Maximise the Power of Hex-Rays Decompiler — by Igor Kirillov
Updated: Jun 19
#IICSG2018 Conference Deep-Tech Track
Day 1 (24 May 2018)
@ Stamford Ballroom (Olivia)
The IDA Pro Hex-Rays decompiler serves as an excellent abstraction layer over assembly language.
Its main advantage is that it lets the analyst modify the pseudo-code, making it as transparent and clear as possible. However, the process is extremely laborious, time-consuming, and even tedious, because, as a rule, the original code is a complete mash of standard types and variables. The standard functionality IDA Pro is equipped with is not of much help either. A major stumbling block all researchers come across in the process is structure recovery. In decompiled code, field references look like pointer dereferences with some offset. The core feature of the HexRaysPyTools plugin lets its user collect such references in a semi-automatic mode. After that, the information gathered in the GUI may be corrected and transformed into a complete structure.
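The structure-recovery idea above, as an added example that is not part of the original talk and is not HexRaysPyTools' own code: a small Python script that scans Hex-Rays-style pseudo-code text for dereferences of the form `*(_DWORD *)(a1 + 8)`, groups them by base variable and offset, and emits a C struct with gap padding between the recovered fields. The pseudo-code sample, the function names `collect_field_refs` and `build_struct`, and the struct name are all constructed for this example; overlapping accesses (a byte view inside an already recovered dword) are reported rather than silently merged, which is the case a practitioner usually has to resolve by hand.

```python
import re

# Sizes (bytes) and C spellings of the Hex-Rays scalar type names expected in pseudo-code.
TYPE_SIZES = {"_BYTE": 1, "_WORD": 2, "_DWORD": 4, "_QWORD": 8}
C_TYPES = {"_BYTE": "uint8_t", "_WORD": "uint16_t", "_DWORD": "uint32_t", "_QWORD": "uint64_t"}

# Matches "*(_DWORD *)(a1 + 8)" as well as the offset-0 form "*(_DWORD *)a1".
DEREF_RE = re.compile(
    r"\*\((?P<type>_BYTE|_WORD|_DWORD|_QWORD) \*\)"
    r"(?:\((?P<base>[A-Za-z_]\w*) \+ (?P<off>0x[0-9A-Fa-f]+|\d+)\)|(?P<base0>[A-Za-z_]\w*))"
)

# Constructed sample of decompiler output (not real program code).
SAMPLE_PSEUDOCODE = """
int __fastcall sub_401000(__int64 a1, __int64 v4)
{
  *(_DWORD *)a1 = 0;
  *(_DWORD *)(a1 + 4) = 7;
  *(_BYTE *)(a1 + 6) = 1;
  *(_QWORD *)(a1 + 8) = (__int64)&unk_40A000;
  *(_BYTE *)(a1 + 0x14) = 1;
  return *(_DWORD *)(a1 + 4) + *(_DWORD *)(v4 + 8);
}
"""


def collect_field_refs(pseudocode, base_var):
    """Return {offset: hexrays_type} for every dereference of base_var in the text."""
    fields = {}
    for m in DEREF_RE.finditer(pseudocode):
        base = m.group("base") or m.group("base0")
        if base != base_var:
            continue  # a different pointer; it belongs to another structure
        off = int(m.group("off"), 0) if m.group("off") else 0
        ty = m.group("type")
        # Same offset seen with several widths: keep the widest, the narrow one is a sub-field view.
        if off not in fields or TYPE_SIZES[ty] > TYPE_SIZES[fields[off]]:
            fields[off] = ty
    return fields


def build_struct(name, fields):
    """Emit a C struct declaration; unknown bytes between fields become gap_<offset> arrays."""
    lines = ["struct %s {" % name]
    cursor = 0  # next byte offset not yet covered by an emitted field
    for off in sorted(fields):
        ty = fields[off]
        if off < cursor:
            # Access inside an already emitted wider field: flag it for manual review.
            lines.append("    // overlapping %s access at offset 0x%X ignored" % (ty, off))
            continue
        if off > cursor:
            lines.append("    uint8_t gap_%X[%d];" % (cursor, off - cursor))
        lines.append("    %s field_%X;" % (C_TYPES[ty], off))
        cursor = off + TYPE_SIZES[ty]
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_struct("sub_401000_ctx", collect_field_refs(SAMPLE_PSEUDOCODE, "a1")))
```

Run stand-alone it prints a struct with `field_0`, `field_4`, `field_8`, a four-byte `gap_10` and `field_14`, plus a comment about the byte access at offset 6 that sits inside `field_4`. The widest-access rule and the overlap comment are the two decisions the GUI step in the talk exists for: the script makes a conservative default choice and leaves the final call to the analyst.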
The plugin also adds cross-references by structure field, making it much easier to identify the purpose each field serves. Along with that, the plugin is equipped with a wide range of features that simplify the process of reverse engineering:
Symbols and RTTI information are used to create names for virtual tables and classes
Assert functions can be used to automatically rename functions
A GUI for classes and their methods
Builds structure graphs
Handles negative offsets
Performs recasts and renames, simplifying the process of changing names and types
Cross-references to virtual functions
Modifies and hides "if-then" branches; hides switch branches separately