As I continue to explore NSA’s new reversing tool, Ghidra, one of the features that I heard about and was excited to see in action was the decompiler. So, in this entry in the series, I’ll start to delve into that some. In particular, I’ll look at one particular option that turned out to be more useful than I originally thought, though I’m still not entirely certain how I’ll use it going forward. I’ve long been a user of the Hex-Rays decompiler at $dayjob and I really like it, but I can’t afford it for use in my personal/Storm Center research and we don’t use it in FOR610, so I was really looking forward to giving the Ghidra one a try. I have to say, so far, I’m pretty impressed. As I explain to my FOR610 students, decompiling is a hard problem. A lot of context is lost during optimization, so except for very simple programs you shouldn’t expect the decompiler to give you C code that looks like the original source. Having said that, for someone like me who has been programming on-and-off for a very long time, I can usually grasp the purpose of a function much more quickly in a (pseudo-)high level language than I can in assembler. One place decompiling is extremely useful for, is showing the parameters to function calls (especially Windows API calls) in a way that isn’t as tedious (and potentially error prone) as scrolling up and counting the PUSH instructions (cdecl or stdcall) or trying to trace the contents of certain registers (fastcall). More on that in my next installment.