Decompiler Overview
The Ghidra decompiler translates assembly code into high-level C-like pseudocode for easier analysis.Implemented by the
DecompilePlugin, the decompiler provides a high-level interpretation of assembly functions with interactive editing capabilities.Opening the Decompiler
Enable Decompiler Window
Access the decompiler view:
Window>Decompiler- Default: docked on right side
- Can float or dock to any location
Navigate to Function
The decompiler automatically displays:
- Current function at cursor location
- Updates when you navigate in listing
- Synchronized with Code Browser
Decompiler Interface
Main Components
- Decompiler View
- Function Signature
- Local Variables
Primary decompiled code display:
- C-like pseudocode representation
- Syntax highlighting
- Line numbers
- Collapsible code blocks
- Token-based navigation
Synchronization with Listing
Bidirectional Sync
Decompiler and listing stay synchronized:
- Click in decompiler → highlights assembly
- Click in assembly → highlights decompiled code
- Both views track same location
Token Highlighting
Clicking tokens highlights:
- All uses of the variable/function
- Related assembly instructions
- Data flow dependencies
Editing in the Decompiler
Renaming Variables
Retyping Variables
Function Signature Editing
Edit Signature
Modify function signature:
- Right-click function name >
Edit Function Signature - Or press
Ctrl + Shift + Gin listing
Modify Components
Change signature elements:
- Return type
- Parameter types and names
- Calling convention
- Varargs specification
Decompiler Features
Hover Tooltips
Multiple hover services provide information:- Data Type Hover
- Function Signature Hover
- Reference Hover
- Scalar Value Hover
Implemented by
DataTypeDecompilerHoverPlugin:- Shows full type definition
- Structure layouts
- Typedef resolution
Control Flow Visualization
The decompiler shows control structures:- If/Else: Conditional logic
- Loops: While, for, do-while patterns
- Switch: Case statement detection
- Goto: Remaining unconditional jumps
The decompiler attempts to structure all assembly into high-level constructs, but complex or obfuscated code may still contain goto statements.
Decompiler Options
Configuration Settings
Access Options
Open decompiler options:
Edit>Tool Options>Decompiler- Configure analysis and display
Analysis Options
Control decompilation behavior:
- Maximum instruction count
- Maximum payload bytes
- Simplification style
- Eliminate unreachable code
Language-Specific Settings
Decompiler uses processor specifications:- Calling conventions
- Register usage
- Stack frame layout
- Special instructions
Working with Complex Code
Structures and Arrays
Structure Access
Decompiler shows structure members:
struct->membernotation- Offset calculations converted to members
- Nested structure access
Array Indexing
Arrays displayed with brackets:
array[index]notation- Multi-dimensional arrays
- Pointer arithmetic simplified
Pointer Analysis
Decompiler handles pointers:- Dereference operators (
*ptr) - Address-of operators (
&var) - Pointer arithmetic
- Multi-level indirection
Function Pointers
Indirect calls are shown as:- Function pointer variables
- Casts to function types
- Indirect call notation
- Virtual function tables
Advanced Usage
Creating Disconnected Decompilers
Open Secondary Decompiler
Create additional decompiler views:
Window>Decompiler(creates new instance)- Independent navigation
- Compare different functions
Debugging Decompiler Output
If decompilation quality is poor:Check Function Boundaries
Ensure function is properly defined:
- Correct entry point
- All code included
- Return statements identified
Fix Data Flow
Improve analysis:
- Define parameter types
- Set return type
- Mark no-return functions
- Fix incorrect references
Exporting Decompiled Code
Copy to Clipboard
Copy decompiled code:
- Select code in decompiler
Ctrl + Cto copy- Paste into external editor
Export Function
Export single function:
- Right-click >
Export to C - Choose file location
- Includes function signature and body