Hex-Rays v7.3 vs. v7.2 Decompiler Comparison Page

Below you will find side-by-side comparisons of v7.2 and v7.3 decompilations. Please maximize the window too see both columns simultaneously.

The following examples are displayed on this page:

NOTE: these are just some selected examples that can be illustrated as side-by-side differences. There are many other improvements and new features that are not mentioned on this page. We just got tired selecting them. Some of the improvements that did not do to this page:

  • objc-related improvements

  • value range analysis can eliminate more useless code

  • better resolving of got-relative memory references

  • too big shift amounts are converted to lower values (e.g. 33->1)

  • more for-loops

  • better handling of fragemented variables

  • many other things...


More hexadecimal numbers in the output

When a constant looks nicer as a hexadecimal number, we print it as a hexadecimal number by default. Naturally, beauty is in the eye of the beholder, but the new beahavior will produce more readable code, and less frequently you will fell compelled to change the number representation. By the way, this tiny change is just one of numerious improvements that we keep adding in each release. Most of them go literally unnoticed. It is just this time we decided to talk about them

bool __fastcall ge_100000001(__int64 a1)
{
  return a1 >= 0x100000001LL;
}

Support for variable size structures

EfiBootRecord points to a structure that has RecordExtents[0] as the last member. Such structures are considered as variable size structures in C/C++. Now we handle them nicely.

BlockNumber = EfiBootRecord->RecordExtents[ExtentIndex64].BlockNumber;
BlockCount = EfiBootRecord->RecordExtents[ExtentIndex64].BlockCount;

UTF-32 strings are printed inline

We were printing UTF-8 and other string types, UTF-32 was not supported yet. Now we print it with the 'U' prefix.

v3 = std::operator<<<std::char_traits<char>>(&std::cout, U"This is U\"Hello\"

Better argument detection for printf

The difference between these outputs is subtle but pleasant. The new version managed to determine the variable types based on the printf format string. While the old version ended up with int a2, int a3, the new version correctly determined them as one __int64 a2.

int __fastcall ididi(int a1, __int64 a2, int a3, __int64 a4, int a5)
{
  int varg_r0; // [sp+28h] [bp-10h]
  __int64 varg_r2; // [sp+30h] [bp-8h]

  varg_r0 = a1;
  varg_r2 = a2;
  my_print("d=%I64d\n", a2);
  my_print("d1=%I64d\n", a4);
  my_print("%d-%I64d-%d-%I64d-%d\n", varg_r0, varg_r2, a3, a4, a5);
  return 0;
}

Better argument detection for scanf

A similar logic works for scanf-like functions. Please note that the old version was misdetecting the number of arguments. It was possible to correct the misdetected arguments using the Numpad-Minus hotkey but it is always better when there is less routine work on your shoulders, right?

scanf("8: %d%i %x%o %s%s %C%c", &v12, &v7, &v3, &v4, &v2, &v9, &v8, &v13);
scanf("8:   %[ a-z]%c %2c%c %2c%2c %[ a-z]%c", &v12, &v7, &v3, &v4, &v2, &v9, &v8, &v13);

Resolved TEB references

While seasoned reversers know what is located at fs:0, it is still better to have it spelled out. Besides, the type of v15 is automatically detected as struct _EXCEPTION_REGISTRATION_RECORD *.

v15 = NtCurrentTeb()->NtTib.ExceptionList;

Better automatic selection of union fields

Again, the user can specify the union field that should be used in the output (the hotkey is Alt-Y) but there are situations when it can be automatically determined based on the access type and size. The above example illustrates this point. JFYI, the type of entry is:

union __XmStringEntryRec
{
  _XmStringEmptyHeader empty;
  _XmStringOptSegHdrRec single;
  _XmStringUnoptSegHdrRec unopt_single;
  _XmStringArraySegHdrRec multiple;
};
struct __XmStringEmptyHeader
{
  unsigned __int32 type : 2;
};
struct __XmStringOptSegHdrRec
{
  unsigned __int32 type : 2;
  unsigned __int32 text_type : 2;
  unsigned __int32 tag_index : 3;
  unsigned __int32 rend_begin : 1;
  unsigned __int8 byte_count;
  unsigned __int32 rend_end : 1;
  unsigned __int32 rend_index : 4;
  unsigned __int32 str_dir : 2;
  unsigned __int32 flipped : 1;
  unsigned __int32 tabs_before : 3;
  unsigned __int32 permanent : 1;
  unsigned __int32 soft_line_break : 1;
  unsigned __int32 immediate : 1;
  unsigned __int32 pad : 2;
};

While we can not handle bitfields yet, their presence does not prevent using other, regular fields, of the structure.

if ( entry->single.byte_count )

Yet one more example of union fields

I could not resist the temptation to include one more example of automatic union selection. How beautiful the code on the right is!

