REC - Reverse Engineering Compiler User's Manual
Home Page |
User's Manual
REC is invoked with the following command line syntax:
rec [{+|-}optionname ...] exec_file
To activate an option, precede its name with a + (plus) sign. To disable
an option, precede it with a - (minus) sign. To get the list of all the
options and their current value, type:
rec +help
The minimum input to REC is the binary executable file. For example:
rec file.exe
If file.exe is in one of the recognized formats, it will be read,
and a file.rec will be produced using the default options, without
further intervention from the user.
REC can operate in three modes:
-
batch mode : by default, the user must provide an executable or
command file name when invoking REC. This file will be opened and analyzed,
and an output file with the same name as the input file and extension .rec
is produced, without further intervention by the user.
-
full screen interactive mode: in this mode, the user can interactively
analyze the input file by disassembling or decompiling individual procedures.
The user has also access to an hexadecimal viewer, and he or she can view
some of the data that REC uses internally, such as the list of strings,
labels, procedures etc. REC enters interactive mode when invoked from the
command line with the +interactive option.
-
HTML generation mode: in this mode REC reads the standard input
for commands, and generates an HTML page as the result of each command
typed. This mode is used on UNIX to allow a web browser like Netscape to
act as the user interface of the decompiler. A proxy program is needed
to translate the browser's requests into REC's standard input commands.
Check the HTTP Server setup page for a
description of how to use this mode.
REC uses HTML generation mode when invoked from the command line with the
+html option.
The other options are used to debug the program, or to tune its output.
A complete list of the options requires an understanding of the algorithms
and phases that REC performs to transform an executable file in a source
file. If you don't know the meaning of one option, you can experiment by
enabling it and check if the output is clearer. Note that some option is
only valid if another option is enabled.
The same set of options is available regardless of the host/target combination.
Interactive mode is used to analyze the program being decompiled. This
mode is useful to access the hexadecimal viewer, and to inspect many of
the internal lists maintained by REC, such as the strings list, the labels
list, etc.
To use REC in interactive mode, the user must invoke it with the following
command line:
rec +interactive file.exe
REC will start analyzing file.exe to find which area contains strings,
code and data. It will also build the list of labels and branches, and
then will try to build a list of the procedures contained in the program.
After this phase, the main menu will be presented:
Reverse Engineering Compiler 1.4 (C) Giampiero Caprino (Nov. 15
1998)
r : show regions
d : dump regions
l : show labels
b : show branches
j : show jump tables
s : show strings
y : show symbols
p : show procedures
o : show options
D : hexdump file
Q : quit program
REC's user interface is based on a simple list browser. The user can
type the following keys while in the list browser:
-
Up arrow or BS key : moves the cursor one line up
-
Down arrow or Enter key : moves the cursor one line down
-
Page Up or Ctrl-B key : shows the previous page
-
Page Down or Ctrl-F key : shows the next page
-
Right arrow when cursor is on a highlighted word: executes the command
associated with the word
-
If there is a menu, typing any highlighted letter from the menu executes
the command associated with the letter
-
Left arrow or 'Q' or ESCape key exits the current screen
and returns to the previous screen
-
The exclamation mark '!' is used to request the evaluation of numeric
expressions
-
The forward slash '/' character is used to search a string in the current
list. The question mark '?' character searches a string bacwards.
The 'n' character repeats the last search in the same direction.
The 'N' character repeats the last search in the opposite direction.
Region List
The region list shows how the input file is organized. Structured files
formats, like COFF and ELF have separate areas for code, data and auxiliary
information. The region list shows which area REC will consider for decompilation
(marked with the text type), and which areas will be searched for
ASCII strings (marked with the data type).
The user can force REC to consider a file region to be text or data
via the command file region: command.
Labels List
The labels list shows all the addresses that are the destination of a branch
or call instruction. This list is used when building the procedure list.
If REC incorrectly treats a data area as a text area, it can create labels
that are not part of any text region. This usually causes an incorrect
procedure list. The user can then change the region list until all incorrect
labels are eliminated.
Branch List
The branch list shows all the addresses that have a branch, call or return
instruction. This list is used when building the procedure list.
If REC incorrectly treats a data area as a text area, it can create branches
whose destination is not part of any text region. This usually causes an
incorrect procedure list. The user can then change the region list until
all incorrect branches are eliminated.
