LogoLogo
IDA 9.0
IDA 9.0
  • Welcome to Hex-Rays docs
    • What's new?
  • Getting Started
    • Install IDA
    • Licensing
    • Basic Usage
    • What's next?
  • User Guide
    • User Interface
      • Menu Bar
        • File
          • Load file
          • Script File
          • Script command
          • Produce output files
          • Invoke OS Shell
          • Take database snapshot
          • Save database
          • Save database as...
          • Abort IDA
          • Exit IDA
        • Edit
          • Export data
          • Undo an action
          • Redo an action
          • Clear undo history
          • Disable undo
          • Convert to instruction
          • Convert to data
          • Convert to string literal
          • Convert to array
          • Undefine a byte
          • Give Name to the Location
          • Operand types
            • Offset
            • Number
            • Perform en masse operation
            • Convert operand to character
            • Convert operand to segment
            • Complex Offset Expression
            • Convert operand to symbolic constant (enum)
            • Convert operand to stack variable
            • Change operand sign
            • Bitwise negate operand
            • User-defined operand
            • Set operand type
          • Comments
          • Functions
          • Structs
          • Segments
          • Patch core
          • Other
            • Rename Any Address
          • Plugins
        • Jump
          • Center current line in window
          • Problems List
        • Search
          • REGULAR EXPRESSION SYNTAX SUMMARY
        • View
          • Open subviews
          • Graphs
          • Message Window
          • Arrows window
          • Database snapshot manager
          • Highlighting identifiers
          • Browser options
          • Lumina options
          • Assembler level and C level types
          • C++ type details
          • Bookmarks window
          • Calculator
          • View segment registers
          • View Internal Flags
          • Hide
          • Unhide
          • Del hidden range
          • Hide all items
          • Unhide all items
          • Setup hidden items
        • Debugger
          • Debugger window
          • Process Control
            • Start process
            • Process options
            • Pause process
            • Terminate process
            • Step into
            • Step over
            • Run to cursor
            • Run until return
            • Attach to process
            • Detach from process
            • Set current ip
            • Show application screen
          • Breakpoints
          • Watches
          • Tracing
          • Source code view
            • Watch view (source level)
          • Process Memory
            • Take memory snapshot
            • Manual memory regions
            • Refresh memory
          • Thread list
          • Module list
          • Stack trace
          • Exceptions
          • Debugger options
          • Switch debugger
        • Lumina
        • Options
          • Low & High Suspicious Operand Limits
        • Windows
          • Rename a stack variable
          • Miscellanous Options
          • Environment variables
          • Reset Hidden Messages
          • Various dialog help messages
        • List of all menu options
      • Desktops
      • Command line
      • How To Use List Viewers in IDA
      • Licenses
        • Apache License for Ghidra
        • Apache License for LLVM
        • Common Public License Version 1.0
        • APPLE PUBLIC SOURCE LICENSE
        • PCRE2 LICENCE
        • GNU Lesser General Public License v2.1 for libiberty
      • Database conversion from idb to i64
    • Disassembler
      • Interactivity
      • Background Analysis
      • Graph view
        • Graphing tutorial
      • Proximity view
      • Navigation
        • Anchor
        • How to Enter a Segment Value
        • How to Enter a Number
        • How to Enter an Identifier
        • How to enter text
        • How to Enter an Address
      • Disassembly Gallery
        • Philips 51XA-G3
        • 6502 and 65C02 Disassembler
        • 6301, 6303, 6800, 6801 and 6803 Disassembler
        • 68040, Amiga
        • 6805 Disassembler
        • 6808 Disassembler
        • 6809 OS9 Flex Disassembler
        • 6809 Disassembler
        • 6811 Disassembler
        • 68HC12 Disassembler
        • 68HC16 Disassembler
        • 68k Amiga Disassembler
        • 68k Mac OS
        • 68k Palm Pilot
        • Unix COFF
        • NEC 78k0 and 78k0s Processor
        • 80196 Processor
        • 8051 Disassembler
        • Analog Devices 218x.
        • Alpha Processor – NT COFF
        • Alpha Processor – Unix ELF
        • Android ARM Executables (.elf)
        • ARC Processor
        • ARM Processor EPOC App
        • ARM Processor EPOC PE File
        • ARM Processor EPOC ROMFile
        • EPOC SIS File Handler
        • ARM Processor iOS (iPhone): Unlock
        • ARM Processor iOS (iPhone): Objective-C metadata
        • ARM Processor iOS (iPhone): Objective-C Instance variables
        • ARM Processor iOS (iPhone): Parameter Identification & Tracking (PIT)
        • ARM Processor iOS (iPhone): Start
        • ARM Processor iOS (iPhone): Switch statements
        • ARM Processor iOS (iPhone): C++ signatures
        • ARM Processor iOS (iPhone): Write
        • ARM Processor: Linux ELF
        • ARM Processor: AOF SDK
        • ARM Processor: Windows CE COFF Format
        • ARM Processor: Windows CE PE Format
        • ATMEL AVR Disassembler
        • C166 Processor
        • C166 Processor with ELF file
        • Rockwell C39
        • Microsoft .NET CLI Disassembler. VisualBasic library
        • CR16
        • Android Dalvik Executables (.dex)
        • Microsoft .NET CLI Disassembler
        • DSP56K
        • Fujitsu FR (.elf)
        • Gameboy
        • H8 300: COFF FILE Format
        • H8 300s: COFF FILE Format
        • H8 500
        • HPPA Risc Processor: HP-UX SOM
        • i51
        • i860
        • Intel i960
        • Intel IA-64 (Itanium)
        • Java Bytecode
        • Angstrem KR 1878
        • Renesas/Hitachi M16C
        • Renesas/Hitachi M32R
        • M740
        • M7700
        • M7900
        • MIPS Processor: Nintendo N64
        • MIPS R5900 Processor : Sony bin
        • MIPS Processor: Sony ELF
        • MIPS Processor: Sony PSX
        • MIPS Processor: Sony PSX
        • MIPS Processor: Unix COFF File Format
        • MIPS Processor: Unix ELF File Format
        • MIPS Processor: Windows CE PE File Format
        • MIPS Processor: Windows CE PE2 File Format
        • Panasonic MN102
        • Atmel OAK DSP
        • 80×86 Architecture: DOS Extender
        • 80×86 Architecture: Watcom Runtime
        • 80×86 Architecture: Geos APP
        • 80×86 Architecture: Geos DRV
        • 80×86 Architecture: Geos LIB
        • 80×86 Architecture: GNU COFF Format
        • 80×86 Architecture: OS/2 Linear Executable Format
        • 80×86 Architecture: Netware NLM
        • 80×86 Architecture: QNX Executable
        • 80×86 Architecture: Watcom Runtime
        • 80×86 Architecture: Windows OMF
        • 80×86 Architecture: Windows Portable Executable Format
