Basic usage
-
If there are no projects, create one
File > New Project
-
Select a project
-
Import file
File > Import File
-
Double-click the file to open it
-
If prompted to analyse, click Yes
Defaults should be fine in most cases
- Wait for the analysis to finish; see the status bar in the lower right
Functions
List functions
Window > Functions
Show functions for a specific type
Put the type name in the Filter box at the bottom of the Functions window
Find references to a function
- Select a function in the Functions window
- Go to the Decompile window and right-click the function name near the top > References > Find references to …
Location of function parameters
ⓘ Function parameters can be on the stack or in registers
To see the location of function parameters from within a function:
- Go to a function from the Functions window or by double-clicking on it in the Decompile window
-
Scroll to the top of the disassembly of the function in the Listing window. From here you can see the location of the parameters, for example:
Stack[0x4]4 this- The
thisparameter is on byte 4 of the stack ($esp+0x4) and is 4 bytes long
- The
If you look at where the function is called from other parts of the code, the parameters are typically set in the assembly instructions immediately prior to the CALL in reverse order, e.g.
MOVparameter 2 to $esp+0x4MOVparameter 1 to top of stack ($esp)CALL
👉 There may a discrepancy between the stack locations where a function is called and inside the function itself, because the address of the called function gets added to the stack. So a parameter at $esp+0x4 when called may end up at $esp+0x8 in the function.
Types
Show type information
Right-click a type or variable > Edit Data Type
Variables
Highlight a variable
ⓘ This makes it easier to see where a variable is used
Right-click > Secondary Highlight > Set Highlight
Rename a variable
ⓘ If you can figure out what a variable does, renaming it will make it much easier to understand the function
Right-click > Rename Variable