Hotkey: /

This command edits the indented comment for the current line or the current variable. It can be applied to the local variable definition area (at the top of the output) and to the function statement area (at the bottom of the output).

If applied to the local variable definition area, this command edits the comment for the current local variable. Otherwise the comment for the current line will be edited.

Please note that due to the highly dynamic nature of the output, the decompiler uses a rather complex coordinate system to attach comments. Some output lines will not have a coordinate in this system. You cannot edit comments for these lines. We will try to overcome this limitation in the future but it might take some time and currently we do not have a clear idea how to improve the existing coordinate system.

Each time the output text changes the decompiler will rearrange the entered comments so they are displayed close to their original locations. However, if the output changes too much, the decompiler could fail to display some comments. Such comments are called "orphan comments". All orphan comments are printed at the very end of the output text.

You can cut and paste them to the correct locations or you can delete them with the "Delete orphan comments" command using the right-click menu.

The starting line position for indented comments can be configured by the user. Please check the COMMENT_INDENT parameter in the configuration file.

See also: Edit block comment | Interactive operation

Hotkey: Y

The SetType command sets the type of the current item. It can be applied to the following things:

• Function

• Local variable

• Global item (function or data)

If the command is applied to the very first line of the output text, the decompiler will try to detect the current function argument. If the cursor is on an argument declaration, then the argument type will be modified. Otherwise, the current function type will be modified.

In all other cases the item under the cursor will be modified.

When modifying the prototype of the current function you may add or remove function arguments, change the return type, and change the calling convention. If you see that the decompiler wrongly created too many function arguments, you can remove them.

The item type must be specified as a C type declaration. All types defined in the loaded type libraries, all structures in the structure window, all enum definitions in the enum window can be used.

This is a very powerful command. It can change the output dramatically. Use it to remove cast operations from the output and to make it more readable. In some cases, you will need to define structure types in the structure window and only after that use them in the pseudocode window.

NOTE: since the arguments of indirect calls are collected before defining variables, specifying the type of the function pointer may not be enough. Please read this for more info.

Since variables and function types are essential, the decompiler uses colors to display them. By default, definite types (set by the user, for example) are displayed in blue while guessed types are displayed in gray. Please note that the guessed types may change if the circumstances change. For example, if the prototype of a called function is changed, the variable that holds its return value may change automatically, unless its type was set by the user.

This command does not rename the operated item, even if you specify the name in the declaration. Please use the rename command for that.

See also: interactive operation

Hotkeys

None

Split current expression

None

Unsplit current expression

This command splits the current expression into multiple expressions. It is available only for int16, int32, or int64 assignments or expressions which were combiled by the decompiler (e.g. 64bit comparison on 32bit platform). Splitting an assignment breaks it into two assignments: one for the low part and one for the high part. Other expressions can be splitted into more than two expressions.

This command is useful if the decompiler erroneously combines multiple unrelated expressions into one. In some cases the types of the new variables should be explicitly specified to get a nice listing. For example:

        __int64 v0;
        v0 = 0ui64;

can be split into two assignments:

        __int32 v0;
        __int32 v1;
        v0 = 0;
        v1 = 0;

by right clicking on the 64-bit assignment operation (the '=' sign) and selecting the 'Split' command.

The split expression can be unsplit using the unsplit command. Unsplitting removes all effects of the previous Split commands.

See also: interactive operation

Hotkeys:

• H - toggle between hexadecimal and decimal representations

• R - switch to character constant representation

• M - switch to enumeration (symbolic constant) representation

• _ - invert sign

• T - apply struct offset

This command allows the user to specify the desired form of a numeric constant. Please note that some constants have a fixed form and cannot be modified. This mainly includes constants generated by the decompiler on the fly.

The decompiler ties the number format information to the instruction that generated the constant. The instruction address and the operand number are used for that. If a constant, which was generated by a single instruction, is used in many different locations in the pseudocode, all these locations will be modified at once.

Using the 'invert sign' negates the constant and resets the enum/char flag if it was set.

