decompiler
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseTrigger Intents
触发场景
Use this skill when user asks for:
- "decompile this function"
- pseudocode understanding or AST-level analysis
- local variable semantics in decompiled form
- decompiler-centric pattern mining (returns/calls/conditions)
Route to:
- for persistent comments/renames after interpretation
annotations - for struct/enum/type construction and application
types - when decompiler is unavailable or insufficient
disassembly
当用户提出以下需求时使用本技能:
- "反编译这个函数"
- 伪代码理解或AST层面分析
- 反编译结果中的局部变量语义分析
- 以反编译器为核心的模式挖掘(返回/调用/条件语句)
关联技能:
- :用于解读后添加持久化注释/重命名
annotations - :用于结构体/枚举/类型的构建与应用
types - :当反编译器不可用或功能不足时使用
disassembly
Do This First (Warm-Start Sequence)
初始操作流程(预热步骤)
sql
-- 1) Capability/profile probe
SELECT * FROM pragma_table_list WHERE name IN ('pseudocode', 'ctree', 'ctree_lvars');
-- 2) Pick one concrete function target
SELECT name, printf('0x%X', address) AS addr, size
FROM funcs
ORDER BY size DESC
LIMIT 10;
-- 3) View decompiled text via primary read surface
SELECT decompile(0x401000);Interpretation guidance:
- is primary display surface.
decompile(addr) - /
pseudocodeare structured query/edit surfaces.ctree*
sql
-- 1) 能力/配置探测
SELECT * FROM pragma_table_list WHERE name IN ('pseudocode', 'ctree', 'ctree_lvars');
-- 2) 选择一个具体的函数目标
SELECT name, printf('0x%X', address) AS addr, size
FROM funcs
ORDER BY size DESC
LIMIT 10;
-- 3) 通过主读取界面查看反编译文本
SELECT decompile(0x401000);解读指南:
- 是主显示界面。
decompile(addr) - /
pseudocode是结构化查询/编辑界面。ctree*
Global Constraint Reminder (Critical)
全局约束提醒(重要)
Always constrain decompiler tables by function:
sql
WHERE func_addr = 0x...Without this, decompiler tables may decompile every function and become extremely slow.
始终通过函数约束反编译器表:
sql
WHERE func_addr = 0x...如果不添加该约束,反编译器表会对所有函数进行反编译,导致速度极慢。
Failure and Recovery
故障与恢复
- No Hex-Rays/decompiler tables unavailable:
- Fall back to +
disassemblyworkflows.xrefs
- Fall back to
- Empty/partial rows:
- Confirm target exists and refresh decompile cache (
func_addrwhere supported).decompile(addr, 1)
- Confirm target
- Mutation did not appear:
- Run mandatory mutation loop (read -> edit -> refresh -> verify).
- 无Hex-Rays/反编译器表不可用:
- fallback到 +
disassembly工作流。xrefs
- fallback到
- 结果为空/不完整:
- 确认目标 存在,并刷新反编译缓存(支持的情况下使用
func_addr)。decompile(addr, 1)
- 确认目标
- 修改未生效:
- 执行强制修改循环(读取 -> 编辑 -> 刷新 -> 验证)。
Handoff Patterns
技能衔接模式
- ->
decompilerfor local type seeding and richer declarations.types - ->
decompilerfor persistent narrative and naming.annotations - ->
decompilerfor opcode-level validation.disassembly
- ->
decompiler:用于局部类型植入与更丰富的声明。types - ->
decompiler:用于添加持久化说明与命名。annotations - ->
decompiler:用于操作码层面的验证。disassembly
Decompiler Tables (Hex-Rays Required)
反编译器表(需Hex-Rays支持)
CRITICAL: Always filter by . Without constraint, these tables will decompile EVERY function - extremely slow!
func_addr重要提示: 始终通过 过滤。如果不添加约束,这些表会对所有函数进行反编译——速度极慢!
func_addrpseudocode
pseudocode
The table is a structured line-by-line pseudocode with writable comments. Use to view pseudocode; use this table only for surgical edits (comments) or structured queries.
pseudocodedecompile(addr)| Column | Type | Writable | Description |
|---|---|---|---|
| INT | No | Function address |
| INT | No | Line number |
| TEXT | No | Pseudocode text |
| INT | No | Corresponding assembly address (from COLOR_ADDR anchor) |
| TEXT | Yes | Decompiler comment at this ea |
| TEXT | Yes | Comment placement: |
Filter behavior:
- : best performance; iterates pseudocode for one function only.