void __fastcall h_generic_calc_Perm32x8(V256 *res, V256 *argL, V256 *argR)
{
  res->w32[0] = argL->w32[argR->w32[0] & 7];
  res->w32[1] = argL->w32[argR->w32[1] & 7];
  res->w32[2] = argL->w32[argR->w32[2] & 7];
  res->w32[3] = argL->w32[argR->w32[3] & 7];
  res->w32[4] = argL->w32[argR->w32[4] & 7];
  res->w32[5] = argL->w32[argR->w32[5] & 7];
  res->w32[6] = argL->w32[argR->w32[6] & 7];
  res->w32[7] = argL->w32[argR->w32[7] & 7];
}

Improved support for EABI helpers

No comments needed, we hope. The new decompiler managed to fold constant expressions after replacing EABI helpers with corresponding operators.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  printf("r = %d == 42\n", 42);
  printf("r = %lld == 42\n", 42LL);
  printf("ABORT %d\n", 0x40000001);
  return 0;
}

Improved local variable allocation

Now it works better especially in complex cases.

tbd

Better recognizition of string references

In this case too, the user could set the prototype of sub_1135FC as accepting a char * and this would be enough to reveal string references in the output, but the new decompiler can do it automatically.

  sub_1135FC(-266663568, "This is a long long long string");
  if ( v2 > 0x48u )
  {
    sub_108998("Another str");

Better handling of structures returned by value

The code on the left had a very awkward sequence to copy a structure. The code on the right eliminates it as unnecessary and useless.

  _BYTE v1[12]; // rax
  ...
  return *(mystruct *)v1;
}

More while loops

Do you care about this improvement? Probably you do not care because the difference is tiny. However, in additon to be simpler, the code on the right eliminated a temporary variable, v5. A tiny improvement, but an improvement it is.

while ( *++v4 )
    ;

Shorter code

Another tiny improvement made the output considerably shorter. We like it!

unsigned __int8 *__fastcall otp_memset(unsigned __int8 *pDest, unsigned __int8 val, int size)
{
  unsigned __int8 *i; // r3

  for ( i = pDest; (unsigned int)size-- >= 1; ++i )
    *i = val;
  return pDest;
}

Improved recognition of magic divisions

This is a very special case: a division that uses the rcr instruction. Our microcode does not have the opcode for it but we implemented the logic to handle some special cases, just so you do not waste your time trying to decipher the meaning of convoluted code (yes, rcr means code that is difficult to understand).

unsigned __int64 __fastcall konst_mod251_shr3(unsigned __int64 a1)
{
  return (a1 >> 3) % 0xFB;
}

Less gotos

Well, we can not say that we produce less gotos in all cases, but there is some improvement for sure. Second, note that the return type got improved too: now it is immediately visible that the function returns a boolean (0/1) value.

_BOOL8 __fastcall sub_0(__int64 a1, int *a2)
{
  int v2; // eax
  int v3; // eax
  int v4; // eax

  v2 = *a2;
  if ( *a2 > 522 )
  {
    v4 = v2 - 4143;
    return !v4 || v4 == 40950;
  }
  if ( v2 != 522 )
  {
    v3 = v2 - 71;
    if ( v3 )
    {
      if ( (unsigned int)(v3 - 205) >= 2 )
        return 0;
    }
  }
  return 1;
}

Division may generate an exception

What a surprise, the code on the right is longer and more complex! Indeed, it is so, and it is because now the decompiler is more careful with the division instructions. They potentially may generate the zero division exception and completely hiding them from the output may be misleading. If you prefer the old behaviour, turn off the division preserving in the configuration file.

__int64 __fastcall sub_4008C0(int a1)
{
  int v1; // ecx
  int v2; // edx
  int v4; // [rsp+0h] [rbp-4h]

  v1 = 2;
  if ( a1 > 2 )
  {
    do
    {
      nanosleep(&rmtp, &rqtp);
      v2 = a1 % v1++;
      v4 = 1 / v2;
    }
    while ( v1 != a1 );
  }
  return 0LL;
}

Order of variadic arguments

Do you notice the difference? If not, here is a hint: the order of arguments of sub_88 is different. The code on the right is more correct because the the format specifiers match the variable types. For example, %f matches float a. At the first sight the code on the left looks completely wrong but (surprise!) it works correctly on x64 machines. It is so because floating point and integer arguments are passed at different locations, so the relative order of floating/integer arguments in the call does not matter much. Nevertheless, the code on the right causes less confusion.

int __cdecl func1(const float a, int b, void *c)
{
  return sub_88("%f, %d, %p\n", a, (unsigned int)b, c);
}

Improved division recognition

This is a never ending battle, but we advance!

int int_h_mod_m32ui64(void)
{
  return h() % 32;
}

Last updated