Jump Table List
The jump table list shows all those areas that may contain a table of addresses
inside a text region. These are usually generated when compiling switch()
statements. It is important that REC recognizes these tables because the
control flow analyzer depends on this data to identify all the instructions
of a procedure, and also to avoid treating data bytes as instructions.
Strings List
The string list shows those portions of data regions that may have ASCII
strings. These strings will then be used as parameter to functions like
printf() and strcpy(), among the others.
Symbols List
This list shows every symbolic name associated with addresses. These
are usually names of procedures (belonging to a text region) or names of
global variables (belonging to a data region). The symbol names and addresses
are taken from the file's symbol table, if available. The symbol list also
shows the list of imported symbols (from a types: or prototype
file), and the list of user specified symbols (entered via the symbol: command
in a .cmd file).
Procedure List
The procedure list shows all the addresses where REC has identified
a user procedure. Some of these addresses may come from the Symbols List,
in which case the name of the procedure is also shown. For static functions
and for files without a symbol table, the entry point of the procedure
is used as its name.
Options List
The option list allows the user to enable or disable each option.
Some options are used to produce a better output, some to enable alternative
analysis algorithms, and some enable internal debugging features.
Hexdump Viewer
The hexdump viewer shows the content of the input file in hexadecimal,
one page at a time. The usual cursor movement characters can be used to
navigate through the dump. This mode is very useful to look at areas
that REC has not recognized as code or data.
The following block diagram shows REC's interaction with the
files it uses/produces:
The minimum input to REC is the binary executable file. For example:
rec file.exe
If file.exe is in one of the recognized formats, it will be read,
and a file.rec will be produced using the default options, without
further intervention from the user.
However, since decompilation is a very difficult process, the more additional
information can be provided by the user, the better the output.
For example, alternative algorithms could be selected, based on the
compiler used to compile the executabile file, or based on readability
or output preferences. To change any of the default options, the content
of the file .recrc (rec.cfg on MSDOS and Windows) is
read. Each line in this file contains an option, as if that option was
entered on the command line. For example, if you always want REC to start
in interactive mode and to always print numeric constants in hexadecimal,
use the following lines in the .recrc file:
+interactive
+hexconst
These options can be overridden by command line options. For example, to
run REC in batch mode even though the .recrc has a +interactive
option, invoke REC with the following command line:
rec -interactive file.exe
A type file is used to tell REC the name and declaration of
high-level objects, like struct, union, array and functions.
By providing a type file, the user can improve the readability of
the generated output, because variables will have symbolic names.
This is particularly useful to specify the name, type and number of
function parameters. A number of type files for several Linux and Windows
system calls are provided from the download page.
To use the prototype files, you either need to specify them using
the types: command of a .cmd file, or by adding their
pathname to the proto.lst file, and put this file in the same
directory where REC is run from.
|
Command Files and handling unrecognized formats |
The input file could be in a format not yet recognized by REC.
In this case, REC has no knowledge of which areas of the file contain data,
which contain code and which contain auxiliary information. In this case,
REC can be given this information in an ASCII file, called a command file.
In this command file, a lot more information can be provided, including
predefined types, addresses of functions and configuration options. For
example, REC could be invoked with the following command line:
rec file.cmd
where file.cmd has the following content:
#!wrec
option: +hexconst
types: string.o
types: stdio.o
file: file.exe 0x50 0x53
region: 0x80100000 0x801009b4 0x800 data
region: 0x801009b4 0x8010c1e8 0x11b4 text
region: 0x8010c1e8 0x80120800 0xc888 data
symbol: 0x80107fe0, 0x80108077 T CrearImage()
symbol: 0x80108078, 0x801080d7 T LoadImage(char *, int, int)
symbol: 0x801080d8, 0x8010813b T StoreImage()
symbol: 0x8010813c, 0x801081ff T MoveImage(char *, int, int)
patterns: libmips.pat
The file starts with a magic-id : #!wrec. This must be on the
first line. Each line contains one command followed by a colon sign (:)
and by some arguments. Comments are preceded by a '#' character. The remainder
of the line after the '#' is ignored.
Each of the option: command sets one of REC's options. These
options override those provided on the command line.
The types: commands specify one or more ELF files with STAB
symbolic information. This file is read to get predefined types and function
prototypes. To create a types file, you can simply use Linux' system compiler
(or gcc on a Solaris system) with the -g option. For example,
to let REC know the types of the functions defined in the string.h
header file, you can compile the following C source with the command line
"gcc -g -c string.c":
/* string.c - types defined by string.h */
char *strcmp(const char *s1, const char *s2) { }
char *strncmp(const char *s1, const char *s2, int len) { }
char *strcpy(char *dst, const char *src) { }
char *strchr(const char *, int ch) { }
....