WHERE func_addr = X - : decompiles only the containing function and returns matching lines for that EA.
WHERE ea = X - : scans functions and returns rows at that line index; use only when you need cross-function line alignment.
WHERE line_num = N
Comment placements: (after ), (own line above), , , , , , ,
semi;block1block2curly1curly2coloncaseelsedosql
-- VIEWING: Use decompile() function, NOT the pseudocode table
SELECT decompile(0x401000);
-- COMMENTING: Use pseudocode table to add/edit/delete comments
UPDATE pseudocode SET comment_placement = 'semi',
comment = 'buffer overflow here'
WHERE func_addr = 0x401000 AND ea = 0x401020;
-- Add block comment (appears on own line above the statement)
UPDATE pseudocode SET comment_placement = 'block1', comment = 'vulnerable call'
WHERE func_addr = 0x401000 AND ea = 0x401020;
-- Delete comments at a resolved unique anchor
UPDATE pseudocode SET comment = NULL
WHERE func_addr = 0x401000 AND ea = 0x401020;True function comments are not part of :
pseudocode- use for the regular function comment
UPDATE funcs SET comment = ... WHERE address = ... - use for the repeatable function comment
UPDATE funcs SET rpt_comment = ... WHERE address = ...
pseudocodedecompile(addr)| 列名 | 类型 | 是否可写 | 描述 |
|---|---|---|---|
| INT | 否 | 函数地址 |
| INT | 否 | 行号 |
| TEXT | 否 | 伪代码文本 |
| INT | 否 | 对应的汇编地址(来自COLOR_ADDR锚点) |
| TEXT | 是 | 该ea处的反编译器注释 |
| TEXT | 是 | 注释位置: |
过滤行为:
- :性能最优;仅遍历单个函数的伪代码。
WHERE func_addr = X - :仅反编译包含该EA的函数,并返回匹配该行的结果。
WHERE ea = X - :扫描所有函数并返回对应行索引的结果;仅在需要跨函数行对齐时使用。
WHERE line_num = N
注释位置选项: (后)、(单独一行在上方)、、、、、、、
semi;block1block2curly1curly2coloncaseelsedosql
-- 查看:使用decompile()函数,而非pseudocode表
SELECT decompile(0x401000);
-- 添加/编辑/删除注释:使用pseudocode表
UPDATE pseudocode SET comment_placement = 'semi',
comment = '此处存在缓冲区溢出'
WHERE func_addr = 0x401000 AND ea = 0x401020;
-- 添加块注释(显示在语句上方的单独一行)
UPDATE pseudocode SET comment_placement = 'block1', comment = '易受攻击的调用'
WHERE func_addr = 0x401000 AND ea = 0x401020;
-- 删除已解析唯一锚点处的注释
UPDATE pseudocode SET comment = NULL
WHERE func_addr = 0x401000 AND ea = 0x401020;真正的函数注释不属于 表:
pseudocode- 如需添加常规函数注释,使用
UPDATE funcs SET comment = ... WHERE address = ... - 如需添加可重复显示的函数注释,使用
UPDATE funcs SET rpt_comment = ... WHERE address = ...
pseudocode_orphan_comments
pseudocode_orphan_comments
Persisted Hex-Rays comments that no longer attach to the current decompiled output of a live function. Use it to inspect or delete stale comments.
| Column | Type | Writable | Description |
|---|---|---|---|
| INT | No | Function address |
| TEXT | No | Current function name for triage |
| INT | No | Stored orphan comment EA |
| TEXT | No | Stored |
| TEXT | Delete-only | Stored orphan comment text |
Rules:
- or
UPDATE ... SET orphan_comment = NULLdeletes that orphan comment.'' - Any non-empty write is rejected.
已持久化但不再关联到当前函数反编译输出的Hex-Rays注释。用于检查或删除过期注释。
| 列名 | 类型 | 是否可写 | 描述 |
|---|---|---|---|
| INT | 否 | 函数地址 |
| TEXT | 否 | 当前函数名称(用于分类排查) |
| INT | 否 | 存储的过期注释EA |
| TEXT | 否 | 存储的 |
| TEXT | 仅可删除 | 存储的过期注释文本 |
规则:
- 使用 或
UPDATE ... SET orphan_comment = NULL删除过期注释。'' - 任何非空写入操作都会被拒绝。
pseudocode_v_orphan_comment_groups
pseudocode_v_orphan_comment_groups
Grouped, read-only orphan triage surface. One row per function with orphan comments.
