if you are very used to 32-bit IDA you may sometimes find yourself in a blind alley when you try to port your working solution to IDA 64-bit. This was the case with my old batch decompilation script. <\/p>\n\n\n\n
The way it works is very simple – for every <file> in a folder, run IDA in its automation\/batch mode mode, decompile the <file>, and finally save it in a <file>.c file – more or less like the below (I am omitting the loop):<\/p>\n\n\n\n
c:\\Ida\\idaw.exe -A -Ohexrays:-new:%%k.c:ALL “%%k”<\/p><\/blockquote>\n\n\n\n
Nothing could be simpler.<\/p>\n\n\n\n
Until you run it with the 64-bit idaw64.exe:<\/p>\n\n\n\n
c:\\Ida\\idaw64.exe -A -Ohexrays:-new:%%k.c:ALL “%%k”<\/p><\/blockquote>\n\n\n\n
It doesn’t work. It loads idaw64 and just stays there.<\/p>\n\n\n\n
The gotcha is in a plug-in name. The 64-bit decompiler’s plugin name is not hexrays<\/em>, it’s not hexrays64<\/em> either. It is actually hexx64.dll<\/em>. <\/p>\n\n\n\n
So, you have to run this instead:<\/p>\n\n\n\n
c:\\Ida\\idaw64.exe -A -Ohexx64:-new:%%k.c:ALL “%%k” <\/p><\/blockquote>\n\n\n\n
It’s ridiculously trivial, but it’s always the little things. <\/p>\n\n\n\n
Also, interestingly, when you google hexx64.dll<\/em> or hexx64.p64<\/em> you only get a few hits. As if not too many ppl ever came across the issue.<\/p>\n\n\n\n
Another gotcha is that if you run it with too many files, your system’s performance will deteriorate quickly. I don’t know if it is memory fragmentation\/leaks, or something else, but after running the script on a number of samples I observed my VM dying on me and requiring a restart due to low memory (despite no other process running on a 2G RAM guest). If you know what causes it I would be grateful if you could let me know.<\/p>\n\n\n\n
The third gotcha is to rely on the text version of IDA for this task – it is faster than the GUI version. At least in my experience.<\/p>\n\n\n\n
Finally, the last gotcha is to remove all the other plugins from the IDA’s Plugins directory, other than the one you are using e.g. hexrays<\/em>. Why? This may look like nothing, but IDA enumerates and loads all of them _each_ time it starts.<\/p>\n","protected":false},"excerpt":{"rendered":"
if you are very used to 32-bit IDA you may sometimes find yourself in a blind alley when you try to port your working solution to IDA 64-bit. This was the case with my old batch decompilation script. The way … Continue reading