        • 80×86 Architecture: Windows Virtual Device Driver
        • 80×86 Architecture: Windows 16 bits DLL
        • X-Box Disassembler
        • PDP 11: SAV File
        • PIC
        • PIC 12xx
        • Power PC AIF ECOFF file Format
        • Power PC Linux ELF
        • Mac OS PEF File
        • Mac OS X File
        • Windows NT PE File
        • Hitachi SH-1 Processor
        • Hitachi SH-3 Processor: Windows CE COFF format
        • Hitachi SH-3 Processor: Windows CE PE format
        • Hitachi SH-4 Processor: ELF File Format
        • Hitachi SH-4 Processor: Windows CE PE File Format
        • Super Nintendo Entertainement System (SNES)
        • SPARC Solaris COFF
        • SPARC Solaris ELF
        • SPARC Sun ELF
        • SPARC Sun ELF SO
        • ST 20C4
        • ST 7
        • ST 9
        • Toshiba TLCS 900
        • TMS 320c2 COFF
        • TMS 320c5
        • TMS 320c54
        • TMS 320c6 COFF File Format
        • TRICORE
        • SunPlus unSP
        • NEC V850
        • Z180 COFF File Format
        • Z380 COFF File Format
        • Z8
        • Z80
      • Supported processors
      • Supported file formats
        • Windmp file loader
      • Bitfields
        • Bit Fields tutorial
      • Structures tutorial
      • Union tutorial
      • Variable length structures tutorial
      • Data types, operands and constructs
      • Packed executables
    • Decompiler
      • Prerequisites
      • Quick primer
      • Exception handler
      • Introduction to Decompilation vs. Disassembly
        • Comparisons of ARM disassembly and decompilation
        • Comparisons of PowerPC disassembly and decompilation
        • Comparisons of MIPS disassembly and decompilation
        • Hex-Rays v7.4 vs. v7.3 Decompiler Comparison Page
        • Hex-Rays v7.3 vs. v7.2 Decompiler Comparison Page
        • Hex-Rays v7.2 vs. v7.1 Decompiler Comparison Page
      • Interactive operation
        • Rename
        • Set type
        • Set number representation
        • Edit indented comment
        • Edit block comment
        • Hide/unhide C statements
        • Split/unsplit expression
        • Force call type
        • Set call type
        • Add/del variadic arguments
        • Del function argument
        • Add/delete function return type
        • Jump to cross reference
        • Jump to cross reference globally
        • Generate HTML file
        • Mark/unmark as decompiled
        • Copy to assembly
        • Show/hide casts
        • Reset pointer type
        • Convert to struct *
        • Create new struct type
        • Split variable
        • Select union field
        • Jump to paired paren
        • Collapse/uncollapse item
        • Map to another variable
      • Batch operation
      • Configuration
      • Third party plugins
      • Floating point support
      • Support for intrinsic functions
      • Overlapped variables
      • gooMBA
      • Failures and troubleshooting
      • FAQ
      • Limitations
      • Tips and tricks
    • Debugger
      • Instant debugger
      • Remote debugging
        • Remote iOS Debugger
        • Android debugger
        • Dalvik debugger
        • Remote GDB Debugger
          • Remote GDB Debugger options
          • Debugging with gdbserver
          • Debugging with VMWare
          • Debugging with OpenOCD
          • Debugging with QEMU
          • External programs and GDB Debugger
          • Debugging code snippets with QEMU
        • PIN debugger
          • Building the PIN tool
          • Connecting a remote PIN tool instance from IDA
          • PIN support for MacOSX
        • Replayer debugger
        • Bochs debugger
          • Bochs Disk Image operation mode
          • Bochs IDB operation mode
          • Bochs PE operation mode
          • Bochs debugger FAQ
      • Local debugging
        • WinDbg Debugger
        • Linux debugger
        • Intel/ARM macOS debugger
      • Debugger tutorials
        • Debugging Dalvik Programs
        • IDA Win32 Local Debugging
        • IDA Linux Local Debugging
        • IDA Linux to Win64 Debugging
        • IDA Win32 to Linux Debugging
        • Debugging Mac OSX Applications with IDA Pro
        • Debugging iOS Applications using CoreDevice (iOS 17 and up)
        • Debugging iOS Applications with IDA Pro
        • Debugging Linux Applications locally
        • Debugging Linux/Windows Applications with PIN Tracer module
        • Debugging Windows Applications with IDA Bochs Plugin
        • Debugging Windows Applications with IDA WinDbg Plugin
        • Using the Bochs debugger plugin in Linux
        • Debugging Windows Kernel with VMWare and IDA WinDbg Plugin
        • Debugging Linux Kernel under VMWare using IDA GDB debugger
        • Windows Debugger Hub
        • Linux Debugger
        • Debugging a Windows executable locally and remotely
        • Debugging the XNU Kernel with IDA Pro
        • Remote debugging with IDA Pro
        • IDA Scriptable Debugger: overview
          • IDA Scriptable Debugger: scriptability
        • Debugging code snippets with QEMU debugger (a la IDA Bochs debugger)
        • Trace Replayer and managing traces
        • Using IDA Pro's tracing features
        • Working with PIN
        • Appcall
    • Creating Signatures
      • FLIRT
        • IDA F.L.I.R.T. Technology: In-Depth
        • Generate FLIRT signature file
        • Supported Compilers
          • Turbo Pascal
          • Delphi
      • Makesig
    • Creating Type Libraries
      • IDAClang
      • TILIB
    • Configuration
      • Configuration files
      • Command line switches
      • Keyboard macros
      • UI/Fonts/Themes
      • Shortcuts
      • Customizing IDA
      • CSS-based styling
    • Teams
      • IDA Teams Licenses
      • Diffing and Merging Databases with IDA Teams
      • Teams lc command reference manual
      • hv command reference manual
      • Hex-Rays Vault’s visual client user manual
    • Lumina
      • lc command reference manual
    • Plugins
      • Open Plugin Architecture
      • Plugin options
      • Plugins Shipped with IDA
        • Swift plugin
        • Golang plugin
        • Rust plugin
        • picture_search
        • Objective-C Analysis Plugin
        • DYLD Shared Cache Utils
        • Borland RTTI descriptors plugin
        • DWARF plugin
        • Patfind plugin
        • IDA Feeds
          • FLIRT Signature Bundle
      • Plugin Contest
      • How to write your own plugin?
    • Helper Tools
    • idalib
  • Developer Guide
    • C++ SDK
      • Getting Started with C++ SDK
      • C++ SDK Reference
      • Using the Decompiler SDK: Decompiler plugin
      • C++ SDK examples
      • How to create a plugin in C++?
      • C++ SDK Porting Guide from IDA 8.x to 9.0
    • IDAPython
      • Getting started with IDAPython
      • IDAPython API Reference
      • IDAPython examples
      • How to create a plugin in IDAPython?
      • IDAPython Porting Guide from IDA 8.x to 9.0
    • IDC
      • Core concepts
        • Expressions
        • Statements
        • Functions
        • Variables
        • Constants
        • Exceptions
        • Classes
        • Predefined symbols
        • loader_input_t class
        • Slices
      • IDC API Reference
