vds21

summary: dynamically provide a custom call type

description:

This plugin can greatly improve decompilation of indirect calls:

call [eax+4]

For them, the decompiler has to guess the prototype of the called function. This has to be done at a very early phase of decompilation because the function prototype influences the data flow analysis. On the other hand, we do not have global data flow analysis results yet because we haven’t analyzed all calls in the function. It is a chicked-and-egg problem.

The decompiler uses various techniques to guess the called function prototype. While it works very well, it may fail in some cases.

To fix, the user can specify the call prototype manually, using “Edit, Operand types, Set operand type” at the call instruction.

This plugin illustrates another approach to the problem: if you happen to be able to calculate the call prototypes dynamically, this is how to inform the decompiler about them.

level: intermediate

Attributes

testing

Classes

`callinfo_provider_t`
`my_plugin_t`	Base class for all scripted plugins.

Functions

PLUGIN_ENTRY()

Module Contents

vds21.testing = False

class vds21.callinfo_provider_t(_flags: int = 0, _hkcb_flags: int = 1)

Bases: ida_hexrays.Hexrays_Hooks

build_callinfo(blk, type)

Analyzing a call instruction.

Parameters:

blk – (mblock_t *) blk->tail is the call.
type – (tinfo_t *) buffer for the output type.

class vds21.my_plugin_t

Bases: ida_idaapi.plugin_t

Base class for all scripted plugins.

flags = 16

wanted_name = 'Hex-Rays custom prototype provider (IDAPython)'

wanted_hotkey = ''

comment = 'Sample plugin21 for Hex-Rays decompiler'

help = ''

init()

term()

run(arg)

vds21.PLUGIN_ENTRY()