When you need to change the prototype of a function in the decompiler, the standard way is to use the “Set item type…” action (shortcut Y).
One case where you may need to do it is to add or remove arguments. Especially in embedded code or when decompiling variadic functions, the decompiler may deduce the argument […]
We’ve covered splitting expressions before, but there may be situations where it can’t be used.
For example, consider the following situation:
The decompiler decided that the function returns a 64-bit integer and allocated a 64-bit stack variable for it. For example, the code may be manipulating a register pair commonly used for 64-bit variables (eax:edx) which triggers […]
When working with a binary in IDA, most of the time you probably use one of the main views: disassembly (IDA View) or decompilation (Pseudocode). If you need to switch between the two, you can use the Tab key – usually it jumps to the same location in the other view. If you […]
When using the decompiler, you probably spend most of the time in the Pseudocode view. In case you need to consult the corresponding disassembly, it’s a quick Tab away. However, if you actually prefer the disassembly, there is another option you can try.
Copy to assembly
This action is available in the pseudocode view’s context menu […]
Previously, we’ve run into a function which produces a cryptic error if you try to decompile it:
In such situations, you need to go back to disassembly to see what could be wrong. More specifically, check the stack frame layout by double-clicking a stack variable or pressing Ctrl-K.
At first glance it looks normal:
However, […]
We’ve covered the usage of symbolic constants (enums) in the disassembly, but they are also useful in the pseudocode view.
Reusing constants from disassembly
If a number has been converted to a symbolic constant in the disassembly and it is present in unchanged form in pseudocode, the decompiler will use it in the output. For example, […]
This error is not very common but may appear in some situations.
Such errors happen when there is a function call in the code, but the decompiler fails to convert it to a high-level function call, e.g.:
the target function’s prototype is wrong;
the decompiler failed to figure out the function arguments: how many of them, or how […]
The Hex-Rays decompiler has been designed to decompile compiler-generated code, so while it can usually handle hand-written or unusual assembly, occasionally you may run into a failure, especially if the code has been modified to hinder decompilation. Here is one such error:
If you have a genuine function with a huge stack frame, you’ll probably […]
When decompiling code without high-level metadata (especially firmware), you may observe strange-looking address expressions which do not seem to make sense.
What are these, and how can you fix or improve the pseudocode?
Because on the CPU level there is no difference between an address and a simple number, distinguishing addresses and plain numbers is a difficult task which […]