SmartDec

About

SmartDec is a native code to C/C++ decompiler.

Standalone Version

Supports x86 and x86-64 architectures.
Reads ELF and PE file formats.
Reconstructs functions, their names and arguments, local and global variables, expressions, integer, pointer and structural types, all types of control-flow structures, including switch.
Has a nice graphical user interface with one-click navigation between assembler code and reconstructed program.
Has a command-line interface for batch processing.

Download

Plug-in for IDA

Enjoys all executable file formats supported by the disassembler.
Benefits from IDA’s signature search, parsers of debug information, and demanglers.
Decompiles a chosen function or the whole program by push of a button.
Allows easy jumping between the disassembler and the decompiled code.
Fully integrated into IDA’s GUI.

Download

Packages

v0.0.2 (4 July 2014) Changes
- Standalone: Windows x86-64, Windows x86.
- Plug-in for IDA: Windows x86, Qt 4.8 for IDA 6.3-6.5, Windows x86, Qt 4.7 for IDA 6.1.
v0.0.1 (25 June 2014) Changes
- Standalone: Windows x86-64, Windows x86.
- Plug-in for IDA: Windows x86, Qt 4.8 for IDA 6.3-6.6, Windows x86, Qt 4.7 for IDA 6.1.
git-6d13c8b (8 Aug 2013)
- Standalone: Windows x86-64, Windows x86.
- Plug-in for IDA: Windows x86, Qt 4.8 for IDA 6.3-6.6, Windows x86, Qt 4.7 for IDA 6.1.

Installation Instructions

Standalone version you can just unpack and run.

Plug-in for IDA is installed by copying .plw and .p64 files to IDA’s plugins directory.

Usage Instructions

Do not try to decompile large programs at once. Select a necessary part in the assembly listing and push Ctrl-E instead. Or better use the SmartDec Plug-in for IDA.
When using the IDA plug-in, press F4 to decompile the function under cursor.
Submit bug reports and feature requests.

Example

Binary Search Tree

000000000040058d <insert>:
  40058d:       55                      push   %rbp
  40058e:       48 89 e5                mov    %rsp,%rbp
  400591:       48 83 ec 10             sub    $0x10,%rsp
  400595:       48 89 7d f8             mov    %rdi,-0x8(%rbp)
  400599:       48 89 75 f0             mov    %rsi,-0x10(%rbp)
  40059d:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  4005a1:       48 8b 00                mov    (%rax),%rax
  4005a4:       48 85 c0                test   %rax,%rax
  4005a7:       75 0d                   jne    4005b6 <insert+0x29>
  4005a9:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  4005ad:       48 8b 55 f0             mov    -0x10(%rbp),%rdx
  4005b1:       48 89 10                mov    %rdx,(%rax)
  4005b4:       eb 5c                   jmp    400612 <insert+0x85>
  4005b6:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  4005ba:       8b 10                   mov    (%rax),%edx
  4005bc:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  4005c0:       48 8b 00                mov    (%rax),%rax
  4005c3:       8b 00                   mov    (%rax),%eax
  4005c5:       39 c2                   cmp    %eax,%edx
  4005c7:       7d 1c                   jge    4005e5 <insert+0x58>
  4005c9:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  4005cd:       48 8b 00                mov    (%rax),%rax
  4005d0:       48 8d 50 10             lea    0x10(%rax),%rdx
  4005d4:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  4005d8:       48 89 c6                mov    %rax,%rsi
  4005db:       48 89 d7                mov    %rdx,%rdi
  4005de:       e8 aa ff ff ff          callq  40058d <insert>
  4005e3:       eb 2d                   jmp    400612 <insert+0x85>
  4005e5:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  4005e9:       8b 10                   mov    (%rax),%edx
  4005eb:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  4005ef:       48 8b 00                mov    (%rax),%rax
  4005f2:       8b 00                   mov    (%rax),%eax
  4005f4:       39 c2                   cmp    %eax,%edx
  4005f6:       7e 1a                   jle    400612 <insert+0x85>
  4005f8:       48 8b 45 f8             mov    -0x8(%rbp),%rax
  4005fc:       48 8b 00                mov    (%rax),%rax
  4005ff:       48 8d 50 08             lea    0x8(%rax),%rdx
  400603:       48 8b 45 f0             mov    -0x10(%rbp),%rax
  400607:       48 89 c6                mov    %rax,%rsi
  40060a:       48 89 d7                mov    %rdx,%rdi
  40060d:       e8 7b ff ff ff          callq  40058d <insert>
  400612:       c9                      leaveq
  400613:       c3                      retq

gets automatically translated to

struct s0 {
    int32_t f0;
    signed char[4] pad8;
    struct s0* f8;
    struct s0* f16;
};

void insert(struct s0** rdi, struct s0* rsi) {
    struct s0** v3;
    struct s0* v4;

    v3 = rdi;
    v4 = rsi;
    if (*v3 != (struct s0*)0) {
        if ((*v3)->f0 <= v4->f0) {
            if (v4->f0 > (*v3)->f0) {
                insert(&(*v3)->f8, v4);
            }
        } else {
            insert(&(*v3)->f16, v4);
        }
    } else {
        *v3 = v4;
    }
    return;
}

ChangeLog

v0.0.2 (4 July 2014)
- The IDA plug-in works under Windows XP.
v0.0.1 (25 June 2014)
- Initial release.
- Architectures: x86, x86-64 (150 supported instructions).
- File formats: ELF, PE.
- Calling conventions: AMD64, Microsoft64, cdecl, stdcall.
- Demanglers: MSVC, GNU V3.
- Symbolic bit-precise byte-order-aware joint reaching definitions and constant folding analysis.
- Interprocedural type reconstruction.
- Interprocedural reconstruction of function arguments and return values.
- Interprocedural reconstruction of variables.
- Structural analysis of control flow.
- Ascetic GUI.
- Plug-in for IDA.