Anatomizer Decompiler Test
Program-Transformation.Org: The Program Transformation Wiki
Hello_release
From Boomerang's test/windows/hello_release.exe (I had to force the entry point):Original source code:
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
int wmId, wmEvent;
PAINTSTRUCT ps;
HDC hdc;
TCHAR szHello[MAX_LOADSTRING];
LoadString(hInst, IDS_HELLO, szHello, MAX_LOADSTRING);
switch (message)
{
case WM_COMMAND:
wmId = LOWORD(wParam);
wmEvent = HIWORD(wParam);
// Parse the menu selections:
switch (wmId)
{
case IDM_ABOUT:
DialogBox(hInst, (LPCTSTR)IDD_ABOUTBOX, hWnd, (DLGPROC)About);
break;
case IDM_EXIT:
DestroyWindow(hWnd);
break;
default:
return DefWindowProc(hWnd, message, wParam, lParam);
}
break;
case WM_PAINT:
hdc = BeginPaint(hWnd, &ps);
// TODO: Add any drawing code here...
RECT rt;
GetClientRect(hWnd, &rt);
DrawText(hdc, szHello, strlen(szHello), &rt, DT_CENTER); # Note (1)
EndPaint(hWnd, &ps);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hWnd, message, wParam, lParam);
}
return 0;
}
Disassembly:
4011b0: 8b 0d 58 55 40 00 mov 0x405558,%ecx 4011b6: 81 ec b4 00 00 00 sub $0xb4,%esp 4011bc: 8d 44 24 50 lea 0x50(%esp),%eax 4011c0: 6a 64 push $0x64 4011c2: 50 push %eax 4011c3: 6a 6a push $0x6a 4011c5: 51 push %ecx 4011c6: ff 15 d0 40 40 00 call *0x4040d0 4011cc: 8b 8c 24 bc 00 00 00 mov 0xbc(%esp),%ecx 4011d3: 8b c1 mov %ecx,%eax 4011d5: 83 e8 02 sub $0x2,%eax 4011d8: 0f 84 14 01 00 00 je 0x4012f2 4011de: 83 e8 0d sub $0xd,%eax 4011e1: 0f 84 ab 00 00 00 je 0x401292 4011e7: 2d 02 01 00 00 sub $0x102,%eax 4011ec: 74 28 je 0x401216 4011ee: 8b 94 24 c4 00 00 00 mov 0xc4(%esp),%edx 4011f5: 8b 84 24 c0 00 00 00 mov 0xc0(%esp),%eax 4011fc: 52 push %edx 4011fd: 50 push %eax 4011fe: 51 push %ecx 4011ff: 8b 8c 24 c4 00 00 00 mov 0xc4(%esp),%ecx 401206: 51 push %ecx 401207: ff 15 98 40 40 00 call *0x404098 40120d: 81 c4 b4 00 00 00 add $0xb4,%esp 401213: c2 10 00 ret $0x10 401216: 8b 8c 24 c0 00 00 00 mov 0xc0(%esp),%ecx 40121d: 8b c1 mov %ecx,%eax 40121f: 25 ff ff 00 00 and $0xffff,%eax 401224: 83 e8 68 sub $0x68,%eax 401227: 74 41 je 0x40126a 401229: 48 dec %eax 40122a: 74 25 je 0x401251 40122c: 8b 94 24 c4 00 00 00 mov 0xc4(%esp),%edx 401233: 8b 84 24 b8 00 00 00 mov 0xb8(%esp),%eax 40123a: 52 push %edx 40123b: 51 push %ecx 40123c: 68 11 01 00 00 push $0x111 401241: 50 push %eax 401242: ff 15 98 40 40 00 call *0x404098 401248: 81 c4 b4 00 00 00 add $0xb4,%esp 40124e: c2 10 00 ret $0x10 401251: 8b 8c 24 b8 00 00 00 mov 0xb8(%esp),%ecx 401258: 51 push %ecx 401259: ff 15 9c 40 40 00 call *0x40409c 40125f: 33 c0 xor %eax,%eax 401261: 81 c4 b4 00 00 00 add $0xb4,%esp 401267: c2 10 00 ret $0x10 40126a: 8b 94 24 b8 00 00 00 mov 0xb8(%esp),%edx 401271: a1 58 55 40 00 mov 0x405558,%eax 401276: 6a 00 push $0x0 401278: 68 10 13 40 00 push $0x401310 40127d: 52 push %edx 