We’ve covered structure creation using disassembly or Local Types, but there is also a way of doing it from the decompiler, especially when dealing with unknown, custom types used by the program.
Whenever you see code dereferencing a variable with different offsets, it is likely a structure pointer and the function is accessing different fields of it.
You can, of course, create the structure manually and change the variable’s type, but it is also possible to ask the decompiler to come up with a suitable layout. For this, use “Create new struct type…” from the context menu on the variable:
If you don’t see the action, you may need to reset the pointer type first. After you invoke it, the decompiler will analyze the accesses to the variable and come up with a candidate structure type which matches them:
You can accept the suggestion as-is, or make any suitable adjustments (for example, change the structure name, or edit some of the fields). After confirming, the structure is added to Local Types and the variable is converted to the corresponding pointer type:
You can, of course, keep refining the structure as you continue with your analysis and discover how the fields are used in other functions and what they mean. Renaming fields can be done directly from the pseudocode view, while for adding or rearranging them you’ll likely need to use the Local Types or Structures window.
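To make the inference step concrete, here is an added example (not code from the post or from Hex-Rays) that does in miniature what the action above does: it scans decompiler-style pseudocode for accesses of the form `*(_DWORD *)(a1 + 8)`, collects the (offset, size) pairs for one variable, and lays them out as a candidate struct with `gap_` fields for bytes that were never touched. The regex, the `field_<hex offset>` naming, the C types chosen per access width, and the decision to refuse overlapping accesses instead of guessing are all assumptions of this example, not the decompiler’s real algorithm; the pseudocode in `SAMPLE` is constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Decompiler cast names and their widths in bytes.
CAST_SIZES = {"BYTE": 1, "WORD": 2, "DWORD": 4, "QWORD": 8}
# C types emitted for each width (assumed naming, not Hex-Rays output).
SIZE_TO_CTYPE = {1: "unsigned __int8", 2: "unsigned __int16",
                 4: "unsigned int", 8: "unsigned __int64"}

# Matches *(_DWORD *)(a1 + 8), *(_BYTE *)(a1 + 0xC) and the bare *(_QWORD *)a1.
ACCESS_RE = re.compile(
    r"\*\(_(BYTE|WORD|DWORD|QWORD) \*\)"                 # the cast
    r"(?:\((\w+) \+ (0x[0-9A-Fa-f]+|\d+)\)|(\w+))"       # (var + off) or bare var
)


@dataclass(frozen=True, order=True)
class Access:
    offset: int
    size: int


@dataclass(frozen=True)
class Field:
    offset: int
    size: int
    name: str
    ctype: str
    is_gap: bool


def collect_accesses(pseudocode: str, var: str) -> set:
    """Return the set of (offset, size) dereferences of `var` found in the text."""
    found = set()
    for m in ACCESS_RE.finditer(pseudocode):
        cast, v_off, off, v_bare = m.groups()
        name = v_off if v_off is not None else v_bare
        if name != var:
            continue  # accesses through other pointers belong to other structs
        offset = int(off, 0) if off else 0
        found.add(Access(offset, CAST_SIZES[cast]))
    return found


def build_layout(accesses) -> list:
    """Turn accesses into an ordered field list, padding unseen bytes with gap fields."""
    fields = []
    cursor = 0
    for acc in sorted(accesses):
        if acc.offset < cursor:
            # A dword and its low byte, or two different widths at one offset, would
            # need a union or a manual choice; report it rather than guess.
            raise ValueError(f"overlapping access at offset {acc.offset:#x}")
        if acc.offset > cursor:
            gap = acc.offset - cursor
            fields.append(Field(cursor, gap, f"gap_{cursor:X}", "char", True))
        fields.append(Field(acc.offset, acc.size, f"field_{acc.offset:X}",
                            SIZE_TO_CTYPE[acc.size], False))
        cursor = acc.offset + acc.size
    return fields


def struct_size(fields) -> int:
    """Size implied by the last field; no trailing alignment is assumed."""
    return fields[-1].offset + fields[-1].size if fields else 0


def render_struct(name: str, fields) -> str:
    """Render the layout as a C declaration suitable for Local Types."""
    lines = [f"struct {name}", "{"]
    for f in fields:
        if f.is_gap:
            lines.append(f"  char {f.name}[{f.size}];")
        else:
            lines.append(f"  {f.ctype} {f.name};")
    lines.append("};")
    return "\n".join(lines)


# Constructed pseudocode in the decompiler's style; a2 is a second, unrelated pointer.
SAMPLE = """
int __fastcall sub_401000(__int64 a1, __int64 a2)
{
  if ( *(_DWORD *)(a1 + 8) > 3 )
    *(_BYTE *)(a1 + 12) = 1;
  *(_WORD *)(a1 + 14) = *(_WORD *)(a1 + 14) + 1;
  *(_DWORD *)(a2 + 4) = 0;
  return *(_QWORD *)a1 != 0;
}
"""

if __name__ == "__main__":
    layout = build_layout(collect_accesses(SAMPLE, "a1"))
    print(render_struct("struct_a1", layout), f"// size {struct_size(layout):#x}")
```

Running it on `SAMPLE` yields a 16-byte struct with `field_0`, `field_8`, `field_C`, a one-byte `gap_D` and `field_E`, which is exactly the kind of candidate you then rename and refine as the post describes; the overlap check is where a real session would instead need you to pick a field type by hand.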
See also: Hex-Rays interactive operation: Create new struct type
Article Link: Igor’s Tip of the Week #118: Structure creation in the decompiler – Hex Rays