| Les deux révisions précédentesRévision précédenteProchaine révision | Révision précédente |
| back2root:reverse-engineering:disassembler_decompilier [2023/02/18 20:19] – [Common Decompilers] frater | back2root:reverse-engineering:disassembler_decompilier [2023/02/18 20:30] (Version actuelle) – [Further reading] frater |
|---|
| * [[http://www.hex-rays.com/products/decompiler/index.shtml|Hex-Rays Decompiler]] : Hex-Rays is a commercial decompiler. It is made as an extension to popular IDA-Pro disassembler. It is currently the only viable commercially available decompiler which produces usable results. It supports both x86 and ARM architecture. | * [[http://www.hex-rays.com/products/decompiler/index.shtml|Hex-Rays Decompiler]] : Hex-Rays is a commercial decompiler. It is made as an extension to popular IDA-Pro disassembler. It is currently the only viable commercially available decompiler which produces usable results. It supports both x86 and ARM architecture. |
| * [[https://github.com/icsharpcode/ILSpy|ILSpy]] : ILSpy is an open source .NET assembly browser and decompiler. | * [[https://github.com/icsharpcode/ILSpy|ILSpy]] : ILSpy is an open source .NET assembly browser and decompiler. |
| * DCC: DCC is likely one of the oldest decompilers in existence, dating back over 20 years. It serves as a good historical and theoretical frame of reference for the decompilation process in general (Mirrors: [[http://htmlpreview.github.io/?https://github.com/jcdutton/reference/blob/master/Cristina-Cifuentes/dcc.html]] | * [[https://github.com/nemerle/dcc|DCC]]: DCC is likely one of the oldest decompilers in existence, dating back over 20 years. It serves as a good historical and theoretical frame of reference for the decompilation process in general ([[http://htmlpreview.github.io/?https://github.com/jcdutton/reference/blob/master/Cristina-Cifuentes/dcc.html|Mirrors]],[[https://web.archive.org/web/20131209235003/http://itee.uq.edu.au/~cristina/dcc.html|Archive.org]]). Some of the latest changes include fixes for longstanding memory leaks and a more modern Qt5-based front-end. |
| [[https://web.archive.org/web/20131209235003/http://itee.uq.edu.au/~cristina/dcc.html]]). As of 2015, DCC is an [[https://github.com/nemerle/dcc|active project]]. Some of the latest changes include fixes for longstanding memory leaks and a more modern Qt5-based front-end. | |
| * [[https://retdec.com/|RetDec]]: The Retargetable Decompiler is a freeware web decompiler that takes in ELF/PE/COFF binaries in Intel x86, ARM, MIPS, PIC32, and PowerPC architectures and outputs C or Python-like code, plus flow charts and control flow graphs. It puts a running time limit on each decompilation. It produces nice results in most cases. | * [[https://retdec.com/|RetDec]]: The Retargetable Decompiler is a freeware web decompiler that takes in ELF/PE/COFF binaries in Intel x86, ARM, MIPS, PIC32, and PowerPC architectures and outputs C or Python-like code, plus flow charts and control flow graphs. It puts a running time limit on each decompilation. It produces nice results in most cases. |
| * [[https://github.com/uxmal/reko|Reko]]: a modular open-source decompiler supporting both an interactive GUI and a command-line interface. Its pluggable design supports decompilation of a variety of executable formats and processor architectures (8- , 16- , 32- and 64-bit architectures as of 2015). It also supports running unpacking scripts before actual decompilation. It performs global data and type analyses of the binary and yields its results in a subset of C++. [[http://sourceforge.net/projects/decompiler|historic link]] | * [[https://github.com/uxmal/reko|Reko]]: a modular open-source decompiler supporting both an interactive GUI and a command-line interface. Its pluggable design supports decompilation of a variety of executable formats and processor architectures (8- , 16- , 32- and 64-bit architectures as of 2015). It also supports running unpacking scripts before actual decompilation. It performs global data and type analyses of the binary and yields its results in a subset of C++. [[http://sourceforge.net/projects/decompiler|historic link]] |
