General Question Decompiling a dll

Urwumpe (Addon Developer, Donator)
> I get asked this question. Can you decompile a DLL? I usually say "No". But I was googling to see if that was true.
>
> It seems I might be wrong.
>
> https://www.dll-decompiler.com/dll2c.html
>
> Any thoughts on this?
Looking at the results on the homepage, it is just coarsely pattern-matching disassembly code into C-like code, but it does not even look like any standard API of Windows.

It might be easier to read than assembly language files for some, but I doubt you will enjoy the output if you have an optimized math-heavy Orbiter module there (the assembly output might even be easier to read).

Hell, I am sure, it could not even get the includes for OrbiterAPI right, let alone properly identify the standard library of Orbiter.

Better stay away from it, if you are not experienced in reverse engineering.
 

gattispilot (Addon Developer)
Thanks. I am not going to try it.

Maybe a tool to help see how a DLL from the past worked, and maybe rework it, like AFCS, ....
 

Face (Addon Developer, Beta Tester)
In principle it is possible to decompile a DLL, because you can certainly disassemble it. If you have a disassembly, you could search for patterns that C compilers usually emit when compiling code, and then sort of guess what C code it originated from.

However, this is not a trivial task and error-prone for sure. In the worst case, all these generators produce is a bunch of skeleton C functions with many ASM statements inside. In the best case, you still have to decipher random variable names for their logical meaning, because C compilers usually do not embed meta-data containing variable names and some such. In combination with debug builds and debug databases (PDB), it might make sense, though.
 

gattispilot (Addon Developer)
So I am going to be ignorant. So what would disassembling a DLL look like?
 

Face (Addon Developer, Beta Tester)
> So I am going to be ignorant. So what would disassembling a DLL look like?

Take a look at IDA Pro and OllyDbg. Especially the former is pretty good at showing not only the assembler code, but also diagrams of code relations (e.g. loops and calls). The latter tool allows you to step through the code while the program is running.

Both essentially produce an address-numbered list of assembler mnemonics, representing the machine code of your binary. Usually you have the address in the first column, followed by several bytes in hexadecimal notation, followed by the assembler mnemonic for those bytes. Most also give additional information in a 4th column, e.g. a cross-reference to static text content or already known function entry points.
In addition, good disassemblers can also detect various calling conventions for functions and display the function signature together with automated argument naming (e.g. arg1, arg2, etc.).
 

Col_Klonk (New member)
> So I am going to be ignorant. So what would disassembling a DLL look like?

The normal assembly language.
IDA has released a later version as freeware.

A DLL is nothing more than 'object code'.

Your code links to it by querying a function via the Kernel ( Colonel ;) ).
If successful, the query returns a 'function address', which is nothing more than a procedure.
Your code then 'branches' (calls) to the function address, correctly setting up the stack.
Parameters are usually supplied via pointers.
The DLL would have its own (private) variables to maintain.

This is all hidden from you, the C/C++ (and higher-level) developer.

To learn more pop along to http://www.masm32.com/board/index.php
You won't regret it...
:thumbup:
 
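As an added example (not Col_Klonk's code, and not part of the thread), here are the steps just described written out in Python with ctypes: ask the loader for an export by name, receive a bare function address, declare the prototype yourself because the library carries none, and call the procedure with a pointer argument. The C runtime's strlen stands in for the DLL under study so the script runs on Windows (msvcrt.dll) as well as Linux/macOS (libc); the choice of library and the sample strings are assumptions of the example.

```python
import ctypes
import ctypes.util
import sys


def open_c_runtime():
    # Stand-in for the DLL under study: the C runtime, which exports strlen on
    # every platform. Windows keeps it in msvcrt.dll; elsewhere ask the loader
    # for libc (CDLL(None) falls back to the process's already-loaded symbols).
    if sys.platform == "win32":
        return ctypes.CDLL("msvcrt")
    return ctypes.CDLL(ctypes.util.find_library("c"))


def resolve_export(lib, name, restype, argtypes):
    """Ask the loader for an exported function by name.

    This is the GetProcAddress/dlsym step. The library carries no prototype
    for its exports, so the caller has to state the return and argument types
    itself. Returns None when the export does not exist (the query failed).
    """
    try:
        fn = getattr(lib, name)
    except AttributeError:
        return None
    fn.restype = restype
    fn.argtypes = argtypes
    return fn


def function_address(fn):
    # What the query actually hands back: a plain code address inside the
    # loaded image, i.e. the start of a procedure.
    return ctypes.cast(fn, ctypes.c_void_p).value


def strlen_address():
    fn = resolve_export(open_c_runtime(), "strlen",
                        ctypes.c_size_t, [ctypes.c_char_p])
    return function_address(fn)


def strlen_via_export(text):
    """Branch to the resolved procedure with a pointer argument: the string
    travels as a pointer to a NUL-terminated buffer and the library's own
    code walks it. `text` is a constructed sample input."""
    strlen = resolve_export(open_c_runtime(), "strlen",
                            ctypes.c_size_t, [ctypes.c_char_p])
    return strlen(text.encode("ascii"))


def export_exists(name):
    # A missing export is a normal outcome to handle, not an error to crash on.
    return resolve_export(open_c_runtime(), name, None, []) is not None


if __name__ == "__main__":
    print("strlen lives at 0x%x" % strlen_address())
    print("strlen('Orbiter') =", strlen_via_export("Orbiter"))
    print("export 'no_such_export_xyz' found:", export_exists("no_such_export_xyz"))
```

A failed lookup comes back as None rather than as an exception, which is the case worth handling when a module expects an export that a different build of the library does not provide; the restype/argtypes declarations are the part a disassembler has to guess from calling-convention patterns, because nothing in the export table records them.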

Col_Klonk (New member)
Long time since I played with a DLL, but IIRC...

The first function would be the entry function. I think it's called a constructor in c++ and other RADs.

This function sets up all the DLL internal control variables.
There should be a function/procedure export table there somewhere.
The 'unload function' (Destructor) would be there as well.

WinAPI 'LoadLibrary' handles the loading and initialisation of the DLL.

The rest of the DLL should be your normal assembler code from IDA.
IDA can also be used to load other DLLs and modules that this DLL uses.

The Orbiter OAPI uses a similar framework.
:)
 

gattispilot (Addon Developer)
For grins I tried to open the AFCS.dll and see how it works so we can make one for 2016.
 

martins (Orbiter Founder, orbit.medphys.ucl.ac.uk)
You may have more luck when looking at a function that is actually implemented in that DLL. VESSEL2::clbkPostStep is not. That is implemented in orbiter.exe. So all you see here is the function entry point, which, I assume, is linked into the DLL via orbiter.lib. Curiously, this seems to include a conversion of the interface from a C-style format (with the object passed as the first parameter) to a C++-style format, where the function is called as a member of that object.
 

Face (Addon Developer, Beta Tester)
> This is what I see. I expected more detail.
Well, IDA is an expert tool, really. You need to dig a bit deeper on PE format and DLL inner workings to understand what you see. I know that I only understand half of it yet.

What you posted there looks like the import jump thunk table for virtual methods that gets resolved once the DLL is loaded. The single JMP there will point to the Orbiter core function. In essence it means that this function was not implemented by the DLL, and so instead it uses the base function of the VESSEL2 class, which of course is implemented in the core.

If you have a "real" implementation of a callback, IDA probably lists it in the functions menu as something like "sub_10001040", not with the neat lib name it gets from the import/export tables. IIRC, all those pink-background function names are thunks resulting from virtual methods pointing back to the core, not the actual override implementations.

Ninja'd by the man.
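Face's two descriptions, the address / bytes / mnemonic / comment columns of a listing in the earlier post and the single-JMP import thunks in this one, can be tied together with a small parser. The following is an added example, not code from the thread or from IDA: it reads a constructed listing in IDA's column layout, groups instructions by proc/endp, and flags a function whose whole body is one jmp through an __imp_ slot as a thunk rather than an implementation. The listing, the sub_/thunk_ names and the placeholder import name __imp_VESSEL2_clbkPostStep are constructed for the example and are not the real mangled symbols.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in IDA's column layout: section:address, raw bytes,
# mnemonic, operands, optional ';' comment. Bytes and names are made up;
# __imp_VESSEL2_clbkPostStep is a placeholder for the real mangled import.
LISTING = """\
.text:10001040 sub_10001040    proc near
.text:10001040 55                      push    ebp
.text:10001041 8B EC                   mov     ebp, esp
.text:10001043 8B 45 08                mov     eax, [ebp+arg_0]  ; arg_0 = first stack argument
.text:10001046 5D                      pop     ebp
.text:10001047 C3                      retn
.text:10001047 sub_10001040    endp
.text:10001050 ; --------------------------------------------------------------------
.text:10001050 thunk_clbkPostStep proc near
.text:10001050 FF 25 00 20 00 10       jmp     ds:__imp_VESSEL2_clbkPostStep
.text:10001050 thunk_clbkPostStep endp
"""

# Column 1: section:address. Column 2: zero or more upper-case byte pairs
# (upper-case only, so a lower-case mnemonic such as "dd" is never taken for
# a byte). The rest is mnemonic/operands or a proc/endp marker.
LINE_RE = re.compile(
    r"^\.text:(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<bytes>(?:[0-9A-F]{2}\s+)+)?"
    r"(?P<rest>\S.*)$"
)


@dataclass
class Instruction:
    address: int
    opcode: bytes
    mnemonic: str
    operands: str
    comment: str


@dataclass
class Function:
    name: str
    instructions: list = field(default_factory=list)

    def is_import_thunk(self):
        # The loader-resolved trampoline: a body that is nothing but one jmp
        # through an __imp_ slot. The real code lives in whichever module
        # exports the symbol, so there is nothing to read in this function.
        return (len(self.instructions) == 1
                and self.instructions[0].mnemonic == "jmp"
                and "__imp_" in self.instructions[0].operands)


def parse_listing(text):
    """Group the listing's instructions by their proc ... endp blocks."""
    functions = {}
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body, _, comment = m.group("rest").partition(";")
        tokens = body.split()
        if len(tokens) >= 2 and tokens[1] in ("proc", "endp"):
            if tokens[1] == "proc":
                current = Function(tokens[0])
                functions[current.name] = current
            else:
                current = None
            continue
        if current is None or m.group("bytes") is None:
            continue  # separator or comment line, or code outside any proc
        current.instructions.append(Instruction(
            address=int(m.group("addr"), 16),
            opcode=bytes.fromhex("".join(m.group("bytes").split())),
            mnemonic=tokens[0],
            operands=" ".join(tokens[1:]),
            comment=comment.strip(),
        ))
    return functions


def classify(functions):
    """Name -> 'import thunk' or 'implemented here': the split between a
    DLL's own callback overrides and the base methods living in the core."""
    return {name: ("import thunk" if fn.is_import_thunk() else "implemented here")
            for name, fn in functions.items()}


if __name__ == "__main__":
    for name, kind in classify(parse_listing(LISTING)).items():
        print(f"{name:24s} {kind}")
```

Running it reports sub_10001040 as implemented here and thunk_clbkPostStep as an import thunk; on a real module the same check over the functions list tells you quickly which callbacks the DLL actually overrides before you spend time reading their bodies.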
 

gattispilot (Addon Developer)
Thanks. Well, I was hoping to see how AFCS worked. Like get the prestep, .... functions.
 

Face (Addon Developer, Beta Tester)
> I feel like in general, decompiling and reverse engineering would look something along the lines of this.
> Well, at least for me it certainly does.
Other tools and a different instruction set, but yes, the video captures the spirit very well. From finding the entry point over analyzing code in the vicinity, guessing the author's intent right up to writing adapter/emulator code in C/C++, everything is depicted nicely.
Entertaining video, thanks for the link! :thumbup:
 