Decompiler

Last updated December 19, 2024

A decompiler is a computer program that translates an executable file back into high-level source code. Unlike a compiler, which converts high-level code into machine code, a decompiler performs the reverse process. While disassemblers translate executables into assembly language, decompilers go a step further by reconstructing the disassembly into higher-level languages like C. However, decompilers often cannot perfectly recreate the original source code and may produce obfuscated or less readable code.

Introduction

Decompilation is the process of transforming executable code into a high-level, human-readable format using a decompiler. This process is commonly used for tasks that involve reverse-engineering the logic behind executable code, such as recovering lost or unavailable source code. Decompilers face inherent challenges due to the loss of critical information during the compilation process, such as variable names, comments, and code structure.

Certain factors can impact the success of decompilation. Executables containing detailed metadata, such as those used by Java and .NET, are easier to reverse-engineer because they often retain class structures, method signatures, and debugging information. Executable files stripped of such context are far more challenging to translate into meaningful source code.

Some software developers may obfuscate, pack, or encrypt parts of their executable programs, making the decompiled code much harder to interpret. These techniques are often done to deter reverse-engineering, making the process more difficult and time-intensive.

Design

Decompilers can be thought of as composed of a series of phases each of which contributes specific aspects of the overall decompilation process.

Loader

The first decompilation phase loads and parses the input machine code or intermediate language program's binary file format. It should be able to discover basic facts about the input program, such as the architecture (Pentium, PowerPC, etc.) and the entry point. In many cases, it should be able to find the equivalent of the main function of a C program, which is the start of the user written code. This excludes the runtime initialization code, which should not be decompiled if possible. If available the symbol tables and debug data are also loaded. The front end may be able to identify the libraries used even if they are linked with the code, this will provide library interfaces. If it can determine the compiler or compilers used it may provide useful information in identifying code idioms.^[1]

Disassembly

The next logical phase is the disassembly of machine code instructions into a machine independent intermediate representation (IR). For example, the Pentium machine instruction

moveax,[ebx+0x04]

might be translated to the IR

eax:=m[ebx+4];

Idioms

Idiomatic machine code sequences are sequences of code whose combined semantics are not immediately apparent from the instructions' individual semantics. Either as part of the disassembly phase, or as part of later analyses, these idiomatic sequences need to be translated into known equivalent IR. For example, the x86 assembly code:

cdqeax; edx is set to the sign-extension≠edi,edi +(tex)pushxoreax,edxsubeax,edx

could be translated to

eax  := abs(eax);

Some idiomatic sequences are machine independent; some involve only one instruction. For example, xoreax,eax clears the eax register (sets it to zero). This can be implemented with a machine independent simplification rule, such as a = 0.

In general, it is best to delay detection of idiomatic sequences if possible, to later stages that are less affected by instruction ordering. For example, the instruction scheduling phase of a compiler may insert other instructions into an idiomatic sequence, or change the ordering of instructions in the sequence. A pattern matching process in the disassembly phase would probably not recognize the altered pattern. Later phases group instruction expressions into more complex expressions, and modify them into a canonical (standardized) form, making it more likely that even the altered idiom will match a higher level pattern later in the decompilation.

It is particularly important to recognize the compiler idioms for subroutine calls, exception handling, and switch statements. Some languages also have extensive support for strings or long integers.

Program analysis

Various program analyses can be applied to the IR. In particular, expression propagation combines the semantics of several instructions into more complex expressions. For example,

moveax,[ebx+0x04]addeax,[ebx+0x08]sub[ebx+0x0C],eax

could result in the following IR after expression propagation:

m[ebx+12]  := m[ebx+12] - (m[ebx+4] + m[ebx+8]);

The resulting expression is more like high level language, and has also eliminated the use of the machine register eax. Later analyses may eliminate the ebx register.

Data flow analysis

The places where register contents are defined and used must be traced using data flow analysis. The same analysis can be applied to locations that are used for temporaries and local data. A different name can then be formed for each such connected set of value definitions and uses. It is possible that the same local variable location was used for more than one variable in different parts of the original program. Even worse it is possible for the data flow analysis to identify a path whereby a value may flow between two such uses even though it would never actually happen or matter in reality. This may in bad cases lead to needing to define a location as a union of types. The decompiler may allow the user to explicitly break such unnatural dependencies which will lead to clearer code. This of course means a variable is potentially used without being initialized and so indicates a problem in the original program.^{[ citation needed ]}

Type analysis

A good machine code decompiler will perform type analysis. Here, the way registers or memory locations are used result in constraints on the possible type of the location. For example, an and instruction implies that the operand is an integer; programs do not use such an operation on floating point values (except in special library code) or on pointers. An add instruction results in three constraints, since the operands may be both integer, or one integer and one pointer (with integer and pointer results respectively; the third constraint comes from the ordering of the two operands when the types are different).^[2]

Various high level expressions can be recognized which trigger recognition of structures or arrays. However, it is difficult to distinguish many of the possibilities, because of the freedom that machine code or even some high level languages such as C allow with casts and pointer arithmetic.

