Hi Mychaela, Both IDA (proprietary, expensive) and ghidra (open-source, free) have the capability of generating C code from a x86 binary. Unfortunately the compilation process loses information in particular function names and types, so in the absence of debug information (.pdb) the result of the decompilation lacks a lot of the programmer's original meaning. Only human examination and understanding of each function can hope to restore some of that meaning, but it's a long and painstaking process. Please have a look at https://www.freecalypso.org/members/ds/ccdgen.exe.c which is the result of the whole executable decompilation. Thanks to some strings we can get a glimpse as what some functions do, but it's quite limited sadly.
I recommend you give ghidra a try nonetheless. It is a very powerful tool that can provide a lot of information. You can also try the IDA Free software, which however does not include a decompiler. Still, some consider it's user interface to be superior to ghidra: https://hex-rays.com/ida-free/ I would be surprised if either IDA's or ghidra output can be recompiled as-is. The result of the decompiler was not meant for recompilation, but rather to provide an easier to understand version of the code to the person trying to decipher a binary. In fact, having used both tools the result of the decompilation is often wrong. Hope this helps, --DS On Sun, Apr 30, 2023 at 04:47:30PM -0800, Mychaela Falconia wrote: > Hello FreeCalypso community, > > Do we have anyone here who is knowledgeable about the current state of > the art (and the state of readily available tools) in realm of static > reversing of Windows executable binaries? Right now I (and FC project) > could really benefit from a Windows binary decompiler - but let me > explain more specifically what is needed. > > In the days of Calypso and LoCosto, the part of TI that was previously > Condat had a tool called ccdgen. This tool reads a bunch of ASCII > text files in their own ad hoc language/format, performs some business > logic on the data, and then produces other ASCII text files (mostly C > headers, but seems to be capable of other output formats in other > modes of operation) as its output. The problem is that the source for > this ccdgen tool has been lost, and the only surviving form is a > Windows executable binary named ccdgen.exe - a Win32 console app that > runs just fine under Wine. Running strings on this binary, I see that > it was built with MS Visual C++ - but my general knowledge of how the > GSM Skunkworks division of TI/Condat worked strongly suggests that the > program was most likely written in plain C (C++ unlikely, but most > proprietary compilers including M$ have C++ in their name, even if > only C is actually used), and I also have every good reason to believe > that it was a "pure" ANSI C program, without any Windows specifics at > the source level, i.e., unlikely to have used any Windows-specific > headers or made any Win32 API calls. I have every reason to believe > that in its source form, ccdgen used only fopen() followed by stdio > functions, and it is the compiler's run-time library turning this > stdio into Win32 system calls. > > This ccdgen.exe binary weighs 262144 bytes, and does not show any signs > of obfuscation - the problem we are dealing with is purely one of lost > source code, NOT the kind of obfuscation (packers etc) that security- > oriented reversers typically have to deal with. Thus it appears to me > that the problem we have on our hands is exactly the kind for which > automated decompiler tools should be best suited. > > Hence my question to those who are more familiar with the "mainstream" > world of static reversing: are there any readily available Windows exe > decompilers that can turn the whole exe into recompilable C? Obviously > all original function and variable names have been lost, thus the > output of the decompiler can only contain functions and variables with > meaningless auto-generated names, but can a decompiler produce an > output that can be fed to a new C compiler, producing a new executable > that will function like the original? > > My hesitation comes from having passively observed the work of other > reversers in the past, and their workflow tends to be very different > from what I am seeking to do. It seems to me that the most common > static RE tools (IDA, Ghidra) operate interactively with GUIs, not > batch like I am seeking, and when reversers invoke the decompiler > function, the output is intended for human understanding, rather than > to be fed to a new run of a standard C compiler. Are there any > decompilers that operate differently? Are there any decompilers that > can be run in batch mode on a whole exe, as opposed to manually looking > at individual functions in a GUI? And can they produce output that is > valid C, suitable to be fed to a new run of a different standard C > compiler? > > It also appears that libc functions like stdio are linked statically > into the exe binary, thus the decompiler will need to be smart enough > to recognize those standard compiler run-time library functions and > exclude them from deeper analysis: for example, recognize calls to > fopen() and call it fopen(), rather than trying to decompile the > bodies of MSVC functions that implement stdio in terms of Win32. Are > any readily available decompilers smart enough to recognize such > standard boilerplate? > > The binary in question is here: > > https://www.freecalypso.org/hg/fc-tourmaline/raw-file/tip/winexe/ccdgen.exe > > and here is the standard invokation, serving as an example of how it > functions: > > https://www.freecalypso.org/hg/fc-tourmaline/file/tip/cdg-hybrid/makecdg.sh > > If anyone in our community (Das Signal maybe?) can take this exe and > produce the desired decompilation (i.e., produce a C source that can > be fed to a new compiler - e.g., native Linux gcc - yielding a new > executable program that functions like the original ccdgen, even if > all names in that generated C "source" are meaningless), that would be > awesome! But even if no one in our community can actually do it, if > anyone has pointers in the right direction, those would be helpful too. > > Hasta la Victoria, Siempre, > Mychaela aka The Mother > _______________________________________________ > Community mailing list > Community@freecalypso.org > https://www.freecalypso.org/mailman/listinfo/community _______________________________________________ Community mailing list Community@freecalypso.org https://www.freecalypso.org/mailman/listinfo/community