Columns: , , ,
func_addrfunc_nameorphan_countorphan_comments_json分组的只读过期注释排查界面。每条记录对应一个存在过期注释的函数。
列:、、、
func_addrfunc_nameorphan_countorphan_comments_jsonComment Anchor Resolution (Critical)
注释锚点解析(重要)
Use this recipe before writing heading-style decompiler notes.
Rules:
- Do not assume .
ea == func_addr - The first displayed pseudocode row often has and is not the right write target.
ea = 0 - One can map to multiple rows (
ea, statement,{); prefer a unique non-brace anchor.} - For true function comments, update /
funcs.commentinstead offuncs.rpt_comment.pseudocode
sql
-- Resolve the first attachable non-brace row near function start
SELECT line_num, ea, line
FROM pseudocode
WHERE func_addr = 0x401000
AND ea != 0
AND TRIM(line) NOT IN ('{', '}')
AND ea IN (
SELECT ea
FROM pseudocode
WHERE func_addr = 0x401000 AND ea != 0
GROUP BY ea
HAVING COUNT(*) = 1
)
ORDER BY line_num
LIMIT 1;
-- Write a heading-style summary using the resolved ea
UPDATE pseudocode
SET comment_placement = 'block1',
comment = 'One-paragraph summary of the function.'
WHERE func_addr = 0x401000
AND ea = (
SELECT ea
FROM pseudocode
WHERE func_addr = 0x401000
AND ea != 0
AND TRIM(line) NOT IN ('{', '}')
AND ea IN (
SELECT ea
FROM pseudocode
WHERE func_addr = 0x401000 AND ea != 0
GROUP BY ea
HAVING COUNT(*) = 1
)
ORDER BY line_num
LIMIT 1
);在添加标题式反编译器注释前,请遵循以下步骤。
规则:
- 不要假设 。
ea == func_addr - 第一个显示的伪代码行通常 ,不是合适的写入目标。
ea = 0 - 一个 可能映射到多行(
ea、语句、{);优先选择唯一的非大括号锚点。} - 如需添加真正的函数注释,请更新 /
funcs.comment而非funcs.rpt_comment表。pseudocode
sql
-- 解析函数起始位置附近第一个可关联的非大括号行
SELECT line_num, ea, line
FROM pseudocode
WHERE func_addr = 0x401000
AND ea != 0
AND TRIM(line) NOT IN ('{', '}')
AND ea IN (
SELECT ea
FROM pseudocode
WHERE func_addr = 0x401000 AND ea != 0
GROUP BY ea
HAVING COUNT(*) = 1
)
ORDER BY line_num
LIMIT 1;
-- 使用解析得到的ea添加标题式摘要
UPDATE pseudocode
SET comment_placement = 'block1',
comment = '函数的一段摘要说明。'
WHERE func_addr = 0x401000
AND ea = (
SELECT ea
FROM pseudocode
WHERE func_addr = 0x401000
AND ea != 0
AND TRIM(line) NOT IN ('{', '}')
AND ea IN (
SELECT ea
FROM pseudocode
WHERE func_addr = 0x401000 AND ea != 0
GROUP BY ea
HAVING COUNT(*) = 1
)
ORDER BY line_num
LIMIT 1
);ctree
ctree
Full Abstract Syntax Tree of decompiled code.
| Column | Type | Description |
|---|---|---|
| INT | Function address |
| INT | Unique node ID |
| INT | 1=expression, 0=statement |
| TEXT | Node type ( |
| INT | Address in binary |
| INT | Parent node ID |
| INT | Tree depth |
| INT | Child node IDs |
| INT | Local variable index |
| TEXT | Variable name |
| INT | Target address |
| TEXT | Symbol name |
| INT | Numeric literal |
| INT | Label number when node defines a label |
| INT | Target label number for |
| TEXT | String literal |
反编译代码的完整抽象语法树。
| 列名 | 类型 | 描述 |
|---|---|---|
| INT | 函数地址 |
| INT | 唯一节点ID |
| INT | 1=表达式,0=语句 |
| TEXT | 节点类型( |
| INT | 二进制中的地址 |
| INT | 父节点ID |
| INT | 树深度 |
| INT | 子节点ID |
| INT | 局部变量索引 |
| TEXT | 变量名称 |
| INT | 目标地址 |
| TEXT | 符号名称 |
| INT | 数值字面量 |
| INT | 节点定义标签时的标签编号 |
| INT | |
| TEXT | 字符串字面量 |
ctree_lvars
ctree_lvars
Local variables from decompilation.