| * [[http://www.c4decompiler.com|C4Decompiler]]: C4Decompiler is an interactive, static decompiler under development (Alpha in 2013). It performs global analysis of the binary and presents the resulting C source in a Windows GUI. Context menus support navigation, properties, cross references, C/Asm mixed view and manipulation of the decompile context (function ABI). | * [[http://www.c4decompiler.com|C4Decompiler]]: C4Decompiler is an interactive, static decompiler under development (Alpha in 2013). It performs global analysis of the binary and presents the resulting C source in a Windows GUI. Context menus support navigation, properties, cross references, C/Asm mixed view and manipulation of the decompile context (function ABI). |
| * [[http://boomerang.sourceforge.net/|Boomerang Decompiler Project]]: Boomerang Decompiler is an attempt to make a powerful, retargetable decompiler. So far, it only decompiles into C with moderate success. | * [[http://boomerang.sourceforge.net/|Boomerang Decompiler Project]]: Boomerang Decompiler is an attempt to make a powerful, retargetable decompiler. So far, it only decompiles into C with moderate success. |
| | * [[http://www.backerstreet.com/rec/rec.htm|Reverse Engineering Compiler]] (REC): REC is a powerful "decompiler" that decompiles native assembly code into a ''C-like'' code representation. The code is half-way between assembly and C, but it is much more readable than the pure assembly is. Unfortunately the program appears to be rather unstable. |
| | * [[http://sourceforge.net/projects/exetoc|ExeToC]]: ExeToC decompiler is an interactive decompiler that boasted pretty good results in the past. |
| | * [[https://derevenets.com|snowman]]: Snowman is an open source native code to C/C++ decompiler. Supports ARM, x86, and x86-64 architectures. Reads ELF, Mach-O, and PE file formats. Reconstructs functions, their names and arguments, local and global variables, expressions, integer, pointer and structural types, all types of control-flow structures, including switch. Has a nice graphical user interface with one-click navigation between the assembler code and the reconstructed program. Has a command-line interface for batch processing. |
| | * [[Ghidra]]: Ghidra is a reverse engineering package that includes a decompiler. It was written by the NSA for internal work, and apparently released because they didn't want to have to re-train every new person they hired. It is written in Java. |
| |
| ;Reverse Engineering Compiler (REC): REC is a powerful "decompiler" that decompiles native assembly code into a ''C-like'' code representation. The code is half-way between assembly and C, but it is much more readable than the pure assembly is. Unfortunately the program appears to be rather unstable. | *[[http://decompile-it.com|Decompile-It]] <Dead Link>: Decompile-It was a web-based decompiler for 32-bit Linux x86 executables compiled with -g, i.e. debug symbols. |
| :http://www.backerstreet.com/rec/rec.htm | |
| | |
| ;ExeToC: ExeToC decompiler is an interactive decompiler that boasted pretty good results in the past. | |
| :http://sourceforge.net/projects/exetoc | |
| | |
| ;snowman: Snowman is an open source native code to C/C++ decompiler. Supports ARM, x86, and x86-64 architectures. Reads ELF, Mach-O, and PE file formats. Reconstructs functions, their names and arguments, local and global variables, expressions, integer, pointer and structural types, all types of control-flow structures, including switch. Has a nice graphical user interface with one-click navigation between the assembler code and the reconstructed program. Has a command-line interface for batch processing. | |
| :https://derevenets.com | |
| | |
| ;Ghidra: Ghidra is a reverse engineering package that includes a decompiler. It was written by the NSA for internal work, and apparently released because they didn't want to have to re-train every new person they hired. It is written in Java. | |
| |
| <!-- DEAD! ;Decompile-It: Decompile-It was a web-based decompiler for 32-bit Linux x86 executables compiled with -g, i.e. debug symbols. | === A General view of Disassembling === |
| :http://decompile-it.com {{dead link}} --> | |
| | |
| == A General view of Disassembling == | |
| === 8 bit CPU code === | === 8 bit CPU code === |
| Most embedded CPUs are 8-bit CPUs. | Most embedded CPUs are 8-bit CPUs. |
| The technique may make disassembly more difficult. | The technique may make disassembly more difficult. |
| |
| A simple example of this is the <code>write()</code> procedure implemented as follows: | A simple example of this is the ''write()'' procedure implemented as follows: |
| <syntaxhighlight lang=asm> | |
| | <code asm> |
| ; assume ds = cs, e.g like in boot sector code | ; assume ds = cs, e.g like in boot sector code |
