What is New

Some of the most important changes:

• Added support for decompilation of 64-bit ARM binaries.
• Added an option to generate decompilation results in the JSON output file format. This output contains additional meta-information and can be conveniently consumed by your tools.
• Added a new library called retdec that lets you decompile the input into both an LLVM IR module and structured (i.e. functions and basic blocks) Capstone disassembly.
• Implemented proper RetDec installation. It is now possible to easily use RetDec components in other CMake projects.
• Many smaller improvements and bug fixes

For more details, see the full changelog and our blog post.

Some of the most important changes:

• Added basic support for decompilation of x86-64 binaries (previously, RetDec supported only 32b Intel x86).
• Added support for build and run on FreeBSD and potentially on other BSD OSes.
• Replaced the old LLVMIR-to-BIR converter in retdec-llvmir2hll with a new one, which, in most cases, improves code structure and significantly speeds up decompilations.
• Reduced the needed stack space in retdec-llvmir2hll, which lowers its memory requirements.
• retdec-fileinfo is now able to parse and generate imported types and TypeRef hashes for .NET binaries, metadata of Visual Basic binaries, and icon hashes for exact and similarity matching in PE files.
• Many bug fixes

We have also released a new version of our IDA plugin.

For more details, see the full changelog.

Some of the most important changes:

• We have moved from shell scripts to Python scripts so that Windows users no longer have to install MSYS2 to run RetDec. This change also simplifies build and run on macOS.
• Added generation of export-table hashes into retdec-fileinfo.
• Added an automatic generation of API documentation for RetDec via Doxygen.
• Fixed assertions in the recognition of statically linked code.
• Fixed assertions during the decoding of some MIPS binaries.
• Fixed a memory leak when parsing Mach-O files.
• Our home page has received a makeover.

We have also released a new version of our IDA plugin.

For more details, see the full changelog.

Some of the most important changes:

• Unofficial support for building and running RetDec on macOS.
• Reduced the likelihood of system crashes and freezes by limiting the overall memory when running RetDec tools.
• More accurate decoding - a complete rewrite of binary to LLVM IR translation.
• More accurate statically linked code detection - cross-checking signature references.
• Detection of corrupted and unloadable PE files.
• Better detection of compilers and packers - added new signatures and heuristics. YARA signatures are compiled now, which results in faster scanning.
• New directory structure and tool names - we have added a retdec- prefix to all installed binaries and scripts.
• Easier project development - removal of git submodules.
• Build speedup and continuous integration builds.
• Many other bugfixes and enhancements.

For more details, see the full changelog.

Also, as a related change, we have disabled the online web decompilation service, which has been out of date since the end of 2017. As RetDec is open source, you can build and run it directly on your PC (visit our GitHub repository).

A list of changes:

• Publicly released an experimental version of our decompilation plugin for the IDA disassembler.
• Implemented a loader for all the supported file formats, which improves decompilation results.
• Added support for decompilation of archives (ar format) and object files. Archives are statically linked libraries, commonly ending with .a or .lib.
• Added support for decompilation of files in the Intel HEX format.
• Added detection of various YARA patterns (e.g. used cryptographic constants). Their presence is used to improve decompilation results. They are shown in comments in the generated C source code.
• Improved unpacking of UPX-packed binaries.
• Improved recognition of statically linked code.
• Improved reconstruction of return types and arguments for external functions.
• Reworked how raw machine code is decompiled so you no longer have to select a file format.
• Changes in our fileinfo service:
• It can now emit the output in the JSON format. Set "Output format" to "JSON" via settings when using the service.
• It now produces more information about input files. For example, it now includes hashes (file, sections, imports), relocation tables for the COFF format, detected YARA patterns (e.g. used cryptographic constants), and information about resources and certificates.
• Changes in our REST API:
• Added support for decompilation of files in archives (ar format). To decompile a file from an archive, use the bin mode and pass either the index of the file in the archive (ar_index) or its name (ar_name).
• Added support for decompilation of files in the Intel HEX format. To decompile such files, use the bin mode and pass the architecture and endianness of the machine code inside the file.
• The raw_entry_point and raw_section_vma parameters in raw decompilations no longer accept the default value. In both cases, you have to explicitly pass an address.
• The raw_endian parameter was renamed to endian. Use of the original name is still supported, but it is deprecated.
• It is no longer required to set file_format in raw decompilations. When given, it will be ignored.
• It is no longer possible to force an architecture when decompiling a file in the bin mode. The architecture is now detected automatically from the input file.
• Compiler-optimization levels can now be also specified without the leading dash (e.g. you can pass O1 instead of -O1).
• Added a new optional parameter output_format to the fileinfo service. You can use it to obtain the output in the JSON format. A related change is that the extension of the output file now depends on the output format.
• Changes in our IDA plugin:
• Added support for decompilation of COFF object files.
• Added support for decompilation of Intel HEX files.
• Added support for decompilation of files containing just raw machine code.
• Added generation of IDA comments into C files generated by full decompilation.
• The plugin no longer performs automatic decompilation of the opened file upon the start of IDA.
• The plugin no longer ignores statically linked functions when selective decompilation is invoked through IDA.
• The plugin does not allow decompilation of non-existing files like objects extracted from archives.
• The plugin does not allow decompilations that it cannot properly handle.
• Many bug fixes.

