
Index > Heap > does anyone know a good c-decompiler wich works on all exe

matefkr



Joined: 02 Sep 2007
Posts: 1291
Location: Ukraine, Beregovo
matefkr
That's about it. I want to decompile things to C, but everything I tried did not work really well. I want to make game modifications, so it would be more interesting.
Post 24 Jun 2013, 21:33
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
That's a wrong approach you're taking.

There's no way to decompile native code back to its original C source; at best a tool like Hex-Rays gives you an approximate pseudo-C rendering. Only bytecode languages like .NET or Java, which keep type and method metadata in the binary, decompile to something close to the original source.

Besides, you'd have to re-compile it to machine code after modifying the source, so why not just modify the machine code instead? There are many ways to modify games. I suggest you do some research on game hacking — in general let's just call it reverse engineering.

Some good places for you:

http://www.mpgh.net/

http://ghbsys.net/ (my fav)

http://gamehacking.org/

Good luck.
Post 24 Jun 2013, 21:57
matefkr



Joined: 02 Sep 2007
Posts: 1291
Location: Ukraine, Beregovo
matefkr
Hmm, I just want to make it more interesting and fix some problems. Anyway, now I see — I just wanted to post this: after seeing the output of a good decompiler, it is worse than assembly. It looks horrible, and with all the stray lines left and right it would be full of errors if I tried to interpret it (more errors than the assembly code).

A C decompilation example:

#define __thiscall __cdecl // Test compile in C mode
/*
 * NOTE(review): prototype header of a Hex-Rays-style decompiler dump, kept as
 * posted.  It is pseudo-C, not portable C: `__cdecl`/`__stdcall`/`__thiscall`
 * are MSVC calling-convention keywords; `__userpurge`/`__usercall` together
 * with the `<eax>`/`<esi>`/`<ebp>` annotations are the decompiler's notation
 * for functions that take or return values in specific registers (those lines
 * are already commented out below); `_DWORD`/`_BYTE` are its raw-memory types.
 * The sub_XXXXXX / loc_XXXXXX names are code addresses, and "weak" marks
 * symbols the tool guessed rather than resolved.  The std__* names are
 * mangled MSVC iostream internals.  __report_gsfailure is the MSVC /GS
 * stack-cookie failure handler, which is consistent with the
 * `&local ^ dword_403000` expressions in the functions below looking like
 * /GS cookie computations.
 */

int __cdecl main(int argc, const char **argv, const char **envp);
// int __userpurge sub_401020<eax>(int a1<esi>, int a2);
int __stdcall sub_4010B0(int a1);
int loc_401130(); // weak
int __cdecl sub_401150(int a1);
// int (*__usercall sub_4012E2<eax>(int a1<ebp>))();
int loc_401303(); // weak
int __thiscall sub_40130B(void *this, char a2);
// _DWORD __thiscall __report_gsfailure(_DWORD ecx0, _BYTE _4); weak
int (*__cdecl sub_4017DE())(void);
int (*__cdecl sub_401804())(void);
int __cdecl sub_401A35();
// int __usercall sub_401B10<eax>(int a1<ebp>);
// int __usercall sub_401B40<eax>(int a1<ebp>);
void __cdecl sub_401B4A();
// int __thiscall std__basic_ios_char_std__char_traits_char____setstate(_DWORD, _DWORD, _DWORD); weak
// int __thiscall std__basic_ostream_char_std__char_traits_char____flush(_DWORD); weak
// int __thiscall std__basic_streambuf_char_std__char_traits_char____sputc(_DWORD, _DWORD); weak
// int __thiscall std__basic_streambuf_char_std__char_traits_char_____Unlock(_DWORD); weak
// int __cdecl std__basic_streambuf_char_std__char_traits_char_____Lock(_DWORD); weak
// int __thiscall std__basic_ostream_char_std__char_traits_char_____Osfx(_DWORD); weak
// int __thiscall std__basic_streambuf_char_std__char_traits_char____sputn(_DWORD, _DWORD, _DWORD); weak
// int __cdecl std__uncaught_exception(_DWORD); weak


//----- (00401000) --------------------------------------------------------
int __cdecl main(int argc, const char **argv, const char **envp)
{
    /* Decompiled entry point: hands the object at std__cout (a guessed
     * void* per the decompiler's note after this function) to sub_401150,
     * ignores the result and exits with status 0.  argc/argv/envp are
     * unused; `__cdecl` and the three-argument main are MSVC conventions
     * reproduced by the decompiler. */
    (void)argc;
    (void)argv;
    (void)envp;
    (void)sub_401150((int)std__cout);
    return 0;
}
// 402054: using guessed type void *std__cout;

//----- (00401020) --------------------------------------------------------
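int __userpurge sub_401020<eax>(int a1<esi>, int a2)
{
    /*
     * Decompiler output as posted (pseudo-C, not compilable: `__userpurge`
     * and the `<eax>`/`<esi>` register annotations, `_DWORD`/`_BYTE` and the
     * std__* names are decompiler notation; a1 and a2 are raw addresses).
     * Two `8)` sequences that the forum had rendered as the smiley name
     * "Cool" are restored below; the intact `+ 4` / `+ 40` / `+ 44` reads
     * around them follow the same a1 + vbase-offset pattern.
     *
     * What the visible code does (vbase = *(*(int *)a1 + 4)):
     *   - stores a1 into *a2;
     *   - if the pointer at a1+vbase+40 is non-null, calls _Lock;
     *   - if the dword at a1+vbase+8 is zero and the pointer at a1+vbase+44
     *     is non-null, flushes that stream;
     *   - writes (a1+vbase+8 == 0) as a byte into a2+4 and returns a2.
     * Caller sub_401150 passes &v13 as a2, so *a2 is its v13 and the byte
     * at a2+4 is its v14 — the "ok" flag it tests before writing anything.
     * NOTE(review): "lock, flush the tied stream, record an ok flag" is the
     * shape of an ostream sentry constructor, but the field offsets are
     * unnamed in the dump, so that is an inference.
     */
    int v2; // eax@3
    int v3; // eax@4
    unsigned int v5; // [sp-4h] [bp-14h]@1
    char v6; // [sp+0h] [bp-10h]@1
    int v7; // [sp+Ch] [bp-4h]@3

    /* &local ^ global is the MSVC /GS stack-cookie pattern (the prototype
     * list references __report_gsfailure, its failure handler); dword_403000
     * would be the cookie.  Nothing here should consume it as data. */
    v5 = (unsigned int)&v6 ^ dword_403000;
    *(_DWORD *)a2 = a1;
    if ( *(_DWORD *)(*(_DWORD *)(*(_DWORD *)a1 + 4) + a1 + 40) )
        /* NOTE(review): passing the cookie (v5) as the argument is almost
         * certainly a decompiler artifact — the object being locked is the
         * pointer just tested; the dump's own "using guessed type" note for
         * _Lock shows the signature was never resolved. */
        std__basic_streambuf_char_std__char_traits_char_____Lock(v5);
    v7 = 0;   /* written, never read: looks like the EH state slot at [bp-4h] */
    v2 = a1 + *(_DWORD *)(*(_DWORD *)a1 + 4);
    if ( !*(_DWORD *)(v2 + 8) )   /* was "v2 + Cool" in the post */
    {
        v3 = *(_DWORD *)(v2 + 44);
        if ( v3 )
            std__basic_ostream_char_std__char_traits_char____flush(v3);
    }
    *(_BYTE *)(a2 + 4) = *(_DWORD *)(*(_DWORD *)(*(_DWORD *)a1 + 4) + a1 + 8) == 0;   /* was "a1 + Cool" */
    return a2;
}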
// 40203C: using guessed type int __thiscall std__basic_ostream_char_std__char_traits_char____flush(_DWORD);
// 402048: using guessed type int __cdecl std__basic_streambuf_char_std__char_traits_char_____Lock(_DWORD);
// 403000: using guessed type int dword_403000;

//----- (004010B0) --------------------------------------------------------
int __stdcall sub_4010B0(int a1)
{
/*
 * Decompiler output as posted (pseudo-C: `__stdcall`, `_DWORD` and the
 * std__* names are decompiler notation; a1 is the address of an object whose
 * first dword is itself an object address).
 *
 * What the visible code does: if std__uncaught_exception(...) returns 0,
 * calls _Osfx on *a1; then v2 = dword at (**a1)+4, result = the pointer at
 * v2+*a1+40, and if that pointer is non-null result becomes the value
 * returned by _Unlock on it.
 *
 * NOTE(review): the argument handed to std__uncaught_exception —
 * &v3 ^ dword_403000, the same /GS-cookie expression sub_401020 computes —
 * is most likely a decompiler artifact (std::uncaught_exception() takes no
 * arguments); the real work is "if no exception is in flight, run _Osfx,
 * then drop the lock".  Paired with sub_401020 this looks like an ostream
 * sentry destructor, but that is a guess: the offsets are unnamed.
 */
int result; // eax@3
int v2; // edx@3
char v3; // [sp+0h] [bp-10h]@1
int v4; // [sp+Ch] [bp-4h]@1

v4 = 0; // written twice, never read: presumably the EH state slot at [bp-4h], not data
if ( !(unsigned __int8)std__uncaught_exception((unsigned int)&v3 ^ dword_403000) )
std__basic_ostream_char_std__char_traits_char_____Osfx(*(_DWORD *)a1);
v4 = -1;
v2 = *(_DWORD *)(**(_DWORD **)a1 + 4);
result = *(_DWORD *)(v2 + *(_DWORD *)a1 + 40);
if ( result )
result = std__basic_streambuf_char_std__char_traits_char_____Unlock(*(_DWORD *)(v2 + *(_DWORD *)a1 + 40));
return result;
}
// 402044: using guessed type int __thiscall std__basic_streambuf_char_std__char_traits_char_____Unlock(_DWORD);
// 40204C: using guessed type int __thiscall std__basic_ostream_char_std__char_traits_char_____Osfx(_DWORD);
// 402058: using guessed type int __cdecl std__uncaught_exception(_DWORD);
// 403000: using guessed type int dword_403000;

//----- (00401150) --------------------------------------------------------
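int __cdecl sub_401150(int a1)
{
    /*
     * Decompiler output as posted (pseudo-C, not compilable: `_DWORD`/`_BYTE`,
     * LOBYTE, `__cdecl` and the std__* names are decompiler notation; a1 is a
     * raw object address).  Two `48)` sequences that the forum had rendered
     * as "4Cool" are restored below.
     *
     * What the visible code does (vbase = *(*(int *)a1 + 4) throughout):
     *   1. v3 = strlen("Hello World!"); v1 = dword at a1+vbase+24 read as a
     *      signed int; v2 = v1 - v3 if v1 > v3, else 0 (extra bytes to emit).
     *   2. sub_401020(a1, &v13) fills v13/v14; if the byte v14 is zero,
     *      nothing is written and v16 = 4.
     *   3. Otherwise, when (dword at a1+vbase+16 & 0x1C0) == 64 the literal
     *      is written first via sputn and v2 copies of the byte at
     *      a1+vbase+48 follow via sputc; else the v2 pad bytes go first and
     *      the literal second.  A sputc returning -1 sets bit 4 in v16 and
     *      stops the loop; a sputn that returns anything but v3 sets v16 = 4.
     *   4. The dword at a1+vbase+24 is zeroed, setstate(a1+vbase, v16, 0) is
     *      called, the v13 object is torn down with the same three steps
     *      sub_4010B0 performs (uncaught_exception check, _Osfx, _Unlock of
     *      the non-null pointer at v13+vbase'+40), and a1 is returned.
     *
     * NOTE(review): this is recognisably an inlined
     * `ostream << "Hello World!"` — +24 reads like width, +48 like fill,
     * 0x1C0/64 like adjustfield/left, 4 like badbit — but the offsets are
     * unnamed in the dump, so those names are inferences.  v18 (0, 1, 3, -1)
     * at [bp-4h] looks like the MSVC exception-handling state index, not
     * data; v17 is never read; and the `*(_DWORD *)&v12` argument to
     * std__uncaught_exception is a decompiler artifact (the library function
     * takes no arguments).
     */
    signed int v1; // eax@1
    int v2; // ebx@1
    unsigned int v3; // edi@1
    int v4; // eax@8
    char v5; // cl@8
    int v6; // eax@8
    int v7; // ecx@16
    int v9; // eax@21
    char v10; // cl@21
    int v11; // eax@21
    char v12; // [sp+0h] [bp-30h]@1
    int v13; // [sp+10h] [bp-20h]@4
    char v14; // [sp+14h] [bp-1Ch]@4
    int v15; // [sp+18h] [bp-18h]@8
    int v16; // [sp+1Ch] [bp-14h]@1
    char *v17; // [sp+20h] [bp-10h]@1
    int v18; // [sp+2Ch] [bp-4h]@4

    v17 = &v12;
    v2 = 0;
    v16 = 0;
    v3 = strlen("Hello World!");
    v1 = *(_DWORD *)(*(_DWORD *)(*(_DWORD *)a1 + 4) + a1 + 24);   /* presumably the stream's width */
    if ( v1 > 0 )
    {
        if ( v1 > (signed int)v3 )
            v2 = v1 - v3;   /* number of padding bytes to emit */
    }
    sub_401020(a1, (int)&v13);   /* fills v13 (= a1) and the ok byte v14 */
    v18 = 0;
    if ( v14 )
    {
        LOBYTE(v18) = 1;
        /* (flags & 0x1C0) == 64: presumably adjustfield == left -> text first, padding after */
        if ( (*(_DWORD *)(*(_DWORD *)(*(_DWORD *)a1 + 4) + a1 + 16) & 0x1C0) == 64 )
            goto LABEL_26;
        while ( v2 > 0 )   /* padding before the text */
        {
            v4 = *(_DWORD *)(*(_DWORD *)a1 + 4);
            v5 = *(_BYTE *)(v4 + a1 + 48);   /* was "4Cool" in the post; presumably the fill byte */
            v6 = *(_DWORD *)(a1 + v4 + 40);
            LOBYTE(v15) = v5;
            if ( std__basic_streambuf_char_std__char_traits_char____sputc(v6, v15) == -1 )
            {
                v16 |= 4u;
                break;
            }
            --v2;
        }
        if ( !v16 )
        {
LABEL_26:
            if ( std__basic_streambuf_char_std__char_traits_char____sputn(
                     *(_DWORD *)(*(_DWORD *)(*(_DWORD *)a1 + 4) + a1 + 40),
                     "Hello World!",
                     v3) == v3 )
            {
                while ( v2 > 0 )   /* padding after the text (the goto path lands here) */
                {
                    v9 = *(_DWORD *)(*(_DWORD *)a1 + 4);
                    v10 = *(_BYTE *)(v9 + a1 + 48);   /* was "4Cool" in the post */
                    v11 = *(_DWORD *)(a1 + v9 + 40);
                    LOBYTE(v15) = v10;
                    if ( std__basic_streambuf_char_std__char_traits_char____sputc(v11, v15) == -1 )
                    {
                        v16 |= 4u;
                        break;
                    }
                    --v2;
                }
            }
            else
            {
                v16 = 4;
            }
        }
        *(_DWORD *)(a1 + *(_DWORD *)(*(_DWORD *)a1 + 4) + 24) = 0;   /* the +24 field (presumably width) is reset after output */
        v18 = 0;
    }
    else
    {
        v16 = 4;
    }
    std__basic_ios_char_std__char_traits_char____setstate(a1 + *(_DWORD *)(*(_DWORD *)a1 + 4), v16, 0);
    v18 = 3;
    /* NOTE(review): the argument is a decompiler artifact; std::uncaught_exception() takes none */
    if ( !(unsigned __int8)std__uncaught_exception(*(_DWORD *)&v12) )
        std__basic_ostream_char_std__char_traits_char_____Osfx(v13);
    v18 = -1;
    v7 = *(_DWORD *)(*(_DWORD *)(*(_DWORD *)v13 + 4) + v13 + 40);
    if ( v7 )
        std__basic_streambuf_char_std__char_traits_char_____Unlock(v7);
    return a1;
}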

Looks horrible; I'm better off interpreting things at run time with a debugger anyway. There is some useful data interpreted here and there, but only a little — nothing much to expect from decompiling a game.
Post 24 Jun 2013, 22:20
AsmGuru62



Joined: 28 Jan 2004
Posts: 1409
Location: Toronto, Canada
AsmGuru62
This code is cool!
:)
Post 25 Jun 2013, 12:24
Bob++



Joined: 12 Feb 2013
Posts: 92
Bob++
If it were that easy, there probably wouldn't be much open source.
Post 25 Jun 2013, 15:21
matefkr



Joined: 02 Sep 2007
Posts: 1291
Location: Ukraine, Beregovo
matefkr
Yes. Does anyone know a good disassembler/debugger-like tool which produces fasm syntax? Also, what is the ~10 MB limit in fasm? I remember wanting to create awfully large initialized variables, and then some 10 MB memory-limit thing came up and it would not compile. I have no idea why such a thing exists.
Post 25 Jun 2013, 15:34
matefkr



Joined: 02 Sep 2007
Posts: 1291
Location: Ukraine, Beregovo
matefkr
If there is no such thing, I would have to make a code syntax translator.
Post 25 Jun 2013, 15:35
Bargest



Joined: 09 Feb 2012
Posts: 79
Location: Russia
Bargest
Quote:
Only "frameworked" languages like .NET or JAVA can be decompiled to their original source.

There are ways to make every Java decompiler throw an exception while the bytecode remains valid. :)

Quote:
does anyone know a good c-decompiler wich works on all exe

The best decompiler I know is IDA Pro's Hex-Rays. Of course, in many cases it produces invalid code (or nothing at all).
There is no general way to decompile machine code. For example, there is no way to decompile this:
Code:
; eax is parameter of function
...
cmp eax, 1
jz .one                 ; taken on every real call (the text states eax is always 1)
  push eax              ; dead path: three 4-byte pushes with no matching pops,
  push ebx              ; so esp is 12 bytes off when ret is reached and the
  push ecx              ; "return" would pop a pushed value as the return address
.one:
mov eax, 2 ; result
ret
    

At run time the function always receives 1, but a decompiler has to consider every path. On the eax != 1 path the three pushes are never popped, so the stack is unbalanced at `ret` and the decompiler fails.
One more sample of code:
Code:
; ebx is parameter of function
cmp ebx, 1
jz .one
  push ebx              ; executed only when ebx != 1 ...
.one:
mov eax, 2 ; result   ; does not touch ebx
cmp ebx, 1
jnz .two                ; ... and this jump fires under exactly the same condition,
.three:                 ; so the push above is always balanced by the pop in .two
ret
.two:
pop ebx
jmp .three
    

On every real path the code runs fine (the push and the pop are guarded by the same ebx == 1 test), but a decompiler has no general way to prove the two branches are correlated, so it considers all four combinations; two of them are invalid (e.g. first test not taken and second test not taken — the default assumption of the first analysis pass — would leave a push without a pop).
Sometimes it is very hard to detect virtual function tables. Sometimes the disassembler simply cannot find all the code, because some instructions are taken for data.
Also, machine code can be modified while it runs (e.g. code unpacked in memory by UPX); C source has no equivalent of that.
While reversing one game I found many different cases where decompilation isn't possible at all.
Quote:
does anyone know some good disassembler debugger disassembler like thing wich produces fasm syntax?

Unfortunately I don't know of such a disassembler. But it would be very useful, so if you find one, please post a link. :)
Post 25 Jun 2013, 17:31
matefkr



Joined: 02 Sep 2007
Posts: 1291
Location: Ukraine, Beregovo
matefkr
But debuggers work neatly at least... sometimes. If execution reaches a point, then it must be certain what can run from there or not.
But the code is always disassemblable in a way which makes it re-assemblable; only it won't be very readable. One has to be careful with assemblers, though: there are short jumps, and so it should be noted which encoding (short or near, or whichever variant) was used in case something funky was there. A debugger can track self-modification of the code and take note of it, so the original version needs to be saved.
Anyway, OllyDbg might be good enough (for something), and then some software translating OllyDbg syntax would be the way to proceed.
Post 25 Jun 2013, 17:43
Bargest



Joined: 09 Feb 2012
Posts: 79
Location: Russia
Bargest
Quote:
But the code is disassemblerable always in a way wich will make the code assemblable.. only it wont be so much readable.

You can always write asm-code as
Code:
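db 0xEB, 0x80, 0x00, 0x40, 0x00, ...   ; raw bytes in place of mnemonics (missing comma after 0x80 restored): assembles to the same file, but tells the reader nothing — 0xEB 0x80 decodes as jmp short -128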
    

and it would assemble to a file with the same checksum, but it is not readable at all. :) Many disassemblers emit blocks this way when they cannot determine whether a region is code or data.
Post 25 Jun 2013, 18:14
malpolud



Joined: 18 Jul 2011
Posts: 344
Location: Broken hippocampus
malpolud
Bargest: nice examples!
Post 26 Jun 2013, 14:24


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.
