Results 1 to 1 of 1

Thread: [IDA Pro] Add C structures for HexRays decompiler

  1. #1
    Assadministrator kung foo man's Avatar
    Join Date
    Jun 2012
    Location
    trailerpark
    Posts
    2,010
    Thanks
    2,102
    Thanked 1,083 Times in 753 Posts

    [IDA Pro] Add C structures for HexRays decompiler

    A) View -> Open subviews -> Structures

    Click image for larger version. 

Name:	a.png 
Views:	43 
Size:	20.8 KB 
ID:	1075

    B) Gonna see this window:

    Click image for larger version. 

Name:	b.png 
Views:	45 
Size:	17.9 KB 
ID:	1076

    C) Edit -> Add struct type

    Click image for larger version. 

Name:	c.png 
Views:	47 
Size:	13.2 KB 
ID:	1077

    D) Just enter a name, e.g. msg_t

    Click image for larger version. 

Name:	d.png 
Views:	43 
Size:	10.3 KB 
ID:	1078

    E) Now we have this empty structure, we can't work further on it in "Local Types" window, so we need to add at least one element to it.

    Add one element by clicking once on msg_t and press d multiple times (it will circle 1, 2, 4 bytes iirc, just let it on 4 bytes e.g.)

    Click image for larger version. 

Name:	e_1.png 
Views:	51 
Size:	16.6 KB 
ID:	1079

    If you don't add an element, the "Local Types" window will show this (or I fucked up my IDA on some previous attempts...):

    Click image for larger version. 

Name:	e_2.png 
Views:	45 
Size:	6.9 KB 
ID:	1080

    F) Should look like this now:

    Click image for larger version. 

Name:	f.png 
Views:	47 
Size:	18.0 KB 
ID:	1081

    G) Now go to "Local Types" window

    Click image for larger version. 

Name:	g.png 
Views:	51 
Size:	32.6 KB 
ID:	1082

    H) Right-click on msg_t and click "Edit..."

    Click image for larger version. 

Name:	h.png 
Views:	45 
Size:	8.9 KB 
ID:	1083

    I) It will look like this first:

    Click image for larger version. 

Name:	i.png 
Views:	45 
Size:	13.1 KB 
ID:	1084

    J) Just enter the structure as in Quake3 or RTCW/ET:

    Click image for larger version. 

Name:	j.png 
Views:	56 
Size:	14.8 KB 
ID:	1085

    K) Now it will look like this:

    Click image for larger version. 

Name:	k.png 
Views:	49 
Size:	7.2 KB 
ID:	1086

    L) Decompile some function using msg_t, e.g. MSG_WriteByte:

    Click image for larger version. 

Name:	l.png 
Views:	49 
Size:	6.1 KB 
ID:	1087

    Click once on a1, press y, and change the type to msg_t *msg.

    M) Tada, we have some nicely decompiled function, way easier to read:

    Click image for larger version. 

Name:	m.png 
Views:	49 
Size:	5.5 KB 
ID:	1088
    timescale 0.01

  2. The Following 4 Users Say Thank You to kung foo man For This Useful Post:

    BratokHR (10th December 2016),kubislav23 (24th December 2017),Mitch (12th April 2016),voron00 (12th April 2016)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •