
Interesting decompiler (yes, to (pseudo) source), RecStudio


dELTA
June 20th, 2007, 03:24
This decompiler (RecStudio) looks a little interesting at first glance, I wonder how this measures to the new IDA decompiler functionality:

http://www.backerstreet.com/rec/rec.htm

Anyone worked with it much?

Polaris
June 20th, 2007, 03:49
I looked at RecStudio when it was released (that is a while ago). Basically, it is the same engine as the previous REC wrapped in a more "usable" interface. The REC engine is fairly good at decompilation (it uses standard dataflow + controlflow analysis), and with the use of symbol files you can make it fairly usable.

However, Ilfak's decompiler looks definitely better, mostly because it relies on IDA as a disassembler, which is way more advanced than REC's. I, however, have the feeling that if IDA's licenses are somewhat restricted, the ones for the decompiler will be even more so.

In my opinion, however, one of the best decompilers around is this:

http://sourceforge.net/projects/exetoc/

It is a pity that it is no longer under development.

blabberer
June 20th, 2007, 04:04
Someone actually posted a recced C? asm? mixed? listing, asking for it to be converted to C# :eek

http://www.woodmann.com/forum/showthread.php?t=10202

Shub-nigurrath
June 20th, 2007, 10:10
what about boomerang? It's always reported as "one of" or even "the" best

Polaris
June 20th, 2007, 13:47
Quote (originally posted by Shub-nigurrath, post 66536):
what about boomerang? It's always reported as "one of" or even "the" best

Boomerang is for sure really advanced. However, it is still not ready for the real world - the analysis phase is really cool (the transformation into Single Static Assignment form makes the analysis excellent in most cases), but especially the frontend needs a lot of work. In my experience with it, Boomerang has several problems: for example, decompiling MSVC executables always requires you to provide entrypoints manually. Another not-so-small problem with it is also that the original authors quit the project, and I fear that the current admin may not have enough time to push the project further.

However, it is still an amazing effort to produce a working decompiler - and that is not little

LLXX
June 20th, 2007, 17:40
This is part of the source code for an MSN client I'm writing:
Code:
int CALLBACK dlg_login(int hwndDlg, int Msg, int wParam, int lParam) {
    int a,hinternet,hurl;
    char b[4096];
    char c[512];
    char d[256];
    char pploginurl[64];

    switch(Msg) {
    case WM_COMMAND:
        switch(wParam) {
        case 1: case 2:
        case 1001:
            EndDialog(hwndDlg,0);
            break;
        case 1000: /* login */
            EnableWindow(GetDlgItem(hwndDlg,1002),0);
            EnableWindow(GetDlgItem(hwndDlg,1003),0);
            EnableWindow(GetDlgItem(hwndDlg,1000),0);
            /* the buffers decay to char* themselves; passing &username
               hands over a pointer-to-array, which is the wrong type */
            GetDlgItemText(hwndDlg,1002,username,64);
            GetDlgItemText(hwndDlg,1003,password,16);
            if((ns_ip=inet_addr(ns_name))==-1) {
                wsprintf(b,"Resolving %s...",ns_name);
Here's what REC21 thinks of the same code:
Code:
L004026d9(A8, Ac, A10, A14, A16)
struct HWND__ * A8; /* totally failed to identify local variables correctly */
/* unknown */ void Ac;
/* unknown */ void A10;
char * A14;
/* unknown */ void A16;
{

    eax = 0x1340;
    L00404DB0();
    (save)ebx;
    (save)esi;
    (save)edi;
    if(!(eax = Ac - 0x110)) {
        if(!(eax = eax - 1)) { /* ... WTF? */
            if(!(eax = eax - 32495)) {
                if(eax = eax - 1) {
                    goto L00402f18;
                }
                eax = A14 >> 0x10;
                A14 = eax;
                == ? L00402744 : ; /* this is not even valid C */
...and here is the actual code for the two switch() cases above:
Code:
if(eax > 0) {
    if(eax > 2) {
        if(eax != 0x3e8) {
            if(eax == 0x3e9) {
                goto L00402ee1;
            }
        } else {
            esi = __imp__GetDlgItem; /* it recognised this ... */
            (save)ebx; /* ... this is supposed to be a parameter, so it resulted in */
            EnableWindow(GetDlgItem(A8, 0x3ea)); /* ...WRONG number of parameters */
            (save)ebx;
            (save)0x3eb;
            EnableWindow( *esi(), A8); /* ...then failed to see what esi is even though it recognised it above */
            (save)ebx;
            (save)0x3e8;
            EnableWindow( *esi(), A8);
            edi = A8;
            GetDlgItemTextA(edi, 0x3ea, 4228736, 0x40);
            GetDlgItemTextA(edi, 0x3eb, 4228256, 0x10);
            esi = 0x40112c;
            (save)0x40112c;
            eax = L00404D4E();
            M00408660 = eax;
            if(eax == -1) {
                wsprintfA(ebp + -4672, "Resolving %s...", esi); /* this is almost acceptable. */
                SetDlgItemTextA(edi, 0x3ec, ebp + -4672);
                (save)0x400;
                (save)4228896;
                (save)esi;
                (save)32768;
                (save)edi;
                L00404D48();
            } else {
                SendMessageA(edi, 32768, ebx, ebx); /* Registers in function calls? I thought this was supposed to be C. */
            }
- can't identify switch() properly
- function parameters are completely absent except for a few cases...
- ...same goes for register value retention within the same continuous block
- code is laced with gotos even when there were no jumps in the Asm (?)
- lack of back/forward buttons.

For some reason Exe2c seems to pagefault with every EXE I give it...
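The nested `if(!(eax = Ac - 0x110))` ... `if(!(eax = eax - 1))` lines in the REC listing above are the subtract-and-test-zero sequence MSVC commonly emits for a switch with sparse case values: each `sub eax, imm` / `jz` step subtracts the gap to the next case and jumps out to the handler on zero, so the decompiler has nested tests that are really a flat chain. Recovering the original constants is just a running sum of the deltas. The following Python script is an added example, not code from the thread or from REC; the deltas are read off the listing above (0x110, 1, 32495, 1), the message names come from winuser.h, and every function name in it is made up for this example.

```python
# Added example (not from the thread): recover the case constants of a
# switch() that was compiled as a running-subtraction chain, the pattern
# behind the nested if(!(eax = eax - N)) lines in the REC output above.
# Function names, the delta list and the message table are constructed here.

# Deltas taken from the REC listing: sub 0x110 / dec / sub 32495 / dec.
SUB_CHAIN_DELTAS = [0x110, 1, 32495, 1]

# Win32 message constants from winuser.h, used only to label results.
WM_NAMES = {0x0110: "WM_INITDIALOG", 0x0111: "WM_COMMAND", 0x8000: "WM_APP"}


def recover_case_values(deltas):
    """Return the case constants tested by a sub-imm/jz chain.

    After step i the register holds operand - sum(deltas[:i + 1]); the jz
    fires when that is zero, so the i-th case value is the running sum.
    """
    cases = []
    running = 0
    for delta in deltas:
        running += delta
        cases.append(running)
    return cases


def which_case(operand, deltas):
    """Emulate the chain for one operand value: index of the case whose
    handler would be reached, or None if every test falls through."""
    reg = operand
    for index, delta in enumerate(deltas):
        reg -= delta          # sub eax, imm  (or dec eax)
        if reg == 0:          # jz handler_index
            return index
    return None               # default / fall-through path


def label_case(value):
    """Map a recovered constant to a message name where one is known."""
    if value in WM_NAMES:
        return WM_NAMES[value]
    if 0x8000 <= value <= 0xBFFF:            # private application message range
        return "WM_APP+%d" % (value - 0x8000)
    return "0x%X" % value


def reconstruct_switch(deltas, operand="Msg"):
    """Render the recovered cases as the C switch the compiler started from."""
    lines = ["switch(%s) {" % operand]
    for value in recover_case_values(deltas):
        lines.append("    case %s: /* 0x%X */" % (label_case(value), value))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(reconstruct_switch(SUB_CHAIN_DELTAS))
```

Running it on the deltas from the listing gives WM_INITDIALOG, WM_COMMAND, WM_APP and WM_APP+1, which matches the `SendMessageA(edi, 32768, ...)` (32768 = WM_APP) further down in the same output; the second nested chain on `eax > 0` / `eax > 2` / `!= 0x3e8` / `== 0x3e9` is the inner `switch(wParam)` compiled as range tests instead, and is not handled by this pass.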

Polaris
June 21st, 2007, 09:14
Yeah, that output from REC is really horrible. To improve the output you can try starting REC using a cmd file containing symbol definitions for known functions and data elements: using REC/RECSTUDIO without initial definitions is basically a waste of time. Whenever I used REC or Boomerang, I always used IDA Pro to do a manual analysis, and progressively built a command file to eventually feed the decompiler.

Regarding ExeToC, you are right - it crashes a lot and is nearly unusable (I did my tests only on the provided test application). Consider anyway that the program is open source and this is the first (sadly seems also the last) release...

FrankRizzo
June 21st, 2007, 18:24
That sounds like a good use for an IDA plug-in. If someone could make one that would generate the necessary CMD file for REC/RECStudio.

Anyone bored, and knowledgeable enough to do it?
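A sketch of what such a plug-in would do, as an added example that is not from the thread and not REC's or IDA's own code: an IDAPython script that collects the function names, prototypes and named data from the current database, drops IDA's auto-generated names (feeding `sub_401000` back to a decompiler adds nothing), and writes the rest out. REC's real command-file syntax is not on this page, so the `func`/`data` line format used here is a placeholder to be replaced with the syntax from REC's documentation; the IDAPython calls (`idautils.Functions`, `idautils.Names`, `idc.get_func_name`, `idc.get_type`, `ida_funcs.get_func`) are the IDA 7.x API, and the sample addresses and names in the test data are constructed from the listing earlier in the thread.

```python
# Added example (not from the thread): collect decompiler symbol definitions
# from an IDA database. The output line format is a PLACEHOLDER, not REC's
# real command-file syntax. Function names below are made up for the example.
import re

# IDA's auto-generated names carry no information a decompiler lacks.
AUTO_NAME = re.compile(r"^(sub|loc|locret|dword|word|byte|off|unk|asc)_[0-9A-Fa-f]+$")


def is_user_name(name):
    """True for names an analyst actually assigned."""
    return bool(name) and AUTO_NAME.match(name) is None


def format_definitions(functions, data):
    """Render collected symbols as definition lines (placeholder syntax).

    functions: iterable of (address, name, prototype_or_None)
    data:      iterable of (address, name)
    Auto-generated names are skipped; output is sorted by address.
    """
    lines = []
    for ea, name, proto in sorted(functions):
        if not is_user_name(name):
            continue
        if proto:
            lines.append("func 0x%08X %s %s" % (ea, name, proto))
        else:
            lines.append("func 0x%08X %s" % (ea, name))
    for ea, name in sorted(data):
        if is_user_name(name):
            lines.append("data 0x%08X %s" % (ea, name))
    return "\n".join(lines) + "\n"


def collect_from_ida():
    """Gather functions and named data from the open IDA database.

    IDAPython is imported lazily so the formatting half runs outside IDA.
    """
    import idautils, idc, ida_funcs  # only available inside IDA
    functions, data = [], []
    for ea in idautils.Functions():
        functions.append((ea, idc.get_func_name(ea), idc.get_type(ea)))
    for ea, name in idautils.Names():
        if ida_funcs.get_func(ea) is None:      # skip function entry names
            data.append((ea, name))
    return functions, data


if __name__ == "__main__":
    fns, dat = collect_from_ida()
    with open("decompiler_defs.txt", "w") as out:   # placeholder file name
        out.write(format_definitions(fns, dat))
```

The split between `collect_from_ida` and `format_definitions` is deliberate: the collector is the only part that depends on IDA, so the formatter can be swapped for one emitting whatever syntax the target decompiler actually reads, and tested without IDA present.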

LLXX
June 21st, 2007, 22:00
IMHO fixing the open-source Exetoc would be effort better spent. The bulk of the decompiler engine is already written, and it's only a matter of tracking down some bugs.

Polaris
June 22nd, 2007, 01:22
FrankRizzo:

Yeah, that could be a good idea... Consider however that the commands for REC are usually not so well documented and their behaviour sometimes is funny - I think that could be an adventure. However, I would wait for Ilfak's decompiler, it'll probably give better results anyway.

LLXX:

I do completely agree. It would be great to remove the crashes first, and then slowly improve the thing.