Slashdot Mirror
Famous Last Words: You can't decompile a C++ program
The Great Jack Schitt writes "I've always heard that you couldn't decompile a program written with C++. This article describes how to do it. It's a bit lengthy and it doesn't seem like the author usually writes in English, but it might just work (haven't tried it, but will when I have time)."
you best leave it alone you source stealer.
your conscience betrays you. I'm tellin dad!
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
stealing source It's called 'research' :)
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
Simple, because it is fun !!
Don't Panic
It is not just you.
Information is lost in compilation. You can never reconstruct the exact original source. You end up with valid C++ that has no more human-understandable information than the equivilent machine code.
Like turning hamburgers into cows...
Surely he now understands the English infinitive "to be Slashdotted".
"Molest me not with this pocket calculator stuff."
- Deep Thought
I've always heard that you couldn't decompile a program written with C++.
;)
Well, you can decompile every binary programm at least to assembler code, so why shouldnt it possible with C++?
Maybe he ment "you can't decipher the source of a C++ programm"
--
One by one the penguins steal my sanity...
Because you lost the source and forgot to make a backup.
A c/c++ decompiler that totally worked would be the Holy Grail of crackers. Unfortunately it is actually impossible to get everything back because lots of info is lost on compilation.
Nevertheless there are tools out there that attempt to decompile programs; I think of them more as ways of making assembly more readable.
Note, a lot of them wouldn't work on hand-written assembly, because they rely on knowledge of how certain compilers compile various things- e.g. there was a Delphi decompile available.
graspee
I can't count the number of times I've been frustrated with the performance or process of an application that I had to interface with, and just wondered: *why* in god's name, or *what* in god's name are they doing in there.
Slashdot has DDoS'ed the damn thing into oblivion.
On the other hand, did anyone get to mirror it?
but it'll look like this
class a
{
public:
void b(int c);
void d(int e);
private:
int g;
int h;
};
int main()
{
a f;
f.b(23);
int x; x=0; x++;
if(x > 3) goto j;
f.d(x); x++
if(x > 3) goto j;
f.d(x); x++;
if(x > 3) goto j;
f.d(x);
j: f.b(42);
return 0;
}
Yeah, but they should know how to decompile the slasdot effect first... another one down. Anybody with a Mirror or Google Cache link ?
This sig can be distributed under the LGPL license
You need reasons?
1) Finding backdoors
2) Testing security
3) Fixing bugs
4) Adding features
5) Discovering copyright violations
6) Interfacing to non-supported clients
Pretty much anything and everything you would do if you had the source.
I would find both your educational background and the dictionary you're using very intresting.
*BBBRRRRTTTT*
Incorrect! Intresting is *NOT* in the dictionary. Interesting, however, is.
Check it out.
This is exactly why I love Java. I have even debugged Weblogic app server few times by decompiling the class files.. (You would be suprised to know what you can find in there :)
"There is a terrorist behind every bush"
*BBBBRRRRRRTTTT*
Incorrect! Spelling Nazi may have been the answer you're looking for.
You could be updating a program for your company for which the source is lost.
Paul Lenhart writes words!
Sure you can decompile an optimized and symbol-stripped C++ program, but you'd never have it the original compact form of the source as you do with the Java class file decompilers due to the heavy use of inline functions and templates used in C++. A C program, sure, but decompiling C++ is not terribly useful.
Its write hear in my Oxbrige Enlish Dictionairy. What are you on about?
Hell, I'd be happy if the people working for me could consistently compile their c/c++. I need a new job...
When you think about it, the higher level the language is, the easier it should be to "decompile". The closer the original source was to asm, the more the individual coder's style will be reflected in the asm - the higher level it is, the more the obvious patterns the compiler uses every time for given constructs will be present. Reverse engineering a program written in asm to human readale source is a nightmare, but if you knew for instance that the source was C++ and it was compiled by gcc 3.2 (easy enough to tell), it's probably pretty easy to see from the asm patterns the classes and whatnot, to see the structure of the source.. then you just have to comine that with what the program actually does to give human meaning ack to the variale and class names and whatnot.
11*43+456^2
Here is some code that supposedly decomplies... not that I've tried it.
Quote from the FAQ:
I would have posted AC but that have me blocked out for some reason...
Davak
dear anonymous c,
please stop breathing and kill any offspring you may have inexplicably fathered for the sake of our gene pool. Thanks.
Respectfully,
-- Human Race
why run from Vincenzo?
Well, it isn't. Sure, if you're so lazy uou want to have source rebuilt from binaries with one click, complete with comments, makefile and documentation, that's of no use. But imagine the program does some very clever trick. Something you ooh about, "How the hell does he do that? It's impossible?". You want to include that trick in your code. You need it. So - you have three options: 1) Try to design it from scratch. Helluva work, you don't know where to start. 2) Look into the binary. If you're ASM guru, you MAY succeed. But ASM from high-level languages is hell to read. 3) Decompile the puppy, look for that piece through what looks like piles of junk, but is way more readable than ASM and find it. Then just rewrite it in pretty fashion, changing variable names and functions to your needs and include in your own software. It's "the best of the worst", last resort at finding a solution to a small problem. Not a way to edit the source and add a single feature to the original program, like remove print protection from Acrobat Reader. The decompiled program most probably won't be possible to compile. You won't make a cow from hamburgers. But with some luck you may find out the cow was a bull and got killed by a truck.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Fastest /.ing ever. What a pain. I'm seriously tired of this.
Has anyone thought seriously about creating a proxy site for /. that automatically caches all the links? I think that if the site and caching was done as a proxy, there would be no copyright issues?
Heck, if anyone wants to put together a demo of this, I'd be willing to host it on an experimental basis. I've got access to a ton of free BW through my academic institution for non-profit stuff. My theory is that if the proxy becomes popular, we can bully VA into hosting it, like they should have done for the past several years...
Alternatively, and maybe even cooler, one could build a proxy that browses through the Google cache, to save bandwidth and storage and further blur the copyright question.
Any kind of software, modulated either by frequency or amplitude (program or progrfm)
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Not sure why this was modded 'funny' since I have encountered a few occasions when this would have been useful...
