Hex-Rays' blog

Igor’s tip of the week #35: Demangled names – Hex Rays

Written by Igor Skochinsky | Apr 15, 2021

Name mangling (also called name decoration) is a technique used by compilers to implement some of the features required by the language. For example, in C++ it is used to distinguish functions with the same name but different arguments (function overloading), as well as to support namespaces, templates, and other purposes.

Mangled names often end up in the final binary and, depending on the compiler, may be non-trivial to understand for a human (a simple example: “operator new” could be encoded as  ??2@YAPAXI@Z or _Znwm). While these cryptic strings can be decoded by a compiler-provided utility such as undname (MSVC) or c++filt (GCC/Clang), it’s much better if the disassembler does it for you (especially if you don’t have the compiler installed). This process of decoding back to a human-readable form is called demangling. IDA has out-of-box support for demangling names for the following compilers and languages:

  • Microsoft (Visual C++)
  • Borland (C++, Pascal, C++ Builder, Delphi)
  • Watcom (C++)
  • Visual Age (C++)
  • DMD (D language)
  • GNU mangling (GCC, Clang, some commercial compilers)
  • Swift

You do not need to pick the compiler manually; IDA will detect it from the name format and apply the corresponding demangler automatically.

Demangled name options

By default, IDA uses a comment to show the result of demangling, meaning that every time a mangled name is used, IDA will print a comment with the result of demangling. For example, ?FromHandle@CGdiObject@@SGPAV1@PAX@Z demangles to CGdiObject::FromHandle(void *), which is printed as a comment:

If you prefer, you can show the demangled result in place of the mangled name instead of just a comment. This can be done in the Options > Demangled names… dialog:

Short and long names

The buttons “Setup short names” and “Setup long names” allow you to modify the behavior of the built-in demangler in two common situations. The “short” names are used in contexts where space is at premium: references in disassembly, lists of functions and so on. “Long” names are used in other situations, for example when printing a comment at the start of the function. By using the additional options dialog, you can select what parts of the demangled name to show, hide, or shorten to make it either more compact or more verbose.

Name simplification

Some deceptively simple-looking names may end up very complicated after compilation, especially when templates are involved. For example, a simple std::string from STL actually expands to 

std::basic_string<char,std::char_traits<char>,std::allocator<char>>

To ensure interoperability, the compiler has to preserve these details in the mangled name, so they reappear on demangling; however, such implementation details are usually not interesting to a human reader who would prefer to see a simple std::string again. This is why IDA implements name simplification as a post-processing step. Using the rules in the file cfg/goodname.cfg, IDA applies them to transform a name like 

std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > & __thiscall std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >::erase(unsigned int,unsigned int)

into 

std::string & std::string::erase(unsigned int,unsigned int)

which is much easier to read and understand.

IDA ships with rules for most standard STL classes but you can add custom ones too. Read the comments inside goodname.cfg for the description of how to do it.

 

More info: Demangled names in IDA Help.