{"id":3441,"date":"2015-12-21T15:27:32","date_gmt":"2015-12-21T15:27:32","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3441"},"modified":"2019-07-04T23:08:27","modified_gmt":"2019-07-04T23:08:27","slug":"idapython-making-strings-decompiler-friendly","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/12\/21\/idapython-making-strings-decompiler-friendly\/","title":{"rendered":"IDAPython – making strings decompiler-friendly"},"content":{"rendered":"

Update<\/strong><\/p>\n

As pointed out by 0stracon<\/a> there is an option in Hexrays that actually enables it to print all strings. Go to Hex-Rays Decompiler Analysis Options and untick ‘Print only constant string literals’.<\/p>\n

To make it permanent, enable it in hexrays.cfg:<\/p>\n

#define HO_CONST_STRINGS\u00a0\u00a0 0x0040\u00a0\u00a0 \/\/ Only print string literals if they reside\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ in read-only memory (e.g. .rodata segment).\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ When off, all strings are printed as literals.\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ You can override decompiler's decision by\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ adding 'const' or 'volatile' to the\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ string variable's type declaration\r\nHEXOPTIONS               = 0x....   \/\/ Combination of HO_... bits<\/pre>\n
I was not aware of this option and reinvented the wheel \ud83d\ude42<\/p>\n
Old post<\/strong><\/p>\n
One of the features of IDA is its ability to recognize strings. This is a great feature, especially useful when you combine it with a power of HexRays decompiler – together they can produce a very nice pseudocode.<\/p>\n
There is only one annoying bit there: if strings are recognized and defined inside a writable segment, they will not be presented by the decompiler as strings, but as variable names referring to strings.<\/p>\n
Let’s have a look at the example.<\/p>\n
In the below example (Dexter sample) IDA recognizes the string “UpdateMutex:”<\/p>\n
\"strings_1\"<\/a>When we now switch to the decompiler view, we will see that the decompiler changes it to s__Updatemutex:<\/p>\n
\"strings_1a\"<\/a><\/p>\n
(the ‘s__’ prefix comes from the string prefix I typically use i.e. ‘s->’ which decompiler ‘flattens’ to ‘s__’). The s__Updatemutex refers to a string as shown below i.e. “UpdateMutex:” :<\/p>\n
\"strings_2\"<\/a>Obviously, a\u00a0 decompiled code that refers to the actual string is much more readable – see the same piece of code as shown above where data is referred to by actual strings:<\/p>\n
\"strings_2a\"<\/a>In order to make the decompiler use these actual strings (not the reference) we have two options:<\/p>\n