REC will add the prototype information to the symbols specified by the
symbol:
commands or to those found by the patterns: command. The actual
code for the compiled functions is ignored, as well as their addresses.
Note that the compiler will not generate symbolic information for functions
that are not defined in the file, hence the { } at the end of
each function.
The file: command specifies the binary file to be loaded. There
should be only one file: command. After the file name, the magic
argument specifies an optional identifier that must be present at the beginning
of the file (magic number).
The region: commands specify the layout of the binary file.
The arguments are the start and end memory address at which the code and
data will be loaded into memory, and the file offset where the section
starts. Note that no actual loading occurs. The addresses are only used
for informational purposes (they must be correct for call statements to
be meaningful). The last argument is the region type, and affects the operation
performed on the content of the region. Only text regions are considered
for decompilation. Data regions are scanned to find ASCII strings and generic
pointers.
In the example:
region: 0x80100000 0x801009b4 0x800 data
start addr end addr region offset type
The symbol: commands specify starting and ending addresses of
functions, along with a symbolic name and possibly a list of parameters
for the function. The ending address is optional, and can be computed by
REC automatically (see later). Also the ANSI-C style prototype is optional,
and actually its use is discouraged, as types should be defined in a type
file (see the types: command later). It is better to simply specify
that the symbol is a function by adding ( ).
The patterns: commands specify one or more files containing
a list of hex strings (pattern) and symbolic names. REC will search in
the executable file for each pattern, and when found, it will assign the
symbolic name associated with the pattern to the address where the pattern
begins. The following is an example of a pattern file:
open() size: 16
A0 00 0A 24 08 00 40 01
00 00 09 24 00 00 00 00
;
lseek() size: 16
A0 00 0A 24 08 00 40 01 01 00 09 24 00 00 00 00
;
...
Each pattern can be up to 256 bytes. These patterns are sometimes called
signatures
in the literature. The size: option tells REC how many bytes the
function occupies in the binary file. For example, you can specify a 16
bytes pattern for a 3000 bytes function.
When the end of the command file is reached, and/or when REC
has finished analyzing the executable file, it will either enter interactive
mode, or it will process the entire executable file. Currently there can
be two types of output:
-
If the +disasmonly option was specified, a file with the .dis
extension will be produced. In this file, every region with the text
attribute will be disassembled, and every region with the data
attribute will be hexdumped.
-
Without any option, a file with the .rec extension will be produced
with a C-like representation of each procedure in each text
section. The C-like representation is not perfect, and cannot be fed to
a compiler to recreate the original binary. Its goal is to provide the
user a better understanding of the structure of the program. The following
is an example of the C-like output:
hexdump(char * fname)
{
unsigned char buff[16];
unsigned long offset;
struct _IO_FILE* fp;
struct stat st;
int cnt;
if(stat(fname, & st) != 0) {
fp = fopen(fname, "rb");
if(fp != 0) {
offset = 0;
L08048867:
if(st.st_size > offset) {
cnt = fread( & buff, 1, 16, fp);
if(cnt != 0) {
dumpline( & buff, offset, cnt);
offset = offset + cnt;
goto L08048867;
}
} else {
}
fclose(fp);
eax = 0;
} else {
perror(fname);
eax = 1;
}
} else {
perror(fname);
eax = 1;
}
}
Additional output files could be produced if any of the debugging options
were enabled. These files are used to produce the intermediate representation
of the decompiled file during different stages of the decompilation process.
The following is a list of all the options supported by REC.
The options are presented in hierarchical order. This means that some options
are meaningful only if the parent option has been enabled.
-
+/-help
this option simply prints the list of all the options and their current
value on the standard output, and then exits REC.
-
+/-interactive
disable/enable interactive mode. When in interactive mode, no output
file is generated. However, you can see internal information (such as the
label list, the branch list, the string list etc.), invoke an interactive
hexdump, and decompile individual procedures in random order.
-
+/-html
disable/enable HTML generation mode. This mode is only useful if REC was
called from a CGI script that acts as an HTTP server. REC will read commands
from the standard input, and produce an HTML page after each command.
