IDA/HexRays: how do I retrieve the memory address associated with a given line of decompiled code?
Reverse Engineering Asked by TFD on November 27, 2020
I’m trying to programmatically link decompiled code generated by HexRays with the disassembly code of a given binary by mapping memory addresses between the two. The mapping exists, as I can see view it through IDA on a case by case basis (see the line of decompiled code in green, associated with the memory address in gold, which lets me reference the disassembly. Clicking through different decompiled source lines links to different memory addresses/sets of disassembly lines). But I can’t find any way to get at these associations via scripting (IDC, IDAPython, etc) or via the command line. This strikes me as strange, as I can’t imagine that this functionality hasn’t been sought out or used before.
My end goal is to be able to read in a set of decompiled code line numbers, then return all the lines of disassembly which map to those decompiled code lines.
Thanks!
One Answer
In hexrays.hpp, citem_t is the base class for both cinsn_t ("instructions", such as for loops, if statements, etc.) and cexpr_t ("expressions", such as addition, memory dereference, function calls, etc.) citem_t has a field ea_t ea;. That field stores the address of the corresponding line in the assembly language (unless it's BADADDR, in which case, the decompiler machinery lost track of the address).
To accomplish your goal specifically, you're going to want to get your hands on the cinsn_t objects on certain lines in the decompilation listing. Here are three separate ideas for how to accomplish this:
- Grab the function body directly out of the
cfunc_tand process it yourself; - Use a
ctree_visitor_tobject to visit allcinsn_tobjects within the decompilation listing; - Call
kernwin.hpp::read_selectionto get a selection of lines within the decompilation listing (there will be some work to do in mapping these back to positions within the decompiled function body).
Answered by Rolf Rolles on November 27, 2020
Add your own answers!
Ask a Question
Get help from others!
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?
Recent Answers
- Peter Machado on Why fry rice before boiling?
- Jon Church on Why fry rice before boiling?
- haakon.io on Why fry rice before boiling?
- Joshua Engel on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?