Hex-Rays' blog

Unveiling IDA Pro 9.0: C++ Exceptions Support in the Decompiler

Written by Alex Petrov | Sep 4, 2024

One of the more challenging parts of reverse engineering programs written in C++ is the accurate extraction of exception information. Due to the complexity of the language’s features and runtime behavior, recovering the missing information currently requires a lot of manual work and considerable effort.

However, with the release of IDA Pro 9.0, a significant advancement has been introduced to tackle this issue: the decompiler now supports the emission of try/catch blocks, starting with the C++ exception scheme for x64 binaries compiled with the Microsoft Visual C++ compiler.

IDA Pro 9.0 provides more accurate decompilation by presenting exception-handling structures as they appear in the source code. This helps reverse engineers better understand how the program handles exceptions and error states, reducing the manual reconstruction time of such code paths.

The introduction of high-level try/catch blocks greatly enhances the readability of decompiled code. Instead of creating separate functions for exception handlers and thus splitting off important information from the decompiled code, users can now see the intended error-handling code in a familiar C++ form, making the code easier to comprehend and analyze. The image below shows the difference between decompiling a function with and without the support of try/catch blocks. It nicely illustrates how the error-handling code hidden earlier is now part of try/catch constructs.

This can be especially helpful in more complex scenarios, where the creator of a binary relied on exception handling to obfuscate code and make analysis tedious and difficult. The ability to decode and visualize such code structures provides a powerful tool for malware analysts trying to unravel complex and obfuscated control flows.

Whether performing vulnerability research, malware analysis, or software auditing, the option to accurately reflect exception-handling mechanisms in decompiled output will undoubtedly save time and effort while offering a more complete understanding of the code at hand. 

This enhancement, introduced with the September 30th release of IDA Pro 9.0, sets the stage for even more sophisticated decompilation features in the future as IDA Pro continues to evolve alongside the complexity of modern software development.