We’ve covered splitting expressions before, but there may be situations where it can’t be used.
For example, consider the following situation:
The decompiler decided that the function returns a 64-bit integer and allocated a 64-bit stack variable for it. For example, the code may be manipulating a register pair commonly used for 64-bit variables (eax:edx) which triggers […]
When working with a binary in IDA, most of the time you probably use one of the main views: disassembly (IDA View) or decompilation (Pseudocode). If you need to switch between the two, you can use the Tab key – usually it jumps to the same location in the other view. If you […]
When using the decompiler, you probably spend most of the time in the Pseudocode view. In case you need to consult the corresponding disassembly, it’s a quick Tab away. However, if you actually prefer the disassembly, there is another option you can try.
Copy to assembly
This action is available in the pseudocode view’s context menu […]
Previously, we’ve run into a function which produces a cryptic error if you try to decompile it:
In such situations, you need to go back to disassembly to see what could be wrong. More specifically, check the stack frame layout by double-clicking a stack variable or pressing Ctrl–K.
At first glance it looks normal:
However, […]
When you open a decompilable file in IDA, you get this somewhat mysterious item in the Help menu:
And if you invoke it, it shows an even more mysterious dialog:
So, what is it and when is it useful?
Originally this feature was added to the decompiler to make decompiler bug reporting easier: oftentimes, a decompiler issue cannot really […]
We’ve covered the usage of symbolic constants (enums) in the disassembly, but they are also useful in the pseudocode view.
Reusing constants from disassembly
If a number has been converted to a symbolic constant in the disassembly and it is present in unchanged form in pseudocode, the decompiler will use it in the output. For example, […]
This error is not very common but may appear in some situations.
Such errors happen when there is a function call in the code, but the decompiler fails to convert it to a high-level function call, e.g.:
the target function’s prototype is wrong;
the decompiler failed to figure out the function arguments: how many of them, or how […]
The Hex-Rays decompiler has been designed to decompile compiler-generated code, so while it can usually handle hand-written or unusual assembly, occasionally you may run into a failure, especially if the code has been modified to hinder decompilation. Here is one such error:
If you have a genuine function with a huge stack frame, you’ll probably […]
When decompiling code without high-level metadata (especially firmware), you may observe strange-looking address expressions which do not seem to make sense.
What are these, and how can you fix or improve the pseudocode?
Because on the CPU level there is no difference between an address and a simple number, distinguishing addresses and plain numbers is a difficult task which […]