Ida Extract Hashab Algorithm records

The idea is that Ida F5 is really powerful, and will later use F5 to extract the code and record the ideas in the process of extracting the code.

The first thing to note is that the local variables in the pseudo-code function generated by F5 are all 1-byte aligned, and F5 corresponds to a variable on the address in the stack used by a function. The pseudo-code generated by Ida often assigns and copies subsequent data on a variable basis. You can use the following methods to resolve them. Then use the Replace all to add data before all the variables.

#pragma pack (1)
struct data_t
{
signed int v3; [Email protected]
signed int v4; [Email protected]
__INT16 V6; [SP+8H] [bp-198h]@1
Char V7; [Sp+ah] [bp-196h]@1
int V8; [Sp+ch] [bp-194h]@1
__int16 V9; [SP+10H] [bp-190h]@1
Char V10; [SP+12H] [bp-18eh]@1
int v11; [SP+14H] [bp-18ch]@1
int V12; [sp+18h] [bp-188h]@1
int v13; [Sp+1ch] [bp-184h]@1
Char V14; [SP+20H] [bp-180h]@1
Char V15; [sp+24h] [bp-17ch]@1
Char V16; [sp+25h] [bp-17bh]@1
int v17; [SP+26H] [bp-17ah]@1
int v18; [Sp+2ah] [bp-176h]@1
int v19; [Sp+2eh] [bp-172h]@1
Char V20; [SP+32H] [bp-16eh]@1
__int16 v21; [SP+33H] [bp-16dh]@1
Char v22; [SP+35H] [bp-16bh]@1
int v23; [SP+36H] [bp-16ah]@1
__int16 v24; [Sp+3ah] [bp-166h]@1
Char v25; [Sp+3ch] [bp-164h]@1
Char v26[31]; [SP+3DH] [bp-163h]@3
Char v27; [Sp+5ch] [bp-144h]@5
}data;
#pragma pack ()

2. It is important to note that some of the variables in the local variables of the generated pseudo-code are in the wrong size, and have suffered from this in the process of extracting the algorithm.

For example, in the above code, the last two local variables of the pseudo-code generated by F5 are likely to be:

Char v26; [SP+3DH] [bp-163h]@3
Char v27; [Sp+5ch] [bp-144h]@5

It is generally necessary to check the size of the local variables, a good thing is that Ida generated pseudo-code behind the comments, will tell us the size of the variable, the above code should be modified to

Char v26[31]; [SP+3DH] [bp-163h]@3
Char v27; [Sp+5ch] [bp-144h]@5

If the address alignment of the local variable and the size of the variable are modified, the extracted function basically has no big problem.

3. It is important to note that the pseudocode generated by IDA will need to be supplemented by some macros

#define _HIDWORD (x) (((_dword*) &x) [1])
#define _LODWORD (x) (((_dword*) &x) [0])
#define _HIWORD (x) (((_word*) &x) [1])
#define _LOWORD (x) (((_word*) &x) [0])
#define __PAIR__ (x, Y) (((unsigned long) (x) << +) + (y))
#define _LOBYTE (x) (((_byte*) &x) [0])
#define BYTE1 (x) (((_byte*) &x) [1])
#define BYTE2 (x) (((_byte*) &x) [2])
#define BYTE3 (x) (((_byte*) &x) [3])

All of this needs to be done yourself.

4.ida generated pseudo-code part of the problem, mainly reflected in a * (B/C) Such expressions written a * b/c, such problems need to be specific tracking to find out, there is such a problem will be more time-consuming, in fact, I do not want to say that I have been a lot of time in this problem in the pit.

In general, when using the IDA extraction algorithm, pay attention to the above points, it will save a lot of time.

Finally, I used the IDA extracted Hashab algorithm to share, I put the code to calculate offset address offset data deleted, if a bit needs to use to calculate the offset address to use the offset data, not many only need to change one line of code.

Http://files.cnblogs.com/xiaoshame/hashab.zip

Ida Extract Hashab Algorithm records