Wrong switch decompilation

I have a problem with decompiling an obfuscated switch

After decompiling it, I get strange results like this:

image

Also, when I click Other → Specify Switch Idiom and change the input register from the correct one (rax) to any other, I get a good switch, but it uses the wrong variable for it.

I checked the microcode, and it's simply optimizing it from a jtbl into a set of gotos at the stage from MMAT_PREOPTIMIZED to MMAT_LOCOPT.

How to make IDA show the correct switch?

Hi @DiveriX,

Could you share the sample IDB with us? (You can send it through our support channel).
It would help us give you some more tailored advice.

We cannot repro “while (1);”.
There is “while(1) {…}” but it seems to be correct.
Could you tell me if you have any plugins installed that may alter the decompiler output?

No, I absolutely have no plugins, except the preinstalled ones.

Could you post the decompiler output for the function in question? I wonder why we cannot repro your case.


For example, this function: same problem, no switch.

// attributes: thunk
__int64 __fastcall sub_661AACF0(__int64 a1, __int64 a2, __int64 a3, unsigned __int8 a4)
{
return a4 + 12LL;
}

Sorry for the delay. The problem occurs because of this instruction:

00000000661AAEDA 2F8                 mov     eax, 1Ah

Here EAX is overwritten with a constant value. On the other hand, EAX is marked as the input register for the table jump:

00000000661AAEE9 2F8                 jmp     r8              ; switch jump

Because of this, the decompiler assumes that we always jump to case 0x1A and removes all other code.

There is no solution to the problem now, but you can mark the instruction at 00000000661AAEDA as belonging to the switch and the switch statement will be visible in the output. You can do that with the following menu item: Edit, Other, Toggle skippable instruction. While not ideal, it seems to work.

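To illustrate the explanation in the reply above (a constant written to the switch input register lets constant propagation fold the jump table down to a single case, and excluding that defining instruction brings the switch back), here is an added Python model; it is not IDA's or the thread's code, and the instruction encoding, register names and case count are constructed for the example.

```python
# Toy model of a decompiler's constant propagation over straight-line code,
# showing why a jump-table switch collapses to one case when its input
# register was just assigned a constant, and how marking that instruction
# as "skippable" restores the switch. Constructed example, not IDA code.

# Constructed program modelled on the thread's disassembly:
#   mov eax, 1Ah            ; constant written to the switch input register
#   ...                     ; unrelated register work
#   jmp r8 ; switch jump    ; jump table indexed by eax
PROGRAM = [
    ("mov", "eax", 0x1A),   # index 0: the instruction the reply points at
    ("mov", "r8", "rdx"),   # index 1: copy of a register with unknown value
    ("switch", "eax", {v: f"case_{v:X}" for v in range(0x20)}),  # index 2
]


def propagate_constants(program, skippable=frozenset()):
    """Forward constant propagation; returns register -> known constant.

    Instructions whose index is in `skippable` are ignored, mirroring the
    effect of Edit, Other, Toggle skippable instruction in the thread.
    """
    known = {}
    for idx, insn in enumerate(program):
        if idx in skippable or insn[0] != "mov":
            continue
        _, dst, src = insn
        if isinstance(src, int):
            known[dst] = src            # constant definition
        elif src in known:
            known[dst] = known[src]     # copy of a known constant
        else:
            known.pop(dst, None)        # destination becomes unknown
    return known


def reachable_cases(program, skippable=frozenset()):
    """Case labels the decompiler would keep for the switch in `program`."""
    known = propagate_constants(program, skippable)
    for insn in program:
        if insn[0] == "switch":
            _, reg, cases = insn
            if reg in known:            # input register folded to a constant
                value = known[reg]
                return [cases[value]] if value in cases else []
            return sorted(cases.values())  # input unknown: every case stays
    return []
```

With index 0 left in place only `case_1A` survives; passing `skippable={0}` keeps all 32 cases, which is the effect the workaround in the reply achieves.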