Anatomizer Decompiler

Program-Transformation.Org: The Program Transformation Wiki
Web sites (all in Japanese):

This binary decompiler for Win32 executables seems to have been in existence at least since early 2002. It is still at a quite early stage. There are a few parts that are surprisingly good, but these are probably the result of low-level pattern matching rather than general principles that would work for all code from all compilers.

The web pages are entirely in Japanese, which I cannot read. I have found a few clues from the fragments of English interspersed with Japanese, along with a Babelfish translation. There seem to be three binaries available for download:

The C++ versions require MFC71.DLL, MSVCR71.DLL and MSVCP71.DLL. I could not get the alpha version to decompile anything, not even the sample program from the web site. The VB version seems to take a very long time initialising after loading larger program files. The 1.5B3 version seems to have severe output window clipping problems. So the VB program would appear to be the best one to use, despite being a bit slow to start (and it sometimes seems to just crash silently immediately after loading).

The way to get a decompilation seems to be to open an executable (control-O on the 2004 version), choose an entry point (the upper option seems to work so far; (E) on some versions), then from the (R) menu choose (D) (control-D on the 2004 version) to get a list of procedures, select one, and from the (R) menu choose (A) (control-A on the 2004 version) to see a decompilation. You can highlight the decompiled output and copy it to the clipboard with control-C, or use the right mouse menu to select all, copy, etc. There is an option in the decompilation window to print the address of each basic block as a comment (the left of the two check boxes). The right-hand check box seems to add the hex address of a call as a comment (e.g. // 01003740 in front of call proc_0019). Once you have done one decompilation, you can double-click on a procedure in the procedure window to decompile it, replacing the existing decompilation.

Here is a small sample of output, from Boomerang's test/windows/lpq.exe. The disassembly is from objdump; I can't figure out how to copy the disassembly output to the clipboard as yet.

 18c11f7:       8b 44 24 08             mov    0x8(%esp),%eax
 18c11fb:       23 44 24 04             and    0x4(%esp),%eax
 18c11ff:       2b 44 24 08             sub    0x8(%esp),%eax
 18c1203:       83 f8 01                cmp    $0x1,%eax
 18c1206:       1b c0                   sbb    %eax,%eax
 18c1208:       f7 d8                   neg    %eax
 18c120a:       c2 08 00                ret    $0x8

long proc_0002(void arg1, void arg2)
/* 018C11F7 - 018C120C
 * Size : 22 ( 0x00000016 )
 * Takes 8 Bytes parameters.
 * Pascal calling convention.
 * Call from proc_0001.
 */
{
    register long loc1; /* EAX */

    loc1 = (arg2 & arg1) - arg2;
    /* Unsupported operation. */
    _asm{018C1206 1BC0                SBB        EAX,EAX};
    return (!loc1);
}

The register variable is declared, and the AND and SUB instructions are combined into a suitable expression. Unfortunately, the SBB idiom is not recognised, and the NEG instruction is dubiously translated into a ! (C not) operator. Parameters are declared but not typed, so this code would not compile. The return type is declared, and the return value is used sensibly in proc_0001 (with if (proc_0002() = 0) {).
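To make the flag behaviour behind the cmp / sbb / neg tail explicit, here is an added C model (not code from the original page or from Anatomizer) that steps through proc_0002 with the carry flag written out, using the decompiler's own operand naming (arg2 for 0x8(%esp), arg1 for 0x4(%esp)); the function names and the sample inputs are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* cmp $1,%eax ; sbb %eax,%eax ; neg %eax
 * CMP sets CF when eax < 1 unsigned, i.e. exactly when eax == 0.
 * SBB eax,eax computes eax - eax - CF, so -1 if CF was set, else 0.
 * NEG then maps -1 to 1, leaving a 0/1 boolean in eax. */
static uint32_t sbb_neg_idiom(uint32_t eax)
{
    uint32_t carry = (eax < 1u) ? 1u : 0u;   /* CF after cmp $1,%eax */
    eax = eax - eax - carry;                 /* sbb %eax,%eax */
    eax = 0u - eax;                          /* neg %eax */
    return eax;
}

/* Instruction-by-instruction model of proc_0002 (018C11F7 - 018C120C). */
static uint32_t proc_0002_model(uint32_t arg1, uint32_t arg2)
{
    uint32_t eax = arg2;         /* mov 0x8(%esp),%eax */
    eax &= arg1;                 /* and 0x4(%esp),%eax */
    eax -= arg2;                 /* sub 0x8(%esp),%eax */
    return sbb_neg_idiom(eax);   /* cmp / sbb / neg ; ret $0x8 */
}

/* The same routine as an idiom-aware decompiler could emit: the
 * three-instruction tail tests loc1 for zero, which C writes as !loc1. */
static uint32_t proc_0002_idiom_aware(uint32_t arg1, uint32_t arg2)
{
    uint32_t loc1 = (arg2 & arg1) - arg2;
    return !loc1;
}

int main(void)
{
    /* Constructed inputs. (arg2 & arg1) - arg2 is zero exactly when every
     * bit set in arg2 is also set in arg1, so the routine is a mask test. */
    uint32_t pairs[][2] = { {0xffu, 0x0fu}, {0x0fu, 0xffu}, {0u, 0u},
                            {0x80000000u, 0x80000000u}, {1u, 3u} };
    size_t n = sizeof pairs / sizeof pairs[0];
    for (size_t i = 0; i < n; i++) {
        uint32_t a1 = pairs[i][0], a2 = pairs[i][1];
        printf("proc_0002(%#x, %#x) = %u (model) / %u (idiom-aware)\n",
               a1, a2, proc_0002_model(a1, a2), proc_0002_idiom_aware(a1, a2));
    }
    return 0;
}
```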

For larger examples, see Anatomizer Decompiler Test.

-- MikeVanEmmerik - 01 Aug 2005