Ghidra: Structure Decompilation

Created on 16 Sep 2019 · 5Comments · Source: NationalSecurityAgency/ghidra

When decompiling a class function (__thiscall) and a virtual base's member is accessed it gets represented as accessing the _vptr field with a negative index.
ex:
*(undefined4 *)(this->_vptr[-1].~H + &this->field_0xc) = 2;

disassembly output:

MOV        RAX,qword ptr [RAX]  ; RAX = address of vftable
SUB        RAX,0x18 ; RAX = address of offset_to_E
MOV        RAX,qword ptr [RAX] ; load 0x10 (offset_to_E) into RAX
MOV        RDX, RAX ; move offset_to_E into RDX
MOV        RAX,qword ptr [RBP + local_20] ; move H *this back into RAX
ADD        RAX,__type ; add offset_to_E to this
MOV        dword ptr [RAX + 0xc],0x2 ; super_E.e_data = 2

Is there a way that I can override the offset of the structure component being accessed here?
I know through RTTI analysis that the offset at [-1] produces offset_to_E. I would like to give the decompiler the appropriate information so that it just produces:
this->super_E.e_data = 2;

Decompiler Question

Source

astrelsky

All 5 comments

I guess a better question would be how does the decompiler get the offset of the member being accessed and is it possible to override this through java?

astrelsky on 16 Sep 2019

I think it needs a feature like this: https://www.hex-rays.com/products/ida/support/idadoc/1695.shtml

paulsapps on 4 Oct 2019

👍1

If the decompiler has access to the listing then a constant value pointer would suffice.

astrelsky on 4 Oct 2019

I think, that fixing of issue #573 can help you resolve the issue.

saruman9 on 5 Feb 2020

👍1

I think, that fixing of issue #573 can help you resolve the issue.

Yes this would do exactly what is necessary. I forgot this question was still open. I know for a fact there is currently no way to do what I was asking so I'll close this.

astrelsky on 5 Feb 2020

Was this page helpful?

0 / 5 - 0 ratings