40127e: 6a 67 push $0x67 401280: 50 push %eax 401281: ff 15 a0 40 40 00 call *0x4040a0 401287: 33 c0 xor %eax,%eax 401289: 81 c4 b4 00 00 00 add $0xb4,%esp 40128f: c2 10 00 ret $0x10 401292: 53 push %ebx 401293: 56 push %esi 401294: 8b b4 24 c0 00 00 00 mov 0xc0(%esp),%esi 40129b: 8d 4c 24 18 lea 0x18(%esp),%ecx 40129f: 57 push %edi 4012a0: 51 push %ecx 4012a1: 56 push %esi 4012a2: ff 15 a4 40 40 00 call *0x4040a4 4012a8: 8d 54 24 0c lea 0xc(%esp),%edx 4012ac: 8b d8 mov %eax,%ebx 4012ae: 52 push %edx 4012af: 56 push %esi 4012b0: ff 15 a8 40 40 00 call *0x4040a8 4012b6: 8d 44 24 0c lea 0xc(%esp),%eax 4012ba: 6a 01 push $0x1 4012bc: 50 push %eax 4012bd: 8d 7c 24 64 lea 0x64(%esp),%edi 4012c1: 83 c9 ff or $0xffffffff,%ecx 4012c4: 33 c0 xor %eax,%eax 4012c6: f2 ae repnz scas %es:(%edi),%al # Note (1) 4012c8: f7 d1 not %ecx 4012ca: 49 dec %ecx 4012cb: 51 push %ecx 4012cc: 8d 4c 24 68 lea 0x68(%esp),%ecx 4012d0: 51 push %ecx 4012d1: 53 push %ebx 4012d2: ff 15 ac 40 40 00 call *0x4040ac 4012d8: 8d 54 24 1c lea 0x1c(%esp),%edx 4012dc: 52 push %edx 4012dd: 56 push %esi 4012de: ff 15 b0 40 40 00 call *0x4040b0 4012e4: 5f pop %edi 4012e5: 5e pop %esi 4012e6: 5b pop %ebx 4012e7: 33 c0 xor %eax,%eax 4012e9: 81 c4 b4 00 00 00 add $0xb4,%esp 4012ef: c2 10 00 ret $0x10 4012f2: 6a 00 push $0x0 4012f4: ff 15 b4 40 40 00 call *0x4040b4 4012fa: 33 c0 xor %eax,%eax 4012fc: 81 c4 b4 00 00 00 add $0xb4,%esp 401302: c2 10 00 ret $0x10
Anatomizer's decompiled output:
long Main(long arg1, void arg2, long arg3, long arg4)
/* 004011B0 - 00401304
* Size : 341 ( 0x00000155 )
* Takes 16 Bytes parameters.
* Pascal calling convention.
* Have 180Byte(s) local variable(s).
*/
{
void loc1; /* ESP -180 */
void loc2; /* ESP -164 */
void loc3; /* ESP -100 */
register long loc4; /* ECX */
register long loc5; /* EAX */
register long loc6; /* ESI */
register long loc7; /* EBX */
(void) LoadStringA(var00405558, 106, &loc3, 100);
loc4 = arg2;
loc5 = loc4;
loc5 = loc5 - 2;
if (loc5 != 0) {
loc5 = loc5 - 13;
if (loc5 != 0) {
loc5 = loc5 - 258;
if (loc5 != 0) {
loc5 = DefWindowProcA(arg1, loc4, arg3, arg4);
return (loc5);
}
loc4 = arg3;
loc5 = loc4 & 0x0000FFFF;
loc5 = loc5 - 104;
if (loc5 != 0) {
loc5 = loc5 - 1;
if (loc5 != 0) {
loc5 = DefWindowProcA(arg1, 273, loc4, arg4);
return (loc5);
}
(void) DestroyWindow(arg1);
return (0);
}
else {
(void) DialogBoxParamA(var00405558, 103, arg1, &var00401310, 0);
return (0);
}
}
else {
loc6 = arg1;
loc7 = BeginPaint(loc6, &loc2);
(void) GetClientRect(loc6, &loc1);
(void) DrawTextA(loc7, &loc3, strlen(&loc3), &loc1, 1); # Note (1)
(void) EndPaint(loc6, &loc2);
return (0);
}
}
else {
(void) PostQuitMessage(0);
return (0);
}
}
Note (1): The string scan instruction at 0x4012c6 is converted cleanly into a strlen call (the third parameter to DrawTextA); this is quite impressive.