I damn well know computers. I have been working with them since 1904, when the Black Man made the first computer out of a peanut. I now work for Cray research making 18 figures.
I can scratch a superscalar CPU out of silicon with a pocket knife. I even have friends who can write major programs in binary code (yes, just 1s and 0s)... even though writing a simple "hello world" program can ammount to 92,752 bits. I fail to realize that this ability does not a good computer scientist make. Things like intelligent design and research make a CS good.
The parent post is fluff. It's stupid, the man is flamboyant and exagerating. He clearly has no real education of computer engineering and does not recognize that any executable code can be reverse-engineered or decompiled. Especially since every langage (save interpreted languages like Java) are compiled to machine code -- specific, unambiguous, structured code. "Decompiling" this is only really a matter of translating it into your langauge of choice.
So, Mr. Proud American, please get off your imaginary high horse. You're not fooling anyone.
I agree, that should have been modded insightful, not funny. We have a ton of in-house apps that we don't have source for anymore, and it would be really nice to be able to update them without having to rewrite the entire thing.
This space for rent, inquire within.
6 figures...riiight.
You don't even know what you are talking about.
Here's the text from the original article:
1. Make a copy of the program you want to decomplie. Let's assume it's PROG.EXE. Copy it to PROGBACK.EXE.
2. Copy PROGBACK.EXE to a DOS PC if you're not using one.
3. Type EDIT PROGBACK.EXE from C:\ (or where ever you copied it to).
4. Enjoy the source code! You can print it out or change it or just look at it.
5. If you change it, use FILE SAVE.
I've done some reverse-engineering on programs written in C/C++ (Intel x86). After a while you learn how to recognize different things like virtual function calls, while/for-loops, switch and stuff like that. However, it's a totally different thing to decompile to C++. It may be possible to decompile compiled code to C, but don't expect that it will look much like the original source, especially if the code was optimized by the compiler :)
[insert joke about it being hideously ugly with templates here.]
{I did not read the article itself because it is, of course, slashdotted)
The cake is a pie
all modern compilers are optimizing compilers, and they reorganize code completely to suit themselves in the most efficient manner. The compiler will reorganize modules and rewrite lines of code in order to make better use of registers, processor features/limitations that
You cannot really see a programmer's style as a result. When you decompile, you'll get it returned as whatever the compiler shifted the code around as.
-
Don't smart compilers change recursion to iteration automatically so how could it be the same source? That's all I know from my little java knowledge.
Anyone recommend a java decompiler known to work on the most recent versions of java, properly?
Something that will literally give me code I can re-compile immediately?
There seem to be a lot of people in this story saying "shame on you for reverse engineering". It has its uses, how else would viruses, worms, and trojans be analyzed to figure out what they do and how they do it.
well, when SGI lays you off this week, you're going to have plenty of time to learn how to create programs in binary, just like your friends.
scott king
Isn't stealing source reason enough?
A library we were basing a major portion of our code on had a bug in it (a Listener class failed to implement EventListener if I remember correctly) which kept our code from working. Removed offending classes from archive, decompiled, fixed, and recompiled.
It's educational...the ol' "how'd they do that?". I've never taken code and used it but I found it instructional to look at how someone made a Swing text area from scratch, e.g.
The challenge...one program I installed had a "enter registration key" and I was curious how that was handled (turned out to be a static string). Then there was this applet that was the the core of a company's business. Free, or pay and get more features. As it turns out the control of the features all resided in the applet, so change a couple of switch and if/then statements and voila, administrative privleges. Didn't use it for evil, much... :) They've since come out with a new version and I've been too busy using my mad java skillz on contract work to take a look at their code.
Looking at security was instructional too, though, for when I was project lead on a commercial Java app I knew what worked and what didn't (we ended up using the Wibu key).
not the source's lies.
Losing source code and var names (name spaced globals aka statics and scoped locals) allows the cracker (these are rarely hacking tools, they're mostly cracking tools,) to focus on what the machine actually was told to do instead of smothering it with shades of meaning which interfere with understanding the code.
C++ or Java or Smalltalk, or almost any highly structured language using machine code libraries or virtual machines result in structured blocks of code and heap and stack allocation.
A good decompiler can take the machine code, peel away the name spaces and code calls, extract the patterns in the code and the hacker/cracker can read the patterns instead of wasting time on the code.
Forensic analysis work is extremely useful at telling you what happened when something dies but it is no good at telling you how something worked. For that you need code traces.
Map those code traces onto the structure the decompiler reveals and you understand the program better than the authors/coders.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
What you need is a decent source control/backup system, not a decompiler.
Because you're one of the "innovators" at Micro$oft!
This might be useful for when trying to make apps run in Wine. Occasionally disassembly is the only way to figure out why the app crashes light years away from the nearest API call etc.
Source level access is at the core of the digital rights debate. I do not seek to recycle the arguments presented better elsewhere.
I highly recommend the following website for those seeking to investigate decompilation/reverse engineering.
FraviaEven with complete original source code, understanding a non-trivial C++ application is very difficult. Source derived from an optimized executable is going to be a LOT rougher. No real function names, module names, variable names, or comments. Use of standard libraries (STL, MFC, Boost) is likely highly obscured as well. A tool like this would probably produce source that looks more like a C/machine language hybrid rather than normal C++. The primary use of something like this is if you are looking for a very specific piece of logic such as a password check or an encryption operation or protocol details. When were these famous last words anyway?
...trying to rebuild a wrecked sand castle just by looking at the grains of sand. You can't. Compilers throw away a lot of information needed by people but not necessary for the machine. Compilers optimize the code to run more efficiently and that's a one-way street. Sorry to burst your bubble but trying to reconstruct original source is like trying to herd cats.
Thank you, thank you. I'm Mr. Metaphor and I'll be here all week.
Code or pseudocode is available free for many thousands of tough algorithmic problems which have been studied and published in the literature (e.g. Knuth et al) which is to be found in most good university libraries and/or the Internet.
Scroogle
shutting the barn door after the horse bolted?
Updating Total Annihilation to use opengl, increasing the number of weapons (currently 256), and increasing the weapon limit (3 per unit).
