Jump tables

It is an endless story: regardless of how many different jump table types IDA supports, there will be a new unhandled twist. Be it the instruction scheduler, which rearranged the instructions in an unexpected manner, or the compiler, which learned a new optimization trick, the result is the same for IDA: jump tables are missed and function boundaries are wrong. What’s worse, the graph view, so loved by IDA users, displays a trimmed graph without jump tables, virtually useless for any analysis.

That’s why we strive to add support for new jump tables to IDA, and since it cannot be done for all of them, we focus on compiler-generated jump tables for popular processors. Take ARM, for example. The ARM processor module has been improved a lot in v5.2, yet we still received a report with a bunch of new patterns. So expect even better support for ARM in the near future.

If you are interested in improving the jump table handling for a rarely used processor, here is an explanation of how to do it.

Better user interface for decompiler

We are glad to release a new version of the Hex-Rays decompiler!
Highlights of this build:

  • improved usability
  • support for unusual calling conventions
  • better handling of obfuscated code

The most important improvement is the user interface. Now the decompiler is
at your fingertips at all times, the same way as the graph view.
Remember that you can toggle graph-text views in IDA with a single keystroke?
For the decompiler you can use the Tab key: it toggles between
the disassembly and pseudocode views.

For those of you who prefer to see both the decompiler output and disassembler output
in the same window, we added the “copy to disassembly” command. It just does what
its name says: it copies the pseudocode text to the disassembly window. You can
see both outputs simultaneously: mapping of low level assembly idioms to high
level constructs is made as transparent as possible.

With this build, you will be able to open multiple pseudocode windows.
This will be especially useful for long functions: just open a separate window
for each called function by Ctrl-double clicking on function names. The long
function will stay intact in its own window and you won’t lose time by
reanalyzing it upon each return.

One more command to handle code complexity: the ability to hide parts of code.
The new hide/unhide command allows you to collapse a multiline statement into
just one line. Collapsing unimportant sub-statements reveals
the global structure of the decompiled function.

We also added other things to make life easier: a command to jump to xrefs,
better status line information, support for the __spoiled keyword, and more
heuristic rules to the analyzer.

The detailed list of changes can be accessed here

Nice analysis!