Maximize the power of hex-rays decompiler - Igor Kirillov

Insomni'hack 2018
Title: Maximize the power of hex-rays decompiler
Speaker: Igor Kirillov

The IDA Pro Hex-Rays decompiler serves as a perfect abstraction layer over assembly language.
Its main advantage is that it lets you modify the pseudo-code, making it as transparent and clear as possible. However, the process is extremely laborious, time-consuming, and even tedious, because, as a rule, the original code is a complete mash of standard types and variables. The standard functionality IDA Pro is equipped with is not of much help either. A major stumbling block all researchers come across in the process is structure recovery. In decompiled code, field references look like pointer dereferences with some offset. The core feature of the HexRaysPyTools plugin enables its user to collect these references from the code in a semi-automatic mode. After that, the information gathered in the GUI may be corrected and transformed into a complete structure.

The plugin also adds cross-references by structure field, making it much easier to identify the purposes the fields serve. Along with that, the plugin is equipped with a wide range of features that simplify the process of reverse engineering:
- Symbols and RTTI information are used to create names of virtual tables and classes
- Assert functions can be used to automatically rename functions
- The GUI for classes and their methods
- Makes structure graphs
- Negative offsets handling
- Makes recasts and changes names. Simplifies the process of changing names and types
- Cross-references to virtual functions
- Modifies and hides “if – then” branches. Hides switch-branches separately
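
The structure-recovery idea described above (field accesses appear as typed pointer dereferences at an offset, which can be collected and turned into a structure) is sketched below as an added example; it is not HexRaysPyTools code and does not use IDA. It scans pseudocode text with a regular expression, and the sample function, `collect_refs` and `build_struct` are constructed for illustration.

```python
import re

# Sizes in bytes of the scalar type names Hex-Rays prints in pointer casts.
TYPE_SIZES = {"_BYTE": 1, "char": 1, "_WORD": 2, "__int16": 2, "_DWORD": 4,
              "int": 4, "float": 4, "_QWORD": 8, "__int64": 8, "double": 8}

# *(_DWORD *)(a1 + 8) or *(_QWORD *)a1; indexed forms like (a1 + 4 * i) are skipped.
DEREF = re.compile(r"\*\((?:unsigned )?(\w+) \*\)"
                   r"(?:\((\w+) \+ (0x[0-9A-Fa-f]+|\d+)\)|(\w+))")

# Constructed sample in Hex-Rays output style (not taken from a real binary).
SAMPLE = """
__int64 __fastcall sub_401000(__int64 a1, int a2, __int64 a3)
{
  *(_QWORD *)a1 = &off_404000;
  *(_DWORD *)(a1 + 8) = a2;
  if ( *(_BYTE *)(a1 + 0x1C) )
    *(_DWORD *)(a1 + 16) += *(_DWORD *)(a3 + 4);
  return *(_QWORD *)(a1 + 32);
}
"""

def collect_refs(pseudocode, base_var):
    """Map offset -> type name for each typed dereference of base_var."""
    refs = {}
    for ctype, var, off, bare in DEREF.findall(pseudocode):
        if (var or bare) != base_var or ctype not in TYPE_SIZES:
            continue
        offset = int(off, 0) if off else 0
        # If one offset is read at several widths, keep the widest access.
        if TYPE_SIZES[ctype] > TYPE_SIZES.get(refs.get(offset), 0):
            refs[offset] = ctype
    return refs

def build_struct(name, refs):
    """Render a C struct, padding unreferenced byte ranges with gap arrays."""
    lines, cursor = [f"struct {name} {{"], 0
    for offset in sorted(refs):
        if offset < cursor:  # overlaps the previous field: needs manual review
            lines.append(f"    /* overlap at 0x{offset:X}: {refs[offset]} */")
            continue
        if offset > cursor:
            lines.append(f"    char gap_{cursor:X}[{offset - cursor}];")
        lines.append(f"    {refs[offset]} field_{offset:X};")
        cursor = offset + TYPE_SIZES[refs[offset]]
    return "\n".join(lines + ["};"])

if __name__ == "__main__":
    print(build_struct("recovered_a1", collect_refs(SAMPLE, "a1")))
```

The gap arrays mark byte ranges no access touched, which are the places left to correct by hand before the layout is treated as complete.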
Comments

IDA is so fucking helpful to get addresses for lego games (aka roblox)

devtillded