Not quite - don't know who to credit with this quote:
"If you steal from one person its plagarism. Stealing from many is research."
The first thing we do, let's kill all the lawyers. Shakespeare, Henry VI, Part 2, Act 4, Scene 2
Shame on you Davak, you should go find honest code. There's nothing wrong with trying to understand how things work. Some people are stuck with legacy equipment or code they can't replace easily and this is their only option for improvement or even fixing it. Those people would be better off if free code were available. Sometimes the only way to make that free code is to understand the original code. There's nothing wrong with reverse engineering software, ever. Republishing someone else's binary is not legal, but it's not immoral. If the code were honest to begin with, the reverse engineer part would not be required. These days, it's cheaper to throw out the dis-honest code and hardware and buy some hardware that's well understood. If you make hardware or software, I hope you understand the implications for your product - I'm not buying it.
Friends don't help friends install M$ junk.
In europe it is legal to use reverse engineering for compatibility reasons enabling your software to work with others people software (mainly Microsoft)
If you make the reverse engineering in europe you could develop compatible software and then export it to US. So it may be great news for us. In fact it is becoming really complicated to develope software for/at US. Patents, legislation, compatibility. It seems that more lawers than programmers are needed to write something more complicated than HelloWorld.exe.
There is a need for tools that enable the compatibility of the programs or we will end with a monopoly of all kinds of progrmas (And it is illegal to use your O.S. monopoly to obtainthe monopoly of let say...web browsers).
Why would you want to do this unless you were stealing source?
nice try.
You must be either Bill Gates, Steve Ballmer or someone who works for the BSA.
How am I to tell if your close source program isn't full of my GPL code that you blatently stole and are trying to rob me blind by STEALING my IP? Being a closed source advocate as you seem to be you are for me trying to detect IP theft and the illegal STEALING of my code by PIRATES right?
Ok, I'm going overboard to make my point... I have EVERY right to use tools in a good and legal way. Why not outlaw hammers as anyone can perform a very grisly and horrible murder with one... Or better yet only allow licensed contractors to have hammers! as we know that the unlicensed public is only going to do very ewvil things with tools!
see my point now? A tool is exactly what it looks like.... a tool. it can be used for good and evil. and I dont have any respect for the self righteous like you condemning what I do before I even do it.
people with attitudes like you are what cause all the pain and suffering in this world...... STOP IT!
Do not look at laser with remaining good eye.
sick. DoT (Denial of Thought)
No, that's not a new evolution. It has been this way forever...
Indeed! You can teach yourself more engrish at www.engrish.com
Last time I checked 'Intresting' was in the English dictionary.
That would from the Engrish dictionary actually.
If this technique works (haven't read it, page is slashdotted), maybe it could be used to implement Java-style runtime reflection for C++, which would be extremely cool and useful. Get a pointer to a method, decompile it to find out the expected arguments and return type, and dynamically invoke it.
>;k
Why do people keep thinking that decompilation is possible? In short: decompiling a computer program is solving the halting problem. Period.
The long version: In a compiled computer program there is no distinction for either code or data. Every byte in memory can be data, but it can also be executed as valid computer code.
Now, the catch is that during compilation, data and code are mixed in the resulting binary. For instance take the compilation of a 'case' statement. There are several ways of compiling a case:
- you can write it as a list of IF's, which is perfectly fine decompilable
- you can write it as a jump, based on the case expression.
The fun part about the second possibility is that it's far more efficient, but it poses a problem: when decompiling this you have to know where the bounds of the case lie. What's the furthest jump that can be made? It's a jump based on a calculated value, so you should know which values are possible. But for that, you need to run the program, and more specifically, you must run all possible execution paths.
This can be rewritten as the instance of the halting problem: can a computer find out for any program whether or not it will halt? It is proven that a computer program cannot be written to do this task. Neither can a computer program decompile any other computer program.
--
If code was hard to write, it should be hard to read
You can decompile any program. A compiled program is just your high-level program translated into machine language. There is no sort of magical encryption or similar transformation that it undergoes once you compile it.
All you need to do is read in the bytes of any binary program, interpret the bytes as their machine language equivalents for whatever platform you are using, and then convert your MOV statements to assignment operators, JMP statemets to higher level loop structures, etc..
Of course, you won't retain the names of identifiers, which are referred to only by memory locations in a compiled program; and some control structures might be rearranged due to compiler optimization and the lack of machine language equivalents, but the meat and potatoes of it is all right there.
It's by no means easy to accomplish, especially with higher and higher level programming languages, but impossible? humbug! =)
Having finally gotten through to the server momentarily, it appears that the article in question only applies to MS Visual C++.
It all those "stand" things that make it work very well. yeah variable names can be helpful. But those standard calls give me allow of variables names of extact meaning. Very helpul.
Hmm... Sounds a lot like programming with batch files to me. Why don't you guys get with the program and dump C/C++ for smaller, faster, easy to understand programs that run on Windows and DOs! Batch files forever. I will personally growl at those who do not respect them. Click here if you don't know what Panthera leo means
i really disagree about the second one. mostly, because *gasp* not all algorithms people use come from comp sci books. people develop algorithms all the time, so looking into code for that specific reason might be extremely helpful.
BSD is for people who love UNIX. Linux is for those who hate Microsoft.
what a sick hack :-)
ever heard the term RTTI?
Cypher: Well you have to. The compilers work for the construct program. But there's way too much information to decode the Matrix. You get used to it. I...I don't even see the code. All I see is an array, function pointer, integer. Hey, you uh... want a drink?
Neo: Sure.
Cypher: You know, I know what you're thinking, because right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here. Why, oh why didn't I sell my VA Linux stock?... Good shit, huh? Cowboy Neal makes it. It's good for two things, degreasing Perl code and killing brain cells.
Of course, it would probably help if the new people actually have skills.
As I know else where it is easy to decompile the program. To think about one way - THAT IS WHAT THE COMPUTER DOES TO RUN IT.
It you write a program that simulates the functions of the processors. YOU KNOW THEY ARE WELL KNOWN ELSE NO COMPILERS. And load the program the way the load it. AGAIN WELL KNOWN. And now follow all the branches and data pointers, you have a ness map of the binary.