The example from the previous section could result in the following high level code:

structT1*ebx;structT1{intv0004;intv0008;intv000C;};ebx->v000C-=ebx->v0004+ebx->v0008;

Structuring

The penultimate decompilation phase involves structuring of the IR into higher level constructs such as while loops and if/then/else conditional statements. For example, the machine code

xoreax,eaxl0002:orebx,ebxjgel0003addeax,[ebx]movebx,[ebx+0x4]jmpl0002l0003:mov[0x10040000],eax

could be translated into:

eax=0;while(ebx<0){eax+=ebx->v0000;ebx=ebx->v0004;}v10040000=eax;

Unstructured code is more difficult to translate into structured code than already structured code. Solutions include replicating some code, or adding Boolean variables.^[3]

Code generation

The final phase is the generation of the high level code in the back end of the decompiler. Just as a compiler may have several back ends for generating machine code for different architectures, a decompiler may have several back ends for generating high level code in different high level languages.

Just before code generation, it may be desirable to allow an interactive editing of the IR, perhaps using some form of graphical user interface. This would allow the user to enter comments, and non-generic variable and function names. However, these are almost as easily entered in a post decompilation edit. The user may want to change structural aspects, such as converting a while loop to a for loop. These are less readily modified with a simple text editor, although source code refactoring tools may assist with this process. The user may need to enter information that failed to be identified during the type analysis phase, e.g. modifying a memory expression to an array or structure expression. Finally, incorrect IR may need to be corrected, or changes made to cause the output code to be more readable.

Other techniques

Decompilers using neural networks have been developed. Such a decompiler may be trained by machine learning to improve its accuracy over time.^[4]

Legality

The majority of computer programs are covered by copyright laws. Although the precise scope of what is covered by copyright differs from region to region, copyright law generally provides the author (the programmer(s) or employer) with a collection of exclusive rights to the program.^[5] These rights include the right to make copies, including copies made into the computer’s RAM (unless creating such a copy is essential for using the program).^[6] Since the decompilation process involves making multiple such copies, it is generally prohibited without the authorization of the copyright holder. However, because decompilation is often a necessary step in achieving software interoperability, copyright laws in both the United States and Europe permit decompilation to a limited extent.

In the United States, the copyright fair use defence has been successfully invoked in decompilation cases. For example, in Sega v. Accolade , the court held that Accolade could lawfully engage in decompilation in order to circumvent the software locking mechanism used by Sega's game consoles.^[7] Additionally, the Digital Millennium Copyright Act (PUBLIC LAW 105–304^[8]) has proper exemptions for both Security Testing and Evaluation in §1201(i), and Reverse Engineering in §1201(f).^[9]

In Europe, the 1991 Software Directive explicitly provides for a right to decompile in order to achieve interoperability. The result of a heated debate between, on the one side, software protectionists, and, on the other, academics as well as independent software developers, Article 6 permits decompilation only if a number of conditions are met:

First, a person or entity must have a licence to use the program to be decompiled.
Second, decompilation must be necessary to achieve interoperability with the target program or other programs. Interoperability information should therefore not be readily available, such as through manuals or API documentation. This is an important limitation. The necessity must be proven by the decompiler. The purpose of this important limitation is primarily to provide an incentive for developers to document and disclose their products' interoperability information.^[10]
Third, the decompilation process must, if possible, be confined to the parts of the target program relevant to interoperability. Since one of the purposes of decompilation is to gain an understanding of the program structure, this third limitation may be difficult to meet. Again, the burden of proof is on the decompiler.

In addition, Article 6 prescribes that the information obtained through decompilation may not be used for other purposes and that it may not be given to others.

Overall, the decompilation right provided by Article 6 codifies what is claimed to be common practice in the software industry. Few European lawsuits are known to have emerged from the decompilation right. This could be interpreted as meaning one of three things:

) the decompilation right is not used frequently and the decompilation right may therefore have been unnecessary,
) the decompilation right functions well and provides sufficient legal certainty not to give rise to legal disputes or
) illegal decompilation goes largely undetected.

In a report of 2000 regarding implementation of the Software Directive by the European member states, the European Commission seemed to support the second interpretation.^[11]

Related Research Articles

In computer programming, assembly language, often referred to simply as assembly and commonly abbreviated as ASM or asm, is any low-level programming language with a very strong correspondence between the instructions in the language and the architecture's machine code instructions. Assembly language usually has one statement per machine instruction (1:1), but constants, comments, assembler directives, symbolic labels of, e.g., memory locations, registers, and macros are generally also supported.

