What is New
Subscribe to our RSS feed and stay up to date on all of our latest news!
We are proud to present a brand new version of our retargetable decompiler. Among many improvements and fixes, it brings support for decompilation of 64-bit ARM binaries, an option to produce output in the JSON format, new build system, and the basis of a library that you can currently use to disassemble binaries in your applications.
Some of the most important changes:
- Added support for decompilation of 64-bit ARM binaries.
- Added an option to generate decompilation results in the JSON output file format. This output contains additional meta-information and can be conveniently consumed by your tools.
- Added a new library called
retdec
that lets you decompile the input into both an LLVM IR module and structured (i.e. functions and basic blocks) Capstone disassembly.
- Implemented proper RetDec installation. It is now possible to easily use RetDec components in other CMake projects.
- Many smaller improvements and bug fixes
For more details, see the full changelog and our blog post.
We have released a new version of our retargetable decompiler. It brings experimental support for decompilation of x64 binaries, improved code structuring, faster decompilation, and much more!
Some of the most important changes:
- Added basic support for decompilation of x86-64 binaries (previously, RetDec supported only 32b Intel x86).
- Added support for build and run on FreeBSD and potentially on other BSD OSes.
- Replaced the old LLVMIR-to-BIR converter in
retdec-llvmir2hll
with a new one, which, in most cases, improves code structure and significantly speeds up decompilations.
- Reduced the needed stack space in
retdec-llvmir2hll
, which lowers its memory requirements.
retdec-fileinfo
is now able to parse and generate imported types and TypeRef hashes for .NET binaries, metadata of Visual Basic binaries, and icon hashes for exact and similarity matching in PE files.
- Many bug fixes
We have also released a new version of our IDA plugin.
For more details, see the full changelog.
A new version of our retargetable decompiler has just been released! This is the second update since the 3.0 version, which was open-sourced in December 2017. One of the most significant changes in this release is a move from shell scripts to Python scripts, so Windows users will no longer need to install MSYS2 to run RetDec. Also, our home page has received a makeover :-).
Some of the most important changes:
- We have moved from shell scripts to Python scripts so that Windows users no longer have to install MSYS2 to run RetDec. This change also simplifies build and run on macOS.
- Added generation of export-table hashes into
retdec-fileinfo
.
- Added an automatic generation of API documentation for RetDec via Doxygen.
- Fixed assertions in the recognition of statically linked code.
- Fixed assertions during the decoding of some MIPS binaries.
- Fixed a memory leak when parsing Mach-O files.
- Our home page has received a makeover.
We have also released a new version of our IDA plugin.
For more details, see the full changelog.
We are proud to release a new version of our retargetable decompiler. This is the first update since the 3.0 version, which was open-sourced in December 2017.
Some of the most important changes:
- Unofficial support for building and running RetDec on macOS.
- Reduced the likelihood of system crashes and freezes by limiting the overall memory when running RetDec tools.
- More accurate decoding - a complete rewrite of binary to LLVM IR translation.
- More accurate statically linked code detection - cross-checking signature references.
- Detection of corrupted and unloadable PE files.
- Better detection of compilers and packers - added new signatures and heuristics. YARA signatures are compiled now, which results in faster scanning.
- New directory structure and tool names - we have added a retdec- prefix to all installed binaries and scripts.
- Easier project development - removal of git submodules.
- Build speedup and continuous integration builds.
- Many other bugfixes and enhancements.
For more details, see the full changelog.
Also, as a related change, we have disabled the online web decompilation service, which has been out of date since the end of 2017. As RetDec is open source, you can build and run it directly on your PC (visit our GitHub repository).
We are proud to release a brand new version of the retargetable decompiler. Among its main features are a decompilation plugin for the IDA disassembler, implementation of a loader for all the supported file formats, and added support for decompilation of archives, object files, and files in the Intel HEX format.
A list of changes:
- Publicly released an experimental version of our decompilation plugin for the IDA disassembler.
- Implemented a loader for all the supported file formats, which improves decompilation results.
- Added support for decompilation of archives (
ar
format) and object files. Archives are statically linked libraries, commonly ending with .a
or .lib
.
- Added support for decompilation of files in the Intel HEX format.
- Added detection of various YARA patterns (e.g. used cryptographic constants). Their presence is used to improve decompilation results. They are shown in comments in the generated C source code.
- Improved unpacking of UPX-packed binaries.
- Improved recognition of statically linked code.
- Improved reconstruction of return types and arguments for external functions.
