[Analysis tool] Hex-Rays 1.2 Release

by 잡다한 처리, 2 February 2010

Hex-Rays version 1.2 has been released.
Hex-Rays is a kind of IDA plugin; it works together with IDA and converts assembly code into C code. A really nice program ^^
But it's paid software ㅡ.ㅡ;;
The version I'm using right now is 1.0 ㅠ.ㅠ, I want to buy it! I want to buy it! Maybe I should at least ask how much it costs;;

Welcome to Hex-Rays v1.2, with intrinsic function support. This release adds all intrinsic functions defined by Microsoft and Intel (with some exceptions), SSE scalar floating point support, local cross references, and other improvements. Please refer to the comparison page for side-by-side examples.

BIG NEWS

  • SSE scalar floating point support
  • Support for intrinsic functions (the decompiler recognizes more than 500 intrinsic functions from Microsoft and Intel)
  • New microcode preoptimization algorithm with O(n) complexity. It is much faster, especially on long basic blocks. For long basic blocks it really makes a big difference: the analysis can be hundreds of times faster, because the long basic block is immediately optimized into something small without using the main propagation mechanism, which has O(n^2) complexity.
  • Local cross reference commands

NITPICKY DETAILS

  • added 'split' command to split too wide assignments
  • added support for signed magic divisions
  • all useless mov instructions are optimized away (before, movs of aliased memory were preserved)
  • better detection of function return types: floating point flags are assumed to be never returned by functions
  • equivalent table jump instructions are collapsed into one instruction: this reduces the code complexity and speeds up the decompilation
  • functions having no fpu insns but returning a fp value (for example, as the result of a call to another function) were not detected as fpval returning functions
  • improved recognition of smod_power2
  • improved the speed of decompilation
  • objc_msgSend() and similar function prototypes are hardcoded into the decompiler to make the initial output better
  • segments with predefined names (.rdata, __const, etc) are considered to be readonly, and the decompiler replaces references to such segments with the constant values from them
  • series of xchg/fxch instructions are handled better
  • strcpy() inlined with a series of mov's is recognized
  • superfluous LOBYTE() and similar macros are removed, as in LOBYTE(x) & 1
  • 'jump to xrefs' command supports structure fields, labels, statement types, local variables. For example, it is possible to get a list of all references to 'myvar':

    Type  Line  Col  Pseudocode line
    w     94    6    myvar = !(dwScanFlags & 1) && _this->m_dwStage != 1;
    r     95    14   var30 = myvar;
    r     96    11   if ( myvar )
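Two of the items above, "signed magic divisions" and "smod_power2", refer to the multiply/shift/fixup and bias-and-mask sequences that optimizing compilers emit in place of a signed division or modulo by a constant. The C program below is an added example (it is not code from Hex-Rays or from this blog post) that writes those sequences out by hand and checks them against the plain operators on the awkward inputs. The magic pair used for the 32-bit signed divide by 7 (multiplier 0x92492493, shift 2) is the standard one; the sign fixup after the shift is what distinguishes the signed form from the unsigned one, and the bias added before the mask is the smod_power2 shape. These are exactly the patterns a decompiler rule has to match in order to print `n / 7` and `n % 8` again instead of the raw arithmetic.

```c
/*
 * Added example: hand-written strength-reduced signed division and modulo,
 * the instruction shapes a decompiler's "magic division" and "smod_power2"
 * rules must recognise. Not Hex-Rays code.
 */
#include <stdint.h>
#include <stdio.h>

/* Signed high 32 bits of a 32x32 -> 64 product (what x86 IMUL r32 leaves in EDX). */
static int32_t mulhs(int32_t a, int32_t b)
{
    return (int32_t)(((int64_t)a * (int64_t)b) >> 32);
}

/* n / 7 without a divide instruction: mulhi, add, arithmetic shift, sign fixup. */
int32_t magic_div7(int32_t n)
{
    const int32_t M = -1840700269;     /* 0x92492493: standard 32-bit magic for d = 7 */
    int32_t q = mulhs(M, n);
    q += n;                            /* compensates for M having overflowed into the sign bit */
    q >>= 2;                           /* the shift 's' of the magic pair */
    q += (int32_t)((uint32_t)q >> 31); /* +1 for negative results: truncate toward zero */
    return q;
}

/* n % 8 for signed n: bias negatives by 7 so the mask rounds toward zero, then unbias. */
int32_t smod_pow2_8(int32_t n)
{
    int32_t t = (int32_t)((uint32_t)(n >> 31) >> 29); /* 7 if n < 0, else 0 */
    return ((n + t) & 7) - t;
}

/* Spot check on edge values; returns 1 if both reduced forms agree with the C operators. */
int check_reductions(void)
{
    static const int32_t samples[] = {
        0, 1, -1, 6, -6, 7, -7, 8, -8, 9, -9, 13, 100, -100,
        INT32_MAX, INT32_MIN, INT32_MAX - 6, INT32_MIN + 6
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t n = samples[i];
        if (magic_div7(n) != n / 7) return 0;
        if (smod_pow2_8(n) != n % 8) return 0;
    }
    return 1;
}

int main(void)
{
    printf("magic_div7(100)=%d smod_pow2_8(-9)=%d all_ok=%d\n",
           magic_div7(100), smod_pow2_8(-9), check_reductions());
    return 0;
}
```

When reading a binary, the unsigned variant of the same divide lacks the final `q += n` and sign-fixup steps, so seeing them (or an explicit `sar`/`shr` pair on the quotient) is the tell that the original source operand was signed, which is why the release notes list signed magic division as a separate recognition rule.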

FIXES

  • BUGFIX: __thiscall calls in the very first block of a function that also had the __thiscall calling convention were not detected
  • BUGFIX: bcc __fastcall functions returning a big structure were decompiled incorrectly (the hidden argument was located wrongly)
  • BUGFIX: calls were sometimes propagated too far
  • BUGFIX: could crash trying to decompile a fp constant reference
  • BUGFIX: decompilation of fragmented functions with fpu instructions could fail in some cases
  • BUGFIX: decompiler could interr because the type of the ternary operator was calculated inconsistently
  • BUGFIX: decompiler could interr trying to handle 64-bit comparisons
  • BUGFIX: decompiler could throw an exception if the cursor was positioned on some statement labels
  • BUGFIX: decompiler would interr if fpu conditional jump was optimized into unconditional jump
  • BUGFIX: div_power_2() rule could produce incorrect results
  • BUGFIX: fcomi and similar instructions were decompiled incorrectly
  • BUGFIX: fixed a quite subtle bug with nameless structs: a reference like p->4.field (4 is the name of a nameless structure) could be split in the middle by the cpa module. This would lead to an interr later because a reference like p->4 is not valid
  • BUGFIX: fixed a rare interr that could happen on complex functions (interr 656)
  • BUGFIX: functions tails belonging to multiple parents could cause an interr
  • BUGFIX: it was impossible to specify the representation of case values for synthetic switches (converted from a sequence of if's)
  • BUGFIX: it was still possible to convert numbers to 128-bit enums and get an interr
  • BUGFIX: LODWORD/HIDWORD macros were not used by the decompiler
  • BUGFIX: lvar allocation could crash
  • BUGFIX: lvar allocation could incorrectly reuse an old variable instead of creating a new one (rarely happened upon partial references to wide variables)
  • BUGFIX: non-zero deltas in user-defined offset were ignored by the decompiler
  • BUGFIX: precedence rules for * and post ++/-- operators were incorrect. the decompiler would generate **x++ instead of *(*x)++
  • BUGFIX: some 64-bit additions would be handled incorrectly (well, at least in theory)
  • BUGFIX: some 64-bit casts were erroneously removed: int64(i32)*j32 => i32*j32
  • BUGFIX: some nice constants that correspond to the assembly listing could still not be modified (converted to hex, etc)
  • BUGFIX: some signed divisions by a negative constant were not recognized
  • BUGFIX: the decompiler could use stale guessed type information because it was not updating its internal type storage on all database modifications
  • BUGFIX: the propagation could yield an incorrect result in some rare cases
  • BUGFIX: the representation of 'magic' division divisors could not be changed by the user