Once you have that pattern matching and known funciton calls (say printf for example) you have map worked out quite well.
Add back know inputs and function symbolic names and the code appears.
One note: it is not the original code. But it the 100% functional equivilent.
Plagiarize,
Let no one else's work evade your eyes,
Remember why the good Lord made your eyes,
So don't shade your eyes,
But plagiarize, plagiarize, plagiarize...
Only be sure always to call it please, "research".
C decompilers exist; here's one. There are others. Most aren't very good. It's a hard problem.
Without debugging information, decompilation tends to result in code with arbitrary variable and function names, of course. But you get names when a DLL or .so is entered, so at least you get the program's major interfaces.
Minimal C++ decompilation could be done by adding vtable recognition to a C decompiler.
A more difficult problem is recognition of idioms. Things like "for" statements tend to decompile as lower level constructs. That's OK as a first step. You need some internal representation Initial decompilation might represent all transfers of control with "goto"; higher level recognition then deals with that.
The key to doing a good job is "optimization", finding more concise source code that will generate the object code. The key to this problem is defining an internal representation that can represent any valid machine-language program, and which can be modified as higher level information about the program is discovered. The first step is usually to start at the starting address and build a code tree by following calls, like a good debugger does. Then you start to improve on the code tree, doing things like this:
Decompilation won't always succeed. But you should find all the places where the code is doing something the compiler doesn't understand, and get code back for everything else.
It's a big job, and somebody ought to do it. Among other things, it would be a valuable tool for finding compiler bugs.
You have just proven my point. You need to write a program that simulates a process, and then run the program on that. Then you must run it using ALL POSSIBLE INPUTS.
Now, go study the halting problem, then write your reply again.
--
If code was hard to write, it should be hard to read
I haven't RTA, but how would you determine which code goes in what source files? On a per-class basis? And then end up with files like "a.hpp" "a.cpp" "aaa.hpp" etc.?
...
Or put them all into one big source dump, which would take an eternity to load up for any non-trivial program? Mind you, disassemblers tend to work this way
I think this would also be slow and horribly inefficient - ever tried to disassemble executables that are a hundred MB or so in size? Still waiting? Multiply that time ten fold as JMPs, JNZ and JZs are analyzed to determine whether something is a while, do-while or a for loop. Or to determine if a statement is a 'break' or a 'goto'.
All this before even mentioning the matter of different compilers - g++, msvc, borland c++, etc., etc. etc.
Ah I dunno, who cares - to ye who implements this shit: kudos, my friend, kudos.
Actually, IIRC, discovering copyright violations is easier done looking at the assembly code. Once you decompile, the C++ code will effectively do the same thing, but it will probably look nothing like the original source.
No comment.
First: There would be no private members. That is information that does not exist in the compiled code. Everything would be public, or just declared as a struct.
Second: The sequence starting from int x; going to j: would be optimized away to just:
f.d(1);
f.d(2);
f.d(3);
Third: Since class a, is a global name (which you can find by looking at the name-mangled a.b() and a.d(), the decompiler should be able to come up with the correct name.
Fourth: It might be too hard for the compiler to correctly guess the layout of class a, given that it has not virtual member functions (thus doesn't need a vtable), the default constructor is simple enough to be inlined, and that no heap allocation of a-objects occur. If the two member functions uses both g and h it should be able to find them both, but there might be friend functions elsewhere that uses more members, and that is again information that would be hard to infer from the binary code. It should guess this correctly, but it should also insert some warning that it wasn't really sure...
It looks like the author is decompiling simple C programs that are compiled using Visual C++. His sample programs consist of nothing more than a main() function, a global character array, and sometimes another global function or two. It does not address ANY features of C++, even fundamental ones like classes.
I do not see how this is decompiling C++. It is simply decompiling C.
Now, the catch is that during compilation, data and code are mixed in the resulting binary.
Not last time I checked. My compiler emits at least four segments in a compiled program: .text (program code), .rodata (initialized data marked as 'const'), .data (initialized data), and .bss (zero-filled data, which is run-length encoded). Segments .text and .rodata are also write-protected.
Yes, there is a halting problem, but this isn't it. Segments make distinguishing code from data straightforward. I understand that a few programs make platform-specific API calls that write-enable .text would be harder to disassemble (and subsequently decompile), but do most user programs make such calls?
Besides, even if the halting problem were relevant, the halting problem can be solved in a real computer, which has limited memory and is thus a linear bounded automaton rather than a Turing machine.
Will I retire or break 10K?
And it's perfectly fine for decompilation to be lossy. The point of decompilation is not to recover the original source code byte-for-byte but to recover something from which a programmer of ordinary skill can recover the gist of the algorithm.
Will I retire or break 10K?
I have worked on a few projects where I was asked to pick up in the middle of a project already started in c++ or c, and even with comments and full normal source... figuring out someone else's code for a project of any size is a big pain, I can't imagine how hard a decompiled source would be.
That list can also double as 6 things your vendors dont want you to be able to do.
I have always felt the greatest problem with closed source was it forced you to trust someone who you were fairly certain had only one skill and that was salesmanship.
It of course raises the interesting question of if you find a copyright violation, in commercial software is your evidence void because the license agreement usually excludes all reverse engineering ?
whenever someone told me my java source code is unreadable, I usually feed it into a decompiler, then send it back to the whiner. It usually fixes them up. (yes, the decompiled .java has no compile, but neither does the original source)
No its not.
It may be a violation of the license agreement which would be a violation of a civil contract The enforcibility and applicability of said agreements have been a point of contention for nearly 30 years now.
First off, there is no "decompiling" going on here. That would imply that you will end up with code having a semi-resemblence to the original code - which is certainly not happening. What is going on here is simply just another compilation phase. This time, instead of an object file target compliant with the system ABI, you are getting a C/C++ file target which should theoretically be compilable into a program that will generate the same output for the same runtime input. The scope of effort and implications barely overlap as they are so vastly different.