-
+/-silent
this option will disable the output of the trace information during
the decompilation process. If this option is disabled, REC prints the current
activity on the standard output.
-
+/-validatestr
this option enables the analysis of the input file data areas to detect
ASCII strings.
-
+/-dfoprocs
this option is used to tell REC to only decompile procedures that can
be reached from the entry point. The order used by REC is bottom-up, that
is the deepest procedure (the farthest from the entry point) is decompiled
first; the entry procedure is decompiled last. This allows more accurate
acquisition of information such as the number and types of each procedure's
parameter.
-
+/-locals
this option enables/disables the conversion of stack and register references
to procedure arguments and local variables.
-
+/-rdonly
this option tries to substitute register references when the only assignment
to the register is that of a formal parameter
-
+/-simplifyexprs
when this is enabled, processor idioms are converted in more regular
expressions. For example, an instruction such as "EAX = EAX ^ EAX"
is converted into the expression "EAX = 0". This helps the data
flow analyzer.
-
+/-doblocks
this options builds the control-flow graph for each procedure. It must
be enabled for the data flow analyzer (+compsets option) to work correctly.
-
+/-compsets
this options enables/disables the register lifetime analysis. This
analysis greatly helps in elimination of register variables by the following
pass. If it is disabled, most if not all the produced C expressions will
use a lot of register references.
-
+/-compactexprs
this option enables the elimination of register temporary variables,
and the creation of complex expressions. The number of output statements
is greatily reduced by this option, but the complexity of each statement
increases.
For example, the following instructions:
EAX = 1;
EAX = EAX + *EBX;
PUSH(EAX);
CALL 0x1000
can be compacted into the following expression:
L1000(1 + *EBX);
+/-types
this option enables variable's type detection. Type detection is only
partially implemented at this time.
+/-compactifs
This option converts sequences of compare+branchcondition instructions
into if-goto-else-goto statements. This is the first stage where actual
C code can be produced. The following stages only try to better structure
the output by using more complex C statements.
+/-displaylabels
When this option is enabled, labels are always printed in the output,
even if there is no goto statement to that address. This is useful to compare
the C output with the disassembler output.
+/-dostmts
This option enables/disables the structurization of the output in more
complex C statements. Each type of C statement can also be individually
enabled or disabled.
+/-donullgotos
This option enables REC to remove goto statements that jump to the
next (sequential) statement.
+/-doifs
during the generation of C statements, the if statement is always represented
as a sequence of if-goto-else-goto. This representation simplifies moving
if statements around. When this option is enabled, REC tries to remove
the goto statement inside the true and false blocks by sustituting code
from the destination of the goto statement, or by removing the else part
altogether.
+/-doloops
when this option is enabled, loop analysis is used to substitute if-goto
statements into while or do-while statements.
+/-dowhile
enable/disable while statement detection.
+/-dofor
when this option is enabled, REC tries to compact while or do-while
statements into a single for statement.
+/-dopackloops
this option enables the rewriting of endless while loops into do-while
loops, when an if statement at the end of the while block would cause the
loop to either continue or end.
+/-dopackstmt
this option enables REC to compact statements, primarily if statements.
For example, boolean && and || conditions are
used to merge two consecutive if statements. Also, the conditional assignment
operator (? :) is created when there is a sequence if(e1)
v = e2; else v = e3; This option can create very good looking output.
+/-doswitch
enable/disable switch statement detection
+/-dosort
this option tries to reduce the depth of conditional statements by
rearranging compound statements blocks in the output.
+/-flag16
this option forces the i386 disassembler to work in real-mode (16-bit
mode) as opposed to the default protected (32-bit) mode. This option is
only valid when decompiling x86 files.
+/-int16
this option specifies that integer are 16 bits instead of 32 (default).
This is useful for older targets like 8086 or Macintosh's 68000.
I might add more options as I add other features.
TODO List:
Things that I still need to add (I'm working on them in my spare time):
-
Automatic detection of parameters. This is made more difficult by the fact
that on MIPS 4 parameters are passed in register, and the other are passed
on the stack.
-
Automatic detection of local variables. This is not very difficult on MIPS
and PowerPC, since they use a fixed stack pointer. It's more difficult
for i386 and mc68k, which have a variable-size stack frame.
-
Automatic detection of variable types.
-
Removal of all registers from expressions.
Copyright © 1997 - 2007 Backer Street Software --
All right reserved.
Last revised on 10 Mar. 1999
Home Page |
User's Guide