A list of changes:

• When decompiling from C code, the ISO C99 standard is now used instead of the ISO C90 standard.
• Improved detection of several compilers and packers on the PE file format.
• Improved demangling of symbols.
• Improved emission of floating-point literals. Float and long-double literals now end with f and L, respectively.
• Improved reconstruction of string literals.
• Many bug fixes.

A list of changes:

• Added demanling of C++ symbol names. Supported formats are those produced by GCC, MSVC, and Borland. Demangled names are shown in comments.
• Improved analysis of variables stored on the stack.
• Improved unpacking of binaries packed by modified versions of UPX.
• Improved detection of binaries produced by the Visual Basic and GCC compilers on the PE file format.
• Many bug fixes.

A list of changes:

• Added a new instruction-decoding algorithm. The new algorithm is more precise and requires less memory.
• Added basic support for decompilation of COFF binary files, e.g. Windows object files (*.o).
• Added a new optimization of comparisons with boolean literals. This optimization simplifies code that performs comparisons to true/false.
• Improved detection of C++ classes. Our decompiler is now able to reconstruct class hierarchies, virtual-method tables, and recognize constructors, destructors, and virtual member functions. All these pieces of information are emitted as comments in the generated high-level language.
• Improved decompilation of ELF binary files containing segments instead of sections.
• Improved decompilation of PE binary files containing delayed imports.
• Improved decompilation of programs that use functions from the standard C mathematical library (math.h).
• Improved decompilation of shared (*.so) and dynamic (*.dll) libraries.
• Improved decompilation of programs that use wide strings.
• Improved decompilation of programs that use functions from the Windows API.
• Improved decompilation of UPX-packed programs. Furthermore, we newly support unpacking of several UPX modifications.
• Improved detection of the tool used to create the input binary file (e.g. compiler and packer), including detection whether the input file contains bytecode. Keep in mind that our machine-code decompiler may produce inaccurate results when decompiling bytecode.
• Improved annotations (comments) in the generated high-level language:
  • Functions are now divided into several categories: user-defined, statically linked, dynamically linked, system-call, and instruction-idiom functions.
  • Local variables that were created from global variables (e.g. registers) now include the name of the global variable in a comment.
  • Register names now correspond to real register names (e.g. eax or ebx on Intel x86). Previously, we emitted our internal names.
  • Goto-label addresses now correspond to addresses in the input binary file.
  • The end address of a function is now the address of the last byte of the function (previously, it was the address of the first byte of the next function).
• Slightly improved reconstruction of for loops.
• Selective decompilation is now less aggressive in terms of elimination of stack accesses. This change ensures that important stack accesses (such as loading of string literals) are kept in the generated source code.
• Speeded up generation of the target high-level language when decompilation optimizations are disabled.
• The decompiler may now produce warnings. They are shown in the decompilation log when decompiling through our decompilation web service.
• Changes in our REST API:
  • Added a new key to decompilation phases: warnings. It represents a list of warnings (strings) that were produced by the decompiler in the given phase.
• Many bug fixes.

