Decompiler C++, Binary


jackall
May 21st, 2008, 09:29
A decompiler converts executable code to source code in a higher-level language such as C or C++.

I wrote the source file in C++, and I am attaching the compiled .exe file to this post.

How does one go about decompiling it?
A few general suggestions, and maybe the tools required to go with them, would be constructive.
and...
I will post the source later on, if it is ever needed.
Or better...
Someone decompile it, display the source code, and probably give a short description of the process involved.

Warning: the code is workable in the strictest sense, but it could be some of the sloppiest and most inferior coding that you have ever seen. It needs to be improved, and that is plainly one of the aims of this thread.

Regards.

Arcane
May 21st, 2008, 09:42
1) Your request sucks... but I'll give you some pointers.

There are several tools you'd want to check out: IDA and Hex-Rays. IDA turns bytes into assembly code, and Hex-Rays turns assembly into C pseudo-code, so you can get an idea of what you might need from there. Now, if you're looking for a disassembler, I'd suggest you check out diStorm64, which is a nice open-source disassembler library.

Jakor
May 21st, 2008, 12:32
aaa
bcd


The password is:
first letter + 1 on the ASCII chart
second letter + 2 on the ASCII chart
third letter + 3 on the ASCII chart

deroko
May 21st, 2008, 12:48
Yes, but he asked for the decompilation process.

jackall
May 21st, 2008, 13:47
Thank you, deroko, for steering the question in the appropriate, anticipated direction.

Well, Jakor, you have come up with the encryption part (if one can even use that term; it is that basic). I appreciate your almost immediate response.

As deroko pointed out, I was keen to know the decompilation process.

Regards..

Jakor
May 25th, 2008, 00:04
Run OllyDbg.
Drag Decompile.exe into OllyDbg to load it.
Right-click -> Search for -> All referenced text strings.

The first four referenced text strings are all interesting. The first two are prompts, which are passed to the display-string function. The second two are the possible outputs, depending on whether the comparison is correct. Double-click "Right" and you will be in the area you need to be in. You will notice a JNZ above this reference, which is the check.
Code:
0040149A |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0040149D |. 3B45 C8 CMP EAX,DWORD PTR SS:[EBP-38]
004014A0 |. 75 16 JNZ SHORT decompil.004014B8
004014A2 |. C74424 04 2500>MOV DWORD PTR SS:[ESP+4],decompil.004400>; ASCII "Right"


Now look to see where "EBP-34" is written to, as this holds the key value.

(NOTE: By stepping over this section of code we can see when text is displayed (aka the print function) and when a call doesn't return because it is waiting for input (aka the input function).)

Code:
004013DC |. E8 D3BA0300 CALL <decompil.Input>
004013E1 |. E8 9AEB0200 CALL decompil.0042FF80 ; mov eax, -1
004013E6 |. 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
004013EA |. C74424 04 0100>MOV DWORD PTR SS:[ESP+4],1
004013F2 |. C70424 6034440>MOV DWORD PTR SS:[ESP],decompil.00443460
004013F9 |. E8 F2530200 CALL decompil.004267F0
004013FE |. 0FB645 E8 MOVZX EAX,BYTE PTR SS:[EBP-18]
00401402 |. FEC0 INC AL
00401404 |. 8845 D7 MOV BYTE PTR SS:[EBP-29],AL
00401407 |. 0FB645 E9 MOVZX EAX,BYTE PTR SS:[EBP-17]
0040140B |. 04 02 ADD AL,2
0040140D |. 8845 D6 MOV BYTE PTR SS:[EBP-2A],AL
00401410 |. 0FB645 EA MOVZX EAX,BYTE PTR SS:[EBP-16]
00401414 |. 04 03 ADD AL,3
00401416 |. 8845 D5 MOV BYTE PTR SS:[EBP-2B],AL
00401419 |. 0FBE55 D7 MOVSX EDX,BYTE PTR SS:[EBP-29]
0040141D |. 0FBE45 D6 MOVSX EAX,BYTE PTR SS:[EBP-2A]
00401421 |. 01C2 ADD EDX,EAX
00401423 |. 0FBE45 D5 MOVSX EAX,BYTE PTR SS:[EBP-2B]
00401427 |. 8D0402 LEA EAX,DWORD PTR DS:[EDX+EAX]
0040142A |. 8945 CC MOV DWORD PTR SS:[EBP-34],EAX


As we see, "EBP-34" is written from the first input ("enter a 3 letter word"). We can step through this and watch it increment and add all the characters together (the "encryption"). Now the other part that we are checking, "EBP-38", we see comes from this code after "enter password":

Code:
0040144F |. E8 60BA0300 CALL <decompil.Input>
00401454 |. E8 27EB0200 CALL decompil.0042FF80
00401459 |. 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
0040145D |. C74424 04 0100>MOV DWORD PTR SS:[ESP+4],1
00401465 |. C70424 6034440>MOV DWORD PTR SS:[ESP],decompil.00443460
0040146C |. E8 7F530200 CALL decompil.004267F0
00401471 |. 0FB645 D8 MOVZX EAX,BYTE PTR SS:[EBP-28]
00401475 |. 8845 D4 MOV BYTE PTR SS:[EBP-2C],AL
00401478 |. 0FB645 D9 MOVZX EAX,BYTE PTR SS:[EBP-27]
0040147C |. 8845 D3 MOV BYTE PTR SS:[EBP-2D],AL
0040147F |. 0FB645 DA MOVZX EAX,BYTE PTR SS:[EBP-26]
00401483 |. 8845 D2 MOV BYTE PTR SS:[EBP-2E],AL
00401486 |. 0FBE55 D4 MOVSX EDX,BYTE PTR SS:[EBP-2C]
0040148A |. 0FBE45 D3 MOVSX EAX,BYTE PTR SS:[EBP-2D]
0040148E |. 01C2 ADD EDX,EAX
00401490 |. 0FBE45 D2 MOVSX EAX,BYTE PTR SS:[EBP-2E]
00401494 |. 8D0402 LEA EAX,DWORD PTR DS:[EDX+EAX]
00401497 |. 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX


It looks identical, without the increments. Therefore the increments are what change the "word" into the "password". It may be interesting to note that, while the encryption works the way I said, there is a flaw in this method: you could take any of them and add 6 to any (one) of its characters and it will work, because "aaa" -> "bcd" == "aaa" -> "aag" for this encryption.

jackall
May 26th, 2008, 02:22
Jakor, thank you; you have explained the assembly part in detail.
Being an entry-level enthusiast (me), may I request a little more clarification in this matter?

For example, in the source the input is processed like this:

Code:
x = nme[0]+1;
y = nme[1]+2;
z = nme[2]+3;
processed = x+y+z;

If the name entered is 'aaa', then a+a+a becomes b+c+d, which is equal to 0x0129.


Code:
1-00401497 |. 8945 C8 MOV DWORD PTR SS: [EBP-38], EAX
2-0040149A |. 8B45 CC MOV EAX, DWORD PTR SS: [EBP-34]
3-0040149D |. 3B45 C8 CMP EAX, DWORD PTR SS: [EBP-38]
4-004014A0 |. 75 16 JNZ SHORT decompil.004014B8
5-004014A2 |. C74424 04 250> MOV DWORD PTR SS: [ESP+4],decompil.00440025 ; ASCII "Right"


In line 2 above, a value is copied from SS:[EBP-34] to EAX; Olly comments that value as 0129.

Could you please provide information to help me understand how the processed input value reached SS:[EBP-34] in the first place?

Regards ..

Jakor
May 26th, 2008, 15:04
EBP "-" (a negative offset) means the function's local variables.

EBP "+" (a positive offset) means the function's arguments.

They store "a+a+a" into a local variable, then they store "b+c+d" into another local variable, and then they compare them.
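
The check Jakor traced (the sum at EBP-34, the sum at EBP-38, and the CMP/JNZ) and the source lines jackall quoted, rebuilt as C. This is an added example, not the original Decompile.exe source: the prompt strings "enter a 3 letter word", "enter password" and "Right" come from the thread, while "Wrong" and the fgets-based input handling are assumptions. It goes one step beyond the posts by mirroring the 8-bit INC AL / ADD AL,n followed by MOVSX exactly (so the arithmetic wraps at 0xFF and sign-extends) and by counting how many lowercase passwords collide with a given word, which is the flaw Jakor points out made measurable.

```c
/*
 * Added example: a C reconstruction of the password check traced in
 * OllyDbg above. Not the thread's original source. Assumed: the "Wrong"
 * string and the input handling; everything else follows the listing.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors 004013FE..0040142A: each byte is loaded with MOVZX, bumped with
 * an 8-bit INC AL / ADD AL,n (so it wraps at 0xFF), stored as a byte, then
 * re-loaded with MOVSX (sign-extended) and summed into the local at EBP-34. */
int transform(const char word[3])
{
    int8_t x = (int8_t)(uint8_t)(word[0] + 1);  /* INC AL   */
    int8_t y = (int8_t)(uint8_t)(word[1] + 2);  /* ADD AL,2 */
    int8_t z = (int8_t)(uint8_t)(word[2] + 3);  /* ADD AL,3 */
    return (int)x + (int)y + (int)z;            /* MOVSX, ADD, LEA */
}

/* Mirrors 00401471..00401497: the same sum without the increments (EBP-38). */
int password_sum(const char pw[3])
{
    return (int)(int8_t)pw[0] + (int)(int8_t)pw[1] + (int)(int8_t)pw[2];
}

/* The CMP EAX,[EBP-38] / JNZ at 0040149D..004014A0: only the sums are compared. */
int check(const char word[3], const char pw[3])
{
    return transform(word) == password_sum(pw);
}

/* Jakor's flaw, quantified: every 3-letter lowercase password whose byte sum
 * equals the transformed word passes, not just the one built with +1/+2/+3. */
int count_valid_passwords(const char word[3])
{
    int target = transform(word);
    int count = 0;
    char pw[3];
    for (pw[0] = 'a'; pw[0] <= 'z'; pw[0]++)
        for (pw[1] = 'a'; pw[1] <= 'z'; pw[1]++)
            for (pw[2] = 'a'; pw[2] <= 'z'; pw[2]++)
                if (password_sum(pw) == target)
                    count++;
    return count;
}

int main(void)
{
    char word[16] = {0}, pw[16] = {0};

    printf("enter a 3 letter word: ");           /* prompt seen in the listing */
    if (!fgets(word, sizeof word, stdin)) return 1;
    word[strcspn(word, "\n")] = '\0';
    if (strlen(word) != 3) return 1;

    printf("enter password: ");                  /* prompt seen in the listing */
    if (!fgets(pw, sizeof pw, stdin)) return 1;
    pw[strcspn(pw, "\n")] = '\0';
    if (strlen(pw) != 3) return 1;

    /* "Right" is the string Jakor found; "Wrong" is an assumed counterpart. */
    puts(check(word, pw) ? "Right" : "Wrong");
    printf("%d of the 17576 lowercase 3-letter passwords would also pass\n",
           count_valid_passwords(word));
    return 0;
}
```

For the word "aaa" the transformed sum is 0x129, so "bcd" passes, but so does "aag" (as Jakor notes) and 26 other lowercase triples; the 8-bit wrap also means a byte of 0x7F becomes a negative contribution after MOVSX.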

deroko
May 26th, 2008, 18:00
Sorry to spoil all the fun, but the decompiling process is restoring binary code into some high-level code like C. I guess this is what the author of this thread wanted.

xenakis
May 26th, 2008, 20:32
As deroko pointed out, don't confuse decompiling with disassembling. Kwazy Webbit from reteam wrote an interesting article you may want to read: http://www.reteam.org/papers/e57.pdf

jackall
May 27th, 2008, 03:42
Code:
A decompiler converts executable code to source code in a higher-level
language such as C or C++.

This is the first line of this thread, captioned "Decompiler C++, Binary", and there is another line as seen below:

Code:
Someone decompile it, display the source code, and probably give a short description
of the process involved.

There are many highly developed brains here that are more than capable of resolving this issue. The thread below is an indicator of that: http://www.woodmann.com/forum/showthread.php?t=10565

Yet there was no constructive suggestion specific to the request.
So generalization stepped in...

I assume that assembly is a phase that exists between binary and high-level code, and trying to understand that stage in between is a great learning experience by itself, an experience that could make the whole exercise many times more meaningful. This may appear to be a slight departure from the stated course, but the prime objective continues unchanged: LEARN.

I welcome the suggestions given by deroko and xenakis.
I value the information provided by Jakor.
Your offerings, at whatever level they may be, could be of great help to me and to many more like me.

Regards…