Hex blog

Some functions are neater than the decompiler thinks

Wed, 09 Apr 2008 22:22:07 +0100

The decompiler makes some assumptions about the input code. Like that call instructions usually return, the memory model is flat, the function frame is set properly, etc. When these assumptions are correct, the output is good. When they are wrong, well, the output does not correspond to the input. Take, for example, the following snippet:

The decompiler produces the following pseudocode:

Apparently, the v3 variable (it corresponds to edx) is not initialized at all. Why?

Symbian debugger

Tue, 08 Apr 2008 19:02:06 +0100

It works! There are lots of limitations but it is alive, handles breakpoints, exceptions, and even some limited tracing is available. It is possible to launch processes and attach to them. Here is just one screenshot:

Expect many limitations in the first version (no hardware bpts, limited multithread support, etc). One of the most annoying shortcomings is that the memory layout is not determined automatically - we had to introduce 'manual memory regions' window to overcome this.

Since it is a new beast and many aspects need polishing, beta testers are welcome!

Symbian AppTRK

Sat, 29 Mar 2008 02:06:06 +0100

Things are quite easy with the Symbian TRK! Today I decided to write a small program to interact with it and everything worked extremely smoothly. My driver program can download a SIS file to the phone, automatically install and run it. It reacts to debugging events and gracefully closes the connection when the application terminates. Below are just a few pictures for the curious.

Hello Symbian!

Wed, 26 Mar 2008 11:30:21 +0100

Yesterday I created my first Symbian program :) Sure enough, it was a "hello world" and to tell the truth I did not write it myself. But it still took me 3 (three) hours to get it running on Nokia E51. The good side is that I learned a lot about possible failures with Symbian applications (there are quite many of them, some of them with cryptic error messages like "install failed").

New Hex-Rays Demo

Wed, 12 Mar 2008 18:36:55 +0100

This has been online for a while now, I just had no time to announce it properly: a new thorough demo of the decompiler by ccso.com, our US distributor:

This demo is not just a teaser like the previous one. It is much deeper and shows many decompiler aspects in detail: it starts with the plugin configuration, shows a couple of simple decompilation cases, and then moves on to more complex functions. If you wondered how to improve the resulting pseudocode and handle typical cases, this video is for you!

Pythonic way

Fri, 07 Mar 2008 00:22:10 +0100

A brilliant blog post by Ero Carrera: IDAPython in action:

http://blog.dkbza.org/2008/03/digging-up-system-call-ordinals.html

Just note how concise and powerful is the script!

Tricky jump tables

Tue, 04 Mar 2008 16:25:57 +0100

Just a quick post to announce that we have published a small plugin to specify jump table information. When IDA misses them, the flow charts are virtually useless - they fall apart into several loosely connected components and the logic is completely hidden. This plugin is especially useful for rarely used processors with unusual switch idioms.

The plugin and its source code can be found on our forum.

Easy structure types

Mon, 18 Feb 2008 13:45:36 +0100

I'm happy to tell you that a new build of the decompiler is ready! It introduces new easily accessible commands to manipulate structure pointers. First, a variable can be converted into a structure pointer with one click. Also, new the structure types can be build on the fly by the decompiler. As usual, any type or name can be modified any time. All this makes using the decompiler really agreeable. Please watch a short demo:

MRXDAV.SYS and Hex-Rays Decompiler

Wed, 13 Feb 2008 02:18:29 +0100

I wanted to present you a new plugin today. It was about switch idioms (jump tables). I spent a few hours trying to find a problematic x86 sample file but could not locate anything impressive. All jump tables were nicely recognized. This certainly does not mean that IDA handles them perfectly, but rather that my search methods must be improved.

Anyway, things were going nowhere and I decided to make a micro-break. It really helps to unblock the thought process (sometimes my entire working day consists of innumerable micro-breaks :)

Debugger and process memory

Sun, 03 Feb 2008 17:02:35 +0100

Just a small note about the debugger plugins and events. Many users who try to develop a plugin for the debugger notice that IDA behaves slightly differently in the notification callbacks than anywhere else.

