反编译 - retdec

参考:反编译工具retdec的使用介绍 - 知乎

下载RetDec: Releases · avast/retdec 

hello.c
#include<stdio.h>

void printff(){
    printf("this is called funtion printff");
}

int main( int argc, char *argv[] )  
{
    printff();
    printf("This is helo analysis");
   if( argc == 2 )
   {
      printf("The argument supplied is %s\n", argv[1]);
   }
   else if( argc > 2 )
   {
      printf("Too many arguments supplied.\n");
   }
   else
   {
      printf("One argument expected.\n");
   }
}

gcc hello.c生成a.exe

>a.exe hello

this is called funtion printffThis is helo analysisThe argument supplied is hello

将exe反编译

retdec-decompiler.exe a.exe

image

生成结果,共5个文件:

  • a.exe.bc llmvIR的bytecode文件,
    • 可以使用llc a.exe.bc -o hellox86.s编译为汇编
    • 也可以使用clang a.exe.bc -o hellox86进行编译
  • a.exe.c 反编译的C文件
  • a.exe.config.json json配置文件
  • a.exe.ll 可读的LLVM IR文件
  • a.exe.dsm 汇编文件

a.exe.c如下所示

//
// This file was generated by the Retargetable Decompiler
// Website: https://retdec.com
//

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

// ------------------- Function Prototypes --------------------

int32_t ___do_global_ctors(void);
int32_t ___main(void);
int32_t _printff(void);

// --------------------- Global Variables ---------------------

int32_t g1 = -1; // 0x403bf0
int32_t g2 = 0; // 0x407028

// ------------------------ Functions -------------------------

// Address range: 0x401460 - 0x401475
int32_t _printff(void) {
    // 0x401460
    return printf("this is called funtion printff");
}

// Address range: 0x401475 - 0x4014db
int main(int argc, char ** argv) {
    // 0x401475
    ___main();
    _printff();
    printf("This is helo analysis");
    if (argc == 2) {
        int32_t v1 = *(int32_t *)((int32_t)argv + 4); // 0x4014a0
        printf("The argument supplied is %s\n", (char *)v1);
        // 0x4014d4
        return 0;
    }
    if (argc < 3) {
        // 0x4014c8
        puts("One argument expected.");
    } else {
        // 0x4014ba
        puts("Too many arguments supplied.");
    }
    // 0x4014d4
    return 0;
}

// Address range: 0x4019c0 - 0x401a06
int32_t ___do_global_ctors(void) {
    int32_t v1 = 0;
    int32_t v2 = v1 + 1; // 0x4019f6
    while (*(int32_t *)(4 * v2 + (int32_t)&g1) != 0) {
        // 0x4019f6
        v1 = v2;
        v2 = v1 + 1;
    }
    // 0x401a04
    if (v1 == 0) {
        // 0x4019df
        return atexit((void (*)())0x401990);
    }
    int32_t v3 = v1; // 0x4019d1
    while (v3 != 1) {
        // 0x4019d3
        v3--;
    }
    // 0x4019df
    return atexit((void (*)())0x401990);
}

// Address range: 0x401a10 - 0x401a2c
int32_t ___main(void) {
    int32_t result = g2; // 0x401a10
    if (result != 0) {
        // 0x401a19
        return result;
    }
    // 0x401a20
    g2 = 1;
    return ___do_global_ctors();
}

// --------------------- Meta-Information ---------------------

// Detected compiler/packer: gcc (6.3.0)
// Detected functions: 4

 

再次对a.exe.c进行编译 gcc a.exe.c -o a2.exe

>a2.exe hello

this is called funtion printffThis is helo analysisThe argument supplied is hello

打印结果和反编译之前一样

注意!这只是个简单的C程序,所以反编译出来的伪代码可以直接被编译,如果是复杂的程序,反编译出来的不能直接被编译,会报很多错,此时就需要有逆向工程的能力去还原源代码,不过就算如此,我们可以对反编译出来的伪代码进行分析其功能,用其他语言实现

 

posted @ 2025-07-29 17:10  我的腹肌不见了  阅读(44)  评论(0)    收藏  举报