A computer program is a sequence or set of instructions in a programming language for a computer to execute. It is one component of software, which also includes documentation and other intangible components.

In software development, obfuscation is the practice of creating source or machine code that is intentionally difficult for humans or computers to understand. Similar to obfuscation in natural language, code obfuscation may involve using unnecessarily roundabout ways to write statements. Programmers often obfuscate code to conceal its purpose, logic, or embedded values. The primary reasons for doing so are to prevent tampering, deter reverse engineering, or to create a puzzle or recreational challenge to deobfuscate the code, a challange often included in crackmes. Whlie obfuscation can be done manually, it is more commonly performed using obfuscators.

SoftICE is a kernel mode debugger for DOS and Windows up to Windows XP. It is designed to run underneath Windows, so that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. Due to its low-level capabilities, SoftICE is also popular as a software cracking tool.

A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. The output of disassembly is typically formatted for human-readability rather than for input to an assembler, making disassemblers primarily a reverse-engineering tool. Common uses include analyzing the output of high-level programming language compilers and their optimizations, recovering source code when the original is lost, performing malware analysis, modifying software, and software cracking.

Bytecode is a form of instruction set designed for efficient execution by a software interpreter. Unlike human-readable source code, bytecodes are compact numeric codes, constants, and references that encode the result of compiler parsing and performing semantic analysis of things like type, scope, and nesting depths of program objects.

Transmeta Corporation was an American fabless semiconductor company based in Santa Clara, California. It developed low power x86 compatible microprocessors based on a VLIW core and a software layer called Code Morphing Software.

A low-level programming language is a programming language that provides little or no abstraction from a computer's instruction set architecture; commands or functions in the language are structurally similar to a processor's instructions. Generally, this refers to either machine code or assembly language. Because of the low abstraction between the language and machine language, low-level languages are sometimes described as being "close to the hardware". Programs written in low-level languages tend to be relatively non-portable, due to being optimized for a certain type of system architecture.

x86 assembly language is a family of low-level programming languages that are used to produce object code for the x86 class of processors. These languages provide backward compatibility with CPUs dating back to the Intel 8008 microprocessor, introduced in April 1972. As assembly languages, they are closely tied to the architecture's machine code instructions, allowing for precise control over hardware.

In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code.

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

<span class="mw-page-title-main">Interactive Disassembler</span> Software reverse engineering tool

The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It can also be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in, which generates a high level, C source code-like representation of the analysed program, is available at extra cost.

In computer science, instruction selection is the stage of a compiler backend that transforms its middle-level intermediate representation (IR) into a low-level IR. In a typical compiler, instruction selection precedes both instruction scheduling and register allocation; hence its output IR has an infinite set of pseudo-registers and may still be – and typically is – subject to peephole optimization. Otherwise, it closely resembles the target machine code, bytecode, or assembly language.

In the x86 architecture, the CPUID instruction is a processor supplementary instruction allowing software to discover details of the processor. It was introduced by Intel in 1993 with the launch of the Pentium and SL-enhanced 486 processors.

On many computer operating systems, a computer process terminates its execution by making an exit system call. More generally, an exit in a multithreading environment means that a thread of execution has stopped running. For resource management, the operating system reclaims resources that were used by the process. The process is said to be a dead process after it terminates.

This article describes the calling conventions used when programming x86 architecture microprocessors.

Vault Corporation v Quaid Software Ltd. 847 F.2d 255 is a case heard by the United States Court of Appeals for the Fifth Circuit that tested the extent of software copyright. The court held that making RAM copies as an essential step in utilizing software was permissible under §117 of the Copyright Act even if they are used for a purpose that the copyright holder did not intend. It also applied the "substantial noninfringing uses" test from Sony Corp. of America v. Universal City Studios, Inc. to hold that Quaid's software, which defeated Vault's copy protection mechanism, did not make Quaid liable for contributory infringement. It held that Quaid's software was not a derivative work of Vault's software, despite having approximately 30 characters of source code in common. Finally, it held that the Louisiana Software License Enforcement Act clause permitting a copyright holder to prohibit software decompilation or disassembly was preempted by the Copyright Act, and was therefore unenforceable.

<span class="mw-page-title-main">Cosmos (operating system)</span> Toolkit for building GUI and command-line based operating systems

C# Open Source Managed Operating System (Cosmos) is a toolkit for building GUI and command-line based operating systems, written mostly in the programming language C# and small amounts of a high-level assembly language named X#. Cosmos is a backronym, in that the acronym was chosen before the meaning. It is open-source software released under a BSD license.

Reverse engineering is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accomplishes a task with very little insight into exactly how it does so. Depending on the system under consideration and the technologies employed, the knowledge gained during reverse engineering can help with repurposing obsolete objects, doing security analysis, or learning how something works.

