The decompiler adds the following commands to the menus:
- View, Open subviews, Pseudocode
- Jump, Jump to pseudocode
- File, Produce file, Create C file
- Edit, Comment, Add pseudocode comments
- Edit, Comment, Delete pseudocode comments
- Edit, Other, Toggle skippable instructions
- Edit, Other, Reset decompiler information
- Edit, Other, Decompile as call
- Help, Send database
- Help, Extract function
This command decompiles the current function. If the decompilation is successful, it opens a new window titled "Pseudocode" and places the generated C text in this window.The following commands can be used in the pseudocode window:
If the current item is a local variable, additional items may appear in the context menu:
- Set type
- Set number representation
- Edit indented comment
- Edit block comment
- Hide/unhide statements
- Split/unsplit expression
- Force call type
- Set call type
- Add/del variadic arguments
- Del function argument
- Add/delete function return type
- Jump to cross reference
- Jump to cross reference globally
- Generate HTML file
- Mark/unmark as decompiled
- Copy to assembly
- Show/hide casts
If the current item is a union field, an additional item may appear in the context menu:
- Reset pointer type
- Convert to struct *
- Create new struct type
- Map to another variable
- Unmap variable(s)
- Split variable
- Unsplit variable
This command toggles between the disassembly view and pseudocode view. If there is no pseudocode window, a new window will be created. Pressing Tab while staying in the pseudocode window will switch to the disassembly window. The Tab key can be used to toggle pseudocode and disassembly views. See above the Open pseudocode command for more details.
This command decompiles the selected functions or the whole application. It will ask for the name of the output .c file. If there is a selected area in the disassembly view, only the selected functions will be decompiled. Otherwise, the whole application will be decompiled. When the whole application is decompiled, the following rules apply:
- the order of decompilation is determined by the decompiler. It will start with the leaf functions and will proceed in the postnumbering order in the call graph. This order makes sure that when we decompile a function, we will have all information about the called functions. Obviously, for recursive functions some information will be still missing.
- the library (light blue) functions will not be decompiled. By the way, this is a handy feature to exclude functions from the output.
- A decompilation failure will not stop the analysis but the internal errors will. The decompiler generates #error directives for failed functions.
This command decompiles the current function and copies the pseudocode to the disassembly listing in the form of anterior comments. If the current function already has a pseudocode window, its contents are used instead of decompiling the function anew. This menu item performs exactly the same actions as the Copy to assembly command.
This command deletes all anterior comments created by the previous command. Its name is a slight misnomer because it does not verify the comment origin. In fact, all anterior comments within the current function are deleted.
This command marks/unmarks instructions to be skipped by the decompiler. It is useful if some prolog/epilog instructions were missed by IDA. If such instructions were not detected and marked, the decompilation may fail (most frequently the call analysis will fail). The decompiler skips the prolog, epilog, and switch instructions. It relies on IDA to mark these instructions. Sometimes IDA fails to mark them, and this command can be used to correct the situation. If the command is applied to marked instructions, it will unmark them. By default, the skipped instructions are not visualized. To make them visible, edit the IDA.CFG file and uncomment the following lines:PROLOG_COLOR = 0xE0E0E0 // grey EPILOG_COLOR = 0xE0FFE0 // light green SWITCH_COLOR = 0xE0E0FF // pink
This command deletes decompiler information. It can delete information about global objects (functions, static data, structure/enum types) and/or information local to the current function. Use this command if you inadvertently made some change that made decompilation impossible. It can also be used to reset other information types used by the decompiler. For example, the forced variadic arguments or split expression can be reset.
This commands configures a function call the current instruction should be replaced by in the pseudocode output. Special names can be used to access operands of the current instructions: __OP1, __OP2, ... for first, second, etc. operands. Each function argument having a name like that will be replaced in the call by the value of the corresponding operand of the instruction. Also if the function name has this format, a call to the location pointed by the corresponding operand will be generated. Other arguments and the return value will be placed into locations derived from the function prototype according to the current compiler, calling convention, argument and return types. You can use IDA-specific __usercall calling convention to specify arbitrary locations independently of platform and argument/return types (read IDA help pages about the user defined calling conventions for more info). Examples
- We could ask to replace the following instruction:
out 2b, axby specifying the following prototype:
void OUT(unsigned int8 __OP1, int16 __OP2)which would lead to the following decompiler output:
OUT(0x2b, v1);where v1 is mapped to ax.
- The following prototype:
int __usercall syscall@<R0>(int code@<R12>, void *a1@<R0>, void *a2@<R1>)applied to the second instruction in the following piece of code:
mov r12, #0x148
svc 0x80will generate the following pseudocode:
v3 = syscall(328, v1, v2);where v1, v2, v3 are mapped to R0, R1, R2 respectively
This command packs and sends the current database to our server. The user can specify his/her email and add notes about the error. This is the preferred way of filing bugreports because it is virtually impossible to do anything without a database. The database will also contain the internal state of the decompiler, which is necessary to reproduce the bug. The database is sent in the compressed form to save the bandwidth. An encrypted connection (SSL) is used for the transfer.
This command deletes all code and data from the current idb extract the current function. It can be used to reduce the database size before sending a bug report. Please note that deleting information from the database may make the bug irreproducible, so please verify it after applying this command.