all InfoSec news
Igor’s Tip of the Week #138: Pointer math in the decompiler
Malware Analysis, News and Indicators - Latest topics malware.news
While working with decompiled code and retyping variables (or sometimes when they get typed by the decompiler automatically), you might be puzzled by the discrepancies between pseudocode and disassembly.
Consider the following example:
We see that X22
is accessed with offset 0x10 (16) in the disassembly but 2 in the pseudocode. Is there a bug in the decompiler?
In fact, there is no bug. The difference is explained by the C/C++pointer/array referencing rules: the array indexing operation advances the pointer …
array bug c++ code decompiler disassembly explained fact malware analysis math pseudocode rules value working