CODEWITHSUNDEEP
reverse-engineeringida
Albert Rokii
Albert Rokii

Reputation: 11

IDA 6.5 show "??" in decompile

IDA pro 6.5 have trouble to decompile completely my file (binary.exe). from offset 00409400 to 00417000 "Hex view" tab show "??" as ASCII character.

screenshot

but when I try this file with hex workshop or other hex editors, all think is correct.

why IDA can`t decompile correctly my binary file?

Upvotes: 1

Views: 769

Answers (1)

user1354557
user1354557

Reputation: 2503

The short version

The ??s represent bytes that have no mapping in the executable file. In Windows, they will be initialized to zero when the image is loaded into memory. If this isn't clear, read on:

How sections work

(Based on the comments, I'm going to assume that you are looking at a PE file)

In the PE file format, a number of sections are defined. Each section describes a portion of the image loaded into memory and its properties. It is common to have an executable section for the code, a readable/writable section for global variables, a read-only section for constant values, and some others.

A simplified version of the section structure that defines a section looks something like this:

typedef struct _IMAGE_SECTION_HEADER {
  BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
  DWORD VirtualSize;
  DWORD VirtualAddress;
  DWORD SizeOfRawData;
  DWORD PointerToRawData;
  ...
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

The members PointerToRawData and SizeOfRawData describe the offsets within the executable file that contain the bytes for the section. The members VirtualAddress and VirtualSize describe the virtual addresses where the section is to be mapped in memory.

Note that there are separate fields for SizeOfRawData and VirtualSize. When SizeOfRawData < VirtualSize, the remaining bytes in the mapping are filled in with zeros. This is a useful optimization that allows the linker to designate memory for global variables whose contents do not need to be initialized without wasting space in the executable file.

So to be clear, a section has been defined for the addresses with ?? markings, but the contents of those addresses are uninitialized within the file. You can verify this with a PE viewer.

Upvotes: 2

Related Questions