Thread: Interesting decompiler (yes, to (pseudo) source), RecStudio

  1. #1
    Administrator dELTA

    Interesting decompiler (yes, to (pseudo) source), RecStudio

    This decompiler (RecStudio) looks a little interesting at first glance. I wonder how it measures up to the new IDA decompiler functionality:

    http://www.backerstreet.com/rec/rec.htm

    Anyone worked with it much?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  2. #2
    Master Of Nebulah Frost Polaris
    I looked at RecStudio when it was released (that was a while ago). Basically, it is the same engine as the previous REC wrapped in a more "usable" interface. The REC engine is fairly good at decompilation (it uses standard dataflow + controlflow analysis), and with the use of symbol files you can make it fairly usable.

    However, Ilfak's decompiler looks definitely better, mostly because it relies on IDA as a disassembler, which is way more advanced than REC's one. I, however, have the feeling that if IDA's licenses are somewhat restricted, the ones for the decompiler will be even more so.

    In my opinion, however, one of the best decompilers around is this:

    http://sourceforge.net/projects/exetoc/

    It is a pity that it is no longer under development.
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  3. #3
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    someone actually posted a recced c? asm? mixed? asking for it to be converted to C# :eek

    http://www.woodmann.com/forum/showthread.php?t=10202

  4. #4
    Super Moderator Shub-nigurrath
    what about boomerang? It's always reported as "one of" or even "the" best
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  5. #5
    Master Of Nebulah Frost Polaris
    Quote: Originally Posted by Shub-nigurrath
    what about boomerang? It's always reported as "one of" or even "the" best
    Boomerang is for sure really advanced. However, it is still not ready for the real world - the analysis phase is really cool (the transformation into Static Single Assignment form makes the analysis excellent in most cases), but especially the frontend needs a lot of work. In my experience with it, Boomerang has several problems: for example, decompiling MSVC executables always requires you to provide entrypoints manually. Another not-so-small problem with it is also that the original authors did quit the project, and I fear that the current admin may not have enough time to push the project further.

    However, it is still an amazing effort to produce a working decompiler - and that is not little

  6. #6

    Needs more work.

    This is part of a source code for an MSN client I'm writing:
    Code:
    int CALLBACK dlg_login(int hwndDlg, int Msg, int wParam, int lParam) {
     int a,hinternet,hurl;
     char b[4096];
     char c[512];
     char d[256];
     char pploginurl[64];
    
     switch(Msg) {
      case WM_COMMAND:
       switch(wParam) {
        case 1: case 2:
        case 1001:
         EndDialog(hwndDlg,0);
         break;
        case 1000: /* login */
         EnableWindow(GetDlgItem(hwndDlg,1002),0);
         EnableWindow(GetDlgItem(hwndDlg,1003),0);
         EnableWindow(GetDlgItem(hwndDlg,1000),0);
         GetDlgItemText(hwndDlg,1002,&username,64);
         GetDlgItemText(hwndDlg,1003,&password,16);
         if((ns_ip=inet_addr(&ns_name))==-1) {
          wsprintf(b,"Resolving %s...",ns_name);

    Here's what REC21 thinks of the same code:
    Code:
    L004026d9(A8, Ac, A10, A14, A16)
    struct HWND__ * A8; /* totally failed to identify local variables correctly */
    /* unknown */ void  Ac;
    /* unknown */ void  A10;
    char  * A14;
    /* unknown */ void  A16;
    {
    
        eax = 0x1340;
        L00404DB0();
        (save)ebx;
        (save)esi;
        (save)edi;
        if(!(eax = Ac - 0x110)) {
            if(!(eax = eax - 1)) { /* ... WTF? */
                if(!(eax = eax - 32495)) {
                    if(eax = eax - 1) {
                        goto L00402f18;
                    }
                    eax = A14 >> 0x10;
                    A14 = eax;
                    == ? L00402744 : ; /* this is not even valid C */

    ...and here is the actual code for the two switch() cases above:
    Code:
            if(eax > 0) {
                if(eax > 2) {
                    if(eax != 0x3e8) {
                        if(eax == 0x3e9) {
                            goto L00402ee1;
                        }
                    } else {
                        esi = __imp__GetDlgItem; /* it recognised this ... */
                        (save)ebx; /* ... this is supposed to be a parameter, so it resulted in */
                        EnableWindow(GetDlgItem(A8, 0x3ea)); /* ...WRONG number of parameters */
                        (save)ebx;
                        (save)0x3eb;
                        EnableWindow( *esi(), A8); /* ...then failed to see what esi is even though it recognised it above */
                        (save)ebx;
                        (save)0x3e8;
                        EnableWindow( *esi(), A8);
                        edi = A8;
                        GetDlgItemTextA(edi, 0x3ea, 4228736, 0x40);
                        GetDlgItemTextA(edi, 0x3eb, 4228256, 0x10);
                        esi = 0x40112c;
                        (save)0x40112c;
                        eax = L00404D4E();
                        M00408660 = eax;
                        if(eax == -1) {
                            wsprintfA(ebp + -4672, "Resolving %s...", esi); /* this is almost acceptable. */
                            SetDlgItemTextA(edi, 0x3ec, ebp + -4672);
                            (save)0x400;
                            (save)4228896;
                            (save)esi;
                            (save)32768;
                            (save)edi;
                            L00404D48();
                        } else {
                            SendMessageA(edi, 32768, ebx, ebx); /* Registers in function calls? I thought this was supposed to be C. */
                        }

    - can't identify switch() properly
    - function parameters are completely absent except for a few cases...
    - ...same goes for register value retention within the same continuous block
    - code is laced with gotos even when there were no jumps in the Asm (?)
    - lack of back/forward buttons.

    For some reason Exe2c seems to pagefault with every EXE I give it...
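
The nested `eax = eax - k` tests marked "WTF?" in the REC listing above are consistent with a compiler lowering `switch(Msg)` into a subtract-and-test chain, in which each case constant is the running sum of the subtracted values. The script below is an added example, not part of the original thread: it rebuilds the case labels from those lines under that assumption; `recover_cases` and `render_switch` are hypothetical helper names, and `Ac` is REC's name for the second parameter (`Msg` in the source).

```python
import re

# Constructed sample: the subtract-and-test lines copied from the REC listing.
REC_LINES = [
    "if(!(eax = Ac - 0x110)) {",
    "if(!(eax = eax - 1)) {",
    "if(!(eax = eax - 32495)) {",
    "if(eax = eax - 1) {",
]

# Standard Windows message numbers from winuser.h.
WM_NAMES = {0x110: "WM_INITDIALOG", 0x111: "WM_COMMAND", 0x8000: "WM_APP"}

# Matches `if(!(dst = src - k))` and the non-negated `if(dst = src - k)`.
STEP = re.compile(r"if\(!?\(?\s*(\w+)\s*=\s*(\w+)\s*-\s*(0x[0-9a-fA-F]+|\d+)\)")


def recover_cases(lines):
    """Return (selector, case_values) for a chain of `reg = x - k` zero tests.

    Every step subtracts k from the running register and tests it for zero,
    so the constant being compared is the running sum of all k seen so far.
    """
    selector, total, cases = None, 0, []
    for line in lines:
        m = STEP.search(line)
        if not m:
            continue
        dst, src, k = m.groups()
        if src != dst:  # chain start: register is loaded from the selector
            selector, total, cases = src, 0, []
        total += int(k, 0)
        cases.append(total)
    return selector, cases


def render_switch(selector, cases):
    """Build a switch skeleton with symbolic names where known."""
    out = [f"switch({selector}) {{"]
    for value in cases:
        out.append(f"  case {WM_NAMES.get(value, hex(value))}:  /* {hex(value)} */")
    out.append("  default: ;")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_switch(*recover_cases(REC_LINES)))
```

The recovered 0x8000 matches the `SendMessageA(edi, 32768, ...)` call further down the same listing.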

  7. #7
    Master Of Nebulah Frost Polaris
    Yeah, that output from REC is really horrible. To improve the output you can try starting REC using a cmd file containing symbol definitions for known functions and data elements: using REC/RECSTUDIO without initial definitions is basically a waste of time. Whenever I used REC or Boomerang, I always used IDA Pro to do a manual analysis, and progressively built a command file to eventually feed the decompiler.

    Regarding ExeToC, you are right - it crashes a lot and is nearly unusable (I did my tests only on the provided test application). Consider anyway that the program is open source and this is the first (sadly seems also the last) release...

  8. #8
    That sounds like a good use for an IDA plug-in. If someone could make one that would generate the necessary CMD file for REC/RECStudio.

    Anyone bored, and knowledgeable enough to do it?

  9. #9
    IMHO fixing the open-source Exetoc would be effort better spent. The bulk of the decompiler engine is already written, and it's only a matter of tracking down some bugs.

  10. #10
    Master Of Nebulah Frost Polaris
    FrankRizzo:

    Yeah, that could be a good idea... Consider however that the commands for REC are usually not so well documented and their behaviour sometimes is funny - I think that could be an adventure. However, I would wait for Ilfak's decompiler, it'll probably give better results anyway.

    LLXX:

    I do completely agree. It would be great to first remove the crashes, and then slowly improve the thing.
