Decompilation with IDA Pro - For free!
Posted on January 25, 2008 by Univ.-Doz. Dr. Schneider
Filed Under IITAC Security Blog
Decompilation is the reverse process of compilation i.e. creating high level language code from machine/assembly language code. At the basic level, it just requires to understand the machine/assembly code and rewrite it into a high level language, but things are not as simple as they seem, particularly when it comes to implementing a decompiler.
Ever wanted to decompile your analysis with IDA Pro? One way is to use the Hex-Rays decompiler. Unfortunatly it costs around 1500-1700 Euro… Just have a look at a Hex-Rays process. Below we see a function with IDA Pro.
The first analysis gives a nice pseudo-code.
Still this code lacks from being a real pseudo-code. Tweaking with Hex-Rays option we finally get a much better pseudo-code:
Duh, what if I want to have this for free?
Well, if you want to decompile for free there is a way. I have to say that the formatting and options are not that sophisticated such as Hex-Rays - but hell, it is free and with sources!
The desquirr plugin by David Eriksson does a marvelous job! You can read his Master Thesis here. The decompiler uses several data structures, where the most important are nodes, instructions and expressions. The design of this decompiler plugin is heavily inspired by the RTL System. The RTL System uses the RTLFlowNode class and its subclasses to represent nodes in a control flow graph. Although this plugin does not provide control flow graph analysis, certain algorithms need to know the number of successors to a node, and therefore David provides not only a Node class but also a class hierarchy similar to that
of RTLFlowNode.
Example decompilation results
Let us have a short look at a simple example:
#include int main() { int i, numtimes, number; unsigned value, fib(); printf("Input number of iterations: "); scanf ("%d", &numtimes); for (i = 1; i <= numtimes; i++) 10 { printf ("Input number: "); scanf ("%d", &number); value = fib(number); printf("fibonacci(%d) = %u\n", number, value); } exit(0);} unsigned fib(x) /* compute fibonacci number recursively */ 20 int x; { if (x > 2) return (fib(x − 1) + fib(x − 2)); else return (1); }
This code will be decompiled to:
sub 10291: printf("Input number of iterations: "); ax = scanf("%d", & var 2); si = 1; goto loc 102DD;loc 102AF: printf("Input number: "); scanf("%d", & var 4); var 6 = sub 102EB(var 4); 10 ax = printf("fibonacci(%d) = %u\n", var 4, var 6); si = si + 1; loc 102DD: if (si <= var 2) goto loc 102AF; exit(0); return ax; sub 102EB: if (arg 0 <= 2) goto loc 10313; dx = sub 102EB(arg 0 − 1); ax = sub 102EB(arg 0 + 0xfffe); ax = dx + ax; goto loc 10318; goto loc 10318; loc 10313: ax = 1; goto loc 10318; loc 10318: return ax;
And now?
Well, this produces some nice information about the analysed target. However, desquirr has several disadvantages against Hex-Rays:
it is not attached to the graphical debugging
- desquirr is not that powerful
- renaming of information is not possible
- direct conncetion to IDA Pro not available
- … and some more
However: a real nice tool which I use at university lecture!
Comments
3 Responses to “Decompilation with IDA Pro - For free!”
Leave a Reply
-
Security Labs Blog
- IT Underground XI 2008: The Damn Vulnerable Linux Project - Steps beyond ethical hacking! (by T. Schneider)
- IT Underground XI 2008: 64-bit Imports Rebuilding and Unpacking (by S. Doucet)
- RECON2008 talk: 64-bit Imports Rebuilding and Unpacking by Sébastien Doucet (IITAC)
- IITAC - Sponsor of the RECON conference! Free IDA Pro training!
- Microsoft Security Risk Management Guide - Worth a look?
- IT Underground XI 2008: The Damn Vulnerable Linux Project - Steps beyond ethical hacking! (by T. Schneider)
-
IDA Pro Training
Get trained to analyze malware, vulnerability or copy protections with the no. 1 binary analysis tool IDA Pro!
Cognitive Debugging™
The debugging skill of the programmer is probably the biggest factor in the ability to debug a problem, but the difficulty of software debugging varies. Cognitive Debugging™ trains debugging with respect to brain and mental abilities! Both combined result is most powerful debugging results!Scientific Hacking™
Go far beyond classical ethical hacking! Instead of using tools only look under the hood, instead of making multiple choice tests only get certified by true practical assessments!
-
Get in touch
-
Get your free copy!
I like to know where can i download the software to decompile HEX to ASSEMBLY, then from ASSEMBLY to C language?
There are some few options for this. The Boomerang decompiler has some good functionality and works quite fair for C compiled applications. Otherwise you can use the desquirr plugin for IDA Pro which is free as well. The most powerfull decompiler is the Hex Rays decompiler for IDA Pro which does not produce full C++ but a fair result of decompilation.
I’m glad to see your homepage.