A list of changes:

• Speeded up many of our optimizations, which makes the decompiler run faster.
• Added support for decompilation of ELF files containing only segments.
• Added support for decompilation of MPRESS-packed binary files.
• Our REST API is now considered to be stable.
• Improved optimization of global variables to make the produced code contain less assignments to global variables.
• Improved utilization of PDB debug information (e.g. ARM/PE).
• Improved decompilation in the selected functions/address ranges mode (e.g. more accurate function detection).
• Improved decompilation of binary files that use the BSS section.
• Improved the output of our file-analyzing service service:
  • Added presentation of information from the Rich header in PE binary files.
  • Added detection of AutoIt and Eziriz.
• Minor improvements in the output from our disassembler (e.g. outputs for relocatable files).
• Updated versions of C compilers that are used to compile user-provided C source code into binary files. This update allowed us to add support of the PowerPC/ELF/Clang combination.
• The decompiler now generates char instead of int8_t (e.g. strings are now of type char *, not int8_t *).
• Many bug fixes.

A list of changes:

• Added an experimental REST API.
• Improved algorithms for function detection.
• Changes in the file-analyzing service:
  • Added information about overlay.
  • Added a link to download the output from the analysis.
• Changes in the decompilation service:
  • Added a new option under Decompilation Settings: Decompiler Optimizations. It allows you to change the level of optimizations performed by the decompiler.
  • The output from the disassembler now contains register names instead of bare numbers.
  • The generated files now have file names based on the name of the original input file.
• Internal change: We no longer convert the input binary file to a unified COFF-like representation. In our previous publications, we mentioned that the decompiler utilizes such a conversion.
• Many bug fixes.

A list of changes:

• Added support for decompiling only the selected functions or address ranges from input binary files. You can try it by selecting the "Executable File" input type in our decompilation service and setting the "Decompile" option in "Input File Settings" to "Selected Functions" or "Selected Ranges".
• Added reconstruction of more instruction idioms on Intel x86 and PowerPC.
• Added reconstruction of advanced system calls.
• Added a link to download all the generated results in a single ZIP archive (decompiled code, output from the disassembler, call and control-flow graphs).
• Added structuring of complex initializers before they are emitted into the decompiled code.
• Improved the output from the disassembler.
• Improved the detection of functions and their arguments on PowerPC.
• Improved the heuristic detection of the used compiler.
• Show the detected language(s) of the original source files in the decompiled code. This detection is based on debugging information.
• Many bug fixes.

A list of changes:

• added support for decompiling files with no file format containing just raw machine code (like firmware). You can try it by selecting the "Raw Machine Code" input type in our decompilation service.
• added a reconstruction of function names from dynamically linked libraries (DLL) based on ordinal numbers
• added a reconstruction of variables and constants stored over multiple registers
• added emission of global variable addresses into the generated source code
• added support for generating pointers to functions and arrays of function pointers into the generated source code
• added a detection and reconstruction of RTTI tables when decompiling programs written in C++. When RTTI tables are detected, we emit the class names and methods in comments into the generated source code.
• added new optimizations:
• i += 1 and i -= 1 are generated as ++i and --i, respectively
• simplified the passing of arrays to functions (&array[0] to array)
• added a renaming of variables based on usual names of parameters of standard-library functions. For example, a variable passed as the first argument of fopen() is named file_path.
• extended the conversion of constants passed to functions from standard libraries to their symbolic names. For example, instead of signal(2, 1), we now generate signal(SIGINT, SIG_IGN).
• improved the reconstruction of complex data types, such as arrays and structures
• improved the reconstruction of local variables
• improved the support for decompiling programs built with Microsoft Visual C++ (reconstruction of functions, arguments, and other program constructs)
• improved the default generator of variable names. Instead of fruit names, it now emits variables names gX, aX, and vX for global variables, function parameters, and other local variables, respectively.
• improved the reconstruction of switch statements
• improved the detection and use of debugging information in the DWARF format (the original language and used compiler)
• it is now possible to select the format of the generated call and control-flow graphs (the supported formats are SVG, PNG, and PDF)
• fix the generation of continue/break statements to outer loops (in C, continue/break statements only apply to the innermost loop)
• fix the reconstruction of printf() and scanf() calls with more exotic string formats
• many additional small enhancements and bug fixes