Of course, with C++, being a strongly typed language that resolves so many things at compile time, decompilation is not possible for any non-trivial example (which all the examples in the link were- indeed they didn't use any C++ features at all). This is even ignoring the effects of compiler optimizations. The C++ language is far more expressive than the output dialects of the compiler making the whole idea of decompiling silly. C, on the other hand, is basically a platform-independent assembly language which is why the one-to-one examples of C and asm output seem to imply one can move back and forth between the two at will. Still this is a mistaken impression.
Now - is compilation from object code to (non-equivilent but functionaly similar) C code useful and interesting? Certainly. And all compiler developers and most hard core debuggers can do this pretty much at will. Its the only way to check the correctness of your compiler and its generated code and, in desperate circumstances, can give you some clue as to what an existing application for which you have no source to, is doing. This is called reverse engineering, btw, NOT decompilation. Unfortunately the material pointed to here provides absolutely no new insights and is quite rudimentary at best. Anyone intimately familiar with their compiler and environment already has more knowledge than this paper provides. Really doesn't justify a slashdot posting but I guess whomever posted it simply isn't a C/C++ developer.
For those who don't know about it already: The Decompilation Page
A friend of mine work(ed) with a company in Kingston, ON that was spun off from Queens University. Their sole purpose and business model is to take whatever binaries and source a company has available, run it through their cluster of analysis systems, and produce a "clean" update of the system. As per usual, there is about 10-15% of the produced code that needs some hand inspection and tweaking to complete the task.
Their "big" business was the Y2K work, as their software isn't limited to just reverse-engineering, but can also refactor the re-engineered code (e.g. change all "year" values in the system from 2 digit to 4 digit, updating all related I/O formatting functions, overlay structures, etc.)
On the flip side, their stuff involves complex pattern matching and heuristics that put any other system I've heard of to shame. It requires clusters of systems running for days to do the initial code analysis. (OTOH, it probably took years to create the original code.)
I can't provide more specifics on the company because they're having some legal issues with co-investors.
I do not fail; I succeed at finding out what does not work.
(Yes, I know the author's native language probably isn't English. But I couldn't resist.)
Laura
Well that would make sure the cows didn't follow the horse..
Hi, the URL posted is obviously wrong.
There's an extra "/" character that breaks the link. Here's the article.
Loop unrolling is only one heuristic for optimizing, and it's something many programmers do by hand to tweak performance. For example, you could do one of the following:
Alternatively, many programmers would realize they're dealing with constant values (most compilers won't recognize that strlen() as producing a constant), and write:
An ideal optimizing compiler would produce the latter code from the first. How in the world would a reverse-engineering tool recognize those two forms as equivalent?
I do not fail; I succeed at finding out what does not work.
Nope. It (probably) wouldn't be admissible because of the part that says no reverse compiling. Reverse engineering is something totally different.
Reverse engineering is taking a black box and figuring out what it contains by giving it test inputs and watching the outputs. There are a few other things considered reverse engineering, but that describes most of it.
Of course, all of this ignores the fact that EULAs have never been tested in court. They could be proven invalid as contracts fairly easily since the exchange of goods occurs before you ever see the EULA and most stores don't accept returns of opened software. Therefore, if you don't agree to the EULA, you still have the right to use what you purchased.
On an interesting side note, various free trade laws specifically protect reverse engineering.
It's not slashdotted. In fact, the guy probably hasn't gotten many extra hits at all, because the posted URL is wrong.
The article (link provided for those who don't read URLs) is wrong, even in the first section.
The title of the first "chapter" is "Why is c++ Decompiling possible?". But immediately he lists "what is totally loss when you compile a program and what stays there".
In the Lost column he puts templates and classes. The remains list has things like function calls and local variables.
Well, guess what? Those things are are "lost" are everything that distinguishes C++ from C. If you don't have classes (meaning no inheritance or virtual functions either) and don't have templates either, then you're really just programming in "a better C", not C++.
So all his approach can hope to "decompile" is C code. Which is something we've seen done in various forms for decades.
Finally, somebody can reverse eng. SCO and rewrite the parts that are the same or similar as Linux before the damned lawsuit is finished. Mootify it!
Table-ized A.I.
It's a shame that nobody mentioned IDA yet -- an interactive decompiler that does not restore the source code but instead tries to work with the human to figure out what parts of machine code do and mean by splitting data and code and giving readable names to functions and variables to start with.
I haven't seen any comments on the linked "book" itself yet. In short: it sucks hard. Go take a look and try not to laugh.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
Unfortunately, the user interface left a lot to be desired, owing to the authors peculiar, um, tastes in UI design. And it never produced assembly that could be fed back into an assembler after modification, which would've been most useful. It did, however, come with a fairly detailed analysis of the Mac roms (back in the day ;-) and so was invaluable in learning the secrets of the Mac toolbox. Anybody know of a similar product for linux/windows/os x?
As an aside, the parent article is complete crap written at a high school level by someone that recently learned that what you put in the compiler vaugly resembles what you can see from the debug prompt. I kept waiting for the "here's my magic algorithm that allows me to trace object usage accross appearent compilation units", but this pointless article didn't even come close.
There's a branch of archaeology where researchers reverse-engineer ancient technologies and actually build the tools and techniques in a historically authentic manner. There are many such studies building and testing things like medieval siege engines, ancient Greek warships, Polynesian transoceanic sailboats, stone-age tools and weapons, and Egyptian pyramids. It's one of the most fascinating areas of archaeological research today.
By your logic, these researchers are merely IP thieves.
While complete decompilation is impossible, if any data has been thrown away, partial translation into a form that is more useful may be possible: when many ask for a "decompiler", they really want that useful translation instead, though may not know it -- knowing only that a complete decompilation would be such a useful translation.
IOW, "You can't always get what you want, but you might just find, you can get what you need."
The real danger here are people (think PHBs) who can't tell the difference between a translation and a complete decompilation, see that the former is possible, think it is the same as the latter, and INSIST, on pain of being fired, that a tool be developed to produce the latter. A little knowledge is a dengerous thing in that context.
You could've hired me.
I have done quite a lot of reverse-engineering stuff. Assembler really isn't that hard, nor is reading disassembled programs. Just use a debugger or string-search in the disassembled code to find the place you want to modify. Study the piece a bit and change it. What makes it _really_ easy is library calls, that will show in the code as "call printf". With this technique i have added, removed and patched a lot of features in different programs (removed splash-screens(yes, some legal apps use this annoying feature), removing ugly skinning of programs windows etc.).