        • Index of debugger related IDC functions
        • Alphabetical list of IDC functions
          • is_member_id
          • load_type
          • get_member_by_idx
          • get_ordinal_limit
          • set_selector
          • enable_tracing
          • get_prev_fixup_ea
          • del_segm
          • get_bmask_cmt
          • end_type_updating
          • Find
          • toggle_bnot
          • patch_byte
          • get_module_info
          • set_member_name
          • create_float
          • del_struc_member
          • read_dbg_memory
          • get_enum_width
          • getn_thread_name
          • del_struc
          • filelength
          • set_manual_insn
          • is_value...() functions
          • get_ip_val
          • del_extra_cmt
          • create_insn
          • op_offset_high16
          • get_cmt
          • expand_struc
          • get_idb_path
          • set_frame_size
          • get_file_ext
          • has_value
          • readshort
          • sanitize_file_name
          • get_member_flag
          • create_struct
          • ARM specific
          • set_enum_member_cmt
          • rename
          • set_ida_state
          • get_member_size
          • msg
          • qbasename
          • get_enum_member_enum
          • auto_mark_range
          • plan_to_apply_idasgn
          • set_named_type
          • op_offset
          • rename_entry
          • strlen
          • get_extra_cmt
          • get_enum_flag
          • fgetc
          • op_stkvar
          • get_last_index
          • get_field_ea
          • get_struc_id
          • select_thread
          • create_array
          • get_struc_cmt
          • set_array_string
          • set_func_attr
          • set_storage_type
          • get_struc_size
          • demangle_name
          • get_next_fixup_ea
          • get_next_bmask
          • delattr
          • gen_simple_call_chart
          • patch_qword
          • get_enum_name
          • loader_input_t.getc
          • get_debugger_event_cond
          • read_dbg_qword
          • define_local_var
          • generate_disasm_line
          • add_idc_hotkey
          • tolower
          • del_selector
          • set_debugger_event_cond
          • get_imagebase
          • gen_file
          • get_entry
          • find_custom_data_format
          • get_debug_name_ea
          • add_default_til
          • set_func_end
          • exit_process
          • delete_array
          • xtol
          • get_exception_code
          • detach_process
          • set_enum_cmt
          • get_wide_word
          • put_bookmark
          • is_loaded
          • add_enum_member
          • parse_decls
          • readstr
          • get_entry_qty
          • ord
          • sprintf
          • get_root_filename
          • get_enum_member_cmt
          • create_word
          • set_func_flags
          • loader_input_t.tell
          • create_align
          • read_dbg_dword
          • next_addr
          • get_bytes
          • batch
          • start_process
          • process_config_line
          • del_user_info
          • qmakefile
          • set_struc_name
          • print_decls
          • create_custom_data
          • del_enum_member
          • format_cdata
          • get_fixup_target_sel
          • get_item_size
          • loader_input_t.gets
          • get_last_bmask
          • Step Tracing Options
          • selector_by_name
          • get_enum_cmt
          • next_not_tail
          • prev_head
          • set_color
          • set_numbered_type
          • get_member_name
          • auto_wait
          • get_enum_member_bmask
          • fseek
          • get_segm_start
          • attach_process
          • Trace file functions
          • get_enum_member_value
          • op_stroff
          • get_next_offset
          • set_processor_type
          • get_bookmark_desc
          • create_data
          • lastattr
          • get_operand_value
          • collect_stack_trace
          • toupper
          • get_fixup_target_dis
          • set_cmt
          • add_entry
          • set_segm_addressing
          • qmake_full_path
          • get_source_linnum
          • fputc
          • resume_thread
          • get_func_attr
          • get_first_enum_member
          • add_sourcefile
          • get_first_bmask
          • read_selection_start
          • hasattr
          • get_member_cmt
          • gen_flow_graph
          • get_array_element
          • get_tinfo
          • loader_input_t
          • tinfo_errstr
          • TRUNC
          • add_segm_ex
          • Local types information and manipulation helpers
          • set_source_linnum
          • get_next_enum_member
          • loader_input_t.readbytes
          • set_array_params
          • jumpto
          • get_bookmark
          • set_enum_bf
          • prev_not_tail
          • toggle_sign
          • loader_input_t.size
          • Trace events functions
          • get_func_flags
          • get_gotea
          • set_segm_attr
          • get_item_head
          • set_default_sreg_value
          • print_insn_mnem
          • set_member_cmt
          • get_ordinal_qty
          • set_target_assembler
          • add_user_stkpnt
          • set_local_type
          • Hidden ranges
          • del_items
          • compile_idc_text
          • Dalvik debugger extension functions
          • byte_value
          • create_dword
          • is_code
          • del_func
          • get_enum
          • make_array
          • rotate_left
          • recalc_spd
          • search_path
          • CommonBits
          • get_processor_name
          • set_func_cmt
          • get_prev_bmask
          • Hashes
          • split_sreg_range
          • process_ui_action
          • set_fixup
          • get_fixup_target_type
          • create_oword
          • get_flags
          • get_func_name
          • create_strlit
          • add_struc
          • atol
          • load_debugger
          • mkdir
          • sizeof
          • get_enum_member_by_name
          • save_database
          • guess_type
          • get_segm_name
          • print_operand
          • qisabspath
          • get_member_qty
          • set_struc_cmt
          • get_fixup_target_flags
          • idadir
          • object.retrieve
          • add_auto_stkpnt
          • get_numbered_type_name
          • get_enum_member_name
          • get_next_index
          • prev_addr
          • get_name_ea
          • get_sp_delta
          • set_bmask_cmt
          • readlong
          • set_segm_name
          • get_prev_offset
          • set_segm_alignment
          • get_strlit_contents
          • forget_exception
          • get_item_end
          • add_func
          • get_name
          • Asks
          • get_spd
          • Debugger: control
          • get_wide_byte
          • plan_and_wait
          • set_enum_flag
          • RunPythonStatement
          • del_sourcefile
          • find_selector
          • get_frame_regs_size
          • op_num
          • define_exception
          • create_double
          • create_byte
          • read_selection_end
          • OpTypes
          • op_plain_offset