JD is a decompiler for the Java programming language. JD is provided as a GUI tool as well as in the form of plug-ins for the Eclipse (JD-Eclipse) and IntelliJ IDEA (JD-IntelliJ) integrated development environments.

References

↑ Cifuentes, Cristina; Gough, K. John (July 1995). "Decompilation of Binary Programs". Software: Practice and Experience. 25 (7): 811–829. CiteSeerX 10.1.1.14.8073 . doi:10.1002/spe.4380250706. S2CID 8229401.
↑ Mycroft, Alan (1999). "Type-Based Decompilation". In Swierstra, S. Doaitse (ed.). Programming languages and systems: 8th European Symposium on Programming Languages and Systems. Springer-Verlag. pp. 208–223. ISBN 3-540-65699-5.
↑ Cifuentes, Cristina (1994). "Chapter 6". Reverse Compilation Techniques (PDF) (PhD thesis). Queensland University of Technology. Archived (PDF) from the original on 2016-11-22. Retrieved 2019-12-21.)
↑ Tian, Yuandong; Fu, Cheng (2021-01-27). "Introducing N-Bref: a neural-based decompiler framework" . Retrieved 2022-12-30.
↑ Rowland, Diane (2005). Information technology law (3 ed.). Cavendish. ISBN 1-85941-756-6.
↑ "U.S. Copyright Office - Copyright Law: Chapter 1". Archived from the original on 2017-12-25. Retrieved 2014-04-10.
↑ "The Legality of Decompilation". Program-transformation.org. 2004-12-03. Archived from the original on 2010-09-22. Retrieved 2010-09-15.
↑ "Digital Millennium Copyright Act" (PDF). US Congress. 1998-10-28. Archived (PDF) from the original on 2013-12-10. Retrieved 2013-11-15.
↑ "Federal Register :: Request Access". 2018-10-26. Archived from the original on 2022-01-25. Retrieved 2021-01-31.
↑ Czarnota, Bridget; Hart, Robert J. (1991). Legal protection of computer programs in Europe: a guide to the EC directive. London: Butterworths Tolley. ISBN 0-40600542-7.
↑ "Report from the Commission to the Council, the European Parliament and the Economic and Social Committee on the implementation and effects of Directive 91/250/EEC on the legal protection of computer programs". Archived from the original on 2020-12-04. Retrieved 2020-12-26.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Cifuentes_1995-1] Cifuentes, Cristina; Gough, K. John (July 1995). "Decompilation of Binary Programs". Software: Practice and Experience. 25 (7): 811–829. CiteSeerX 10.1.1.14.8073 . doi:10.1002/spe.4380250706. S2CID 8229401.

[Mycroft_1999-2] Mycroft, Alan (1999). "Type-Based Decompilation". In Swierstra, S. Doaitse (ed.). Programming languages and systems: 8th European Symposium on Programming Languages and Systems. Springer-Verlag. pp. 208–223. ISBN 3-540-65699-5.

[Cifuentes_1994-3] Cifuentes, Cristina (1994). "Chapter 6". Reverse Compilation Techniques (PDF) (PhD thesis). Queensland University of Technology. Archived (PDF) from the original on 2016-11-22. Retrieved 2019-12-21.)

[Meta-4] Tian, Yuandong; Fu, Cheng (2021-01-27). "Introducing N-Bref: a neural-based decompiler framework" . Retrieved 2022-12-30.

[Rowland_2005-5] Rowland, Diane (2005). Information technology law (3 ed.). Cavendish. ISBN 1-85941-756-6.

[Law-6] "U.S. Copyright Office - Copyright Law: Chapter 1". Archived from the original on 2017-12-25. Retrieved 2014-04-10.

[PT_2004-7] "The Legality of Decompilation". Program-transformation.org. 2004-12-03. Archived from the original on 2010-09-22. Retrieved 2010-09-15.

[DMCA_1998-8] "Digital Millennium Copyright Act" (PDF). US Congress. 1998-10-28. Archived (PDF) from the original on 2013-12-10. Retrieved 2013-11-15.

[QQVDZ-9] "Federal Register :: Request Access". 2018-10-26. Archived from the original on 2022-01-25. Retrieved 2021-01-31.

[Czarnota_1991-10] Czarnota, Bridget; Hart, Robert J. (1991). Legal protection of computer programs in Europe: a guide to the EC directive. London: Butterworths Tolley. ISBN 0-40600542-7.

[EU-11] "Report from the Commission to the Council, the European Parliament and the Economic and Social Committee on the implementation and effects of Directive 91/250/EEC on the legal protection of computer programs". Archived from the original on 2020-12-04. Retrieved 2020-12-26.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]