;)
Yes, when i last checked this was all legal in Finland.
For bigger patching this could be really useful.. but for that purpose there are open source programs
I can tell you. Blow your head off with a suitably powerful firearm. Tie a cinderblock around your legs and throw it off a bridge. Use your tiny imagination. Do whatever it is you did to those animals you most likely tortured when you where younger. See you on the other side, worthless.
why run from Vincenzo?
No its not.
It may be a violation of the license agreement which would be a violation of a civil contract The enforcibility and applicability of said agreements have been a point of contention for nearly 30 years now.
This sureley doesn't sound illegal to me. But then, neither does just about anything that's prohibited by the DMCA. What does the DMCA have, if anything, to say about this practice? If it doesn't, how long, one might wonder, until it does?
Quod scripsi, scripsi.
Since when was taking apart my car ilegal? "trade secrets" and lisence agreements that demand you give up your right to take apart a piece of software are hogwash and total BS. I have the right to know what my computer is doing, because it's mine, and besides, I can still take apart the cotton gin and rigure out how it works, the same applies to software. Just becuase it's a computer and has thousands of magical circuts doesn't mean I can't learn how it ticks.
Removing one of the barriers that keeps people from learning what a program does is a great idea.
Candy-Coated Knowledge
Hey, didn't you "research" that verse from Tom Lehrer?
I'm curious how this works. I hear about it all the time, that some company or other has ripped off a piece of someone else's code and they're suing. The thing is, if I understand this correctly, a number of modern compilers optimize the executable to such an extent that t's theoretically possible that two completely different pieces of code employing the same algorithm will end up with an extremely similar executable. Unless your algorithm was unique, how can you possibly prove definitively that someone ripped off your code.
Anyway i seen alot of people saying decompiling is impossible or at least not practical, well that is not true. Decompiling c++ is very practical because of high level keywords(if,while,for) ,local variables, and parameters. All of these generate certain instruction similer on every platform and just about every proccesser.
I also extending the artical to contain 92 pages in total which will cover OOP, and crt, and a whole bunch of other stuff
A coding sequence cannot be revised once it's been established.
Why not?
Because by the second day of compilation, any objects that have undergone reversion compilations give rise to revertant binary like rats leaving a sinking ship. Then the ship sinks.
What about C decompilation?
I've already tried it. Reverse disassembly, templates as an decoding agent and potent mutagen. It created a virus so lethal the system was dead before it left the startup sequence.
Then a repressive extension that blocks the operating code?
Wouldn't obstruct replication, but it does give rise to an era in replication so that the newly formed code carries the mutation and you've got a virus again. But this-- all of this is academic. The code was made as well as we could make it.
Guys, Tyrell knows....
Well, duh. You asked for a variable that was a pointer, you got it. If you used an int, it wouls hold a value. Understand the language before reverse-engineering it!
Well, you can decompile every binary programm at least to assembler code, so why shouldnt it possible with C++?
There's a huge difference between disassembling and decompiling. With assembly, you generally have a 1 to 1 correspondence between machine language instructions and assembly instructions. That is, one specific instruction you feed to the assembler becomes one specific assembled instruction. Sometimes it's more complicated than this, but only slightly.
Now look at c, where one line of code could be arbitrarily many opcodes, depending on the complexity of the logic within that line (and the length of the line). Now suddenly, instead of looking at one instruction and translating it back to it's equivalent, your decompiler has to look at possibly hundreds of instructions, parse them logically and figure out where each line starts, and ends, and what the logical purpose of each set of instructions is. Then dealing with structures (or in C++, objects) where you have to come up with a definition for how data is laid out based solely on the instructions for dealing with that data.
That's quite a bit more complicated. I sure as hell couldn't do it. I know I could write an assembler or disassembler, I might be able to write a simple compiler, but there's no way in hell I could write a functional decompiler.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
Something that will literally give me code I can re-compile immediately?
If you're going to re-compile it immediately, it sounds like you really don't have a use for a decompiler =)
Write a program which will loop until any key is pressed. When will it halt?
Interactive input is outside the parameters of a Turing machine and thus not related to the halting problem. Besides, in modern operating systems, input is an API call, and API calls are ridiculously easy to handle correctly in a disassembler.
Will I retire or break 10K?
The previous reply wasn't me, Ping.
It was Wilson Mizner (1876-1933). He was an American screenwriter who co-wrote, among other things, the script to Hard to Handle (1933) starring James Cagney.
:)
There's your answer - and it only took ten seconds' plagiarism with Google.
JAD is a wonderous tool, isn't it?
OK, my statement may have been a bit misleading. By definition of an LBA (linear bounded automaton), the input for an LBA is the contents of its memory when it is powered on; an LBA has no "input registers", that is, addresses whose contents will change other than by a write to memory by the CPU. Because every LBA has an equivalent (but humongous) finite state machine, it is possible to determine whether any LBA will halt or loop by running it for n cycles where n is the number of states of the machine's memory (n = 2^m where m is the number of bits in the machine's memory). In practice, two identical machines are run in a tortoise-hare configuration (one cycle of the tortoise to two cycles of the hare), and the machine has halted or looped when both machines are in the same state.
Take interactivity into account, and programs that run on real computers will always eventually halt because if nothing else, the power will die, or the CPU will melt, or something.
Will I retire or break 10K?
But I don't see any reason to justify my claims either.
All PSPACE-complete problems are decidable by a machine running algorithm that uses P space. This PDF states that the acceptance problem (equivalent to the halting problem) for linear bounded automata (which it calles "linear bounded deterministic Turing machines") is PSPACE-complete. Here's an algorithm that decides it.
Will I retire or break 10K?
They forgot to remove debugging symbols. Then it's really easy. :)
First he crows about MS Visual C++, then says It's harder to reverse engineer something created than to create it in the first place..
Who is this, the King of Trolls?
I want to delete my account but Slashdot doesn't allow it.