switch_gcc.exe
The following test is from Boomerang's test/windows/switch_gcc.exe.Original source code:
int main(int argc)
{
switch(argc)
{
case 2:
printf("Two!\n"); break;
case 3:
printf("Three!\n"); break;
case 4:
printf("Four!\n"); break;
case 5:
printf( "Five!\n"); break;
case 6:
printf( "Six!\n"); break;
case 7:
printf( "Seven!\n"); break;
default:
printf( "Other!\n"); break;
}
return 0;
}
Disassembly:
401080: 55 push %ebp 401081: 31 c0 xor %eax,%eax 401083: 89 e5 mov %esp,%ebp 401085: 83 ec 08 sub $0x8,%esp 401088: 83 e4 f0 and $0xfffffff0,%esp 40108b: 89 5d fc mov %ebx,0xfffffffc(%ebp) 40108e: 8b 5d 08 mov 0x8(%ebp),%ebx 401091: e8 aa 03 00 00 call 401440 <___chkstk> 401096: e8 35 04 00 00 call 4014d0 <___main> 40109b: 83 fb 07 cmp $0x7,%ebx 40109e: 77 40 ja 4010e0 <_main+0x60> 4010a0: ff 24 9d a8 10 40 00 jmp *0x4010a8(,%ebx,4) 4010a7: 90 nop 4010a8: e0104000 e0104000 c8104000 e9104000 f2104000 fb104000 4010c0: 04114000 0d114000 4010c8: c7 04 24 50 10 40 00 movl $0x401050,(%esp) 4010cf: 90 nop 4010d0: e8 0b 04 00 00 call 4014e0 <_puts> 4010d5: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 4010d8: 31 c0 xor %eax,%eax 4010da: 89 ec mov %ebp,%esp 4010dc: 5d pop %ebp 4010dd: c3 ret 4010de: 89 f6 mov %esi,%esi 4010e0: c7 04 24 55 10 40 00 movl $0x401055,(%esp) 4010e7: eb e7 jmp 4010d0 <_main+0x50> 4010e9: c7 04 24 5c 10 40 00 movl $0x40105c,(%esp) 4010f0: eb de jmp 4010d0 <_main+0x50> 4010f2: c7 04 24 63 10 40 00 movl $0x401063,(%esp) 4010f9: eb d5 jmp 4010d0 <_main+0x50> 4010fb: c7 04 24 69 10 40 00 movl $0x401069,(%esp) 401102: eb cc jmp 4010d0 <_main+0x50> 401104: c7 04 24 6f 10 40 00 movl $0x40106f,(%esp) 40110b: eb c3 jmp 4010d0 <_main+0x50> 40110d: c7 04 24 74 10 40 00 movl $0x401074,(%esp) 401114: eb ba jmp 4010d0 <_main+0x50>
Anatomizer Decompiler decompiled output (entry point forced):
long Main()
/* 00401080 - 00401115
* Size : 150 ( 0x00000096 )
* Takes no parameters.
* Stack unresolve.
* Have 8Byte(s) local variable(s).
*/
{
void loc1; /* ESP -12 */
void loc2; /* ESP 0 */
register long loc3; /* EBP */
register long loc4; /* EBX */
register long loc5; /* ESP */
*(loc3 - 4) = loc4;
loc4 = *(loc3 + 8);
(void) proc_0002(0, loc5 & -16);
(void) Red___main();
if (loc4 <= 7) {
switch (loc4) {
case 0:
case 1:
L1:
*loc5 = &var00401055;
break;
case 2:
*loc5 = &var00401050;
break;
case 3:
*loc5 = &var0040105C;
break;
case 4:
*loc5 = &var00401063;
break;
case 5:
*loc5 = &var00401069;
break;
case 6:
*loc5 = &var0040106F;
break;
case 7:
*loc5 = &var00401074;
break;
} /* end of switch */
}
else {
goto L1;
}
(void) Red_puts();
loc4 = *(loc3 - 4);
return (0);
}
Perhaps "Stack Unresolve" results from forcing the entry point. (This is a CygWin executable; the only reference to this main function is a move indirect on the stack pointer; it is not called directly). The switch statement is handled reasonably well, apart from the default statement. The parameter to puts is missing. No strings are resolved as a result.
-- MikeVanEmmerik - 01 Aug 2005