Need help with Windows reversing: ccdgen.exe from TI
Mychaela Falconia
falcon at freecalypso.org
Mon May 1 00:47:30 UTC 2023
Hello FreeCalypso community,
Do we have anyone here who is knowledgeable about the current state of
the art (and the state of readily available tools) in realm of static
reversing of Windows executable binaries? Right now I (and FC project)
could really benefit from a Windows binary decompiler - but let me
explain more specifically what is needed.
In the days of Calypso and LoCosto, the part of TI that was previously
Condat had a tool called ccdgen. This tool reads a bunch of ASCII
text files in their own ad hoc language/format, performs some business
logic on the data, and then produces other ASCII text files (mostly C
headers, but seems to be capable of other output formats in other
modes of operation) as its output. The problem is that the source for
this ccdgen tool has been lost, and the only surviving form is a
Windows executable binary named ccdgen.exe - a Win32 console app that
runs just fine under Wine. Running strings on this binary, I see that
it was built with MS Visual C++ - but my general knowledge of how the
GSM Skunkworks division of TI/Condat worked strongly suggests that the
program was most likely written in plain C (C++ unlikely, but most
proprietary compilers including M$ have C++ in their name, even if
only C is actually used), and I also have every good reason to believe
that it was a "pure" ANSI C program, without any Windows specifics at
the source level, i.e., unlikely to have used any Windows-specific
headers or made any Win32 API calls. I have every reason to believe
that in its source form, ccdgen used only fopen() followed by stdio
functions, and it is the compiler's run-time library turning this
stdio into Win32 system calls.
This ccdgen.exe binary weighs 262144 bytes, and does not show any signs
of obfuscation - the problem we are dealing with is purely one of lost
source code, NOT the kind of obfuscation (packers etc) that security-
oriented reversers typically have to deal with. Thus it appears to me
that the problem we have on our hands is exactly the kind for which
automated decompiler tools should be best suited.
Hence my question to those who are more familiar with the "mainstream"
world of static reversing: are there any readily available Windows exe
decompilers that can turn the whole exe into recompilable C? Obviously
all original function and variable names have been lost, thus the
output of the decompiler can only contain functions and variables with
meaningless auto-generated names, but can a decompiler produce an
output that can be fed to a new C compiler, producing a new executable
that will function like the original?
My hesitation comes from having passively observed the work of other
reversers in the past, and their workflow tends to be very different
from what I am seeking to do. It seems to me that the most common
static RE tools (IDA, Ghidra) operate interactively with GUIs, not
batch like I am seeking, and when reversers invoke the decompiler
function, the output is intended for human understanding, rather than
to be fed to a new run of a standard C compiler. Are there any
decompilers that operate differently? Are there any decompilers that
can be run in batch mode on a whole exe, as opposed to manually looking
at individual functions in a GUI? And can they produce output that is
valid C, suitable to be fed to a new run of a different standard C
compiler?
It also appears that libc functions like stdio are linked statically
into the exe binary, thus the decompiler will need to be smart enough
to recognize those standard compiler run-time library functions and
exclude them from deeper analysis: for example, recognize calls to
fopen() and call it fopen(), rather than trying to decompile the
bodies of MSVC functions that implement stdio in terms of Win32. Are
any readily available decompilers smart enough to recognize such
standard boilerplate?
The binary in question is here:
https://www.freecalypso.org/hg/fc-tourmaline/raw-file/tip/winexe/ccdgen.exe
and here is the standard invokation, serving as an example of how it
functions:
https://www.freecalypso.org/hg/fc-tourmaline/file/tip/cdg-hybrid/makecdg.sh
If anyone in our community (Das Signal maybe?) can take this exe and
produce the desired decompilation (i.e., produce a C source that can
be fed to a new compiler - e.g., native Linux gcc - yielding a new
executable program that functions like the original ccdgen, even if
all names in that generated C "source" are meaningless), that would be
awesome! But even if no one in our community can actually do it, if
anyone has pointers in the right direction, those would be helpful too.
Hasta la Victoria, Siempre,
Mychaela aka The Mother
More information about the Community
mailing list