          • move_segm
          • get_member_id
          • set_segm_combination
          • get_current_thread
          • trim
          • Debugger: options
          • getn_thread
          • get_frame_id
          • typeinfo.print
          • to_ea
          • rebase_program
          • add_struc_member
          • get_exception_qty
          • get_first_index
          • import_type
          • set_segm_type
          • find_custom_data_type
          • get_next_seg
          • find_func_end
          • get_last_enum_member
          • getattr
          • get_frame_size
          • get_screen_ea
          • loader_input_t.read
          • set_reg_value
          • Debugger: modules
          • create_pack_real
          • writestr
          • exec_idc
          • get_enum_size
          • set_enum_name
          • create_tbyte
          • sel2para
          • atoa
          • loader_input_t.close
          • add_enum
          • ltoa
          • substr
          • del_idc_hotkey
          • Breakpoint handling functions
          • loader_input_t.seek
          • cleanup_appcall
          • object.store
          • get_type
          • qexit
          • get_debug_name
          • get_array_id
          • Can't Open File
          • suspend_process
          • process_config_directive
          • get_entry_name
          • get_last_member
          • get_struc_name
          • clear_selection
          • fclose
          • firstattr
          • create_yword
          • dbg_appcall
          • get_qword
          • patch_dword
          • begin_type_updating
          • read_dbg_byte
          • get_fpnum
          • qsleep
          • get_first_member
          • get_nsec_stamp
          • del_stkpnt
          • eval
          • savefile
          • eval_python
          • Xrefs
          • strstr
          • writeshort
          • get_sreg
          • get_segm_end
          • get_func_off_str
          • set_func_start
          • del_array_element
          • get_full_flags
          • set_exception_flags
          • rename_array
          • get_frame_args_size
          • op_flt
          • get_min_spd_ea
          • apply_type
          • get_prev_index
          • loadfile
          • retrieve_input_file_md5
          • get_wide_dword
          • patch_dbg_byte
          • Functions provided by the WinDbg debugger
          • get_original_byte
          • get_member_strid
          • call_system
          • writelong
          • get_thread_qty
          • nextattr
          • send_dbg_command
          • get_first_seg
          • get_processes
          • patch_word
          • get_manual_insn
          • ftell
          • get_entry_ordinal
          • set_array_long
          • delete_all_segments
          • TO_LONG
          • Function chunk related functions
          • Debugger: events
          • get_prev_func
          • op_seg
          • validate_idb_names
          • fprintf
          • fopen
          • strfill
          • del_fixup
          • get_bmask_name
          • inf_attr
          • is_bf
          • read_dbg_word
          • qdirname
          • get_segm_attr
          • func_contains
          • del_source_linnum
          • get_sourcefile
          • clr_database_flag
          • set_name
          • Refresh Screen
          • op_enum
          • getn_enum
          • get_db_byte
          • setattr
          • get_forced_operand
          • op_bin
          • Functions provided by the replayer debugger
          • prevattr
          • update_extra_cmt
          • get_str_type
          • op_man
          • choose_func
          • set_bmask_name
          • get_curline
          • decode_insn
          • set_segment_bounds
          • set_segm_class
          • write_dbg_memory
          • get_exception_name
          • get_enum_member
          • is_mapped
          • del_enum
          • get_frame_lvar_size
          • get_operand_type
          • set_root_filename
          • compile_idc_file
          • typeinfo.size
          • get_local_tinfo
          • get_fixup_target_off
          • is_union
          • unlink
          • get_segm_by_sel
          • set_enum_width
          • take_memory_snapshot
          • exec_python
          • get_next_func
          • get_member_offset
          • get_func_cmt
          • parse_decl
          • create_qword
          • next_head
          • suspend_thread
          • loader_input_t.getz
          • get_color
          • get_reg_value
          • load_and_run_plugin
          • set_database_flag
          • set_enum_member_name
          • set_member_type
          • get_prev_enum_member
      • IDC examples
        • Analyzing encrypted code
  • Admin Guide
    • Lumina server
    • Teams server
    • License server
      • Hex-Rays License Server Migration Guide
  • Release Notes
    • IDA 9.0
    • IDA 8.4sp2
    • IDA 8.4sp1
    • IDA 8.4
    • IDA 8.3
    • IDA 8.2sp1
    • IDA 8.2
    • IDA 8.1
    • IDA 8.0sp1
    • IDA 8.0
    • IDA 7.7sp1
    • IDA 7.7
    • IDA 7.6sp1
    • IDA 7.6
    • IDA 7.5sp3
    • IDA 7.5sp2
    • IDA 7.5sp1
    • IDA 7.5
    • IDA 7.4sp1
    • IDA 7.4
    • IDA 7.3
      • IDA 7.3 Undo: IDA can do it
    • IDA 7.2
      • IDA 7.2 The Mac Rundown
    • IDA 7.1
      • IDA 7.1 Debugger API 7.1 Porting Guide
    • IDA 7.0sp1
    • IDA 7.0
      • Internationalization (i18n)
      • Automatic discovery of string literals
      • API 7.0 Porting Guide
      • IDAPython backward compatibility
    • IDA 6.95
    • IDA 6.9
    • IDA 6.8
    • IDA 6.7
    • IDA 6.6
    • IDA 6.5
    • IDA 6.4
    • IDA 6.3
    • IDA 6.2
    • IDA 6.1
    • IDA 6.0
    • IDA 5.7
    • IDA 5.6
    • IDA 5.5
      • 5.5 Gallery
      • 5.5 Comparison
    • IDA 5.4
    • IDA 5.3
    • IDA 5.2
    • IDA 5.1
    • IDA 5.0
    • IDA 4.9SP
    • IDA 4.9
    • IDA 4.8
    • IDA 4.7
    • IDA 4.6
    • IDA 4.x
    • IDA 3.x
    • Cumulative bugfix for IDA
  • Archive
    • IDA’s Windbg plugin
    • IDA’s Bochs debugger plugin
    • IDA’s Bochs debugger plugin 2
    • DosWin32
    • Hex-Rays v1.1 vs. v1.0 Decompiler Comparison Page
    • Hex-Rays v1.2 vs. v1.1 Decompiler Comparison Page
    • Hex-Rays v1.3 vs. v1.2 Decompiler Comparison Page
    • Hex-Rays v1.6 vs. v1.5 Decompiler Comparison Page
    • Hex-Rays v1.7 vs. v1.6 Decompiler Comparison Page
    • Costly Greetings – An Adventure In Hostile Code Analysis
    • An Adventure In Hostile Code Analysis: Description
    • An Adventure In Hostile Code Analysis: Disassembly
    • Improved code flow analysis
    • Program Navigation Bar
    • IDA Home Contest
    • Pimp My IDA: vote results
    • Turning off IDA 6.x compatibility in IDAPython
    • Porting guide for IDA 7.4 turning off IDA 6.x API backwards-compatibility by default
    • Porting guide for IDA 7.4 IDAPython and Python 3
    • IDAPython and Python 3
    • Porting guide for changes in IDAPython-on-Python-3 APIs
    • Debugging iOS Applications With IDA
    • IDA Win32 to Win32 Debugging
    • IDA Win32 to Win64 Debugging
    • Legacy license server: Floating Licenses
      • Installing on Linux
      • Installing on Windows
      • Installing on OS X
    • Decompiler Installation
    • Enumerated types tutorial
  • Bug Bounty
Powered by GitBook
LogoLogo

