Infosec In the City (IIC)

Maximise the Power of Hex-Rays Decompiler — by Igor Kirillov

Updated: Jun 19, 2020

#IICSG2018 Conference Deep-Tech Track


Day 1 (24 May 2018)

5.30pm—6.15pm

@ Stamford Ballroom (Olivia)



Abstract

The Hex-Rays decompiler for IDA Pro serves as an abstraction layer over assembly language.

Its main advantage is that the pseudo-code can be modified, making it as transparent and clear as possible. The process, however, is extremely laborious, time-consuming and even tedious, because as a rule the raw output is a mash of standard types and generic variables, and the functionality IDA Pro ships with is not of much help either. A major stumbling block every researcher runs into is structure recovery: in decompiled code, field accesses appear as pointer dereferences at some offset from a base pointer. The core feature of the HexRaysPyTools plugin lets its user collect those references semi-automatically. The gathered information can then be corrected in the GUI and turned into a complete structure.

The plugin also adds cross-references by structure field, which makes it much easier to work out what each field is used for. Along with that, it is equipped with a range of features that simplify reverse engineering:

  • Symbols and RTTI information are used to create names of virtual tables and classes

  • Assert functions can be used to automatically rename functions

  • A GUI for browsing classes and their methods

  • Builds structure graphs

  • Handling of negative offsets

  • Recasts and renames variables, simplifying the process of changing names and types

  • Cross-references to virtual functions

  • Modifies and hides "if-then" branches; switch branches can be hidden individually
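As an added illustration of the structure-recovery and field cross-reference idea described in the abstract (example code written for this page, not HexRaysPyTools' own implementation, which works on the Hex-Rays ctree inside IDA), the script below scans constructed Hex-Rays-style pseudocode for `*(_TYPE *)(base + off)` dereferences of one pointer variable, records which pseudocode lines touch each offset, and emits a C struct declaration with padding for the gaps and a comment wherever one offset is accessed at conflicting widths, which is exactly the kind of spot a user would correct by hand in the GUI. The sample pseudocode, the base variable name `a1` and the struct name `recovered_t` are assumptions.

```python
"""Recover a C struct from offset-based dereferences in Hex-Rays style pseudocode."""
import re
from collections import defaultdict

# Sizes of the Hex-Rays scalar placeholder types.
TYPE_SIZES = {"_BYTE": 1, "_WORD": 2, "_DWORD": 4, "_QWORD": 8}

# Matches "*(_DWORD *)(a1 + 8)", "*(_BYTE *)(a1 + 0x1C)" and the zero-offset form "*(_DWORD *)a1".
DEREF_RE = re.compile(
    r"\*\((?P<type>_BYTE|_WORD|_DWORD|_QWORD) \*\)"
    r"(?:\((?P<base>\w+) \+ (?P<off>0x[0-9A-Fa-f]+|\d+)\)|(?P<base0>\w+))"
)

# Constructed sample pseudocode (assumption, not real decompiler output) for a function
# whose first argument a1 points to an unknown structure.
SAMPLE = """\
v3 = *(_DWORD *)(a1 + 8);
*(_BYTE *)(a1 + 12) = 1;
v4 = *(_QWORD *)(a1 + 16);
if ( *(_WORD *)(a1 + 8) > 10 )
  *(_DWORD *)(a1 + 0x20) = 0;
v5 = *(_DWORD *)a1;
result = *(_QWORD *)(a1 + 0x18);
"""


def collect_field_refs(pseudocode, base):
    """Map each offset from `base` to the access types seen and the pseudocode lines using it."""
    refs = defaultdict(lambda: {"types": set(), "xrefs": []})
    for lineno, line in enumerate(pseudocode.splitlines(), start=1):
        for m in DEREF_RE.finditer(line):
            if (m.group("base") or m.group("base0")) != base:
                continue  # dereference of some other pointer, not our candidate struct
            off = int(m.group("off"), 0) if m.group("off") else 0
            refs[off]["types"].add(m.group("type"))
            if lineno not in refs[off]["xrefs"]:
                refs[off]["xrefs"].append(lineno)
    return dict(refs)


def build_struct(refs, name="recovered_t"):
    """Emit a C struct declaration and its size.

    Gaps become padding arrays; an offset read at several widths keeps the widest type and
    gets a comment; a field starting inside the previous one is flagged for manual review.
    """
    lines = ["struct %s" % name, "{"]
    cursor = 0
    for off in sorted(refs):
        types = refs[off]["types"]
        ctype = max(types, key=TYPE_SIZES.__getitem__)
        note = ""
        if len(types) > 1:
            note = "  /* also accessed as %s */" % ", ".join(sorted(types - {ctype}))
        if off < cursor:
            lines.append("    /* 0x%X: %s overlaps previous field; check for a union or wrong base */"
                         % (off, ctype))
            continue
        if off > cursor:
            lines.append("    char gap_%X[%d];" % (cursor, off - cursor))
        lines.append("    %s field_%X;%s" % (ctype, off, note))
        cursor = off + TYPE_SIZES[ctype]
    lines.append("};")
    return "\n".join(lines), cursor


if __name__ == "__main__":
    refs = collect_field_refs(SAMPLE, "a1")
    decl, size = build_struct(refs)
    print(decl)
    print("/* sizeof = 0x%X */" % size)
    for off in sorted(refs):
        # Field cross-references: which pseudocode lines touch each recovered field.
        print("field_%X referenced on lines %s" % (off, refs[off]["xrefs"]))
```

The emitted declaration uses the `_BYTE`/`_WORD`/`_DWORD`/`_QWORD` placeholder names so it can be pasted straight into IDA's Local Types; the real plugin additionally merges references from several functions and lets the user rename and retype each field before committing the structure.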


About Igor Kirillov

Security researcher and reverse engineer. At first, research was just a hobby: he developed and maintained a bot for an online game while studying the security mechanisms meant to stop the bot from running. It then became his profession and life-long passion. He is also a C and Python programmer at Embedi, interested in automating reverse engineering and in searching for vulnerabilities in IoT devices.