State-of-the-art binary code analysis tools

Let's start with a very short and simple function:

We decompile it with View, Open subviews, Pseudocode (hotkey F5):

While the generated C code makes sense, it is not pretty: cast operations clutter the text. The reason is that the decompiler does not yet perform full type recovery. Apparently the a1 argument points to a structure, but the decompiler missed it and treats it as an untyped pointer. Let us add some type information to the database and see what happens. For that we open the Structure window (Shift-F9) and add a new structure type:

After that, we switch back to the pseudocode window and specify the type of a1. We can do it by positioning the cursor on any occurrence of a1 and pressing Y (Set type), then entering a pointer to the new structure:

When we press Enter, the decompilation output becomes much better:

There is still room for improvement. We can rename the structure fields and specify their types. For example, field_6B1 seems to be used as a counter and field_6B5 is clearly a function pointer. All of this can be done from the pseudocode window without switching windows; only the initial structure definition required the Structure window¹. Here is how we specify the type of the function pointer field:

The final result looks like this:

Note that no cast operations are left in the text, and overall the output reads much better than the initial version. Keep in mind that the decompiler trusts the types you supply: a wrong field size or offset silently attributes memory accesses to the wrong field, so the structure layout should be checked against the offsets seen in the untyped output.
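As an added example that is not part of the original tutorial, the following C header fragment shows the alternative route mentioned in the footnote: instead of building the structure by hand in the Structure window, a definition like this can be loaded with File, Load file, Parse C header file. The offsets 0x6B1 and 0x6B5 are the ones the decompiler produced as field_6B1 and field_6B5; the structure name ctx_t, the field names, the field sizes and the callback signature are assumptions for illustration only. The offsetof checks and the sample dispatch function are there to verify the layout on the host compiler before trusting it in the database.

```c
/* Added example, not from the original tutorial or from Hex-Rays.
 * Offsets 0x6B1 and 0x6B5 come from the decompiler's field_6B1 and
 * field_6B5; struct name, field names, field sizes and the callback
 * signature are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>

#pragma pack(push, 1)               /* no compiler-inserted padding */
typedef struct ctx ctx_t;
typedef int (*handler_t)(ctx_t *ctx);

struct ctx {
    uint8_t   gap_0[0x6B1];         /* bytes not touched by this function */
    uint32_t  counter;              /* was field_6B1 */
    handler_t handler;              /* was field_6B5 */
};
#pragma pack(pop)

/* Layout checks: these must equal the decompiler's offsets, otherwise
 * the typed pseudocode would attribute accesses to the wrong field. */
size_t counter_offset(void) { return offsetof(ctx_t, counter); }
size_t handler_offset(void) { return offsetof(ctx_t, handler); }

/* With a1 typed as ctx_t *, accesses like these decompile without casts. */
int bump_and_dispatch(ctx_t *a1)
{
    a1->counter++;
    if (a1->handler == NULL)
        return -1;
    return a1->handler(a1);
}

/* Constructed sample handler used only to exercise the code above. */
static int sample_handler(ctx_t *ctx) { return (int)ctx->counter; }

/* Builds a constructed instance, runs the dispatch once and returns
 * what the handler returned (the counter after one increment). */
int run_sample(void)
{
    ctx_t c = {0};                  /* zero-initialised sample object */
    c.handler = sample_handler;
    return bump_and_dispatch(&c);   /* counter becomes 1, handler returns 1 */
}
```

Once the header is parsed, the type entered in the Y dialog for a1 is simply `ctx_t *`. The `#pragma pack(1)` is what keeps the offsets exact; without it the compiler, and IDA's parser, may insert alignment padding before the counter and the function pointer.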

1. This is not completely true. In fact, we could enter the full structure definition in the type dialog box, but that is awkward because the input field consists of a single line. We could also define new types with the File, Load file, Parse C header file command.