When this command is applied the first time to a negative constant, the output will seemingly stay the same. However, the list of symbolic constants available to the M hotkey changes. For example, if the constant is '-2', then before inverting the sign the symbolic constants corresponding to '-2' are available. After inverting the sign the symbolic constants corresponding to '2' are available.

The T hotkey applies the structure offset to the number. For positive numbers, it usually converts the number into offsetof() macro. For negative numbers, it usually converts the whole (var-num) expression into the CONTAINING_RECORD macro. By the way, the decompiler tries to use other hints to detect this macro. It checks if the number corresponds to a structure offset in the disassembly listing. For example, an expression like

        v1 = (structype *)((char *)v2 - num);

can be converted into

        v1 = CONTAINING_RECORD(v2, structype, fieldname);

where structype * is the type of v1 and offsetof(structype, fieldname) == num. Please note that v2 must be declared as a pointer to the corresponding structure field, otherwise the conversion may fail.

See also:

• interactive operation

• offsetof() and container_of() macros

Hotkey: N

The rename command renames the current item. It can be applied to the following things:

• Function

• Local variable

• Global item (function or data)

• Structure field

• Statement label

Normally the item under the cursor will be renamed. If the command is applied to the very first line of the output text and the decompiler cannot determine the item under the cursor, the current function will be renamed.

See also: interactive operation

Hotkeys

Keypad -

Hide current statement

Keypad +

Unhide current statement

This command collapses the current statement into one line. It can be applied to multiline statements (if, while, for, do, switch, blocks).

The hidden item can be uncollapsed using the unhide command.

See also: interactive operation

In some cases, especially for indirect calls, the decompiler cannot correctly detect call arguments. The 'Set call type' command sets the type of the function call at the current item without changing the prototype of the called function itself. So there is a difference between 'Set call type' and Set type commands. Let us assume that there is a call

        v1 = off_5C6E4(a1);

and that the decompiler erroneously detected one argument whereas four arguments actually are present. If the user sets the new call type as

        int (*)(int, int, int, int)

then the call will be transformed into

        v1 = ((int (__cdecl *)(int, int, int, int))off_5C6E4)(a1, a2, a3, a4);

and the type of off_5C6E4 will remain unchanged. Note that in this case the user can revert the call to the previous state using the Force call type command.

The Set type command will have a different effect:

        v1 = off_5C6E4(a1, a2, a3, a4);

It sets the new type for off_5C6E4 that will cause changes to all places where off_5C6E4 is called, including the current call.

This command also can be used to specify the __noreturn attribute of a call.

NOTE: Behind the scenes the 'Set call type' command, like Force call type, copies the entered type to the operand of the call instruction. Actually it is a shortcut to Edit, Operand type, Set operand type in the disassembly view while staying on the call instruction.

See also: interactive operation

Hotkeys

Numpad+

Add variadic argument

Numpad-

Delete variadic argument

This command adds or removes an argument of a variadic call. It is impossible to detect the correct number of variadic arguments in all cases, and this command can be used to fix wrongly detected arguments. It is available only when the cursor is located on a call to a variadic function (like printf). The decompiler automatically detects the argument locations, the user can only increase or decrease their number.

This command is useful if the decompiler determines the number of arguments incorrectly. For example:

        printf("This is a test call: %d\n");

apparently lacks an argument. Pressing Numpad+ modifies it:

        printf("This is a test call: %d\n", v1);

If too many arguments are added to a variadic call, decompilation may fail. Three methods to correct this situation exist:

• undo the last action (hotkey Ctrl-Z)

• position the cursor on the wrongly modified call and press Numpad-

• or use Edit, Other, Reset decompiler information to reset the forced varidic argument counts.

See also: interactive operation

The decompiler adds the following commands to the menus:

• View, Open subviews, Pseudocode

• Jump, Jump to pseudocode

• File, Produce file, Create C file

• Edit, Comment, Add pseudocode comments

• Edit, Comment, Delete pseudocode comments

• Edit, Other, Toggle skippable instructions

• Edit, Other, Reset decompiler information

• Edit, Other, Decompile as call

• Help, Send database

• Help, Extract function

View, Open subviews, Pseudocode (hotkey F5)

This command decompiles the current function. If the decompilation is successful, it opens a new window titled "Pseudocode" and places the generated C text in this window.