One really good reason I haven't seen mentioned yet is writing a Linux driver for a piece of hardware only supported in Windows, such as the DXR3/Hollywood+ or the MyHD/WinTV-HD/etc. For these projects where the hardware manufacturers either can't or won't offer any help, the only way to support the hardware is by disassembling the Windows driver and figuring out the algorithms used by reading the disassembly and/or watching the interactions between the driver and the code. Fortunately for the MyHD driver project, the MyHD software is distributed without any EULA.
BTW: Nice job getting all those responses with two lines...
A solution to the problem with music today
Not only does the author completely fail to realize that the technique he is describing doesn't remotely qualify as decompilation, and is is nothing but normal reverse engineering, but he figures that the appropriate response to negative criticism is to remove evidence of it rather than attempt to intelligently respond. I noticed that my vote of 1 of 5 was still intact on his voting page, though.
I was originally surprised when I first read the article that someone would think it had merit enough to write about, but having some insight into the mindset of the author that I did not have before (offered by his rapid censorship of my remarks), my surprise has waned completely.
File under 'M' for 'Manic ranting'
Sounds perfect for all the Comp Sci students out there.
"to be Slashdotted" is not an infinitive...
You might be doing digital forensics. It could well be your job to poke about at the lowest level. Part of a lawsuit, for example.
You may have a hard performance or space requirement, and need to dig just a little deeper...
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Sorry I missed you on IRC (if that was you). Hanging a closet door...
It's a full-fledged IP network, not a p2p app. Hundreds, if not thousands, of IP apps will work on it with no modification whatsoever. You're not relying on the assumption that someone won't declare your freenet node illegal, either. For that matter, there is no certainty that you are even connecting to Meta... for all you know, you're just VPNing to some friend you met online. It may not be the original "MetaNET", or even a metanet at all...
I like DNS, the web, ftp, email, irc, im... I don't see why it's necessary to reinvent the wheel, if that is indeed what freenet is trying to do. For myself, at least, freenet simply is the wrong approach. I want a true internet, just a non-shitty one. And the idea of IP-over-freenet must have had something to do with smoking crack...
I know this guy. A sad thing is, lives in the US, and as far as I know, he's a native english speaker, I just can't understand a thing he says. I read this "book" week or two ago when he finished it. I thought this was a very rough draft, but I guess not. I couldn't help but laugh at some things, like it's irrelevance to C++ in general. He should have just used C, since he never even mentions a class.... Well, to be fair, he did mention classes when he describes what is lost in the compilation process, which is untrue, especially if it is a polymorphic class. In fact, I didn't see one thing in this article that would set it apart from one written on the same subject, except using C.
For a laugh, look at his other tutorials. Surprisingly, his "book" here is among some of the better material. Most have to do with C++, and some assembly, and some even cover the same material in this lengthy and pointless article. I especially like his tutorial on using Macros in C++, a concept so backwards and wrong it shouldn't even have to be mentioned. Sure, macros have uses, but with C++, you have real inline functions and constant variables, so why use them for anything besides #include? Anyway, his other works can be found on pscode.com.
What all this boils down to here, is that nothing new is said here. Not only that, but what is said is presented and worded so poorly that anyone reading it is either going to die of laughter or confusion. If you want to read something on reverse engineering, pick up the dragon book, an assembly book, a good disassembler, and some of the very nice documents on cracking software. Many of these are written by people who will be years ahead of you no matter how hard you work, people who actually know what they're talking about.
- Mik Mifflin
If SCO commits perjury and puts linux into unix we will know instantly and can throw these guys in the slammer.
http://saveie6.com/
You know, I used to read Fravia when I was in junior high. I strongly dislike the way the GNU philosophy is associated with "warez" and software cracking on that site. Yes, reverse engineering and disassembling are important tools, but they are not to be used to steal software, but to understand how software works, and thereby implement a free version using similar but superior algorithms and ideas.
A solution to the problem with music today
If you take a binary image and compile (back) into C code, that C code will be very different then the original code. As the artical says there will be things lost, classes become dynamic function calls etc.
The new C code would in effect be a different expression of the same idea would it? Doesn't that make it copyrightable in it's own right?
If you make a copy note for note of a public doman piece, and publish it, that is a copyrightable work, since it is one rendering of the work. Someone else could make the same copy of the original, and copyright it and as it is a different layout etc, it is copyrightable as well.
I think this is the same type of thing.
Am I wrong?
Should I be asking Slashdot? (of course, slashdot is, as we all know full of lawyers!)
Been doing it for twenty years. It is easy to do.
Stop trying to use logic... actually do it.
It may be a violation of the license agreement
But then again such a license agreement could be a violation of the copyright law. In the country where I live, the law explicitly says the user has the right to decompile if that is the only way to find the necesarry information to make a program you are developing interoperable. And the law says that right cannot be given up by agreement.
Do you care about the security of your wireless mouse?
Reverse engineering as I understood is that you have 2 sets of programmers, the frist set disassemble the code and write a specification that contains no source.
The second set of programmers code from that spceification.
For this to be leagal, the must not be any contact or mixing of the 2 sets of programmers other than the specification.
Hi, the URL posted is obviously wrong.
Is this a new approach to prevent slashdoting?
Do you care about the security of your wireless mouse?
Before you use a nice algorithm that you lifted from decompiling the ASM, make sure you do your research.
It just takes intelligence and insight. Frankly many things aren't that hard- I remember reading some 'essays' about this topic when I was studying. Do a google search for 'fravia' '+orc' and tutorial- You'll find some mirrors. There's even some essays on how to add new functions to notepad given the binary only... which goes to show decompiling a c++ (or any, really) program isn't new.
Please make some observation that can't be deduced from half of a Computer Architecture course.
In your examples, don't use the same variable name in the original source. For example in one of your original sources you used s1 as a variable name. When you were decompiling this, you stated So let's create an alias for the address's 0000:0000 - 0000:0003, which will be s1. which amazing is the same varable name.
Please try to pick non-trival examples to highlight you decompilation acume.
The tool argument is interesting : what if I choose to use an uzi as a hammer, does that allow me to possess an uzi ?
The practical use of a tool is not the only thing to consider; we have to think about the purpose of it also. That said, I don't believe that decompilers are purposely made to harm.
