HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Here are the main features of the plugin:
- Automatic type REconstruction for C++ objects.
- C-tree graph visualization - a special tree-like structure representing a decompiled routine in c_itemt terms. Useful feature for understanding how the decompiler works.
- Navigation through virtual function calls in HexRays Pseudocode window.
- Object Explorer - useful interface for navigation through virtual tables (VTBL) structures.
In this presentation, the authors of HexRaysCodeXplorer will be discussing main functionality of the plugin and its application for reverse engineering. The authors will be presenting the algorithm for C++ type REconstruction. Also a special version of HexRaysCodeXplorer (H2HC edition) will be released with new features developed specially for H2Cconference. New features will be committed to GitHub from the stage.
13. Data Types Being Used: Vectors
structVECTOR
{
void *vTable;// pointer to the table
intNumberOfItems;// self-explanatory
intMaxSize;// self-explanatory
void *vector;// pointer to buffer with elements
};
oUsed to handle the objects:
tasks
triggers
etc.
17. Data Types Being Used: Strings
structUSTRING_STRUCT
{
void *vTable;// pointer to the table
intRefNo;// reference counter
intInitialized;
wchar_t*UnicodeBuffer;// pointer to unicodestring
char *AsciiBuffer;// pointer to ASCII string
intAsciiLength;// length of the ASCII string
intReserved;
intLength;// Length of unicodestring
intLengthMax;// Size of UnicodeBuffer
};
26. HexRaysCodeXplorerFeatures
oHex-Rays decompilerplugin
oThe plugin was designed to facilitate static analysis of:
object oriented code
position independent code
oThe plugin allows to:
navigate through decompiled virtual methods
partially reconstruct object type
27. Hex-Rays DecompilerPlugin SDK
oAt the heart of the decompilerlies ctreestructure:
syntax tree structure
consists of citem_tobjects
there are 9 maturity levels of the ctreestructure
28. Hex-Rays DecompilerPlugin SDK
oAt the heart of the decompilerlies ctreestructure:
syntax tree structure
consists of citem_tobjects
there are 9 maturity levels of the ctreestructure
29. Hex-Rays DecompilerPlugin SDK
oType citem_tis a base class for:
cexpr_t–expression type
cinsn_t–statement type
oExpressions have attached type information
oStatements include:
block, if, for, while, do, switch, return, goto, asm
oHex-Rays provides iterators for traversing the citem_tobjects within ctreestructure:
ctree_visitor_t
ctree_parentee_t
citem_tcexpr_tcinsn_t
30. Hex-Rays Decompiler Plugin SDK
o Type citem_t is a base class for:
cexpr_t – expression type
cinsn_t – statement type
o Expressions have attached type information
o Statements include:
block, if, for, while, do, switch, return, goto, asm
o Hex-Rays provides iterators for traversing the citem_t objects within ctree
structure:
ctree_visitor_t
ctree_parentee_t
citem_t
cexpr_t cinsn_t
36. HexRaysCodeXplorer: Object Type REconstruction
oHex-Rays’sctreestructure may be used to partially reconstruct object type based on its initialization routine (constructor)
oInput:
pointer to the object instance
object initialization routine entry point
oOutput:
C structure-like object representation
40. HexRaysCodeXplorerv1.5 [H2HC Edition]
oNew citem_tobjects to monitor:
memptr
idx
memref
call (LOBYTE, etc.)
ptr, asg, …
oType propagation for nested function calls
41. HexRaysCodeXplorerv1.5 [H2HC Edition]
oFeatures of v1.5 [H2HC Edition] :
Better Type Reconstruction
•Improvements for parsing citem_tobjects with PTR andASG statements
•Recursive traversal of Ctreeto reconstruct Types hierarchy
Navigate from Pseudo code window to Disassembly line
Hints for Ctreeelements which point to Disassembly line
Support for x64 version of Hex-Rays Decompiler
Some bug fixes by user requests
43. HexRaysCodeXplorer: -> What are the next goals?
oDevelop the next version on IdaPython
oFocus on the following features:
Type reconstruction(C++, Objective-C)
Type Navigation (C++, Objective-C)
Vtablesparsing based on Hex-Rays API
Ctreegraph navigation improvements
Patterns for possible vulndetection