The following commands can be used in the pseudocode window:

• Rename

• Set type

• Set number representation

• Edit indented comment

• Edit block comment

• Hide/unhide statements

• Split/unsplit expression

• Force call type

• Set call type

• Add/del variadic arguments

• Del function argument

• Add/delete function return type

• Jump to cross reference

• Jump to cross reference globally

• Generate HTML file

• Mark/unmark as decompiled

• Copy to assembly

• Show/hide casts

If the current item is a local variable, additional items may appear in the context menu:

• Reset pointer type

• Convert to struct *

• Create new struct type

• Map to another variable

• Unmap variable(s)

• Split variable

• Unsplit variable

If the current item is a union field, an additional item may appear in the context menu:

• Select union field

If the current item is a parenthesis, bracket, or a curly brace, the following hotkey is available:

• Jump to paired paren

The user can also select text and copy it to the clipboard with the Ctrl-C combination.

If the current item is C statement keyword, an additional item may appear in the context menu:

• Collapse/uncollapse item

The user can also select text and copy it to the clipboard with the Ctrl-C combination.

Pressing Enter on a function name will decompile it. Pressing Esc will return to the previously decompiled function. If there is no previously decompiled function, the pseudocode window will be closed.

Ctrl-Enter or Ctrl-double click on a function name will open a new pseudocode window for it.

Pressing F5 while staying in a pseudocode window will refresh its contents. Please note that the decompiler never refreshes pseudocode by itself because it can take really long.

The user can use the mouse right click or keyboard hotkeys to access the commands. Please check the command descriptions for the details.

Jump, Jump to pseudocode (hotkey Tab)

This command toggles between the disassembly view and pseudocode view. If there is no pseudocode window, a new window will be created.

Pressing Tab while staying in the pseudocode window will switch to the disassembly window. The Tab key can be used to toggle pseudocode and disassembly views.

See above the Open pseudocode command for more details.

File, Produce file, Create C file (hotkey Ctrl-F5)

This command decompiles the selected functions or the whole application. It will ask for the name of the output .c file.

If there is a selected area in the disassembly view, only the selected functions will be decompiled. Otherwise, the whole application will be decompiled.

When the whole application is decompiled, the following rules apply:

• the order of decompilation is determined by the decompiler. It will start with the leaf functions and will proceed in the postnumbering order in the call graph. This order makes sure that when we decompile a function, we will have all information about the called functions. Obviously, for recursive functions some information will be still missing.

• the library (light blue) functions will not be decompiled. By the way, this is a handy feature to exclude functions from the output.

• A decompilation failure will not stop the analysis but the internal errors will. The decompiler generates #error directives for failed functions.

Edit, Comments, Add pseudocode comments

This command decompiles the current function and copies the pseudocode to the disassembly listing in the form of anterior comments. If the current function already has a pseudocode window, its contents are used instead of decompiling the function anew.

This menu item performs exactly the same actions as the Copy to assembly command.

Edit, Comments, Delete pseudocode comments

This command deletes all anterior comments created by the previous command. Its name is a slight misnomer because it does not verify the comment origin. In fact, all anterior comments within the current function are deleted.

Edit, Other, Toggle skippable instructions

This command marks/unmarks instructions to be skipped by the decompiler. It is useful if some prolog/epilog instructions were missed by IDA. If such instructions were not detected and marked, the decompilation may fail (most frequently the call analysis will fail).

The decompiler skips the prolog, epilog, and switch instructions. It relies on IDA to mark these instructions. Sometimes IDA fails to mark them, and this command can be used to correct the situation.

If the command is applied to marked instructions, it will unmark them.

By default, the skipped instructions are not visualized. To make them visible, edit the IDA.CFG file and uncomment the following lines:

 PROLOG_COLOR = 0xE0E0E0            // grey
 EPILOG_COLOR = 0xE0FFE0            // light green
 SWITCH_COLOR = 0xE0E0FF            // pink

Edit, Other, Reset decompiler information

This command deletes decompiler information.

