9

I've got a program that i'm trying to debug a little bit by trying to make sense of a function or two, there's already some info that i've downloaded via a idb file and it's helped me get somewhere. But i'm kind of stuck on a part where i've got something like this:

BYTE3(v1) = 0;

This is from the ida hex-rays plugin which has made some nice c-pseudo code for me. I can't double click the function and get it translated in some way so i don't really know how to understand what it does, my guess is that it takes either the third or fourth byte of an int. So my question is, how would i be able to find this function and look at it's disassembly at least if it can't be translated by hex-rays? The signature if that helps at all looks like this according to ida: _BYTE __fastcall(int)

lfxgroove
  • 369
  • 4
  • 13
  • 4
    Yes, it sets the fourth byte of v1. Place your cursor inside the expression BYTE3(v1), hit Tab, it'll switch to the corresponding place in the disassembly view. – DCoder Aug 18 '13 at 10:18
  • Oh, didn't know about that, thanks alot! – lfxgroove Aug 18 '13 at 10:20

1 Answers1

15

All Hex-Rays macros are defined in <IDA directory>\plugins\defs.h. It's also available at https://github.com/nihilus/hexrays_tools/blob/master/code/defs.h

For BYTE3(x):

...
#define BYTEn(x, n)   (*((_BYTE*)&(x)+n))
...
#define BYTE3(x)   BYTEn(x,  3)
...

So BYTE3(x) yields (*((_BYTE*)&(x)+3)), which effectively means the fourth byte of the value x.

caot
  • 103
  • 4
Jason Geffner
  • 20,681
  • 1
  • 36
  • 75