Although the Hex-Rays decompiler was originally written to deal with compiler-generated code, it can still do a decent job with manually written assembly. However, such code may use non-standard instructions or use them in non-standard ways, in which case the decompiler may fail to produce equivalent C code and has to fall back to _asm […]
While using the decompiler, sometimes you may have seen the item named Split expression in the context menu. What does it do and where can it be useful? Let’s look at two examples where it can be applied.
Structure field initialization
Modern compilers perform many optimizations to speed up code execution. One of them is merging two […]
In compiled code, you can sometimes find instructions which do not directly represent the code written by the programmer but were added by the compiler for its own purposes or due to the requirements of the environment the program is executing in.
Skippable instruction kinds
Compiled functions usually have prolog instructions at the start which perform various […]
We’ve already described custom types used in the decompiled code, but you may also encounter some unusual keywords resembling function calls. They are used by the decompiler to represent operations which it was unable to map to nice C code, or just to make the output more compact. They are listed in the defs.h […]
When working with pseudocode in the decompiler, you may have noticed that variable declarations and hints have comments with somewhat cryptic contents. What do they mean?
While the meaning of some may be obvious, others are less so, and a few appear only in rare situations.
Variable location
The first part of the comment is the variable location. For stack […]
Strings in binaries are very useful for the reverse engineer: they often contain messages shown to the user, or sometimes even internal debugging information (function or variable names), so having them displayed in the decompiled code is very helpful.
However, sometimes you may see named variables in pseudocode even though the disassembly shows the string […]
Previously we briefly mentioned shifted pointers but without details. What are they?
Shifted pointers are another custom extension to the C syntax. They are used by IDA and the decompiler to represent a pointer to an object with some offset or adjustment (positive or negative). Let’s see how they work and several situations where they can […]
Hints (aka tooltips) are popup windows with text which appear when you hover the mouse cursor over a particular item in IDA. They are available in many situations.
In one of the previous posts, we’ve discussed how to edit types of functions and variables used in the pseudocode. In most cases, you can use the standard C types: char, int, long and so on. However, there may be situations where you need a more specific type. The decompiler may also generate such types […]