For example, IDA might claim that EIP points to an address without a segment, or none of exported names of a loaded DLL are available.

Jump tables

Thu, 31 Jan 2008 11:21:45 +0100

It is an endless story: regardless of how many different jump table types IDA supports, there will be a new unhandled twist. Be it the instruction scheduler, which rearranged the instructions in an unexpected manner, or the compiler, which learned a new optimization trick, it is the same for IDA: jump tables are missed and functions boundaries are wrong. What's worse, the graph view, so loved by IDA users, displays a trimmed graph without jump tables, virtually useless for any analysis.

That's why we strive to add support for new jump tables to IDA, and since it can not be done for all of them, we focus on compiler generated jump tables for popular processors. Take ARM, for example. The ARM processor module have been improved a lot in v5.2, but yet we received a report with a bunch of new patterns. So expect even better support for ARM in the near future :)

If you are interested in improving the jump table handling for a rarely used processor, here are the explanations how to do it.

Better user interface for decompiler

Wed, 02 Jan 2008 16:24:58 +0100

We are glad to release a new version of the Hex-Rays decompiler! Highlights of this build:

improved usability
support for unusual calling conventions
better handling of obfuscated code

The most important improvement is the user interface. Now the decompiler is at your fingertips at all times, the same way as the graph view. Remember that you can toggle graph-text views in IDA with one keyboard hit? For the decompiler you can use the Tab key: it toggles between the disassembly and pseudocode views.

For those of you who prefer to see both the decompiler output and disassembler output in the same window, we added the "copy to disassembly" command. It just does what its names says: copies the pseudocode text to the disassembly window. You can see both outputs simultaneously: mapping of low level assembly idioms to high level constructs is made as transparent as possible.

With this build, you will be able to open multiple pseudocode windows. This will be especially useful for long functions: just open a separate window for each called function by Ctrl-double clicking on function names. The long function will stay intact in its own window and you won't lose time by reanalyzing it upon each return.

One more command to handle code complexity: ability to hide parts of code. The new hide/unhide command allows you to collapse a multiline statement into just one line. Collapsing unimportant sub-statements reveals the global structure of the decompiled function.

We also added other things to make the life easier: the command to jump to xrefs, better status line information, support for the __spoiled keyword, and more heuristic rules to the analyzer.

Here's a short video:

The detailed list of changes can be accessed here

Nice analysis!

Decompiler output ctree

Wed, 28 Nov 2007 00:28:00 +0100

The upcoming version of the decompiler SDK adds some nice features.
First, we created a reference manual. It is in doxygen format: cross references make it really easy to browse. Second, the SDK is compatible with both IDA v5.1 and v5.2. Third, we added functions to retrieve and modify all user-defined attributes like variable names, types, and comments. Fourth, we added more sample plugins. And fifth, our forum is open. All your decompiler and SDK related questions can be asked there.

Since the "show, don't tell" rule applies to everyone, here's a short video demonstrating one of the new sample plugins (it displays the decompiler output as a graph):

Hopefully the new version will be available this week, as soon as the regression tests are over.

Hex-Rays SDK is ready!

Tue, 30 Oct 2007 22:08:26 +0100

A binary analysis tool like a decompiler is incomplete without a programming interface. Sure, decompilers tremendously facilitate binary analysis. You can concentrate of the program logic expressed in a familiar way. Just add comments, rename variables and functions to get almost the original source code, almost perfect. However, quite often there is a small ugly detail and the output falls short of being satisfactory.

IDA and Microcontrollers

Mon, 15 Oct 2007 14:52:30 +0100

If you ever used IDA to analyze embedded stuff, you would immediately notice its pc-centric nature. While any embedded SDK targets specific devices with real-world part numbers, IDA just provides you with a universal analysis framework. You are supposed to know how the device works, its idiosyncrasies, programming model, memory organization, and all other practical stuff. If there is an automatic way to determine the entry point or interrupt vectors, IDA will use it but in general you will have to find out the correct parameters yourself.

The following tutorial fills the gap for C166 (and explains many other things!):

http://andywhittaker.com/ECU/DisassemblingaBoschME755/tabid/96/Default.aspx

Thanks, Andy!