It can delete information about global objects (functions, static data, structure/enum types) and/or information local to the current function.

Use this command if you inadvertently made some change that made decompilation impossible.

It can also be used to reset other information types used by the decompiler. For example, the forced variadic arguments or split expression can be reset.

Edit, Other, Decompile as call

This commands configures a function call the current instruction should be replaced by in the pseudocode output.

Special names can be used to access operands of the current instructions: __OP1, __OP2, ... for first, second, etc. operands. Each function argument having a name like that will be replaced in the call by the value of the corresponding operand of the instruction. Also if the function name has this format, a call to the location pointed by the corresponding operand will be generated. Other arguments and the return value will be placed into locations derived from the function prototype according to the current compiler, calling convention, argument and return types. You can use IDA-specific __usercall calling convention to specify arbitrary locations independently of platform and argument/return types (read IDA help pages about the user defined calling conventions for more info).

Examples

• We could ask to replace the following instruction:

  by specifying the following prototype:

  which would lead to the following decompiler output:

  where v1 is mapped to ax.

• The following prototype:

  applied to the second instruction in the following piece of code:

  Copy

  <!-- --

  will generate the following pseudocode:

  where v1, v2, v3 are mapped to R0, R1, R2 respectively

Help, Send database

This command packs and sends the current database to our server. The user can specify his/her email and add notes about the error. This is the preferred way of filing bugreports because it is virtually impossible to do anything without a database. The database will also contain the internal state of the decompiler, which is necessary to reproduce the bug.

The database is sent in the compressed form to save the bandwidth. An encrypted connection (SSL) is used for the transfer.

Help, Extract function

This command deletes all code and data from the current idb extract the current function. It can be used to reduce the database size before sending a bug report. Please note that deleting information from the database may make the bug irreproducible, so please verify it after applying this command.

This command generates an HTML file with the pseudocode of the current function. It is available from the popup menu if the mouse is clicked on the very first line of the pseudocode text.

This command also works on the selected area. The user can select the area that will be saved into HTML file. This is useful if only a small code snippet is needed to be saved instead of the entire function body.

See also: interactive operation

Hotkey: Ctrl-Shift-R

This command removes the return type from the function prototype. It is applied to the prototype of the current function.

It is available anywhere in the pseudocode window, regardless where exactly the cursor is positioned. This command is not visible in the context sensitive popup menu.

If applied to a function without the return type, it will add the previously removed return type to the function prototype.

This command is available starting from v7.5.

See also: interactive operation, Del function argument.

In some cases, especially for indirect calls, the decompiler cannot correctly detect call arguments. For a call like

        push something
        mov  eax, [ecx]
        call [eax+8]

it is very difficult to determine where are the input arguments. For example, it is unclear if ECX is used by the call or not.

However, the number of arguments and their types can become available at later stages of decompilation. For example, the decompiler may determine that ECX points to a class with a table of virtual functions. If the user specifies the vtable layout, the output may become similar to

        ((int (*__stdcall)(DWORD))ptr-vftable-somefunc)(v1);

If the user declares somefunc as a pointer to a function like this:

        int __thiscall (*somefunc)(myclass *obj, int arg);

then the code is incorrect. The decompiler detected only one argument and missed the one in ECX.

The 'force call type' command instructs the decompiler not to perform the call argument analysis but just use the type of the call object. For the above example, the call will be transformed into something like

        ptr-vftable-somefunc(obj, v1);  // obj is in ECX

In other words, this command copies the call type from the call object to the call instruction. The call object may be any expression, the only requirement is that it must be a pointer to a function.

There is a more general command Set call type that allows the user to set any type for a call instruction.

NOTE: Behind the scenes the 'force call' command copies the desired type to the operand of the call instruction. To revert the effects of 'force call' or to fine tune the forced type please use the Edit, Operand type, Set operand type in the disassembly view while staying on the call instruction.

