Search code examples
ida

IDA Free truncated strings?


I'm trying to analyste a game in IDA Free. I see some weird behaviour that I don't understand how to fix. Why are these strings truncated? You can see that in the RIP-view that in the .rdata section string literals have the first character chopped off.

enter image description here

And this is also seen in the Pseudocode view:

enter image description here

Why and how do I change that?


Solution

  • It shows it like that because it is done like that. From what you have shown it looks like they are actually offsetting these string offsets. In the source code that was probably some macro what does this offsetting under the hood. Either via +1 for some reason, or maybe they assume string literals are at least 2-aligned and use |1 as a flag for something. Impossible to say without looking at that function that accepts the strings.

    This is why. As for how to fix that... In assembly, you can manually fix up the reference via Ctrl-R (set Target Delta to 1). That will give you proper reference and auto-comment. I don't know how to automatically fix up all the assembly references like that though (except for writing an IDA script). Note that fixed up reference doesn't get translated to decompilation output (that is still truncated).

    For decompiler, in theory one should be able to annotate type of that function's argument as __shifted or __offset and that should take care of it. In reality though, when I tried __shifted it didn't change anything at call site so string literal still looked truncated, and I couldn't get __offset to parse (maybe my IDA is too old, or maybe it doesn't work with function arguments). So you might be out of luck for decompilation (short of writing decompiler plugin to fix it in low-level decompiler ast).