A list of changes:

• added a preliminary version of complex data types reconstruction, such as arrays and structures
• added experimental support for the PowerPC and PIC32 architectures. The limitations are no support for decompiling PowerPC binaries utilizing FPU, and not all combinations of file format/compiler/optimization flags are available when decompiling from C.
• added support for code reconstruction based on Linux system calls
• added support for emitting function pointers in the generated C code
• improved the decompilation of binaries produced by Clang
• improved the detection of statically linked code based on relocations
• improved the reconstruction of instruction idioms in Intel x86 binaries
• improved the support for decompiling wide strings
• improved the readability of the generated floating-point expressions
• larger numbers are now always emitted in the hexadecimal format, both in the generated C code and in the disassembled output
• decompilation speedup, mainly in the front-end part of the decompiler
• many small enhancements and bug fixes

A list of changes:

• added reconstruction of simple data types
• added reconstruction of instruction idioms
• added more options to the decompilation form, namely
• a -O3 optimization parameter when decompiling from C
• selecting a compiler when decompiling from C (GCC and Clang)
• selecting a new instruction set: ARM+Thumb
• added new optimizations of the generated high-level language, namely
• conversion of if/else-if/else constructs into switch statements
• movement of negation inside expressions (e.g. !e1 && !e2 instead of !(e1 || e2))
• conversion of dereferences into array accesses (e.g. p[4] instead of *(p + 4))
• use of compound operators instead of assignments (e.g. i += 5 instead of i = i + 5)
• added a recovery from decompilation errors (if some functions were decompiled with errors, an error message appears in the generated source code)
• added support of decompiling more types of MIPS processors
• various minor enhancements and bug fixes

A list of changes:

• added a basic support of decompiling binaries created in Delphi
• added a new phase: unpacking of files packed with several widely used packers and protectors
• added a new optimization into the back-end: elimination of dead code
• added a support of recognizing and decompiling wide strings; that is, strings that are formed by characters spanning over multiple bytes
• improved the simplification of arithmetical expressions
• improved the output from our disassembler
• decompilation speedup
• various minor enhancements and bug fixes

A list of changes:

• added a basic support for Windows API (types and renaming of variables storing values returned from functions)
• added a newsletter (you can subscribe by filling your email address in the header of our web)
• added a differentiation of optimizations into two categories: normal and aggressive. The latter may produce more readable code, although the output may not be necessarily correct in all cases. Moreover, added two aggressive optimizations of global variables and memory accesses.
• added more configuration options to the online decompilation form
  • there are several types of variable-names renamers
  • you can choose between normal and aggressive optimizations
  • you can enable the decompilation of unreachable functions
  • you can turn off the emission of addresses in the resulting code (comments of the form `// 0xXXXXXXXX`)
• added a basic support for the `long double` type from the C language
• improved the optimization of assignments into global variables
• improved the propagation of function calls (reduces the number of temporary variables)
• yet another speedup of the decoding phase
• various small enhancements and bug fixes

A list of changes:

• added a base implementation of FPU (Floating-Point Unit) on Intel x86
• speeded-up the decoding of Intel x86 binaries (up to 80%)
• added an optional elimination of unreachable functions from the generated code
• added a renaming of variables storing values from various functions in the standard libraries (for example, int var1 = socket(..) becomes int sock_fd = socket(..))
• added a basic conversion of constants passed to functions from the standard libraries to their symbolic names (for example, flock(var2, 6)) becomes flock(var2, LOCK_EX | LOCK_NB))
• improved the detection of header files that have to be included for the decompiled functions from standard libraries (towards code re-compilation)
• added a basic detection and elimination of unreachable code after functions which do not return (like exit() or abort())
• added a support of several different renaming of variables
• improved the entry-point analysis
• various small enhancements and bug fixes

A list of changes:

• added support for decompiling MS Windows PE binaries for Intel x86
• various small enhancements and bug fixes