22.9 forum: Decompiling code with boomerang from radare

Version 0.9.7 adds support for boomerang, making it possible to decompile specific functions of a binary program from the debugger or the disassembler.

Here is a short usage example. Note the `Warning: sysctl -w kernel.randomize_va_space=0` line in the session below: it appears to be radare suggesting that ASLR be switched off so the addresses stay stable between runs; since that setting weakens every process on the host, keep it to a dedicated analysis machine or VM and restore it afterwards.


$ radare -e dbg.bep=main -d /bin/ls
argv = '/bin/ls', ]
entry at: 0x8049a80
cont: breakpoint stop (0x8049a80)
main at: 0x804e880
cont: breakpoint stop (0x804e880)
Program '/bin/ls' loaded.
Warning: sysctl -w kernel.randomize_va_space=0
open debugger ro /bin/ls
96 symbols added.
[0x0804E884]> s 0x8059ED0

Let's disassemble the unknown call from main (the fourth one):

[0x08059ED0]> pD 60
             0x08059ED0,           55                push ebp              
             0x08059ED1            31c0              eax ^= eax            
             0x08059ED3            89e5              ebp = esp             
             0x08059ED5            53                push ebx              
             0x08059ED6            e8efffffff      ^ call 0x8059ECA  ;        [1]
             0x08059EDB            81c329420000      ebx += 0x4229         
             0x08059EE1            83ec0c            esp -= 0xc  ; 12 ' ' ; eax+0xb
             0x08059EE4,           8b93fcffffff      edx = [ebx-0x4]       
             0x08059EEA            85d2              test edx, edx         
        .==< 0x08059EEC,           7402            v jz 0x8059EF0   ;         [2]
        |    0x08059EEE            8b02              eax = [edx]           
        `--> 0x08059EF0,           89442408          [esp+0x8] = eax       
             0x08059EF4,           8b4508            eax = [ebp+0x8]       
             0x08059EF7            c7442404000000.   dword [esp+0x4] = 0x0 
             0x08059EFF            890424            [esp] = eax           
             0x08059F02            e819f6feff      ^ call 0x8049520  ; sym___cxa_atexit   [3]
             0x08059F07            83c40c            esp += 0xc  ; 12 ' ' ; eax+0xb
             0x08059F0A            5b                pop ebx               
             0x08059F0B            5d                pop ebp               
             0x08059F0C,           c3               ret ;--                
             0x08059F0C          ; ------------------------------------

And now...time for decompilation! :D

[0x08059ED0]> !rsc boomerang $FILE $XOFFSET
decompiling entry point proc1
void proc2();   // the callee at 0x8059ECA; boomerang could not recover its signature

// address: 0x8059ed0
// Boomerang's decompilation of the 60 bytes disassembled above (pD 60 at
// 0x08059ED0).  The comments below map each statement back to the
// disassembly so the two listings can be read side by side.
void proc1() {
   __size32 eax;               // r24
   __size32 ebp;               // r29
   __size32 ebx;               // r27
   __size32 edx;               // r26
   int esp;            // r28
   unsigned int local0;                // m[esp - 12]  -- the [esp] store at 0x08059EFF
   __size32 local1;            // m[esp - 8]   -- the [esp+0x4] store at 0x08059EF7
   __size32 local2;            // m[esp - 4]   -- the [esp+0x8] store at 0x08059EF0

   // call 0x8059ECA at 0x08059ED6.  The nine arguments (pc, registers,
   // LOGICALFLAGS32(...)) are how boomerang expresses register and flag
   // inputs it could not resolve for that callee; the warning records that
   // the call also overwrites ebx, esp and ebp.
   eax = proc2(pc, ebx, ebp, 0, ebx, esp - 4, LOGICALFLAGS32(0), LOGICALFLAGS32(0), LOGICALFLAGS32(0)); /* Warning: also results in ebx, esp, ebp */
   // 0x4229 (ebx += 0x4229 at 0x08059EDB) and -0x4 ([ebx-0x4] at 0x08059EE4)
   // folded into a single offset
   edx = *(ebx + 0x4225);
   // test edx, edx / jz at 0x08059EEA-0x08059EEC: the pointer is only
   // dereferenced when it is non-NULL
   if (edx != 0) {
       eax = *edx;
   }
   local2 = eax;
   eax = *(ebp + 8);   // [ebp+0x8] after push ebp / ebp = esp: the first stack argument of proc1
   local1 = 0;
   local0 = eax;
   // sym___cxa_atexit at 0x08059F02.  The decompiled call shows no
   // arguments, although the disassembly stores three values at [esp],
   // [esp+0x4] and [esp+0x8] (local0..local2) immediately before it.
   __cxa_atexit();
   return;
}