseudocode. Is there a bug in the decompiler?
In fact, there is no bug. The difference is explained by the C/C++pointer/array referencing rules: the array indexing or integer addition operation advances the pointer value by the value of index multiplied by the element size. In this case, the type of v4
is _QWORD*
, which means that elements are _QWORD
s (64-bit or 8-byte integers). Thus, 2*8=16(0x10), which matches the assembly code.
To confirm what’s really going on, you can do “Reset pointer type” on the variable so that it reverts to the generic integer variable and the decompiler is forced to use raw byte offsets:
See also:
Igor’s Tip of the Week #117: Reset pointer type
Igor’s tip of the week #42: Renaming and retyping in the decompiler
Igor’s Tip of the Week #118: Structure creation in the decompiler