We are glad to release a new version of the Hex-Rays decompiler! Highlights of this build:
improved usability
support for unusual calling conventions
better handling of obfuscated code
The most important improvement is the user interface. Now the decompiler is at your fingertips at all times, the same way as the graph view. Remember that you can toggle graph-text views in IDA with one keyboard hit? For the decompiler you can use the Tab key: it toggles between the disassembly and pseudocode views.
For those of you who prefer to see both the decompiler output and disassembler output in the same window, we added the "copy to disassembly" command. It just does what its names says: copies the pseudocode text to the disassembly window. You can see both outputs simultaneously: mapping of low level assembly idioms to high level constructs is made as transparent as possible.
With this build, you will be able to open multiple pseudocode windows. This will be especially useful for long functions: just open a separate window for each called function by Ctrl-double clicking on function names. The long function will stay intact in its own window and you won't lose time by reanalyzing it upon each return.
One more command to handle code complexity: ability to hide parts of code. The new hide/unhide command allows you to collapse a multiline statement into just one line. Collapsing unimportant sub-statements reveals the global structure of the decompiled function.
We also added other things to make the life easier: the command to jump to xrefs, better status line information, support for the __spoiled keyword, and more heuristic rules to the analyzer.
Better user interface and improved robustness (click for more info)
+ multiple pseudocode windows can be opened
+ new command: copy c text to disassembly window (available from the right-click menu)
+ new command: the tab key toggles between the disassembly and pseudocode windows
+ new command: hide/unhide statements (if,loops,switch,blocks)
+ new command: jump to xref; since the pseudocode addresses do not map exactly to disassembly addresses, the decompiler jump to the nearest address if an exact match can not be found
+ status line of pseudocode window displays the name of the current function
+ spoiled<> keyword is supported by the decompiler (maybe there are some cases when it is ignored, requires more thourough testing)
+ more intelligent handling of tail calls
+ more intelligent detection of thiscall/fastcall function types
+ improved detection of saved eax/edx pairs: now such functions are correctly detected as returning 'void'
bugfix: delieberately obfucsated code could cause interrs
bugfix: wrong sp trace could lead to interr; now it leads to 'lvar allocation failure'
bugfix: output code for the SF flag was incorrect. the code was "x<y" while it must be "(x-y)<0"
bugfix: attempt to decompile an uncompletely analyzed function could lead to interr (because of incorrect sp values); now decompiler gracefully fails in the situation
bugfix: function pointers can not be subtracted or compared but hexrays was doing it; added necessary casts to the output
bugfix: some linux calls (accepting arrays as parameters) could cause interr
bugfix: if the decompiled code was accessing undefined registers, the decompiler could interr