Need Help?

  • FAQs
  • Support

Community

  • Forum
  • Plugins

Resources

  • Blog
  • Download center

© 2025 Copyright Hex-Rays

On this page
  • Side-by-side comparisons of disassembly and decompilation
  • Division by two
  • Simple enough?
  • Where's my variable?
  • Arithmetics is not a rocket science
  • Sample window procedure
  • Short-circuit evaluation
  • Inlined string operations

Was this helpful?

Export as PDF
  1. User Guide
  2. Decompiler

Introduction to Decompilation vs. Disassembly

A decompiler represents executable binary files in a readable form. More precisely, it transforms binary code into text that software developers can read and modify. The software security industry relies on this transformation to analyze and validate programs. The analysis is performed on the binary code because the source code (the text form of the software) traditionally is not available, because it is considered a commercial secret.

Programs to transform binary code into text form have always existed. Simple one-to-one mapping of processor instruction codes into instruction mnemonics is performed by disassemblers. Many disassemblers are available on the market, both free and commercial. The most powerful disassembler is our own IDA Pro. It can handle binary code for a huge number of processors and has open architecture that allows developers to write add-on analytic modules.

Decompilers are different from disassemblers in one very important aspect. While both generate human readable text, decompilers generate much higher level text which is more concise and much easier to read.

Compared to low level assembly language, high level language representation has several advantages:

  • It is consise.

  • It is structured.

  • It doesn't require developers to know the assembly language.

  • It recognizes and converts low level idioms into high level notions.

  • It is less confusing and therefore easier to understand.

  • It is less repetitive and less distracting.

  • It uses data flow analysis.

Let's consider these points in detail.

Usually the decompiler's output is five to ten times shorter than the disassembler's output. For example, a typical modern program contains from 400KB to 5MB of binary code. The disassembler's output for such a program will include around 5-100MB of text, which can take anything from several weeks to several months to analyze completely. Analysts cannot spend this much time on a single program for economic reasons.

The decompiler's output for a typical program will be from 400KB to 10MB. Although this is still a big volume to read and understand (about the size of a thick book), the time needed for analysis time is divided by 10 or more.

The second big difference is that the decompiler output is structured. Instead of a linear flow of instructions where each line is similar to all the others, the text is indented to make the program logic explicit. Control flow constructs such as conditional statements, loops, and switches are marked with the appropriate keywords.

The decompiler's output is easier to understand than the disassembler's output because it is high level. To be able to use a disassembler, an analyst must know the target processor's assembly language. Mainstream programmers do not use assembly languages for everyday tasks, but virtually everyone uses high level languages today. Decompilers remove the gap between the typical programming languages and the output language. More analysts can use a decompiler than a disassembler.

Decompilers convert assembly level idioms into high-level abstractions. Some idioms can be quite long and time consuming to analyze. The following one line code

x = y / 2;

can be transformed by the compiler into a series of 20-30 processor instructions. It takes at least 15- 30 seconds for an experienced analyst to recognize the pattern and mentally replace it with the original line. If the code includes many such idioms, an analyst is forced to take notes and mark each pattern with its short representation. All this slows down the analysis tremendously. Decompilers remove this burden from the analysts.

The amount of assembler instructions to analyze is huge. They look very similar to each other and their patterns are very repetitive. Reading disassembler output is nothing like reading a captivating story. In a compiler generated program 95% of the code will be really boring to read and analyze. It is extremely easy for an analyst to confuse two similar looking snippets of code, and simply lose his way in the output. These two factors (the size and the boring nature of the text) lead to the following phenomenon: binary programs are never fully analyzed. Analysts try to locate suspicious parts by using some heuristics and some automation tools. Exceptions happen when the program is extremely small or an analyst devotes a disproportionally huge amount of time to the analysis. Decompilers alleviate both problems: their output is shorter and less repetitive. The output still contains some repetition, but it is manageable by a human being. Besides, this repetition can be addressed by automating the analysis.

Repetitive patterns in the binary code call for a solution. One obvious solution is to employ the computer to find patterns and somehow reduce them into something shorter and easier for human analysts to grasp. Some disassemblers (including IDA Pro) provide a means to automate analysis. However, the number of available analytical modules stays low, so repetitive code continues to be a problem. The main reason is that recognizing binary patterns is a surprisingly difficult task. Any "simple" action, including basic arithmetic operations such as addition and subtraction, can be represented in an endless number of ways in binary form. The compiler might use the addition operator for subtraction and vice versa. It can store constant numbers somewhere in its memory and load them when needed. It can use the fact that, after some operations, the register value can be proven to be a known constant, and just use the register without reinitializing it. The diversity of methods used explains the small number of available analytical modules.

The situation is different with a decompiler. Automation becomes much easier because the decompiler provides the analyst with high level notions. Many patterns are automatically recognized and replaced with abstract notions. The remaining patterns can be detected easily because of the formalisms the decompiler introduces. For example, the notions of function parameters and calling conventions are strictly formalized. Decompilers make it extremely easy to find the parameters of any function call, even if those parameters are initialized far away from the call instruction. With a disassembler, this is a daunting task, which requires handling each case individually.

Decompilers, in contrast with disassemblers, perform extensive data flow analysis on the input. This means that questions such as, "Where is the variable initialized?"" and, "Is this variable used?" can be answered immediately, without doing any extensive search over the function. Analysts routinely pose and answer these questions, and having the answers immediately increases their productivity.