| Column | Type | Description |
|---|---|---|
| INT | Function address |
| INT | Variable index |
| TEXT | Variable name |
| TEXT | Type string |
| TEXT | Local-variable comment shown next to declaration |
| INT | Size in bytes |
| INT | 1=function argument |
| INT | 1=stack variable |
| INT | Stack offset |
Mutation guidance:
- Prefer -based updates for deterministic writes.
idx - updates map to Hex-Rays local-variable comments (
comment) and appear inlv.cmtoutput.decompile(...)
反编译得到的局部变量。
| 列名 | 类型 | 描述 |
|---|---|---|
| INT | 函数地址 |
| INT | 变量索引 |
| TEXT | 变量名称 |
| TEXT | 类型字符串 |
| TEXT | 显示在声明旁的局部变量注释 |
| INT | 字节大小 |
| INT | 1=函数参数 |
| INT | 1=栈变量 |
| INT | 栈偏移量 |
修改指南:
- 优先基于 进行更新,确保写入的确定性。
idx - 更新 会同步到Hex-Rays局部变量注释(
comment),并在lv.cmt输出中显示。decompile(...)
ctree_labels
ctree_labels
Decompiler control-flow labels. Supports UPDATE () and mirrors label facilities on .
namecfunc_t| Column | Type | RW | Description |
|---|---|---|---|
| INT | R | Function address |
| INT | R | Label number ( |
| TEXT | RW | Current label name |
| INT | R | Backing ctree item id for this label |
| INT | R | Address of label-bearing ctree item |
| INT | R | 1 if name differs from default |
反编译器控制流标签。支持更新(字段),并与的标签功能同步。
namecfunc_t| 列名 | 类型 | 读写权限 | 描述 |
|---|---|---|---|
| INT | 读 | 函数地址 |
| INT | 读 | 标签编号( |
| TEXT | 读写 | 当前标签名称 |
| INT | 读 | 该标签对应的ctree项ID |
| INT | 读 | 承载标签的ctree项地址 |
| INT | 读 | 1表示名称与默认 |
ctree_call_args
ctree_call_args
Flattened call arguments for easy querying.
| Column | Type | Description |
|---|---|---|
| INT | Function address |
| INT | Call node ID |
| INT | Call-site EA |
| TEXT | Callee object name |
| TEXT | Callee helper name |
| INT | Argument index (0-based) |
| INT | Argument expression item ID |
| TEXT | Argument type |
| TEXT | Variable name if applicable |
| INT | Numeric value |
| TEXT | String value |
扁平化的调用参数,便于查询。
| 列名 | 类型 | 描述 |
|---|---|---|
| INT | 函数地址 |
| INT | 调用节点ID |
| INT | 调用位置EA |
| TEXT | 被调用对象名称 |
| TEXT | 被调用辅助函数名称 |
| INT | 参数索引(从0开始) |
| INT | 参数表达式项ID |
| TEXT | 参数类型 |
| TEXT | 变量名称(如有) |
| INT | 数值 |
| TEXT | 字符串值 |
Decompiler Views
反编译器视图
Pre-built views for common patterns (always filter by ):
func_addr| View | Purpose |
|---|---|
| Function calls with callee info |
| Indirect/dynamic call sites for call-site typing |
| Grouped orphan comment triage |
| for/while/do loops |
| if statements |
| Comparisons with operands |
| Assignments with operands |
| Pointer dereferences |
| Return statements with value details |
| Calls inside loops (recursive) |
| Calls inside if branches (recursive) |
| Functions with no outgoing calls |
| Call chain paths up to depth 10 |
预构建的常用模式视图(始终通过过滤):
func_addr| 视图 | 用途 |
|---|---|
| 包含被调用方信息的函数调用 |
| 用于调用位置类型标注的间接/动态调用位置 |
| 分组的过期注释排查 |
| for/while/do循环 |
| if语句 |
| 包含操作数的比较语句 |
| 包含操作数的赋值语句 |
| 指针解引用 |
| 包含返回值详情的返回语句 |
| 循环内的调用(递归) |
| if分支内的调用(递归) |
| 无对外调用的函数 |
| 深度最多为10的调用链路径 |
Type Tables and Views
类型表与视图
For , , , schemas, type views, and type CRUD examples, see skill.
typestypes_memberstypes_enum_valuestypes_func_argstypes关于、、、的结构、类型视图及类型增删改查示例,请查看技能文档。
typestypes_memberstypes_enum_valuestypes_func_argstypesSQL Functions — Decompilation
SQL函数——反编译相关
When to use vs table:
decompile()pseudocode- Read/show pseudocode -> always start with . Returns full function as one text block with per-line prefixes.
