RecStudio
RecStudio is a Windows graphical user interface to the REC decompilation engine.
RecStudio integrates access to all the different configuration and support files used by the REC engine to improve the result of the decompilation process.
RecStudio User Interface
Here is a screen snapshot of RecStudio:
On the left, the Project view is used to quickly browse through the decompiled code (Procedures) as well as other high-level information.
The Command view (on the bottom) is used to enter commands or to include commands from a text script. The main view is where the decompiled information is shown.
The following information can be accessed through the items in the "View" menu:
- List of Symbols from binary file
- List of detected Procedures
- List of detected Regions
- File (Sections) Map
- List of detected Strings
- List of imported Types
These lists constitute the REC database. The database is used by the decompiler to improve the quality of the output. REC will fill the database automatically the first time an executable file is opened. Right-clicking on the main window allows the user to modify some of the information contained in the REC database. More advanced information (type definitions and function prototypes) can be loaded from object files compiled with debug information (for example using "gcc -g").
The information in the REC database can be saved in a Project file.
Project files are text files that can be manually edited and reloaded in a subsequent decompilation session.
A project file integrates the various pattern, type and command files used in previous versions of REC.
Using RecStudio
The first step to decompilation is to load the executable file into RecStudio.
Use the "File+New Project..." menu to locate the file you want to decompile.
If you already saved the information from a previous decompilation session, use the "File+Open Project..." menu to load the project file. If loading an executable file, REC will attempt to detect which areas of the executable file are code and which are data. Additionally, ASCII strings and procedure entry points are detected.
This process can take a few minutes, depending on the size of the file you are decompiling, and on the speed and memory size of the host processor.
When REC has finished extracting the information, the Project view will show an outline of the binary file. Also, the items in the "View" menu are now enabled. The list of detected procedures is shown in the Project view, or, with more details, in the window opened by the menu "View+Procedures":
Double-clicking on a procedure entry in the list will show the decompiled code for that procedure.
As can be seen from the first image, the decompilation process can only show fake names for addresses and local variables. Many times the decompiler will not be able to decide whether a temporary variable has been generated by the compiler or is a true local variable from the original source (for example the "eax" register in the first image should have been removed by the decompiler). If the executable file has symbolic information, the procedure list will show the names and arguments in the procedure code and possibly local variables will have the correct name and types.
We can quickly switch between the C-like decompiled code and the disassembly code by using the "Decompiler+View Decompiled Code" menu item (or by hitting F11) and the "Decompiler+View as Disassembly" menu item (or by hitting Ctrl+F11).
If, by looking at the decompiled code, the user is able to determine the name of a function or of a parameter, then information about the procedure can be changed in the Procedure window (or by editing the Project file and reloading the project into RecStudio).
By iteratively inspecting the decompiled code and providing more information, the quality of the code will improve dramatically. Sometimes the decompiler is not able to decide whether an area of the binary file is code or data. If, by looking at the decompiled code, the user determines that an area has been treated as code but it is in reality a data area, the user can change the list of regions in the project file (the lines starting with "region: "), or in the region list using the "View+Regions" menu item:
The same process can be used to improve the information about ASCII strings detected by the decompiler. The string information can be accessed via the "View+Strings" menu item, or through the lines marked "string: " in the project file:
Complex types (structures, array, typedefs etc.) can be provided in a prototype file (specified by the "type: " commands in the project file). You can see the list of types currently known by REC using the "View+Type Table" menu item:
Double-clicking on a type name will show the definition of that type.
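To make the project-file mechanism concrete, here is an added example (not REC's or RecStudio's own code) of a small parser for the "region: ", "string: " and "type: " lines this section describes. The page does not document the fields that follow each prefix, so the layout used here (start address, end address and code/data for a region; address and quoted text for a string; a file name for a type) and the sample lines themselves are constructed assumptions. The example also runs the two sanity checks a reverser wants before reloading an edited project: regions whose address ranges overlap, and strings recorded at an address the region list currently marks as code, which is exactly the code/data confusion the text describes.

```python
import re
from dataclasses import dataclass

# Constructed sample of project-file lines. The field layout after each prefix
# is an assumption for this example, not REC's documented format.
SAMPLE_PROJECT = """\
# constructed sample, not a real REC project file
region: 0x401000 0x402000 code
region: 0x402000 0x403000 data
region: 0x402800 0x402900 code
string: 0x402010 "usage: demo [options]"
string: 0x402820 "build: demo-1.0"
region: 0x500000 0x500000 data
type: demo_types.h
"""

@dataclass(frozen=True)
class Region:
    start: int   # inclusive
    end: int     # exclusive
    kind: str    # "code" or "data"

@dataclass(frozen=True)
class String:
    addr: int
    text: str

HEX = r'(0x[0-9a-fA-F]+)'
REGION_RE = re.compile(r'^region:\s+' + HEX + r'\s+' + HEX + r'\s+(code|data)\s*$')
STRING_RE = re.compile(r'^string:\s+' + HEX + r'\s+"(.*)"\s*$')
TYPE_RE = re.compile(r'^type:\s+(\S+)\s*$')

def parse_project(text):
    """Parse region/string/type lines; unknown or malformed lines are reported, not fatal."""
    regions, strings, types, errors = [], [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if m := REGION_RE.match(line):
            start, end = int(m[1], 16), int(m[2], 16)
            if end <= start:
                errors.append((lineno, 'empty or inverted region'))
                continue
            regions.append(Region(start, end, m[3]))
        elif m := STRING_RE.match(line):
            strings.append(String(int(m[1], 16), m[2]))
        elif m := TYPE_RE.match(line):
            types.append(m[1])
        else:
            errors.append((lineno, 'unrecognised line: ' + line))
    return {'regions': regions, 'strings': strings, 'types': types, 'errors': errors}

def find_overlaps(regions):
    """Return pairs of regions whose address ranges intersect."""
    out = []
    ordered = sorted(regions, key=lambda r: r.start)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break            # later regions start even further right
            out.append((a, b))
    return out

def classify(regions, addr):
    """Return 'code', 'data' or None for an address; a later region overrides an earlier one."""
    kind = None
    for r in regions:
        if r.start <= addr < r.end:
            kind = r.kind
    return kind

def strings_inside_code(project):
    """Strings whose address the region list currently classifies as code."""
    return [s for s in project['strings'] if classify(project['regions'], s.addr) == 'code']

if __name__ == '__main__':
    proj = parse_project(SAMPLE_PROJECT)
    print(f"{len(proj['regions'])} regions, {len(proj['strings'])} strings, {len(proj['types'])} type files")
    for lineno, msg in proj['errors']:
        print(f'line {lineno}: {msg}')
    for a, b in find_overlaps(proj['regions']):
        print(f'overlap: {a.kind} {a.start:#x}-{a.end:#x} vs {b.kind} {b.start:#x}-{b.end:#x}')
    for s in strings_inside_code(proj):
        print(f'string at {s.addr:#x} lies in a code region: {s.text!r}')
```

Run on the constructed sample, the parser flags the empty region on line 7, reports that the third region overlaps the data region, and lists the string at 0x402820 as sitting inside an area now marked as code, which is the case where the user would either shrink the code region or reclassify it as data before reloading the project.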
After enough information has been discovered about the binary file, it is possible to decompile the entire binary file to a text file using the "Decompile+Save file..." menu item. Similarly, the entire binary file can be disassembled to a text file using the "Decompile+Save Disassembly..." menu item.
Remember to save the information you entered during the decompilation session by using the "File+Save Project" menu item.
Multiple binary files can be decompiled in batch mode. This feature is mostly used to debug the decompiler, but it can also be used by end users after a new version of the decompiler has become available to re-create decompiled files. The "File+Run Batch File..." menu item will load a text file with a list of binary files or project files to be automatically processed. See the file "tests.rbt" in the tests directory for a sample batch file.
From version 2.1 it's possible once again to run the decompiler in batch mode. When you provide the +batch option followed by a batch file name (same as provided to the "File+Run Batch File..." menu in interactive mode) the decompiler will automatically decompile all files listed in the batch file and then exit.
While RecStudio is a significant improvement over the previous REC user interface, the REC decompilation engine has been changed only slightly. More advanced algorithms can be implemented in the engine to improve the quality of the output.
Boomerang is an open-source decompiler under development that uses more advanced techniques to solve the problem of general decompilation of binary programs.
Copyright © 2005 - 2007 Backer Street Software - All rights reserved.