| start: | start: |
| write endp | write endp |
| end start | end start |
| </syntaxhighlight> | </code> |
| |
| A macro-assembler like TASM will then use a macro like this one: | A macro-assembler like TASM will then use a macro like this one: |
| <syntaxhighlight lang=asm> | <code asm> |
| _write macro message | _write macro message |
| call write | call write |
| db 0 | db 0 |
| _write endm | _write endm |
| </syntaxhighlight> | </code> |
| |
| From a human disassembler's point of view, this is a nightmare, although this is straightforward to read in the original Assembly source code, as there is no way to decide if the db should be interpreted or not from the binary form, and this may contain various jumps to real executable code area, triggering analysis of code that should never be analysed, and interfering with the analysis of the real code (e.g. disassembling the above code from 0000h or 0001h won't give the same results at all). | From a human disassembler's point of view, this is a nightmare, although this is straightforward to read in the original Assembly source code, as there is no way to decide if the db should be interpreted or not from the binary form, and this may contain various jumps to real executable code area, triggering analysis of code that should never be analysed, and interfering with the analysis of the real code (e.g. disassembling the above code from 0000h or 0001h won't give the same results at all). |
| |
| === 32 bit CPU code === | === 32 bit CPU code === |
| Most 32-bit CPUs use the ARM instruction set.<ref name=turley /><ref> | Most 32-bit CPUs use the ARM instruction set. |
| Mark Hachman. | Mark Hachman. |
| [http://www.extremetech.com/extreme/52180-arm-cores-climb-into-3g-territory "ARM Cores Climb Into 3G Territory"]. | |
| | [[http://www.extremetech.com/extreme/52180-arm-cores-climb-into-3g-territory|ARM Cores Climb Into 3G Territory]] |
| 2002. | 2002. |
| | |
| "Although Intel and AMD receive the bulk of attention in the computing world, ARM’s embedded 32-bit architecture, ... has outsold all others." | "Although Intel and AMD receive the bulk of attention in the computing world, ARM’s embedded 32-bit architecture, ... has outsold all others." |
| </ref><ref> | |
| Tom Krazit. | Tom Krazit. |
| [http://news.cnet.com/ARMed-for-the-living-room/2100-1006_3-6056729.html "ARMed for the living room"]. | |
| "ARM licensed 1.6 billion cores [in 2005]". | [[http://news.cnet.com/ARMed-for-the-living-room/2100-1006_3-6056729.html|ARMed for the living room]] |
| | |
| | |
| | "ARM licensed 1.6 billion cores [in 2005]" |
| 2006. | 2006. |
| </ref> | |
| |
| Typical ARM assembly code is a series of subroutines, with literal constants scattered between subroutines. | Typical ARM assembly code is a series of subroutines, with literal constants scattered between subroutines. |
| The [[Embedded_Systems/Mixed_C_and_Assembly_Programming#ARM | standard prolog and epilog]] for subroutines is pretty easy to recognize. | |
| |
| === A brief list of disassemblers === | === A brief list of disassemblers === |
| * [http://home.hccnet.nl/a.w.m.van.der.horst/ciasdis.html ciasdis] "an assembler where the elements opcode, operands and modifiers are all objects, that are reusable for disassembly." For 8080 8086 80386 Alpha 6809 and should be usable for Pentium 68000 6502 8051. | * [[http://home.hccnet.nl/a.w.m.van.der.horst/ciasdis.html|ciasdis]] "an assembler where the elements opcode, operands and modifiers are all objects, that are reusable for disassembly." For 8080 8086 80386 Alpha 6809 and should be usable for Pentium 68000 6502 8051. |
| * [http://radare.org/ radare, the reverse engineering framework] includes open-source tools to disassemble code for many processors including x86, ARM, PowerPC, m68k, etc. several virtual machines including java, msil, etc., and for many platforms including Linux, BSD, OSX, Windows, iPhoneOS, etc. | * [[http://radare.org/|radare, the reverse engineering framework]] includes open-source tools to disassemble code for many processors including x86, ARM, PowerPC, m68k, etc. several virtual machines including java, msil, etc., and for many platforms including Linux, BSD, OSX, Windows, iPhoneOS, etc. |