Side-by-side comparisons of disassembly and decompilation

Below you will find side-by-side comparisons of disassembly and decompilation outputs. The following examples are available:

The following examples are displayed on this page:

Division by two

Just note the difference in size! While the disassemble output requires you not only to know that the compilers generate such convoluted code for signed divisions and modulo operations, but you will also have to spend your time recognizing the patterns. Needless to say, the decompiler makes things really simple.

; =============== S U B R O U T I N E =======================================
; int __cdecl sub_4061C0(char *Str, char *Dest)
sub_4061C0      proc near               ; CODE XREF: sub_4062F0+15p
                                        ; sub_4063D4+21p ...
Str             = dword ptr  4
Dest            = dword ptr  8
                push    esi
                push    offset aSmtp_   ; "smtp."
                push    [esp+8+Dest]    ; Dest
                call    _strcpy
                mov     esi, [esp+0Ch+Str]
                push    esi             ; Str
                call    _strlen
                add     esp, 0Ch
                xor     ecx, ecx
                test    eax, eax
                jle     short loc_4061ED
loc_4061E2:                             ; CODE XREF: sub_4061C0+2Bj
                cmp     byte ptr [ecx+esi], 40h
                jz      short loc_4061ED
                inc     ecx
                cmp     ecx, eax
                jl      short loc_4061E2
loc_4061ED:                             ; CODE XREF: sub_4061C0+20j
                                        ; sub_4061C0+26j
                dec     eax
                cmp     ecx, eax
                jl      short loc_4061F6
                xor     eax, eax
                pop     esi
                retn
; ---------------------------------------------------------------------------
loc_4061F6:                             ; CODE XREF: sub_4061C0+30j
                lea     eax, [ecx+esi+1]
                push    eax             ; Source
                push    [esp+8+Dest]    ; Dest
                call    _strcat
                pop     ecx
                pop     ecx
                push    1
                pop     eax
                pop     esi
                retn
sub_4061C0      endp
signed int __cdecl sub_4061C0(char *Str, char *Dest)
{
  int len; // eax@1
  int i; // ecx@1
  char *str2; // esi@1
  signed int result; // eax@5
  strcpy(Dest, "smtp.");
  str2 = Str;
  len = strlen(Str);
  for ( i = 0; i < len; ++i )
  {
    if ( str2[i] == 64 )
      break;
  }
  if ( i < len - 1 )
  {
    strcat(Dest, &str2[i + 1]);
    result = 1;
  }
  else
  {
    result = 0;
  }
  return result;
}

Simple enough?

Questions like

  • What are the possible return values of the function?

  • Does the function use any strings?

  • What does the function do?

can be answered almost instantaneously looking at the decompiler output. Needless to say that it looks better because I renamed the local variables. In the disassembler, registers are renamed very rarely because it hides the register use and can lead to confusion.

; =============== S U B R O U T I N E =======================================
; int __cdecl sub_4061C0(char *Str, char *Dest)
sub_4061C0      proc near               ; CODE XREF: sub_4062F0+15p
                                        ; sub_4063D4+21p ...
Str             = dword ptr  4
Dest            = dword ptr  8
                push    esi
                push    offset aSmtp_   ; "smtp."
                push    [esp+8+Dest]    ; Dest
                call    _strcpy
                mov     esi, [esp+0Ch+Str]
                push    esi             ; Str
                call    _strlen
                add     esp, 0Ch
                xor     ecx, ecx
                test    eax, eax
                jle     short loc_4061ED
loc_4061E2:                             ; CODE XREF: sub_4061C0+2Bj
                cmp     byte ptr [ecx+esi], 40h
                jz      short loc_4061ED
                inc     ecx
                cmp     ecx, eax
                jl      short loc_4061E2
loc_4061ED:                             ; CODE XREF: sub_4061C0+20j
                                        ; sub_4061C0+26j
                dec     eax
                cmp     ecx, eax
                jl      short loc_4061F6
                xor     eax, eax
                pop     esi
                retn
; ---------------------------------------------------------------------------
loc_4061F6:                             ; CODE XREF: sub_4061C0+30j
                lea     eax, [ecx+esi+1]
                push    eax             ; Source
                push    [esp+8+Dest]    ; Dest
                call    _strcat
                pop     ecx
                pop     ecx
                push    1
                pop     eax
                pop     esi
                retn
sub_4061C0      endp
signed int __cdecl sub_4061C0(char *Str, char *Dest)
{
  int len; // eax@1
  int i; // ecx@1
  char *str2; // esi@1
  signed int result; // eax@5
  strcpy(Dest, "smtp.");
  str2 = Str;
  len = strlen(Str);
  for ( i = 0; i < len; ++i )
  {
    if ( str2[i] == 64 )
      break;
  }
  if ( i < len - 1 )
  {
    strcat(Dest, &str2[i + 1]);
    result = 1;
  }
  else
  {
    result = 0;
  }
  return result;
}

Where's my variable?

IDA highlights the current identifier. This feature turns out to be much more useful with high level output. In this sample, I tried to trace how the retrieved function pointer is used by the function. In the disassembly output, many wrong eax occurrences are highlighted while the decompiler did exactly what I wanted.

; =============== S U B R O U T I N E =======================================
; int __cdecl myfunc(wchar_t *Str, int)
myfunc          proc near               ; CODE XREF: sub_4060+76p
                                        ; .text:42E4p
Str             = dword ptr  4
arg_4           = dword ptr  8
                mov     eax, dword_1001F608
                cmp     eax, 0FFFFFFFFh
                jnz     short loc_10003AB6
                push    offset aGetsystemwindo ; "GetSystemWindowsDirectoryW"
                push    offset aKernel32_dll ; "KERNEL32.DLL"
                call    ds:GetModuleHandleW
                push    eax             ; hModule
                call    ds:GetProcAddress
                mov     dword_1001F608, eax
loc_10003AB6:                           ; CODE XREF: myfunc+8j
                test    eax, eax
                push    esi
                mov     esi, [esp+4+arg_4]
                push    edi
                mov     edi, [esp+8+Str]
                push    esi
                push    edi
                jz      short loc_10003ACA
                call    eax ; dword_1001F608
                jmp     short loc_10003AD0
; ---------------------------------------------------------------------------
loc_10003ACA:                           ; CODE XREF: myfunc+34j
                call    ds:GetWindowsDirectoryW
loc_10003AD0:                           ; CODE XREF: myfunc+38j
                sub     esi, eax
                cmp     esi, 5
                jnb     short loc_10003ADD
                pop     edi
                add     eax, 5
                pop     esi
                retn
; ---------------------------------------------------------------------------
loc_10003ADD:                           ; CODE XREF: myfunc+45j
                push    offset aInf_0   ; "\\inf"
                push    edi             ; Dest
                call    _wcscat
                push    edi             ; Str
                call    _wcslen
                add     esp, 0Ch
                pop     edi
                pop     esi
                retn
myfunc          endp
size_t __cdecl myfunc(wchar_t *buf, int bufsize)
{
  int (__stdcall *func)(_DWORD, _DWORD); // eax@1
  wchar_t *buf2; // edi@3
  int bufsize; // esi@3
  UINT dirlen; // eax@4
  size_t outlen; // eax@7
  HMODULE h; // eax@2
  func = g_fptr;
  if ( g_fptr == (int (__stdcall *)(_DWORD, _DWORD))-1 )
  {
    h = GetModuleHandleW(L"KERNEL32.DLL");
    func = (int (__stdcall *)(_DWORD, _DWORD))
                GetProcAddress(h, "GetSystemWindowsDirectoryW");
    g_fptr = func;
  }
  bufsize = bufsize;
  buf2 = buf;
  if ( func )
    dirlen = func(buf, bufsize);
  else
    dirlen = GetWindowsDirectoryW(buf, bufsize);
  if ( bufsize - dirlen >= 5 )
  {
    wcscat(buf2, L"\\inf");
    outlen = wcslen(buf2);
  }
  else
  {
    outlen = dirlen + 5;
  }
  return outlen;
}