SELECT decompile(addr) - Local declaration hints -> declaration lines include compact local-variable index hints () so rename operations can target
[lv:N]safely.UPDATE ctree_lvars ... WHERE func_addr = ... AND idx = N - Need fresh output after edits -> use to force re-decompilation.
SELECT decompile(addr, 1) - Need structured line access or comment CRUD -> query/update the table.
pseudocode
| Function | Description |
|---|---|
| PREFERRED -- Full pseudocode with line prefixes |
| Same output but forces re-decompilation |
| Apply a prototype to one call site |
| Read explicit call-site prototype when present |
| Read persisted argument-loader addresses as JSON |
| Set/clear union selection path at EA |
| Set/clear union selection path by |
| PREFERRED call-arg targeting helper |
| Resolve call-arg coordinate to explicit |
| Resolve generic expression coordinate to explicit |
| Set/clear union selection via generic expression coordinate |
| Read union selection path JSON at EA |
| Read union selection path JSON by |
| Read union selection JSON via call-arg coordinate |
| Read union selection JSON via generic expression coordinate |
| Set/clear numform directly by EA + operand index |
| Read numform JSON directly by EA + operand index |
| Set/clear numform by explicit ctree item id |
| Read numform JSON by explicit ctree item id |
| Set/clear numform via call-arg coordinate |
| Read numform JSON via call-arg coordinate |
| Set/clear numform via generic expression coordinate |
| Read numform JSON via generic expression coordinate |
Targeting guidance:
- Use helpers for repeated callees and call-site arguments.
*_ea_arg - Use plus
ctree_item_at(..., op_name, nth)helpers for non-call expressions and assignment-side struct/union population stores.*_ea_expr
何时使用 vs 表:
decompile()pseudocode- 读取/展示伪代码 -> 始终从 开始。返回带行前缀的完整函数文本块。
SELECT decompile(addr) - 局部声明提示 -> 声明行包含紧凑的局部变量索引提示(),因此重命名操作可以安全地使用
[lv:N]。UPDATE ctree_lvars ... WHERE func_addr = ... AND idx = N - 编辑后需要刷新输出 -> 使用 强制重新反编译。
SELECT decompile(addr, 1) - 需要结构化行访问或注释增删改查 -> 查询/更新表。
pseudocode
| 函数 | 描述 |
|---|---|
| 推荐使用 -- 带行前缀的完整伪代码 |
| 输出内容相同,但强制重新反编译 |
| 为单个调用位置应用原型 |
| 读取调用位置的显式原型(如有) |
| 以JSON格式读取持久化的参数加载地址 |
| 在EA位置设置/清除联合体选择路径 |
| 通过 |
| 推荐使用 的调用参数定位辅助函数 |
| 将调用参数坐标解析为明确的 |
| 将通用表达式坐标解析为明确的 |
| 通过通用表达式坐标设置/清除联合体选择路径 |
| 读取EA位置的联合体选择路径JSON |
| 通过 |
| 通过调用参数坐标读取联合体选择路径JSON |
| 通过通用表达式坐标读取联合体选择路径JSON |
| 通过EA + 操作数索引直接设置/清除数值格式 |
| 通过EA + 操作数索引直接读取数值格式JSON |
| 通过明确的ctree项ID设置/清除数值格式 |
| 通过明确的ctree项ID读取数值格式JSON |
| 通过调用参数坐标设置/清除数值格式 |
| 通过调用参数坐标读取数值格式JSON |
| 通过通用表达式坐标设置/清除数值格式 |
| 通过通用表达式坐标读取数值格式JSON |
定位指南:
- 对于重复调用的被调用方和调用位置参数,使用辅助函数。
*_ea_arg - 对于非调用表达式和赋值侧结构体/联合体赋值操作,使用搭配
ctree_item_at(..., op_name, nth)辅助函数。*_ea_expr
SQL Functions — Modification
SQL函数——修改相关
For , , , and name writes via /, see skill.
