https://www.hex-rays.com/products/decompiler/manual/tricks.shtml

First of all, read the troubleshooting page. It explains how to deal with most decompilation problems.

Below is a mix of other useful information that did not fit into any other page:

Volatile memory

Sometimes the decompiler can be overly aggressive and optimize references to volatile memory away completely. A typical situation looks like this:

                device_ready    DCD ? ; VOLATILE!

                MOV     R0, =device_ready
                LDR     R1, [R0]
LOOP:
                LDR     R2, [R0]
                SUB     R2, R1
                BEQ     LOOP

can be decompiled into

                while ( 1 )
                  ;

because the decompiler assumes that a variable cannot change its value by itself, and
it can prove that R0 continues to point to the same location throughout the loop.

To prevent such optimization, we need to mark the variable as volatile.
Currently the decompiler considers memory to be volatile if it belongs to a segment with one of the following names:

IO, IOPORTS, PORTS, VOLATILE.

Segment names are matched case-insensitively.

Constant memory

Sometimes the decompiler does not optimize the code enough because it assumes that variables may change their values. For example, the following code:

                LDR     R1, =off_45934
                MOV     R2, #0
                ADD     R3, SP, #0x14+var_C
                LDR     R1, [R1]
                LDR     R1, [R1] ; int
                BL      _IOServiceOpen

can be decompiled into

                IOServiceOpen(r0_1, *off_45934, 0)

but this code is much better:

                IOServiceOpen(r0_1, mach_task_self, 0)

because

                off_45934 DCD _mach_task_self

is a pointer that resides in constant memory and will never change its value.
 
The decompiler considers memory to be constant if one of the following conditions holds:

  1. the segment has access permissions defined, but the write permission is not among them
    (to change the segment permissions, use the SetSegmentAttr built-in function)
  2. the segment type is CODE
  3. the segment name is one of the following (the list may change in the future):

    .text, .rdata, .got, .got.plt, __text, __const, __const_coal, __cstring, __literal4,
    __literal8, __pointers, __nl_symbol_ptr, __la_symbol_ptr,
    __objc_protorefs, __objc_selrefs, __objc_classrefs, __objc_superrefs, __objc_const,
    __message_refs, __cls_refs, __inst_meth, __cat_inst_meth, __cat_cls_meth.
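As an added example (not Hex-Rays code), the following IDAPython-style script encodes the volatile and constant segment rules from the two sections above as a small checker, together with a helper that applies the SetSegmentAttr fix from inside IDA by clearing the write bit. The `idc` import is optional so the pure functions also run outside IDA; the numeric SEGPERM values match IDA's, and exact-case matching of the constant-segment name list is an assumption of this example (the page only states that the volatile names are case-insensitive).

```python
# Added example (not Hex-Rays code): the volatile/constant segment rules as a
# checker, plus an in-IDA helper that drops the write permission of a segment.
try:
    import idc  # only importable inside IDA
except ImportError:  # running stand-alone, e.g. for testing
    idc = None

# Same numeric values as IDA's SEGPERM_EXEC / SEGPERM_WRITE / SEGPERM_READ.
SEGPERM_EXEC, SEGPERM_WRITE, SEGPERM_READ = 1, 2, 4

# Segment names the decompiler treats as volatile (compared case-insensitively).
VOLATILE_SEGMENT_NAMES = {"IO", "IOPORTS", "PORTS", "VOLATILE"}

# Segment names the decompiler treats as constant (list taken from the page;
# exact-case matching is an assumption of this example).
CONSTANT_SEGMENT_NAMES = {
    ".text", ".rdata", ".got", ".got.plt", "__text", "__const", "__const_coal",
    "__cstring", "__literal4", "__literal8", "__pointers", "__nl_symbol_ptr",
    "__la_symbol_ptr", "__objc_protorefs", "__objc_selrefs", "__objc_classrefs",
    "__objc_superrefs", "__objc_const", "__message_refs", "__cls_refs",
    "__inst_meth", "__cat_inst_meth", "__cat_cls_meth",
}


def is_volatile_segment(name):
    """Rule from the 'Volatile memory' section: name match, case-insensitive."""
    return name.upper() in VOLATILE_SEGMENT_NAMES


def is_constant_segment(name, perm, is_code):
    """The three 'Constant memory' rules. perm == 0 means no permissions defined."""
    if perm and not (perm & SEGPERM_WRITE):   # 1. perms defined, write bit absent
        return True
    if is_code:                               # 2. segment type is CODE
        return True
    return name in CONSTANT_SEGMENT_NAMES     # 3. well-known read-only names


def classify_segment(name, perm=0, is_code=False):
    """Return 'volatile', 'constant' or 'ordinary' for a segment description."""
    if is_volatile_segment(name):
        return "volatile"
    if is_constant_segment(name, perm, is_code):
        return "constant"
    return "ordinary"


def read_only_perm(perm):
    """Permission value with the write bit cleared. A segment with no permissions
    defined (0) gets an explicit read-only value, otherwise rule 1 cannot apply."""
    if not perm:
        perm = SEGPERM_READ
    return perm & ~SEGPERM_WRITE


def mark_segment_read_only(seg_ea):
    """Inside IDA: make the decompiler treat the segment containing seg_ea as
    constant by dropping its write permission (the SetSegmentAttr approach)."""
    if idc is None:
        raise RuntimeError("mark_segment_read_only must run inside IDA")
    perm = idc.get_segm_attr(seg_ea, idc.SEGATTR_PERM)
    return idc.set_segm_attr(seg_ea, idc.SEGATTR_PERM, read_only_perm(perm))
```

`classify_segment(".data", perm=SEGPERM_READ)` reports `constant` while the same name with read and write permissions, or with no permissions defined at all, reports `ordinary`; that last case is why `read_only_perm` turns an undefined permission value into an explicit read-only one rather than leaving it at zero.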

CONTAINING_RECORD macro

The decompiler knows about the CONTAINING_RECORD macro and tries to use it in the output.
However, in most cases it is impossible to create this macro automatically,
because the information about the containing record is not available.
The decompiler uses three sources of information to determine if CONTAINING_RECORD should be used:

  1. If there is an assignment like this:

                v1 = (structype *)((char *)v2 - num);

    it can be converted into

                v1 = CONTAINING_RECORD(v2, structype, fieldname);

    by simply confirming the types of v1 and v2.
    NOTE: the variable types must be specified explicitly.
    Even if the displayed types are already correct, press Y followed by Enter to confirm the variable type.

  2. Struct offsets applied to numbers in the disassembly listing are used as a hint
    to create CONTAINING_RECORD. For example, applying a structure offset to 0x41C in

                sub     eax, 41Ch

    has the same effect as in the previous point. Note that it still makes sense to confirm the variable types as explained earlier.

  3. Struct offsets applied to numbers in the decompiler output. For example, applying the _DEVICE_INFO structure offset to -131 in the following code:

                deviceInfo = (_DEVICE_INFO *)((char *)&thisEntry[-131] - 4);

    will convert it to:

                deviceInfo = CONTAINING_RECORD(thisEntry, _DEVICE_INFO, ListEntry);

    Again, it makes sense to confirm the variable types as explained earlier.
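As an added example (not Hex-Rays code), the script below models what the decompiler recovers in the three cases above: it turns the raw form `(char *)&thisEntry[-131] - 4` into a byte displacement, looks up which structure field starts at that displacement, and checks that subtracting the field offset from a field's address (the CONTAINING_RECORD macro itself) lands on the enclosing structure. The `DEVICE_INFO` layout, the 4-byte element size of `thisEntry` and the field names are constructed for this example; the real `_DEVICE_INFO` from the page is not known here.

```python
# Added example (not Hex-Rays code): CONTAINING_RECORD recovery modelled with ctypes.
import ctypes


class LIST_ENTRY(ctypes.Structure):
    _fields_ = [("Flink", ctypes.c_void_p), ("Blink", ctypes.c_void_p)]


class DEVICE_INFO(ctypes.Structure):
    # Constructed layout: 0x210 bytes of header so that ListEntry lands at offset 0x210.
    _fields_ = [
        ("Header", ctypes.c_uint8 * 0x210),
        ("ListEntry", LIST_ENTRY),
        ("Name", ctypes.c_char * 32),
    ]


def offset_of(struct_type, field_name):
    """Python equivalent of offsetof(struct_type, field_name)."""
    return getattr(struct_type, field_name).offset


def containing_record(field_address, struct_type, field_name):
    """CONTAINING_RECORD(addr, T, field): (T *)((char *)addr - offsetof(T, field)).
    Returns a ctypes view of the enclosing structure at the computed address."""
    return struct_type.from_address(field_address - offset_of(struct_type, field_name))


def byte_displacement(index, elem_size, extra_bytes):
    """Turn the decompiler's raw form `(char *)&p[index] + extra_bytes` into the
    number of bytes subtracted from p (positive when p lies inside the record)."""
    return -(index * elem_size + extra_bytes)


def field_at_offset(struct_type, offset):
    """Name of the field that starts at `offset`, or None. This is the lookup that
    applying a struct offset to the number performs in the decompiler output."""
    for name, _ in struct_type._fields_:
        if getattr(struct_type, name).offset == offset:
            return name
    return None


def recover_macro(index, elem_size, extra_bytes, struct_type, var_name="thisEntry"):
    """Rewrite `(T *)((char *)&var[index] + extra)` as CONTAINING_RECORD text, or
    return None when no field of T starts at that displacement."""
    field = field_at_offset(struct_type, byte_displacement(index, elem_size, extra_bytes))
    if field is None:
        return None
    return f"CONTAINING_RECORD({var_name}, {struct_type.__name__}, {field})"


def roundtrip_check():
    """Self-check: take the address of dev.ListEntry, apply containing_record and
    confirm that the result is dev itself."""
    dev = DEVICE_INFO()
    entry_addr = ctypes.addressof(dev.ListEntry)
    rec = containing_record(entry_addr, DEVICE_INFO, "ListEntry")
    return ctypes.addressof(rec) == ctypes.addressof(dev)
```

With a 4-byte element, `-131` elements minus 4 bytes is a displacement of 0x210, which is exactly where `ListEntry` sits in the constructed layout, so `recover_macro(-131, 4, -4, DEVICE_INFO)` yields the macro form shown in case 3. If the element size were 8 the displacement would not match any field and the function returns None, which mirrors why the variable types must be confirmed before the decompiler can emit the macro.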

Indirect calls

Since the arguments of indirect calls are collected before variables are defined, specifying the type of the variable
that holds the function pointer may not be enough. In this case the user has to specify the function type by other means.
The following methods exist (in order of preference):

  1. For indirect calls of this form:

                call ds:funcptr

    If funcptr is initialized statically and points to a valid function, just ensure a correct function prototype. The decompiler will use it.

  2. For indirect calls of this form:

                call [reg+offset]

    If reg points to a structure with a member that is a function pointer, just convert the operand into a structure offset (hotkey T):

                call [reg+mystruct.funcptr]

    and ensure that the type of mystruct::funcptr is a pointer to a function of the desired type.

  3. Specify the type of the called function using Edit, Operand type, Set operand type.
    If the first two methods cannot be applied, this is the recommended method.
    The operand type has the highest priority: it is always used if present.
  4. If the address of the called function is known, use Edit, Plugins, Change the callee address (hotkey Alt-F11).
    The decompiler will use the type of the specified callee. This method is available only for x86.
    For other processors, adding a code cross-reference from the call instruction to the callee will help.