                        

Arithmetics is not a rocket science

Arithmetics is not a rocket science but it is always better if someone handles it for you. You have more important things to focus on.

; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; sgell(__int64, __int64)
                public @sgell$qjj
@sgell$qjj      proc near
arg_0           = dword ptr  8
arg_4           = dword ptr  0Ch
arg_8           = dword ptr  10h
arg_C           = dword ptr  14h
                push    ebp
                mov     ebp, esp
                mov     eax, [ebp+arg_0]
                mov     edx, [ebp+arg_4]
                cmp     edx, [ebp+arg_C]
                jnz     short loc_10226
                cmp     eax, [ebp+arg_8]
                setnb   al
                jmp     short loc_10229
; ---------------------------------------------------------------------------
loc_10226:                          ; CODE XREF: sgell(__int64,__int64)+Cj
                setnl   al
loc_10229:                          ; CODE XREF: sgell(__int64,__int64)+14j
                and     eax, 1
                pop     ebp
                retn
@sgell$qjj      endp
bool __cdecl sgell(__int64 a1, __int64 a2)
{
  return a1 >= a2;
}

Sample window procedure

The decompiler recognized a switch statement and nicely represented the window procedure. Without this little help the user would have to calculate the message numbers herself. Nothing particularly difficult, just time consuming and boring. What if she makes a mistake?...

; =============== S U B R O U T I N E =======================================
wndproc         proc near               ; DATA XREF: sub_4010E0+21o
Paint           = tagPAINTSTRUCT ptr -0A4h
Buffer          = byte ptr -64h
hWnd            = dword ptr  4
Msg             = dword ptr  8
wParam          = dword ptr  0Ch
lParam          = dword ptr  10h
                mov     ecx, hInstance
                sub     esp, 0A4h
                lea     eax, [esp+0A4h+Buffer]
                push    64h             ; nBufferMax
                push    eax             ; lpBuffer
                push    6Ah             ; uID
                push    ecx             ; hInstance
                call    ds:LoadStringA
                mov     ecx, [esp+0A4h+Msg]
                mov     eax, ecx
                sub     eax, 2
                jz      loc_4013E8
                sub     eax, 0Dh
                jz      loc_4013B2
                sub     eax, 102h
                jz      short loc_401336
                mov     edx, [esp+0A4h+lParam]
                mov     eax, [esp+0A4h+wParam]
                push    edx             ; lParam
                push    eax             ; wParam
                push    ecx             ; Msg
                mov     ecx, [esp+0B0h+hWnd]
                push    ecx             ; hWnd
                call    ds:DefWindowProcA
                add     esp, 0A4h
                retn    10h
; ---------------------------------------------------------------------------
loc_401336:                             ; CODE XREF: wndproc+3Cj
                mov     ecx, [esp+0A4h+wParam]
                mov     eax, ecx
                and     eax, 0FFFFh
                sub     eax, 68h
                jz      short loc_40138A
                dec     eax
                jz      short loc_401371
                mov     edx, [esp+0A4h+lParam]
                mov     eax, [esp+0A4h+hWnd]
                push    edx             ; lParam
                push    ecx             ; wParam
                push    111h            ; Msg
                push    eax             ; hWnd
                call    ds:DefWindowProcA
                add     esp, 0A4h
                retn    10h
; ---------------------------------------------------------------------------
loc_401371:                             ; CODE XREF: wndproc+7Aj
                mov     ecx, [esp+0A4h+hWnd]
                push    ecx             ; hWnd
                call    ds:DestroyWindow
                xor     eax, eax
                add     esp, 0A4h
                retn    10h
; ---------------------------------------------------------------------------
loc_40138A:                             ; CODE XREF: wndproc+77j
                mov     edx, [esp+0A4h+hWnd]
                mov     eax, hInstance
                push    0               ; dwInitParam
                push    offset DialogFunc ; lpDialogFunc
                push    edx             ; hWndParent
                push    67h             ; lpTemplateName
                push    eax             ; hInstance
                call    ds:DialogBoxParamA
                xor     eax, eax
                add     esp, 0A4h
                retn    10h
; ---------------------------------------------------------------------------
loc_4013B2:                             ; CODE XREF: wndproc+31j
                push    esi
                mov     esi, [esp+0A8h+hWnd]
                lea     ecx, [esp+0A8h+Paint]
                push    ecx             ; lpPaint
                push    esi             ; hWnd
                call    ds:BeginPaint
                push    eax             ; HDC
                push    esi             ; hWnd
                call    my_paint
                add     esp, 8
                lea     edx, [esp+0A8h+Paint]
                push    edx             ; lpPaint
                push    esi             ; hWnd
                call    ds:EndPaint
                pop     esi
                xor     eax, eax
                add     esp, 0A4h
                retn    10h
; ---------------------------------------------------------------------------
loc_4013E8:                             ; CODE XREF: wndproc+28j
                push    0               ; nExitCode
                call    ds:PostQuitMessage
                xor     eax, eax
                add     esp, 0A4h
                retn    10h
wndproc         endp

