Need help with Windows reversing: ccdgen.exe from TI

Das Signal das.signal at freecalypso.org
Wed May 3 18:01:32 UTC 2023


Hi Mychaela,

Both IDA (proprietary, expensive) and ghidra (open-source, free) have
the capability of generating C code from an x86 binary. Unfortunately
the compilation process loses information, in particular function names
and types, so in the absence of debug information (.pdb) the result
of the decompilation lacks a lot of the programmer's original meaning.
Only human examination and understanding of each function can hope to
restore some of that meaning, but it's a long and painstaking process.
Please have a look at https://www.freecalypso.org/members/ds/ccdgen.exe.c
which is the result of the whole executable decompilation. Thanks to
some strings we can get a glimpse as to what some functions do, but it's
quite limited sadly.

I recommend you give ghidra a try nonetheless. It is a very powerful
tool that can provide a lot of information. You can also try the
IDA Free software, which however does not include a decompiler. Still,
some consider its user interface to be superior to ghidra:
https://hex-rays.com/ida-free/

I would be surprised if either IDA's or ghidra's output can be recompiled
as-is. The result of the decompiler was not meant for recompilation,
but rather to provide an easier to understand version of the code to
the person trying to decipher a binary. In fact, having used both tools,
the result of the decompilation is often wrong.

Hope this helps,

--DS

On Sun, Apr 30, 2023 at 04:47:30PM -0800, Mychaela Falconia wrote:
> Hello FreeCalypso community,
> 
> Do we have anyone here who is knowledgeable about the current state of
> the art (and the state of readily available tools) in the realm of static
> reversing of Windows executable binaries?  Right now I (and FC project)
> could really benefit from a Windows binary decompiler - but let me
> explain more specifically what is needed.
> 
> In the days of Calypso and LoCosto, the part of TI that was previously
> Condat had a tool called ccdgen.  This tool reads a bunch of ASCII
> text files in their own ad hoc language/format, performs some business
> logic on the data, and then produces other ASCII text files (mostly C
> headers, but seems to be capable of other output formats in other
> modes of operation) as its output.  The problem is that the source for
> this ccdgen tool has been lost, and the only surviving form is a
> Windows executable binary named ccdgen.exe - a Win32 console app that
> runs just fine under Wine.  Running strings on this binary, I see that
> it was built with MS Visual C++ - but my general knowledge of how the
> GSM Skunkworks division of TI/Condat worked strongly suggests that the
> program was most likely written in plain C (C++ unlikely, but most
> proprietary compilers including M$ have C++ in their name, even if
> only C is actually used), and I also have every good reason to believe
> that it was a "pure" ANSI C program, without any Windows specifics at
> the source level, i.e., unlikely to have used any Windows-specific
> headers or made any Win32 API calls.  I have every reason to believe
> that in its source form, ccdgen used only fopen() followed by stdio
> functions, and it is the compiler's run-time library turning this
> stdio into Win32 system calls.
> 
> This ccdgen.exe binary weighs 262144 bytes, and does not show any signs
> of obfuscation - the problem we are dealing with is purely one of lost
> source code, NOT the kind of obfuscation (packers etc) that security-
> oriented reversers typically have to deal with.  Thus it appears to me
> that the problem we have on our hands is exactly the kind for which
> automated decompiler tools should be best suited.
> 
> Hence my question to those who are more familiar with the "mainstream"
> world of static reversing: are there any readily available Windows exe
> decompilers that can turn the whole exe into recompilable C?  Obviously
> all original function and variable names have been lost, thus the
> output of the decompiler can only contain functions and variables with
> meaningless auto-generated names, but can a decompiler produce an
> output that can be fed to a new C compiler, producing a new executable
> that will function like the original?
> 
> My hesitation comes from having passively observed the work of other
> reversers in the past, and their workflow tends to be very different
> from what I am seeking to do.  It seems to me that the most common
> static RE tools (IDA, Ghidra) operate interactively with GUIs, not
> batch like I am seeking, and when reversers invoke the decompiler
> function, the output is intended for human understanding, rather than
> to be fed to a new run of a standard C compiler.  Are there any
> decompilers that operate differently?  Are there any decompilers that
> can be run in batch mode on a whole exe, as opposed to manually looking
> at individual functions in a GUI?  And can they produce output that is
> valid C, suitable to be fed to a new run of a different standard C
> compiler?
> 
> It also appears that libc functions like stdio are linked statically
> into the exe binary, thus the decompiler will need to be smart enough
> to recognize those standard compiler run-time library functions and
> exclude them from deeper analysis: for example, recognize calls to
> fopen() and call it fopen(), rather than trying to decompile the
> bodies of MSVC functions that implement stdio in terms of Win32.  Are
> any readily available decompilers smart enough to recognize such
> standard boilerplate?
> 
> The binary in question is here:
> 
> https://www.freecalypso.org/hg/fc-tourmaline/raw-file/tip/winexe/ccdgen.exe
> 
> and here is the standard invocation, serving as an example of how it
> functions:
> 
> https://www.freecalypso.org/hg/fc-tourmaline/file/tip/cdg-hybrid/makecdg.sh
> 
> If anyone in our community (Das Signal maybe?) can take this exe and
> produce the desired decompilation (i.e., produce a C source that can
> be fed to a new compiler - e.g., native Linux gcc - yielding a new
> executable program that functions like the original ccdgen, even if
> all names in that generated C "source" are meaningless), that would be
> awesome!  But even if no one in our community can actually do it, if
> anyone has pointers in the right direction, those would be helpful too.
> 
> Hasta la Victoria, Siempre,
> Mychaela aka The Mother
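
The batch-mode question in the quoted message can be illustrated with a script for Ghidra's headless analyzer, which decompiles every function of an imported executable into one C file. This is an added example, not part of the thread and not a description of how the ccdgen.exe.c file linked above was produced; the script name DumpAllC and the output file out.c are hypothetical. It assumes auto-analysis has already run, and it skips any function that analysis or the import data has already named (for instance recognised run-time library routines), decompiling only those that still carry Ghidra's default name.

```java
// DumpAllC.java: added example (hypothetical name). Run headless, e.g.:
//   analyzeHeadless <proj_dir> <proj_name> -import ccdgen.exe \
//       -scriptPath <dir_with_this_file> -postScript DumpAllC.java out.c
import java.io.File;
import java.io.PrintWriter;

import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.SourceType;

public class DumpAllC extends GhidraScript {
    @Override
    public void run() throws Exception {
        String[] args = getScriptArgs();
        File outFile = new File(args.length > 0 ? args[0] : currentProgram.getName() + ".c");
        DecompInterface decomp = new DecompInterface();
        if (!decomp.openProgram(currentProgram)) {
            throw new RuntimeException(decomp.getLastMessage());
        }
        int dumped = 0, named = 0, failed = 0;
        try (PrintWriter out = new PrintWriter(outFile)) {
            for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
                if (monitor.isCancelled()) break;
                if (f.isThunk() || f.isExternal()) continue;
                // A non-default name means analysis or imported data already
                // identified the function; record it instead of decompiling it.
                if (f.getSymbol().getSource() != SourceType.DEFAULT) {
                    named++;
                    out.printf("/* skipped %s @ %s */%n", f.getName(), f.getEntryPoint());
                    continue;
                }
                DecompileResults res = decomp.decompileFunction(f, 60, monitor);
                if (res.decompileCompleted()) {
                    out.println(res.getDecompiledFunction().getC());
                    dumped++;
                } else {
                    out.printf("/* FAILED %s: %s */%n", f.getName(), res.getErrorMessage());
                    failed++;
                }
            }
        } finally {
            decomp.dispose();
        }
        println("decompiled=" + dumped + " named(skipped)=" + named + " failed=" + failed);
    }
}
```

The counts printed at the end show how many functions were left with default names, and the FAILED markers in the output show where the decompiler gave up.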