And yet some tools ARE naturally dangerous if left in the hands of the irresponsible.
Shall I leave a hand grenade to be used as a baby's teething ring?
What about rat poison as a sandbox filler?
Some tools have an inherently high danger potential for casual misuse and others have a high danger potential even with exceptionally proper usage. Nukes for clearing mountain ranges anyone? The waste would be vast in the result, but this once was proposed as a reasonable civilian use of nuclear bomb tech.
Nobody sane would fear the misuse that a single hammer alone would kill millions or level mountains. The casual misuse COULD accomplish these goals, but the time and energy required would be enormous compared to the casual misuse of a nuclear bomb.
"Face it, a nation that maintains a 72% approval rating on George W. Bush is a nation with a very loose grip on reality.
It's relatively easy to come up with the set of C statements that would mimick a particular set of asm statements that you wish to decompile, but the end result would be a C program that was not much easier to read to the original asm was. Changing various assembly operations into C operations does get you back the information you really need.
// do a bunch of stuff using x
// do stuff with temp
The symbolic names make up the bulk of the lost information, but often times programmers will organize a sequence of code in a certain way to make it easier to understand. The compiler will often rearrange that code in a manner that makes it easier for the computer to understand. Compilers will do screwy things like increment a variable on the stack, while holding the original in a register for later usage. Where the original C code might have had the variable increment at the end like this:
while (x 10)
{
x++;
}
The way the compiler optimizes register usage may cause the assembly to actually increment x just after doing the conditional, then hold the non-incremented value in a register for use down below. The decompiled asm might look like this:
while (x 10)
{
int temp = x;
x++;
}
While this may seem like a trivial difference in the C code, it can often distort the intent of the algorithm. When a C programmer sees a construct like the latter, they naturally assume that the temp variable was used because more natural constructs would not. The C programmer then wastes time mulling it over only to discover that it was just dumb.
I am currently on a project where I am maintaining some pretty poorly written code. I can't tell you how much time I waste looking at a particularly ugly algorithm trying to figure out why they are doing all these screwy things, only to discover they were just idiots.
My point is, that the compiler and optimizer are going to mangle the logical order of the code in such a manner that it will be far more difficult to read.
Like I said at the beginning, simple translation of assembly to C is easy, getting back the meaning that gives the endeavor any value at all is much more difficult.
Nukes for clearing mountain ranges anyone?
:-)
Nobody sane would fear the misuse that a single hammer alone would kill millions
What if I use the hammer to detonate the nuke?
I know it's not supposed to work... But has anyone tried it?
main(char O){O++&&(((O-291)*O+27788)*O-868020?1:putchar(O++
As last words go, "You can't decompile a C++ program" can't hold a candle to, "Hey Honey, watch this!"
Go ahead and mod me off-topic, but it had to be said.
A huge portion of the benefit of the "ugly" solution is that the overhead of invoking memcpy() as a function far exceeds the execution of the byte assignments. If your compiler is smart enough to unroll memcpy(), it would produce the output I described.
I do not fail; I succeed at finding out what does not work.
because Its written in pig latin and I havn't read it myself so it might suck, but read it anyway...
This is just as bad as those people at work that are constantly forwarding news stories with the proprity flag set.
All your base are belong to us!
Sorry about that. And I apologize for being rude.
You know, it's funny how you can take a common sample of performance tweaked code and turn it into a personal attack. Think I'll skip the many snarling replies that come to mind, and just remind myself you have no idea who I am or what my skills are.
Get out of the research labs and start creating and maintaining code that has to run on old hardware, old compilers, old third-party products, and has no upgrade budget. You go and explain to the management that performance tweaks would make the code "unmaintainable", and I'll stand by and have a chuckle while interviewing your replacement.
Real production code has tweaked segments. It's not "pretty", it's not as "readable" as some would like, but it is functionally equivalent. Odds are that if you're trying to reverse-engineer code, it's going to be old code that has been hacked and tweaked to keep it going after being rushed into production.
But hey, what do I know? I've only been programming for about 20 years, so obviously some prof saddled with the first year classes must have more insight. I humbly bow before the wisdom of one who preaches source code style while discussing decompilers...
I do not fail; I succeed at finding out what does not work.
I read carefully and noticed that the only sentences that were Davak's bitched about AC posting. Because he had nothing else to offer, I imagined he agreed with what he posted from the FAQ. Once again, I can thank him for nothing. Next time he might add some commentary to the FAQ or just say it ain't so.
Friends don't help friends install M$ junk.
No you can't dissassenble every assenbly binary into the source code. I've worked with self modifying code, which actually writes itself on the fly, sometimes in compelx ways. (fortunatly modern operating systems technically don't allow this, but once in a while you still run across it) I've also worked with hand written machine language. You can't get assembly because there never was any, and the author took advantage of variable instruction lenght so that a JMP to $200 or JMP to $201 is valid, but the results are vastly different. Makes for some really small code, but it is difficult to write, and debug, bordering on impossibal.
The tool argument is interesting : what if I choose to use an uzi as a hammer, does that allow me to possess an uzi ?
dont be an idiot. has an Uzi ever been marketed for anything other than causing the rapid fire of lead projectiles? do you know of anyone good enough to use an Uzi correctly to shoot a nail into a board?
No.
So let's go on your gun theory... damn... Nail guns are fricking evil... I coult kill and maim more people with it than your uzi.
An Uzi has never been made for or represented as a tool for anything but killing of people. They were not built for hunting exactly like an atomic bomb... (New from RonCo.. the deer aniliator! kill entire acres of deer easily!)
show me something that is sold as a utility item or tool.. like a rifle, bow and arrow, Bowie knife. THOSE are tools. an UZI has never been a tool.
so yes, the pourpose of the tool is to be considered.. and I have yet to see a de-compiler that is designed specific for wanton stealing.
Hmmm... kinda like the DeCSS case... it was not written for copying.. it was written for viewing, can it be used to copy? I am pretty sure it can be a part of a copy process. just like lead can be forged into a bullet that can be coated in teflon to create a cop-killer bullet.
I dont think that Dow-corning invented teflon to murder police.
Do not look at laser with remaining good eye.