Famous Last Words: You can't decompile a C++ program

The Great Jack Schitt writes "I've always heard that you couldn't decompile a program written with C++. This article describes how to do it. It's a bit lengthy and it doesn't seem like the author usually writes in English, but it might just work (haven't tried it, but will when I have time)."

hmm

[Graspee_Leemoor]

A c/c++ decompiler that totally worked would be the Holy Grail of crackers. Unfortunately it is actually impossible to get everything back because lots of info is lost on compilation.

Nevertheless there are tools out there that attempt to decompile programs; I think of them more as ways of making assembly more readable.

Note, a lot of them wouldn't work on hand-written assembly, because they rely on knowledge of how certain compilers compile various things- e.g. there was a Delphi decompile available.

graspee

Re:Why

[Morologous]

I can't count the number of times I've been frustrated with the performance or process of an application that I had to interface with, and just wondered: *why* in god's name, or *what* in god's name are they doing in there.

sure you can go from asm - c++

but it'll look like this

class a
{
public:
void b(int c);
void d(int e);
private:
int g;
int h;
};

int main()
{
a f;
f.b(23);

int x; x=0; x++;
if(x > 3) goto j;
f.d(x); x++
if(x > 3) goto j;
f.d(x); x++;
if(x > 3) goto j;
f.d(x);
j: f.b(42);

return 0;
}

Spectulation Code

[Davak]

Considering the entire post is evidently based on speculation...

Here is some code that supposedly decomplies... not that I've tried it.

Quote from the FAQ:

[35.4] How can I decompile an executable program back into C++ source code?

You gotta be kidding, right?

Here are a few of the many reasons this is not even remotely feasible:
* What makes you think the program was written in C++ to begin with?
* Even if you are sure it was originally written (at least partially) in C++,
which one of the gazillion C++ compilers produced it?
* Even if you know the compiler, which particular version of the compiler was
used?
* Even if you know the compiler's manufacturer and version number, what
compile-time options were used?
* Even if you know the compiler's manufacturer and version number and
compile-time options, what third party libraries were linked-in, and what
was their version?
* Even if you know all that stuff, most executables have had their debugging
information stripped out, so the resulting decompiled code will be totally
unreadable.
* Even if you know everything about the compiler, manufacturer, version
number, compile-time options, third party libraries, and debugging
information, the cost of writing a decompiler that works with even one
particular compiler and has even a modest success rate at generating code
would be significant -- on the par with writing the compiler itself from
scratch.

But the biggest question is not how you can decompile someone's code, but why
do you want to do this? If you're trying to reverse-engineer someone else's
code, shame on you; go find honest work. If you're trying to recover from
losing your own source, the best suggestion I have is to make better backups
next time.

I would have posted AC but that have me blocked out for some reason...

Davak

Re:You can't

[antis0c]

What's to say you need something as readable as the original? I worked at InterAct Accessories/GameShark for a few years before they went under as essentially a 'reverse engineer'. Without getting yet another CND from them in the mail due to a post on Slashdot (I don't even think they could send one now they're out of business?), all I can say is sometimes when hacking a game it benefits an engineer to decompile the application and be able to set breakpoints and watch execution flow while the game is running on for example a PlayStation 2. Sure it's going to be a lot of nearly unreadable C++ mixed with Assembly, but if you can watch the execution flow as you do something, it can be useful.

Of course a lot of naive people think decompiling would allow you to take an application and start writing patches for it, in that case you are right, it's going to be pretty useless. However it's not entirely useless for all situations. I'm sure the WINE guys might get some use out of it.

Templates

[ucblockhead]

He won't be able to regenerate any templates. If a program makes heavy use of templates, the "C++" he "decompiles" to is going to be hideously ugly.

[insert joke about it being hideously ugly with templates here.]

{I did not read the article itself because it is, of course, slashdotted)

Re:Why

[Call+Me+Black+Cloud]

As a Java programmer I find it very useful to decompile class files from time to time. Reasons I've done so:

A library we were basing a major portion of our code on had a bug in it (a Listener class failed to implement EventListener if I remember correctly) which kept our code from working. Removed offending classes from archive, decompiled, fixed, and recompiled.

It's educational...the ol' "how'd they do that?". I've never taken code and used it but I found it instructional to look at how someone made a Swing text area from scratch, e.g.

The challenge...one program I installed had a "enter registration key" and I was curious how that was handled (turned out to be a static string). Then there was this applet that was the the core of a company's business. Free, or pay and get more features. As it turns out the control of the features all resided in the applet, so change a couple of switch and if/then statements and voila, administrative privleges. Didn't use it for evil, much... :) They've since come out with a new version and I've been too busy using my mad java skillz on contract work to take a look at their code.

Looking at security was instructional too, though, for when I was project lead on a commercial Java app I knew what worked and what didn't (we ended up using the Wibu key).

misleading...

[bismarck2]

Even with complete original source code, understanding a non-trivial C++ application is very difficult. Source derived from an optimized executable is going to be a LOT rougher. No real function names, module names, variable names, or comments. Use of standard libraries (STL, MFC, Boost) is likely highly obscured as well. A tool like this would probably produce source that looks more like a C/machine language hybrid rather than normal C++. The primary use of something like this is if you are looking for a very specific piece of logic such as a password check or an encryption operation or protocol details. When were these famous last words anyway?

Of course you can decompile C++

[TapeLeg]

You can decompile any program. A compiled program is just your high-level program translated into machine language. There is no sort of magical encryption or similar transformation that it undergoes once you compile it.

All you need to do is read in the bytes of any binary program, interpret the bytes as their machine language equivalents for whatever platform you are using, and then convert your MOV statements to assignment operators, JMP statemets to higher level loop structures, etc..

Of course, you won't retain the names of identifiers, which are referred to only by memory locations in a compiled program; and some control structures might be rearranged due to compiler optimization and the lack of machine language equivalents, but the meat and potatoes of it is all right there.

It's by no means easy to accomplish, especially with higher and higher level programming languages, but impossible? humbug! =)

Re:Decompilation = halting problem == boloney

[jackb_guppy]

Been doing it for twenty years. It is easy to do.

Stop trying to use logic... actually do it.