See also: interactive operation

Hotkey: \

This command hides all cast operators from the output listing. Please note that the output may become more difficult to understand or even lose its meaning without cast operators. However, since in some cases it is desirable to temporarily hide them, we provide the end user with this command.

The initial display of cast operators can be configured by the user. Please check the HO_DISPLAY_CASTS bit in the HEXOPTIONS parameter in the configuration file.

See also: interactive operation

This command copies the pseudocode text to the disassembly window. It is available from the popup right-click menu.

Please note that only "meaningful" lines are copied. Lines containing curly braces, else/do keywords will be omitted.

The copied text is represented as anterior comments in the disassembly. Feel free edit them the way you want. The copied text is static and will not change if the pseudocode text changes.

See also: interactive operation

This command marks the current function as decompiled. It is a convenient way to track decompiled functions. Feel free to use it any way you want.

Marking a function as decompiled will change its background color to the value specified by the MARK_BGCOLOR parameter in the configuration file. The background color will be used in the pseudocode window, in the disassembly listing, and in the function list.

See also: interactive operation

Hotkey: none

This convenience command allows the user to specify a pointer to structure type in a quick and efficient manner. The list of the local structure types will be displayed. The type of the current variable will be set as a pointer to the selected structure type.

This is just a convenience command. Please use the set type command in order to specify arbitrary variable types.

This command is available only when the decompiler is used with recent IDA versions.

See also: interactive operation

Hotkey: Shift-S

Sometimes a stack slot is used for two completely different purposes during the lifetime of a function. While for the unaliased part of the stack frame the decompiler can usually sort things out, it cannot do much for the aliased part of the stack frame. For the aliased part, it will create just one variable even if the corresponding stack slot is used for multiple different purposes. It happens so because the decompiler cannot prove that the variable is used for a different purpose, starting from a certain point.

The split variable command is designed to solve exactly this problem.

This command allows the user to force the decompiler to allocate a new variable starting from the current point. If the current expression is a local variable, all its subsequent occurrences will be replaced by a new variable up to the end of the function or the next split variable at the same stack slot. If the cursor does not point to a local variable, the decompiler will ask the user about the variable to replace.

In the current statement, only the write accesses to the variable will be replaced. In the subsequent statements, all occurrences of the variable will be replaced. We need this logic to handle the following situation:

        func(var, &var);

where only the second occurrence of the variable should be replaced. Please note that in some cases it makes sense to click on the beginning of the line with the function call, rather than on the variable itself.

Please note that in the presence of loops in the control flow graph it is possible that even the occurrences before the current expression will be replaced by the new variable. If this is not desired, the user should split the variable somewhere else.

The very first and the very last occurrences of a variable cannot be used to split the variable because it is not useful.

The decompiler does not verify the validity of the new variable. A wrong variable allocation point may render the decompiler output incorrect.

Currently, only aliasable stack variables can be split.

A split variable can be deleted by right clicking on it and selecting 'Unsplit variable'.

See also: interactive operation

Hotkey: none

This convenience command allows the user to convert the current local variable from a non-pointer type to a pointer to a newly created structure type. It is available from the context menu if the current variable is used a pointer in the pseudocode.

The decompiler scans the pseudocode for all references to the variable and tries to deduce the type of the pointed object. Then the deduced type is displayed on the screen and the user may modify it to his taste before accepting it. When the user clicks OK, the new type is created and the type of the variable is set as a pointer to the newly created type.

In simple cases (for example, when the variable is used as a simple character pointer), the decompiler does not display any dialog box but directly changes the variable type. In such cases, no new type will be created.

This is just a convenience command. Please use the set type command in order to specify arbitrary variable types.

This command is available only when the decompiler is used with recent IDA versions.

See also: interactive operation

This command opens the standard dialog box with the cross references to the current item. The user may select a cross reference and jump to it. If the cross-reference address belongs to a function, it will be decompiled. Otherwise, IDA will switch to the disassembly view.

For local variables, the following cross reference types are defined:

  r  Read
  w  Write
  rw Read/Write
  o  Reference

It is also possible to jump to structure fields. All local references to a field of a structure type will be displayed.