LRESULT __stdcall wndproc(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
  LRESULT result; // eax@4
  HWND h; // esi@10
  HDC dc; // eax@10
  CHAR Buffer; // [sp+40h] [bp-64h]@1
  struct tagPAINTSTRUCT Paint; // [sp+0h] [bp-A4h]@10
  LoadStringA(hInstance, 0x6Au, &Buffer, 100);
  switch ( Msg )
  {
    case 2u:
      PostQuitMessage(0);
      result = 0;
      break;
    case 15u:
      h = hWnd;
      dc = BeginPaint(hWnd, &Paint);
      my_paint(h, dc);
      EndPaint(h, &Paint);
      result = 0;
      break;
    case 273u:
      if ( (_WORD)wParam == 104 )
      {
        DialogBoxParamA(hInstance, (LPCSTR)0x67, hWnd, DialogFunc, 0);
        result = 0;
      }
      else
      {
        if ( (_WORD)wParam == 105 )
        {
          DestroyWindow(hWnd);
          result = 0;
        }
        else
        {
          result = DefWindowProcA(hWnd, 0x111u, wParam, lParam);
        }
      }
      break;
    default:
      result = DefWindowProcA(hWnd, Msg, wParam, lParam);
      break;
  }
  return result;
}

Short-circuit evaluation

loc_804BCC7:                            ; CODE XREF: sub_804BB10+A42j
                mov     [esp+28h+var_24], offset aUnzip ; "unzip"
                xor     eax, eax
                test    esi, esi
                setnz   al
                mov     edx, 1
                mov     ds:dword_804FBAC, edx
                lea     eax, [eax+eax+1]
                mov     ds:dword_804F780, eax
                mov     eax, ds:dword_804FFD4
                mov     [esp+28h+var_28], eax
                call    _strstr
                test    eax, eax
                jz      loc_804C4F1
loc_804BCFF:                            ; CODE XREF: sub_804BB10+9F8j
                mov     eax, 2
                mov     ds:dword_804FBAC, eax
loc_804BD09:                            ; CODE XREF: sub_804BB10+9FEj
                mov     [esp+28h+var_24], offset aZ2cat ; "z2cat"
                mov     eax, ds:dword_804FFD4
                mov     [esp+28h+var_28], eax
                call    _strstr
                test    eax, eax
                jz      loc_804C495
loc_804BD26:                            ; CODE XREF: sub_804BB10+99Cj
                                        ; sub_804BB10+9B9j ...
                mov     eax, 2
                mov     ds:dword_804FBAC, eax
                xor     eax, eax
                test    esi, esi
                setnz   al
                inc     eax
                mov     ds:dword_804F780, eax
  .............................. SKIP ............................
loc_804C495:                            ; CODE XREF: sub_804BB10+210j
                mov     [esp+28h+var_24], offset aZ2cat_0 ; "Z2CAT"
                mov     eax, ds:dword_804FFD4
                mov     [esp+28h+var_28], eax
                call    _strstr
                test    eax, eax
                jnz     loc_804BD26
                mov     [esp+28h+var_24], offset aZcat ; "zcat"
                mov     eax, ds:dword_804FFD4
                mov     [esp+28h+var_28], eax
                call    _strstr
                test    eax, eax
                jnz     loc_804BD26
                mov     [esp+28h+var_24], offset aZcat_0 ; "ZCAT"
                mov     eax, ds:dword_804FFD4
                mov     [esp+28h+var_28], eax
                call    _strstr
                test    eax, eax
                jnz     loc_804BD26
                jmp     loc_804BD3D
; ---------------------------------------------------------------------------
loc_804C4F1:                            ; CODE XREF: sub_804BB10+1E9j
                mov     [esp+28h+var_24], offset aUnzip_0 ; "UNZIP"
                mov     eax, ds:dword_804FFD4
                mov     [esp+28h+var_28], eax
                call    _strstr
                test    eax, eax
                jnz     loc_804BCFF
                jmp     loc_804BD09
dword_804F780 = 2 * (v9 != 0) + 1;
  if ( strstr(dword_804FFD4, "unzip") || strstr(dword_804FFD4, "UNZIP") )
    dword_804FBAC = 2;
  if ( strstr(dword_804FFD4, "z2cat")
    || strstr(dword_804FFD4, "Z2CAT")
    || strstr(dword_804FFD4, "zcat")
    || strstr(dword_804FFD4, "ZCAT") )
  {
    dword_804FBAC = 2;
    dword_804F780 = (v9 != 0) + 1;
  }

Inlined string operations

The decompiler tries to recognize frequently inlined string functions such as strcmp, strchr, strlen, etc. In this code snippet, calls to the strlen function has been recognized.

 mov     eax, [esp+argc]
                sub     esp, 8
                push    ebx
                push    ebp
                push    esi
                lea     ecx, ds:0Ch[eax*4]
                push    edi
                push    ecx             ; unsigned int
                call    ??2@YAPAXI@Z    ; operator new(uint)
                mov     edx, [esp+1Ch+argv]
                mov     ebp, eax
                or      ecx, 0FFFFFFFFh
                xor     eax, eax
                mov     esi, [edx]
                add     esp, 4
                mov     edi, esi
                repne scasb
                not     ecx
                dec     ecx
                cmp     ecx, 4
                jl      short loc_401064
                cmp     byte ptr [ecx+esi-4], '.'
                jnz     short loc_401064
                mov     al, [ecx+esi-3]
                cmp     al, 'e'
                jz      short loc_401047
                cmp     al, 'E'
                jnz     short loc_401064
loc_401047:                             ; CODE XREF: _main+41j
                mov     al, [ecx+esi-2]
                cmp     al, 'x'
                jz      short loc_401053
                cmp     al, 'X'
                jnz     short loc_401064
loc_401053:                             ; CODE XREF: _main+4Dj
                mov     al, [ecx+esi-1]
                cmp     al, 'e'
                jz      short loc_40105F
                cmp     al, 'E'
                jnz     short loc_401064
loc_40105F:                             ; CODE XREF: _main+59j
                mov     byte ptr [ecx+esi-4], 0
loc_401064:                             ; CODE XREF: _main+32j _main+39j ... 
                mov     edi, esi
                or      ecx, 0FFFFFFFFh
                xor     eax, eax
                repne scasb
                not     ecx
                add     ecx, 3
                push    ecx             ; unsigned int
                call    ??2@YAPAXI@Z    ; operator new(uint)
                mov     edx, eax

Last updated 7 months ago

Was this helpful?

This is an excerpt from a big function to illustrate . Complex things happen in long functions and it is very handy to have the decompiler to represent things in a human way. Please note how the code that was scattered over the address space is concisely displayed in two if statements.

short-circuit evaluation
Division by two
Simple enough?
Where's my variable?
Arithmetics is not a rocket science
Sample window procedure
Short-circuit evaluation
Inlined string operations
IDA disassembler output
IDA decompiler output