Igor’s Tip of the Week #177: Unused argument attribute

In one of the past tips we mentioned the __unused attribute which can be applied to function arguments. When can it be useful?  Let’s consider this code from Apple’s dyld: v19 is passed as fist argument to dyld4::ProcessConfig::PathOverrides::setString(). Since its name looks like a class method, the decompiler assigned the class type to the first argument […]

Igor’s Tip of the Week #166: Dealing with “too big function”

Occasionally you may run into the following error message: To ensure that the decompilation speed remains acceptable and does not block IDA, especially when using batch decompilation, by default the decompiler refuses to decompile the functions over 64 kilobytes (0x10000 bytes). But here we have function which is 3x as large: In such case you can manually […]

Igor’s Tip of the Week #164: Where’s my code? The case of missing function arguments

Let’s consider this snippet from decompilation of an x86 Windows binary: The same function is called twice with the same argument and the last one doesn’t seem to use the result of the GetComputerNameExW call. By switching to disassembly, we can see that eax is initialized before each call with a string address: However the decompiler does not […]

Igor’s Tip of the Week #160: Hiding casts in the decompiler

In order to faithfully represent the behavior of the code and to conform to the rules of the C language, the decompiler may need to add casts in the pseudocode. A few examples: a variable has been detected to be unsigned but participates in a signed comparison: An argument being passed to a function does not match […]

Igor’s Tip of the Week #159: Where’s my code? The case of not-so-constant data

In order to show the user only the most relevant code and hide the unnecessary clutter, the decompiler performs various optimizations before displaying the pseudocode. Some of these optimizations rely on various assumptions which are usually correct in well-behaved programs. However, in some situations they may be incorrect which may lead to wrong output, so […]

Igor’s Tip of the Week #158: Refreshing pseudocode

When working with the decompiler, you probably spend most of the time in the pseudocode view, since most interactive operations (e.g. renaming, retyping and commenting) can be done right there. IDA is usually smart enough to detect important changes during such actions and update the pseudocode as necessary. However, occasionally you may perform actions […]