State-of-the-art binary code analysis tools

In some cases the decompiler cannot produce nice output because the variable allocation fails. It happens because the input contains overlapped variables (or the decompiler mistakenly lumps together memory reads and writes). Overlapped variables are displayed in red so they conspicuously visible. Let us consider some typical situations.

  • There are read/write accesses that involve two or more variables

    For example, consider the following output:
    __int64 v1; // qax@2 OVERLAPPED int v2; // ecx@2 OVERLAPPED __int64 result; // qax@4 if ( *(_BYTE *)(a1 + 5) & 1 ) { HIDWORD(v1) = *(_DWORD *)(a1 + 7); v2 = *(_DWORD *)(a1 + 11); } else { HIDWORD(v1) = 0; v2 = 0; } v1 = *(__int64 *)((char *)&v1 + 4); // ODD ASSIGNMENT!
    The last assignment to v1 reads beyond v1 boundaries. In fact, it also reads v2. See the assembly code:
    test byte ptr [eax+5], 1 jz short loc_409521 mov edx, [eax+7] mov ecx, [eax+0Bh] jmp short loc_409525 loc_409521: xor edx, edx xor ecx, ecx loc_409525: mov eax, edx mov edx, ecx
    Unfortunately the decompiler cannot handle this case and reports overlapped variables.
  • There is an array function argument

    Arrays cannot be passed to functions by value, so this will lead to a warning. Just get rid of such an array (embed it into a structure type, for example)
  • There are too many function arguments

    The decompiler can handle up to 64 function arguments. It is very unlikely to encounter a function with a bigger number of arguments. If so, just embed some of them into a structure passed by value.
The corrective actions include:
  • Check the stack variables and fix them if necessary. A wrongly variable can easily lead to a lvar allocation failure.
  • Define a big structure that covers the entire stack frame or part of it. Such a big variable will essentially turn off variables lumping (if you are familiar with compiler jargon, the decompiler builds a web of lvars during lvar allocation and some web elements become too big, this is why variable allocation fails). Instead, all references will be done using the structure fields.
  • Check the function argument area of the stack frame and fix any wrong variables. For example, this area should not containt any arrays (arrays cannot be passed by value in C). It is ok to pass structures by value, the decompiler accepts it.