MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
Posted: Thu Oct 02, 2003 5:09 am
Post subject: Decompiler Markup Language
OK, here is an idea that I had... In order to keep consistency among all of the people developing decompilers, I wanted to propose a DML, or Decompiler MarkUp Language. It would be an XML language that would basically tell a program how to parse [at the minimum] a VB exe file...
Using includes and such we could make custom structs that are essentially dynamic...
I am starting it right now... Let me know your guys' opinions as to whether you would use such a thing or not...
-MrU

Anonymous New User
Joined: 10 Feb 2008 Posts: 0
Posted: Thu Oct 02, 2003 9:31 am
Sounds very good.
It would be "universal", because for a tool using such a DML file it does not matter what to parse.
Maybe there is such a (similar) tool somewhere already.
1) What about placing decompiled parts in different files?
Their names will be known during processing...

Anonymous New User
Joined: 10 Feb 2008 Posts: 0
Posted: Thu Oct 02, 2003 10:57 am
Some parts of the processing require specific algorithms.
So for the tool to be universal it MUST (?) contain some scripting language capable of processing bit operations.
The more I think, the more boring it seems to me.
Have I missed something?

golem Often here
Joined: 18 Nov 2002 Posts: 73
Posted: Thu Oct 02, 2003 4:17 pm
Maybe you have heard of golems_Folly and this thing called golem Definition Language (gDL)?
gDL is dynamic (can be edited on the fly), integrated (treats the source code/structures as a database), heuristic (automatically sees linkages/relationships with other structures AND automatically analyzes the validity of the field contents), visual (supports attributes permitting the intelligent viewing of structures/data item contents)...
What an original idea you have there Mr. Unleaded!
Carry on!
golem

MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
Posted: Fri Oct 03, 2003 1:11 am
golem wrote:
> Maybe you have heard of golems_Folly and this thing called golem Definition Language (gDL)?
> gDL is dynamic (can be edited on the fly), integrated (treats the source code/structures as a database), heuristic (automatically sees linkages/relationships with other structures AND automatically analyzes the validity of the field contents), visual (supports attributes permitting the intelligent viewing of structures/data item contents)...
> What an original idea you have there Mr. Unleaded!
> Carry on!
> golem

Ahh golem, haven't seen you in a while... I see that you've migrated to this board now... I still don't know what happened to decompiler.com.
I forgot that you had mentioned this gDL... You never really went very in depth with it from what I've read on decompiler... Since you have experience in this, would you like to share anything general, or specific, about it?
-MrU

golem Often here
Joined: 18 Nov 2002 Posts: 73
Posted: Sat Oct 04, 2003 4:46 pm
Migrated? No, just visiting... Don't really consider myself a 'member' of this MB... Though I don't have a problem with my logon have made yet another leap to a new MB, presumably from my originally signing up...
http://www.decompiler.com. What happened? Stanley basically abandoned us... Despite the great excitement when it first opened up, it rapidly went into decline because the underlying philosophy behind the MB was flawed...
Everyone who asked, regardless of their ability and their contributions to a/the decompiler, was made a moderator... I often got the impression that the entire setup was a honey pot... A culture of wannabeism was the dominant theme. Some of the guys with the least abilities or results were the most vocal in pushing for what they were interested in...
When I posted the first published sample output of a recovered project using golems_Folly... Let's just say the results were pretty laughable. Most of decompiler.com's members had absolutely NO IDEA of the significance of what had truly been accomplished.
My absolute favorite was the Moogster's comment that it looked pretty good except for a few errors when he loaded into his VB6 IDE, therefore had problems... Psst Moogman, it was VB5... and was flawless.
Actually, Mr. Unleaded, I have been lurking here all along... Monitoring what you guys have been up to... Looking for the MBs progress.
I have discussed gDL several times in the past. It was predictably of little interest or help on decompiler.com.
gDL, like COM, is an amazingly simple concept and is basically implemented as follows. Now keep in mind that golems_Folly lives in a VB5 runtime IDE environment and that is why it can be dynamically altered on the fly (or worst case, as in the redefinition of a core UDT, with a simple full recompile).
All of the VB program structures are defined via VB Type structures, for instance...
    Type Structure1
        Field1 as Long ' 0 LVA
        Field2 as Long ' 4 OVA
        Field3 as Guid_Type ' 8 GUID
        Field4 as String *2 '18
        Field5(15) as Integer '1A
    End Type
When golems_Folly is started up, it loads up and parses its own source code, cataloging all of the UDT structures. During the course of parsing the project to be analyzed (read the Exe at the heart of that specific project), as it comes to points where it reads the program structures, it both validates and sequentially logs the entries out to a .gLG log file; it also loads them into a parsed/cataloged structures array, using a process I have named Ghosting.
If you look at the hypothetical UDT structure... The offset is not an active field (Ghosting calculates its own), it is just for editing purposes in the IDE, but the VB types (Integer, Long, UDTs...) are actively interpreted and more importantly, the keyword based attribute type and other supporting info (following the UDT offset) is what makes the magic occur...
Once the Exe is fully parsed, you can examine the binary image either by looking at the .gLG output or by visually cruising the Exe, which uses the arrays; the gDL attributes control the field formatting, verify the links (points to other structures), etc...
Though executed in VB, this gDL concept with a little imagination and mental flexibility can be implemented in most any language...
Carry on!
golem
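
As an added illustration of the scheme golem outlines above (not golems_Folly's code, which the thread does not show), this Python sketch catalogs the posted Type definition, computes each field's offset itself, checks it against the offset noted in the comment, and decodes a constructed 58-byte sample into log lines. The names `catalog` and `ghost`, the size table (with `String * n` taken as n bytes), the comment grammar (hex offset, then an optional keyword) and the log line layout are all assumptions.

```python
import re
import struct

SIZES = {"Long": 4, "Integer": 2, "Guid_Type": 16}  # assumed; String * n is n bytes
FIELD = re.compile(r"^\s*(\w+)(?:\((\d+)\))?\s+as\s+(\w+)(?:\s*\*\s*(\d+))?"
                   r"\s*(?:'\s*([0-9A-Fa-f]+)\s*(\w+)?)?\s*$", re.I)

GDL_SOURCE = """Type Structure1
Field1 as Long ' 0 LVA
Field2 as Long ' 4 OVA
Field3 as Guid_Type ' 8 GUID
Field4 as String *2 '18
Field5(15) as Integer '1A
End Type"""
# Constructed sample instance, not taken from any real executable.
SAMPLE = struct.pack("<II16s2s16h", 0x00401000, 0x1234, bytes(range(16)), b"VB", *range(16))

def catalog(source):
    """Return {type: [(field, vbtype, offset, size, attr)]}; Field5(15) is 16 elements."""
    types, current, offset = {}, None, 0
    for line in source.splitlines():
        words = [w.lower() for w in line.split()]
        if len(words) == 2 and words[0] == "type":
            current, offset = types.setdefault(line.split()[1], []), 0
        elif words == ["end", "type"]:
            current = None
        elif current is not None and words:
            if not (m := FIELD.match(line)):
                raise ValueError(f"unparsed field line: {line!r}")
            name, upper, vbtype, strlen, noted, attr = m.groups()
            size = (int(strlen) if strlen else SIZES[vbtype]) * (int(upper or 0) + 1)
            if noted is not None and int(noted, 16) != offset:
                raise ValueError(f"{name}: noted {noted}, computed {offset:X}")
            current.append((name, vbtype, offset, size, attr))
            offset += size
    return types

def ghost(fields, image, base=0):
    """Decode one instance at file offset base; return its log lines."""
    log = []
    for name, vbtype, offset, size, attr in fields:
        raw = image[base + offset:base + offset + size]
        if len(raw) != size:
            raise ValueError(f"{name}: runs past end of image")
        value = raw.decode("latin-1") if vbtype == "String" else raw.hex()
        if vbtype in ("Long", "Integer"):
            code, show = ("<I", "{:08X}") if vbtype == "Long" else ("<h", "{}")
            value = " ".join(show.format(*v) for v in struct.iter_unpack(code, raw))
        log.append(f"{base + offset:06X} {name} {attr or '-'} {value}")
    return log
```

A noted offset that disagrees with the computed one, or a structure that runs past the end of the image, raises `ValueError` instead of producing a misaligned log.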

MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
Posted: Sun Oct 05, 2003 12:55 am
I can understand making the structures and stuff in some sort of definition language... but I have yet to think of a good way to generate output for it.
I mean the structures and UDTs seem fairly simple... but once you get to the code... I mean you could make a new UDT for each opcode and give that UDT substructures [the variables]... but then converting those variables and UDTs would be a custom process specific to each type of executable, i.e. VB3 vs VB6.
My memory mapping program is a kind of output that might be used... it at least shows a visual representation of the location of many of the structures... but the memory map could not be the primary output because it misses a great deal of information that would be needed for decompiling...
I suppose that for each custom struct you could specify a place for output, i.e. a file or stdout or other... maybe even have some running variables in a struct to output data based on the variables generated...
golem: care to elaborate on how you display [but not necessarily visually] your output?
-MrU

golem Often here
Joined: 18 Nov 2002 Posts: 73
Posted: Sun Oct 05, 2003 2:26 am
gDL basically has nothing to do with the tokens definition database. gDL is strictly used to define the VB program structures, though the subroutines and related structures are of course referenced by other structures.
> care to elaborate on how you display [but not necessarily visually] your output?
Your question doesn't make much sense in the context of the above description about gDL. The visual output consists of structures... that exactly match/are the UDT, its file location and length, its field definitions and their respective field and attribute/database types. For instance, LVAs get represented in hex typically as 004xxxxx/yyyyyy (being file offset). Any fields that are links to other structures actually do become links, which you can advance to...
You can examine the structures from the program in question statically by viewing the gLG file or dynamically, using the Ghosting arrays, by selecting a pull down list (sorted by location in the Exe binary image) or starting from the top... which would of course be the Dos_Header.
I have interwoven a couple of more wrinkles (naturally), but they are not really relevant to a baseline outline of gDL... at least as described here.
Carry on!
golem

MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
Posted: Sun Oct 05, 2003 6:11 am
I'm talking about how do you get from iterating the class structures with gDL to something like your project file? Do you do that with gDL, or by other means?
-MrU

golem Often here
Joined: 18 Nov 2002 Posts: 73
Posted: Sun Oct 05, 2003 3:52 pm
In reading your responses and your seeming inability to even be able to ask a relevant question, one can't help but come to the conclusion that you are fairly clueless.
This and the almost total lack of collective progress on a VB5/6 decompiler as evidenced by the glaring errors and omissions in the core VB5/6 structures, and the almost humorous opcode definitions leads to comment that...
Yes, 'there are 10 types of people in this world, those that understand binary and those who don't...' and there is little doubt of which of those 10 types of people you are...
Carry on!
golem

_aLfa_ Site Admin
Joined: 21 Sep 2002 Posts: 233 Location: Aveiro, Portugal
Posted: Mon Oct 06, 2003 2:57 pm
(my apologies for interrupting the conversation)
> This and the almost total lack of collective progress on a VB5/6 decompiler as evidenced by the glaring errors and omissions in the core VB5/6 structures, and the almost humorous opcode definitions leads to comment that...

golem, this MB is meant for learning and researching, that's why we have created another MB.
Perhaps you could help us in correcting those "humorous opcode definitions" and the errors and omissions in "our" structures.
I believe you are way ahead of me in VB5/6 decompiling techniques, at least you demonstrate a higher level of knowledge. While I'm glad we have a member like that, I'm also sad because that member "laughs" at us.
One thing only I know, and that is that I know nothing. (Socrates)

golem Often here
Joined: 18 Nov 2002 Posts: 73
Posted: Wed Dec 10, 2003 1:34 pm
Post subject: You are of course...
quite right Alfa.
Maybe it's some type of elitism... It can probably just be chalked up to a demonstrable lack of performance by most of the MB participants.
I harp about the structures a lot... But REALLY!!! You would think that SOMEONE would notice all of the essential structures/fields that are simply NOT documented... NOT even conceived of... even in the core data structures.
What am I talking about? Here is an example...
How about a concept I call: 'The address is everything'.
Who here can even tell us what I am babbling about?
Carry on!
golem