| * IDA, the Interactive Disassembler ( [http://www.hex-rays.com/idapro/ IDA Pro] ) can disassemble code for a huge number of processors, including ARM Architecture (including Thumb and Thumb-2), ATMEL AVR, INTEL 8051, INTEL 80x86, MOS Technologies 6502, MC6809, MC6811, M68H12C, MSP430, PIC 12XX, PIC 14XX, PIC 18XX, PIC 16XXX, Zilog Z80, etc. | * IDA, the Interactive Disassembler ( [[http://www.hex-rays.com/idapro/|IDA Pro]] ) can disassemble code for a huge number of processors, including ARM Architecture (including Thumb and Thumb-2), ATMEL AVR, INTEL 8051, INTEL 80x86, MOS Technologies 6502, MC6809, MC6811, M68H12C, MSP430, PIC 12XX, PIC 14XX, PIC 18XX, PIC 16XXX, Zilog Z80, etc. |
| * objdump, part of the GNU binutils, can disassemble code for several processors and platforms. binutils is an important part of the toolchain as it provides the linker, assembler and other utilties (like objdump) to manipulate executables on the target platform, and is available for most popular platforms. | * objdump, part of the GNU binutils, can disassemble code for several processors and platforms. binutils is an important part of the toolchain as it provides the linker, assembler and other utilties (like objdump) to manipulate executables on the target platform, and is available for most popular platforms. |
| **For OS X/BSD systems, there is a rough equivalent called otool in the XCode kit. | * For OS X/BSD systems, there is a rough equivalent called otool in the XCode kit. |
| *{{DMOZ|Computers/Programming/Disassemblers/|Disassemblers}} lists a huge number of disassemblers | * [[http://www.program-transformation.org/Transform/DisAssembly|Program transformation wiki: disassembly]] lists many highly recommended disassemblers |
| * [http://www.program-transformation.org/Transform/DisAssembly Program transformation wiki: disassembly] lists many highly recommended disassemblers | * [[http://sourceforge.net/search/?words=disassemble|search for "disassemble" at SourceForge]] shows many disassemblers for a variety of CPUs. |
| * [http://sourceforge.net/search/?words=disassemble search for "disassemble" at SourceForge] shows many disassemblers for a variety of CPUs. | * [[http://hopperapp.com|Hopper]] is a disassembler that runs on OS-X and disassembles 32/64-bit OS-X and windows binaries. |
| * [http://hopperapp.com Hopper] is a disassembler that runs on OS-X and disassembles 32/64-bit OS-X and windows binaries. | * The [[http://www.cs.tufts.edu/~nr/cs257/archive/cristina-cifuentes/computer00.pdf|University of Queensland Binary Translator (UQBT)]] is a reusable, component-based binary-translation framework that supports CISC, RISC, and stack-based processors. |
| * The [http://www.cs.tufts.edu/~nr/cs257/archive/cristina-cifuentes/computer00.pdf University of Queensland Binary Translator (UQBT)] is a reusable, component-based binary-translation framework that supports CISC, RISC, and stack-based processors. | |
| | === Further reading ==== |
| |
| == Further reading == | * [[http://www.crackmes.de/]] : reverse engineering challenges |
| {{reflist}} | * "A Challengers Handbook" by Caesum [[http://www.caesum.com/handbook/contents.htm]] has some tips on reverse engineering programs in JavaScript, Flash Actionscript (SWF), Java, etc. |
| * http://www.crackmes.de/ : reverse engineering challenges | * the Open Source Institute occasionally has reverse engineering challenges among its other brainteasers.[[http://www.osix.net/]] |
| * "A Challengers Handbook" by Caesum [http://www.caesum.com/handbook/contents.htm] has some tips on reverse engineering programs in JavaScript, Flash Actionscript (SWF), Java, etc. | * The Program Transformation wiki has a [[http://www.program-transformation.org/Transform/ReengineeringWiki|Reverse engineering and Re-engineering Roadmap]], and discusses disassemblers, decompilers, and tools for translating programs from one high-level language to another high-level language. |
| * the Open Source Institute occasionally has reverse engineering challenges among its other brainteasers.[http://www.osix.net/] | * [[http://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-second-to-ida|Other disassemblers with multi-platform support]] |
| * The Program Transformation wiki has a [http://www.program-transformation.org/Transform/ReengineeringWiki Reverse engineering and Re-engineering Roadmap], and discusses disassemblers, decompilers, and tools for translating programs from one high-level language to another high-level language. | |
| * [http://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-second-to-ida Other disassemblers with multi-platform support] | |
| |
| {{TopNav|prev=Assemblers and Compilers|next=Disassembly Examples}} | |
| |
