There is currently no leaked hexrays SDK for 9 SP1
The latest hexrays SDK is the 9 beta SDK
Primer (2009): https://hex-rays.com/blog/hex-rays-decompiler-primer
microcode
microcode is the first layer
Use Lucid to view microcode visually
The microcode opcodes are defined in enum mcode_t in hexrays.hpp
The lowest microcode level is the generated level
ctree
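microcode is converted into the ctree, i.e. the AST
cexpr_t and cinsn_t are derived from citem_t
Use HRDevHelper to browse the ctree visually
Working with the ctree
This will look familiar to anyone who has done JS reverse engineering: an AST is traversed with a visitor, and the visitor for the ctree is ctree_visitor_t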
/// Visit a statement.
/// This is a visitor function which should be overridden by a derived
/// class to do some useful work.
/// This visitor performs pre-order traversal, i.e. an item is visited before
/// its children.
/// \return 0 to continue the traversal, nonzero to stop.
virtual int idaapi visit_insn(cinsn_t *) {return 0;}
/// Visit an expression.
/// This is a visitor function which should be overridden by a derived
/// class to do some useful work.
/// This visitor performs pre-order traversal, i.e. an item is visited before
/// its children.
/// \return 0 to continue the traversal, nonzero to stop.
virtual int idaapi visit_expr(cexpr_t *) {return 0;}
These two virtual functions are called step by step as the tree is traversed
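An added example, not code from the Hex-Rays SDK or from these notes: a self-contained toy model of the contract stated in the comments above (pre-order visiting, a nonzero return stops the walk). The toy_item, toy_visitor and find_call types are hypothetical stand-ins for citem_t and ctree_visitor_t, so it builds without hexrays.hpp.

```cpp
// Toy model only: toy_item / toy_visitor / find_call are NOT Hex-Rays SDK types.
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct toy_item {                            // stands in for citem_t
    bool is_expr;                            // expression (true) or statement
    std::string op, name;                    // node kind, callee/variable name
    std::vector<std::unique_ptr<toy_item>> kids;
    toy_item(bool e, std::string o, std::string n = "")
        : is_expr(e), op(std::move(o)), name(std::move(n)) {}
    toy_item *add(bool e, std::string o, std::string n = "") {
        kids.emplace_back(new toy_item(e, std::move(o), std::move(n)));
        return kids.back().get();
    }
};

struct toy_visitor {                         // stands in for ctree_visitor_t
    virtual ~toy_visitor() = default;
    virtual int visit_insn(toy_item *) { return 0; }
    virtual int visit_expr(toy_item *) { return 0; }
    // Pre-order: visit the item, then its children; nonzero aborts the walk.
    int apply_to(toy_item *it) {
        int rc = it->is_expr ? visit_expr(it) : visit_insn(it);
        for (size_t i = 0; rc == 0 && i < it->kids.size(); ++i)
            rc = apply_to(it->kids[i].get());
        return rc;
    }
};

// Logs the visit order and stops at the first call to `target`.
struct find_call : toy_visitor {
    std::string target, trail;
    toy_item *hit = nullptr;
    explicit find_call(std::string t) : target(std::move(t)) {}
    int visit_insn(toy_item *i) override { trail += i->op + " "; return 0; }
    int visit_expr(toy_item *e) override {
        trail += e->op + " ";
        if (e->op == "call" && e->name == target) { hit = e; return 1; }
        return 0;
    }
};

// Constructed sample: { if (n) strcpy(...); puts(...); }, call arguments omitted.
std::unique_ptr<toy_item> sample_tree() {
    std::unique_ptr<toy_item> root(new toy_item(false, "block"));
    toy_item *iff = root->add(false, "if");
    iff->add(true, "var", "n");
    iff->add(true, "call", "strcpy");
    root->add(true, "call", "puts");
    return root;
}
```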
toolbox
Find Patterns
https://github.com/patois/HexraysToolbox