If the item under the cursor is a label, a list of all references to the label will be displayed.

Finally, xrefs to statment types are possible too. For example, a list of all return statements of the current function can be obtained by pressing X on a return statment. All statements with keywords are supported.

See also: interactive operation

Hotkey: Alt-Y

This command allows the user to select the desired union field. In the presence of unions, the decompiler cannot always detect the correct union field.

The decompiler tries to reuse the union selection information from the disassembly listing. If there is no information in the disassembly listing, the decompiler uses an heuristic rule to choose the most probable union field based on the field types. However, it may easily fail in the presence of multiple union fields with the same type or when there is no information how the union field is used.

If both the above methods of selecting the union field fail, then this command can be used to specify the desired field. It is especially useful for analyzing device drivers (I/O request packets are represented with a long union), or COM+ code that uses VARIANT data types.

See also: interactive operation

Hotkey: Ins

This command edits the block comment for the current line. The entered comment will be displayed before the current line.

Please note that due to the highly dynamic nature of the output, the decompiler uses a rather complex coordinate system to attach comments. Some output lines will not have a coordinate in this system. You cannot edit comments for these lines. Also, some lines have the same coordinate. In this case, the comment will be attached to the first line with the internal coordinate. We will try to overcome this limitation in the future but it might take some time and currently we do not have a clear idea how to improve the existing coordinate system.

Each time the output text changes the decompiler will rearrange the entered comments so they are displayed close to their original locations. However, if the output changes too much, the decompiler could fail to display some comments. Such comments are called "orphan comments". All orphan comments are printed at the very end of the output text.

If applied to the function declaration line, this command edits the function comment. This comment is shared with IDA: it is the same as the function comment in IDA.

You can cut and paste them to the correct locations or you can delete them with the "Delete orphan comments" command using the right-click menu.

See also: Edit indented comment | Interactive operation

Hotkey: none

This command resets the type of the current local variable from a pointer type to an integer type. This is just a convenience command. Please use the set type command in order to specify arbitrary variable types.

See also: interactive operation

This command jumps to the matching parenthesis. It is available only when the cursor is positioned on a parenthesis, bracket, or curly brace.

The default hotkey is '%'.

See also: interactive operation

This command collapses the selected multiline C statement into one line. It can be applied to if, while, for, switch, do keywords. The collapsed item will be replaced by its keyword and "..."

It can also be applied to the local variable declarations. This can be useful if there are too many variables and they make the output too long. All variable declarations will be replaced by just one line:

        // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

See also: interactive operation

Hotkey: =

This command allows the user to replace all occurrences of a variable by another variable. The decompiler will propose a list of variables that may replace the current variable. The list will include all variables that have exactly the same type as the current variable. Variables that are assigned to/from the current variable will be included too.

Please note that the decompiler does not verify the mapping. A wrong mapping may render the decompiler output incorrect.

The function arguments and the return value cannot be mapped to other variables. However, other variable can be mapped to them.

A mapping can be undone by right clicking on the target variable and using the 'unmap variable' command.

See also: interactive operation

Hotkey: Shift-Del

This command removes an argument or the return type from a function prototype. It can be applied to the prototype of the current function as well as to any called function.

It is available only when the cursor is on a function argument or on the return type. As a result of this command, the function prototype is modified: the selected argument is removed from the argument list. If necessary, the calling convention is replaced by a new one.

Please note that other register arguments do not change their locations. This logic ensures that a stray argument in the argument list can be deleted with a keypress.

When applied to the function return type it will convert it to "void".

This command is available starting from v7.5.

See also: interactive operation, Add/delete function return type.

This command decompiles all non-trivial functions in the database and looks for xrefs in them. Library and thunk functions are skipped. The decompilation results are cached in memory, so only the first invocation of this command is slow.

Cross references to the current item are looked up in the decompilation results. A list of such xrefs is formed and displayed on the screen. Currently the following item types are supported:

• a structure field

• a enumeration member (symbolic constant)

This action is also available (only by hotkey) in the struct view and local types view.

See also: interactive operation