INQUISITION IDA Pro plugin is released!


Polaris
May 20th, 2003, 08:16
After some weeks of hard work in understanding the IDA Pro SDK, I finally managed to finish the INQUISITION plugin.

INQUISITION is a complex plugin which will translate the assembler listing of a subroutine into its pseudo-C equivalent.

Current features:

- 1-2-1 translation for most opcodes
- Jump rebuilder

Download site:

http://polaris.kcmo.net

Byeez

ZaiRoN
May 20th, 2003, 09:42
Hi Polaris,
thx for this nice plugin.

I tried your new plugin and I found a bug for you. The plugin seems to have problems with mul instructions. Here are the instructions I tried:
imul eax
mul eax
imul eax, edx

Another little thing; suppose we have:
push 17h
xor ecx, ecx
pop ecx
add ebx, ecx

Your plugin shows (correctly):
( 17h );
ecx = 0;
) ecx (;
ebx = (ebx + ecx);

Is it possible to have: ebx = ebx + 17h ?
This type of substitution may be useful (even if not easy to implement I suppose...)

Thx again,
ZaiRoN

Polaris
May 21st, 2003, 08:09
Hi there ZaiRoN,

The *mul family of instructions is still unsupported (basically because the INQUISITION analyzer needs to know the operands' size). Don't fear.... The next release will support the *mul & *div families.

Please note that the "// Please report me to the author" message means that the current instruction is not supported: bug messages are really more SCARY than this! Try to find them out!

For your request: recovering ebx = ebx + 17h is possible, but requires DATA FLOW analysis on the current basic block. It will (hopefully) be implemented in future versions of INQUISITION.

Next features will (probably) be:
- GUI (INQUISITION sends data to a new window with save capability)
- IDIOM RECOGNIZER ENGINE/DB (Before translating, INQUISITION checks for IDIOM existence)
- Operands will be cleaned (no more 406123loc_406123)

However, to suggest new features/point out bugs just drop me a line!

Byeeez

volodya
May 28th, 2003, 08:23
Has any of you guys ever heard about Desquirr, a decompilation plugin for IDA 4.3/4.5?

Polaris
May 28th, 2003, 15:11
INQUISITION for IDA Pro 4.30 has finally been updated.

New features:
- Killed an enormous bug list
- Added the idiom recognizer engine (with 4 idioms known)
- More instruction support (mul/imul...)

If anybody is interested, download at: http://polaris.kcmo.net

Byyezzz

Polaris

Note: If anybody knows about idioms, just drop me a line: I will add them soon to the INQUISITION "database".

Polaris
June 11th, 2003, 14:23
Hi there!!

INQUISITION v2.0 beta has been released...

INQUISITION v2.0 beta
INQUISITION has been heavily improved, by adding the
Call Decompiler Engine, for both functions & external
symbols (_dllcalls).

Now, plugin output will produce this:

; int __stdcall sub_401203(int nWidth,int nHeight)
sub_401203 proc near ; CODE XREF: sub_401C74+137p

nWidth = dword ptr 4
nHeight = dword ptr 8

push 1 ; bErase
mov eax, hWnd
push 0 ; lpRect
push eax ; hWnd
call ds:InvalidateRect
push 1 ; bRepaint
push [esp+4+nHeight] ; nHeight
push [esp+8+nWidth] ; nWidth
push 0 ; Y
push 0 ; X
push hWnd ; hWnd
call ds:MoveWindow
retn 8

sub_401203 endp

/**
* This is the translated output for subroutine sub_401203
* Generated AUTOMATICALLY by the INQUISITION plugin by Polaris
*/

sub_401203:
eax = hWnd;
ds:004064E8InvalidateRect(eax,0,1);
ds:004064ECMoveWindow(hWnd,0,0,[esp+8+nWidth],
[esp+4+nHeight],1);
return;

I hope you will like it!!!

News:
- INQUISITION decompiles correctly nested call statements,
by stack emulation
- Now you don't have to go to function's first instruction,
just invoke INQUISITION anywhere inside the sub
- Idiom engine has been updated. Some idioms were
taken from David Eriksson's thesis on decompilation
(desquirr Master Thesis). Thanks David!
- Another horde of bugs was corrected.

As ever, download site at: http://polaris.kcmo.net

Byeeezzz

Polaris
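
The two mechanisms discussed in this thread, ZaiRoN's request that push 17h / pop ecx / add ebx, ecx come out as ebx = ebx + 17h (which Polaris says needs data-flow analysis on the basic block) and the stack emulation the v2.0 Call Decompiler Engine uses to turn a run of pushes plus a stdcall call into a C call, as one added example. This is editor-supplied Python working on the listing text, not INQUISITION's code (the plugin is an IDA SDK plugin) and not from any post in the thread. Assumptions: the argument counts for InvalidateRect and MoveWindow come from their documented Win32 prototypes, calls are taken to clobber eax/ecx/edx and to read no registers, memory operands such as [esp+4+nHeight] are kept literally as the plugin output does, and the register-liveness set live_out is supplied by the caller, because that is precisely the information one basic block cannot provide on its own.

```python
"""Translate one basic block of an x86 MASM listing into pseudo-C.
Added example, not INQUISITION's code: a symbolic stack (push/pop and stdcall
argument recovery, the idea behind the Call Decompiler Engine), constant
forwarding so `push 17h / pop ecx / add ebx, ecx` becomes `ebx = ebx + 0x17`,
and a tiny idiom table (`xor r, r` -> `r = 0`). Assumed: stdcall callees with
the argument counts in ARGC, calls clobbering eax/ecx/edx, memory operands
such as [esp+4+nHeight] kept literally (as the plugin output does)."""
import re

ARGC = {"InvalidateRect": 3, "MoveWindow": 6}   # assumed from the Win32 prototypes
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
ALU = {"add": "+", "sub": "-", "xor": "^", "and": "&", "or": "|"}

def parse(line):
    """'push [esp+4+nHeight] ; nHeight' -> ('push', ['[esp+4+nHeight]'])."""
    line = line.split(";", 1)[0].strip()
    if not line or line.endswith(":"):           # blank line or label
        return None
    mnem, _, rest = line.partition(" ")
    return mnem.lower(), ([o.strip() for o in rest.split(",")] if rest else [])

class Block:
    def __init__(self):
        self.stack = []        # symbolic stack, top of stack at the end
        self.known = {}        # register -> constant it holds right now
        self.pending = {}      # register -> index in out of its not-yet-read def
        self.out = []

    def pop(self):             # empty stack: the slot was pushed by an earlier block
        return self.stack.pop() if self.stack else "[entry_esp]"

    def src(self, tok):
        """Read an operand: forward a known constant, otherwise record the read."""
        m = re.fullmatch(r"([0-9][0-9A-Fa-f]*)h", tok)   # MASM immediate 17h -> 0x17
        tok = hex(int(m.group(1), 16)) if m else tok
        if tok in self.known:
            return self.known[tok]
        for word in re.findall(r"\w+", tok):     # every register named here is read
            self.pending.pop(word, None)
        return tok

    def define(self, dst, expr, emit=True):
        """Write dst; a register def that was never read is a dead store."""
        if dst in REGS:
            if dst in self.pending:
                self.out[self.pending.pop(dst)] = None
            if re.fullmatch(r"0x[0-9a-f]+|[0-9]+", expr):
                self.known[dst] = expr
            else:
                self.known.pop(dst, None)
            if emit:
                self.pending[dst] = len(self.out)
        if emit:
            self.out.append(f"{dst} = {expr};")

    def step(self, mnem, ops):
        if mnem == "push":
            self.stack.append(self.src(ops[0]))
        elif mnem == "pop":
            self.define(ops[0], self.pop())
        elif mnem == "mov":
            self.define(ops[0], self.src(ops[1]))
        elif mnem == "xor" and ops[0] == ops[1]:  # idiom: xor r, r -> r = 0
            self.define(ops[0], "0")
        elif mnem in ALU:
            self.define(ops[0], f"{self.src(ops[0])} {ALU[mnem]} {self.src(ops[1])}")
        elif mnem == "call":                      # top of stack is the first argument
            name = ops[0].split(":")[-1]
            args = [self.pop() for _ in range(ARGC.get(name, 0))]
            self.out.append(f"{name}({', '.join(args)});")
            for reg in ("eax", "ecx", "edx"):     # caller-saved, assumed not inputs
                self.define(reg, "?", emit=False)
        elif mnem in ("ret", "retn"):
            self.out.append("return;")
        else:                                     # the plugin's "please report me" case
            self.out.append(f"/* unsupported: {mnem} {', '.join(ops)} */")

def translate(listing, live_out=REGS):
    """Translate a block; live_out = registers assumed live at its exit."""
    b = Block()
    for line in listing.splitlines():
        ins = parse(line)
        if ins:
            b.step(*ins)
    for reg, idx in b.pending.items():            # unread defs of dead registers
        if reg not in live_out:
            b.out[idx] = None
    return [s for s in b.out if s is not None]

# Listings taken from the thread: ZaiRoN's snippet and the body of sub_401203.
ZAIRON = "push 17h\nxor ecx, ecx\npop ecx\nadd ebx, ecx"
SUB_401203 = """push 1 ; bErase
mov eax, hWnd
push 0 ; lpRect
push eax ; hWnd
call ds:InvalidateRect
push 1 ; bRepaint
push [esp+4+nHeight] ; nHeight
push [esp+8+nWidth] ; nWidth
push 0 ; Y
push 0 ; X
push hWnd ; hWnd
call ds:MoveWindow
retn 8"""
```

translate(ZAIRON, live_out={"ebx"}) returns ["ebx = ebx + 0x17;"], the form ZaiRoN asked for: the xor is killed because pop ecx overwrites it unread, and the pop itself is dropped only because the caller has declared ecx dead at block exit. Without live_out the assignment ecx = 0x17; is kept, since nothing inside the block says ecx is not read later. translate(SUB_401203) reproduces the plugin's own output for sub_401203 line for line. A call result is not forwarded: it stays in eax and a following push eax passes eax, so nested calls come out as two statements rather than one expression.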

gordon_freeman
June 16th, 2003, 10:06
Hi Polaris,

I've tried your plugin and it seems that it does not handle 'if then else'.

As an example, take this code (from the Qt 3.1.2 trial):

39D1F267 cmp word_3A200B2C, 0
39D1F26E jnz short loc_39D1F27A
39D1F270 mov dword_3A200B2C, 3C25h

39D1F27A loc_39D1F27A:

39D1F27A mov eax, dword_3A200B2C

this can be translated to :
if (dword_3A200B2C == 0) dword_3A200B2C = 0x3C25;

The plugin output is:

if( dword_3A200B2C != 0 ) goto loc_39D1F27A;
dword_3A200B2C = 3C25h;
loc_39D1F27A:
eax = dword_3A200B2C;

bravo and good luck.

Polaris
June 16th, 2003, 11:17
Hi there!

I am sorry, but INQUISITION is not intended to perform control flow analysis. What it does is backward analysis for CC killing. I think that you should re-structure the assembler by hand.

But maybe in the future...

Byeeezzzz
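
The restructuring gordon_freeman asked for, as an added example that is not part of the thread and not INQUISITION's code: it works on the plugin's pseudo-C text rather than on the assembler, which is a cheap place to do it once the goto form exists. The first sample is the plugin output quoted in gordon_freeman's post; the if/else sample and the loop and shared-label cases in the notes below are constructed. Labels referenced more than once and backward jumps (loops) are deliberately left as gotos, since folding those needs the control-flow analysis Polaris says the plugin does not do.

```python
"""Collapse `if( cond ) goto L; ... L:` in a pseudo-C listing into if / if-else.

Added example, not INQUISITION's code (the plugin keeps the goto form and its
author says control-flow analysis is out of scope). A forward conditional jump
whose label is referenced exactly once and skips straight-line code is an
if-then (gordon_freeman's case); if that code ends in a goto to a second
once-referenced label, the lines between the two labels are the else arm.
Backward jumps (loops) and labels with several references stay as gotos."""
import re

IF_GOTO = re.compile(r"\s*if\s*\(\s*(.+?)\s*\)\s*goto\s+(\w+)\s*;\s*$")
GOTO = re.compile(r"\s*goto\s+(\w+)\s*;\s*$")
LABEL = re.compile(r"\s*(\w+):\s*$")
NEGATE = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", ">": "<=", "<=": ">"}


def negate(cond):
    """Invert a simple comparison (jnz -> jz and friends); wrap anything else in !()."""
    m = re.fullmatch(r"(.+?)\s*(==|!=|<=|>=|<|>)\s*(.+)", cond)
    return f"{m.group(1)} {NEGATE[m.group(2)]} {m.group(3)}" if m else f"!({cond})"


def jumps_to(line):
    """Label targeted by a goto or if-goto line, else None."""
    m = IF_GOTO.match(line) or GOTO.match(line)
    return m.group(m.lastindex) if m else None


def find_label(lines, label):
    for j, line in enumerate(lines):
        m = LABEL.match(line)
        if m and m.group(1) == label:
            return j
    return None


def straight(lines):
    """True when the lines hold no label and no jump (pure fall-through code)."""
    return all(LABEL.match(l) is None and jumps_to(l) is None for l in lines)


def structure(lines):
    lines = list(lines)
    changed = True
    while changed:                      # rerun: an inner block can enable an outer one
        changed = False
        for i, line in enumerate(lines):
            m = IF_GOTO.match(line)
            if not m:
                continue
            cond, label = m.groups()
            j = find_label(lines, label)
            refs = [jumps_to(l) for l in lines]
            if j is None or j <= i or refs.count(label) != 1:
                continue                # unknown target, loop, or shared label: keep goto
            body = lines[i + 1:j]
            if straight(body):          # if-then: the jump skips the body
                lines[i:j + 1] = [f"if( {negate(cond)} ) {{"] + ["    " + b for b in body] + ["}"]
                changed = True
                break
            end = jumps_to(body[-1]) if body and GOTO.match(body[-1]) else None
            k = find_label(lines, end) if end else None
            if (k is not None and k > j and refs.count(end) == 1
                    and straight(body[:-1]) and straight(lines[j + 1:k])):
                lines[i:k + 1] = ([f"if( {negate(cond)} ) {{"] + ["    " + b for b in body[:-1]]
                                  + ["} else {"] + ["    " + e for e in lines[j + 1:k]] + ["}"])
                changed = True
                break
    return lines


# gordon_freeman's plugin output from the thread, plus a constructed if/else.
GORDON = ["if( dword_3A200B2C != 0 ) goto loc_39D1F27A;",
          "dword_3A200B2C = 3C25h;",
          "loc_39D1F27A:",
          "eax = dword_3A200B2C;"]
IF_ELSE = ["if( eax < 0 ) goto loc_A;", "ebx = 1;", "goto loc_B;",
           "loc_A:", "ebx = 2;", "loc_B:", "return;"]
```

structure(GORDON) yields if( dword_3A200B2C == 0 ) { dword_3A200B2C = 3C25h; } followed by eax = dword_3A200B2C;, i.e. the translation gordon_freeman wrote by hand, and structure(IF_ELSE) yields an if / else pair. A block such as loc_top: ... if( eax != 0 ) goto loc_top; (a loop) or two jumps sharing one label come back unchanged, which is the honest result: once a label has several predecessors, deciding what the region is requires building the control-flow graph, not pattern matching on text.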