
The decompiler has a configuration file. It is installed into the 'cfg' subdirectory of the IDA installation. The configuration file is named 'hexrays.cfg'. It is a simple text file, which can be edited to your taste. Currently the following keywords are defined:

    Background color of local type declarations. Currently this color is not used.
    Default: default background of the disassembly view
    Background color of local variable declarations. It is specified as a hexadecimal number 0xBBGGRR where BB is the blue component, GG is the green component, and RR is the red component. Color -1 means the default background color (usually white).
    Default: default background of the disassembly view
    Background color of the function body. It is specified the same way as VARDECL_BGCOLOR.
    Default: default background of the disassembly view
    Background color of the function if it is marked as decompiled. It is specified the same way as VARDECL_BGCOLOR.
    Default: very light green
    Number of spaces to use for block indentations.
    Default: 2
    The position to start indented comments.
    Default: 48
    As soon as the line length approaches this value, the decompiler will try to split it. However, in some cases the line may be longer.
    Default: 120
    In order to keep the expressions relatively simple, the decompiler limits the number of comma operators in an expression. If there are too many of them, the decompiler will add a goto statement and replace the expression with a block statement. For example, instead of
      if ( cond || (x=*p,y=func(),x+y>0) )
    we may end up with:
      if ( cond )
        goto LABEL;
      x = *p;
      y = func();
      if ( x + y > 0 )

    Default: 8
    Specifies the default radix for numeric constants. Possible values: 0, 10, 16. Zero means "decimal for signed, hex for unsigned".
    Default: 0
    Specifies the maximal decompilable function size, in KBs. Only reachable basic blocks are taken into consideration.
    Default: 64
    Combination of various analysis and display options:

      If enabled, the decompiler will handle out-of-function jumps by generating a call to the JUMPOUT() function. If disabled, such functions will not be decompiled.
      Default: enabled
      If enabled, the decompiler will display cast operators in the output listing.
      Default: enabled
      If enabled, the decompiler will hide unordered floating point comparisons. If this option is turned off, unordered comparisons will be displayed as calls to a helper function: __UNORDERED__(a, b)
      Default: enabled
      If enabled, the decompiler will generate intrinsic functions for SSE instructions that use XMM/MMX registers. If this option is turned off, these instructions will be displayed using inline assembly.
      Default: enabled
      If enabled, the decompiler will produce output even if the local variable allocation has failed. In this case the output may be wrong and will contain some overlapped variables.
      Default: enabled
      If enabled, fast structural analysis will be used. It generates fewer nested if-statements but may occasionally produce some unnecessary gotos. It is much faster on huge functions.
      Only print string literals if they reside in read-only memory (e.g. .rodata segment). When off, all strings are printed as literals. You can override decompiler's decision by adding 'const' or 'volatile' to the string variable's type declaration.
      Convert signed comparisons of unsigned variables with zero into bit checks. For example,
      (signed int)x < 0
      is converted to
      (x & 0x80000000) != 0
      Reverse effects of branch tail optimizations: reduce number of gotos by duplicating code
      Keep curly braces for single-statement blocks
      Optimize away address comparisons. For example,
      &a < &b
      will be replaced by 0 or 1.
      This optimization works only for non-relocatable files.
      Print casts from string literals to pointers to char/uchar. For example:
      (unsigned __int8 *)"Hello"
      Pressing Esc closes the pseudocode view

    Specifies the warning messages that should be displayed after decompilation. Please refer to hexrays.cfg file for the details.
    Default: all warnings are on
    Specifies the list of function names that are considered "strcmp-like". For them the decompiler will prefer to use a comparison against zero like
    strcmp(a, b) == 0
    as a condition. Underscores, j_ prefixes and _NN suffixes will be ignored when comparing function names.
  • MSVC Control Flow Guard names

      Name of Control Flow Guard check function. Calls of this function will not be included into the pseudocode.
      Default: "guard_check_icall_fptr"
      Name of Control Flow Guard dispatch function. Each call of this function will be replaced by 'call rax' instruction when generating pseudocode.
      Default: "guard_dispatch_icall_fptr"
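
The 0xBBGGRR encoding used by the background color keywords above puts blue in the high byte, the reverse of the usual #RRGGBB notation. The following is an added example, not part of the Hex-Rays documentation: the function names are hypothetical and the sample colors are constructed. It converts between the two notations and treats -1 as the default color.

```python
import string

DEFAULT_COLOR = -1  # per the text above: -1 selects the default background


def rgb_to_cfg(rgb: str) -> str:
    """Convert '#RRGGBB' into the '0xBBGGRR' text expected in hexrays.cfg."""
    digits = rgb.lstrip("#")
    if len(digits) != 6 or any(c not in string.hexdigits for c in digits):
        raise ValueError("expected #RRGGBB, got %r" % rgb)
    value = int(digits, 16)
    r, g, b = (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF
    # Swap the red and blue bytes: the config format stores blue first.
    return "0x{:02X}{:02X}{:02X}".format(b, g, r)


def cfg_to_rgb(text: str):
    """Parse a config color ('0xBBGGRR' or '-1').

    Returns '#RRGGBB', or None when the value selects the default color.
    """
    value = int(text.strip(), 0)  # base 0 accepts both '0x...' and '-1'
    if value == DEFAULT_COLOR:
        return None
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("color out of range: %r" % text)
    b, g, r = (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF
    return "#{:02X}{:02X}{:02X}".format(r, g, b)


if __name__ == "__main__":
    # Constructed sample values: pure red, a light green, and the default.
    for sample in ("#FF0000", "#E0FFE0"):
        print(sample, "->", rgb_to_cfg(sample))
    for sample in ("0xFF0000", "-1"):
        print(sample, "->", cfg_to_rgb(sample))
```

A value copied straight from an #RRGGBB color picker only looks right when its red and blue components happen to be equal.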