Decompilation
Analysis
Decompilers convert assembly back to readable pseudo-code, dramatically speeding up analysis. While not perfect, modern decompilers like Ghidra and IDA's Hex-Rays are highly effective.
Ghidra Decompiler
```c
// Ghidra decompiler output example
// Original function performs string decryption
void FUN_00401000(char *param_1, int param_2) {
    int i;
    char key;

    key = 0x5a; // XOR key
    for (i = 0; i < param_2; i++) {
        param_1[i] = param_1[i] ^ key;
    }
    return;
}

// Ghidra tips:
// - Press 'L' to rename variables/functions
// - Press 'T' to change type
// - Right-click → Retype Variable for complex types
// - Window → Function Graph for visual flow
// - Use "Auto Analyze" for initial analysis

// Common decompiler artifacts:
// - uVar1, iVar2: unnamed local variables
// - FUN_00401000: unnamed functions
// - DAT_00404000: global data references
```
Improving Decompiler Output
- Rename variables: Replace uVar1 with meaningful names
- Set types: Help decompiler understand struct layouts
- Create structs: Define data structures for cleaner output
- Apply signatures: Import function signatures from header files
- Fix calling conventions: Ensure correct parameter detection
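Once the routine is renamed and retyped, it can be lifted out of the decompiler and run offline against encoded bytes copied from the sample. The following is an added example, not code from the original page or from Ghidra; `xor_decode_inplace`, `decode_string` and `SAMPLE_BLOB` are hypothetical names, and the blob is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY 0x5a  /* key byte seen in FUN_00401000 */

/* FUN_00401000 after renaming and retyping: char* -> uint8_t*,
 * int -> size_t. Same behaviour: in-place single-byte XOR. */
void xor_decode_inplace(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Hypothetical analyst helper: decode a blob copied out of the sample
 * into `out` without touching the original bytes.
 * Returns decoded length, -1 if `out` is too small, -2 if the result
 * has non-printable bytes (usually wrong key or wrong length). */
int decode_string(const uint8_t *enc, size_t len, uint8_t key,
                  char *out, size_t out_size) {
    if (out_size == 0 || len > out_size - 1)
        return -1;
    memcpy(out, enc, len);
    xor_decode_inplace((uint8_t *)out, len, key);
    out[len] = '\0';
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)out[i];
        if (c < 0x20 || c > 0x7e)
            return -2;
    }
    return (int)len;
}

/* Constructed sample: "config.dat" XORed with 0x5a. */
static const uint8_t SAMPLE_BLOB[] = {
    0x39, 0x35, 0x34, 0x3c, 0x33, 0x3d, 0x74, 0x3e, 0x3b, 0x2e
};

int main(void) {
    char out[64];
    int n = decode_string(SAMPLE_BLOB, sizeof SAMPLE_BLOB, XOR_KEY,
                          out, sizeof out);
    if (n < 0) {
        fprintf(stderr, "decode failed (%d)\n", n);
        return 1;
    }
    printf("%d bytes: %s\n", n, out);
    return 0;
}
```

The printable-byte check is only a sanity filter: a wrong key can still produce printable output, so confirm the key and length against the decompiled call sites.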