type_at()set_type()parse_decls()namesfuncstypesPreferred SQL write surface for function metadata:
UPDATE funcs SET name = '...', prototype = '...', comment = '...', rpt_comment = '...' WHERE address = ...- maps to
prototypebehavior and invalidates decompiler cache.type_at/set_type - /
commentmap torpt_comment/get_func_cmt().set_func_cmt()
关于、、及通过/修改名称的内容,请查看技能文档。
type_at()set_type()parse_decls()namesfuncstypes函数元数据的推荐SQL写入方式:
UPDATE funcs SET name = '...', prototype = '...', comment = '...', rpt_comment = '...' WHERE address = ...- 与
prototype行为同步,并会使反编译器缓存失效。type_at/set_type - /
comment与rpt_comment/get_func_cmt()行为同步。set_func_cmt()
Performance Rules
性能规则
| Table | Architecture | Key Constraint | Notes |
|---|---|---|---|
| Cached | | Lazy per-function cache, freed after query |
| Cached | | Query-scoped orphan rows; writable delete-only |
| Cached | | Query-scoped grouped orphan triage; start broad with |
| Generator | | Lazy streaming, never materializes full result, respects LIMIT |
| Cached | | Lazy per-function cache, freed after query |
| Generator | | Lazy streaming, respects LIMIT |
Critical rules:
- ALL decompiler tables require constraint. Without it, every function is decompiled.
func_addr - Generator tables (,
ctree) stream rows lazily and stop at LIMIT.ctree_call_args - Decompiler views (,
ctree_v_calls,ctree_v_indirect_calls, etc.) inherit thectree_v_loopsconstraint -- always filter.func_addr - Hex-Rays cfunc cache: is internally cached.
decompile(addr)forces a full re-decompilation -- only use when you need to see effects of a mutation.decompile(addr, 1)
Cost model:
decompile(addr) -> ~50-200ms first call, ~0ms cached
decompile(addr, 1) -> ~50-200ms always (forces re-decompile)
ctree WHERE func_addr=X -> one decompilation + streaming rows
ctree (no constraint) -> one decompilation per row in funcs| 表 | 架构 | 关键约束 | 说明 |
|---|---|---|---|
| 缓存型 | | 懒加载的单函数缓存,查询后释放 |
| 缓存型 | | 查询范围内的过期注释行;仅支持删除操作 |
| 缓存型 | | 查询范围内的分组过期注释排查;使用 |
| 生成器型 | | 懒加载流式返回,不会生成完整结果集,遵循LIMIT限制 |
| 缓存型 | | 懒加载的单函数缓存,查询后释放 |
| 生成器型 | | 懒加载流式返回,遵循LIMIT限制 |
重要规则:
- 所有反编译器表都需要约束。 没有该约束时,会对所有函数进行反编译。
func_addr - 生成器型表(、
ctree)懒加载流式返回行,并在达到LIMIT时停止。ctree_call_args - 反编译器视图(、
ctree_v_calls、ctree_v_indirect_calls等)继承ctree_v_loops约束——始终进行过滤。func_addr - Hex-Rays cfunc缓存: 内部会缓存结果。
decompile(addr)强制完全重新反编译——仅在需要查看修改效果时使用。decompile(addr, 1)
成本模型:
decompile(addr) -> 首次调用约50-200ms,缓存后约0ms
decompile(addr, 1) -> 始终约50-200ms(强制重新反编译)
ctree WHERE func_addr=X -> 一次反编译 + 流式返回行
ctree (无约束) -> 对funcs表中的每个函数各进行一次反编译Additional Resources
额外资源
- For detailed workflows (capability probing, mutation loop, call-site typing, local type seeding, fallback patterns, full worked examples): references/decompiler-workflows.md
- For detailed view schemas (ctree_v_indirect_calls, ctree_v_returns): references/decompiler-views.md
- For ctree node types, manipulation patterns, and advanced CTEs: references/ctree-manipulation.md
- 详细工作流(能力探测、修改循环、调用位置类型标注、局部类型植入、 fallback模式、完整示例):references/decompiler-workflows.md
- 详细视图结构(ctree_v_indirect_calls、ctree_v_returns):references/decompiler-views.md
- ctree节点类型、操作模式及高级CTE:references/ctree-manipulation.md