- Reworked how raw machine code is decompiled so you no longer have to select a file format.
- Changes in our fileinfo service:
- It can now emit the output in the JSON format. Set "Output format" to "JSON" via settings when using the service.
- It now produces more information about input files. For example, it now includes hashes (file, sections, imports), relocation tables for the COFF format, detected YARA patterns (e.g. used cryptographic constants), and information about resources and certificates.
- Changes in our REST API:
- Added support for decompilation of files in archives (
ar
format). To decompile a file from an archive, use the bin mode and pass either the index of the file in the archive (ar_index
) or its name (ar_name
).
- Added support for decompilation of files in the Intel HEX format. To decompile such files, use the
bin
mode and pass the architecture and endianness of the machine code inside the file.
- The
raw_entry_point
and raw_section_vma
parameters in raw decompilations no longer accept the default
value. In both cases, you have to explicitly pass an address.
- The
raw_endian
parameter was renamed to endian
. Use of the original name is still supported, but it is deprecated.
- It is no longer required to set
file_format
in raw decompilations. When given, it will be ignored.
- It is no longer possible to force an architecture when decompiling a file in the
bin
mode. The architecture is now detected automatically from the input file.
- Compiler-optimization levels can now be also specified without the leading dash (e.g. you can pass
O1
instead of -O1
).
- Added a new optional parameter
output_format
to the fileinfo service. You can use it to obtain the output in the JSON format. A related change is that the extension of the output file now depends on the output format.
- Changes in our IDA plugin:
- Added support for decompilation of COFF object files.
- Added support for decompilation of Intel HEX files.
- Added support for decompilation of files containing just raw machine code.
- Added generation of IDA comments into C files generated by full decompilation.
- The plugin no longer performs automatic decompilation of the opened file upon the start of IDA.
- The plugin no longer ignores statically linked functions when selective decompilation is invoked through IDA.
- The plugin does not allow decompilation of non-existing files like objects extracted from archives.
- The plugin does not allow decompilations that it cannot properly handle.
- Many bug fixes.
The end of January brings a new version of the retargetable decompiler. It is mostly a bug-fixing release. However, we have also implemented several improvements (detection of compilers and packers, demangling of symbols, and emission of floating-point literals).
A list of changes:
- When decompiling from C code, the ISO C99 standard is now used instead of the ISO C90 standard.
- Improved detection of several compilers and packers on the PE file format.
- Improved demangling of symbols.
- Improved emission of floating-point literals. Float and long-double literals now end with
f
and L
, respectively.
- Improved reconstruction of string literals.
- Many bug fixes.
Starting from version 2.1, we will add features and fix found issues more frequently. The first sub-release, 2.1.1, has arrived today. Its main features are added demangling of symbols names and improved analysis of variables stored on the stack.
A list of changes:
- Added demanling of C++ symbol names. Supported formats are those produced by GCC, MSVC, and Borland. Demangled names are shown in comments.
- Improved analysis of variables stored on the stack.
- Improved unpacking of binaries packed by modified versions of UPX.
- Improved detection of binaries produced by the Visual Basic and GCC compilers on the PE file format.
- Many bug fixes.
We are proud to inform you that we have made a new version of our retargetable decompiler! Among the main features of this release belong a new instruction-decoding algorithm, improved detection of C++ classes and functions, improved decompilation of programs using wide strings or functions from the Windows API, and improved annotations (comments) in the generated high-level language.
A list of changes:
- Added a new instruction-decoding algorithm. The new algorithm is more precise and requires less memory.
- Added basic support for decompilation of COFF binary files, e.g. Windows object files (
*.o
).
- Added a new optimization of comparisons with boolean literals. This optimization simplifies code that performs comparisons to
true/false
.
- Improved detection of C++ classes. Our decompiler is now able to reconstruct class hierarchies, virtual-method tables, and recognize constructors, destructors, and virtual member functions. All these pieces of information are emitted as comments in the generated high-level language.
- Improved decompilation of ELF binary files containing segments instead of sections.
- Improved decompilation of PE binary files containing delayed imports.
- Improved decompilation of programs that use functions from the standard C mathematical library (
math.h
).
- Improved decompilation of shared (
*.so
) and dynamic (*.dll
) libraries.
- Improved decompilation of programs that use wide strings.
- Improved decompilation of programs that use functions from the Windows API.
- Improved decompilation of UPX-packed programs. Furthermore, we newly support unpacking of several UPX modifications.
- Improved detection of the tool used to create the input binary file (e.g. compiler and packer), including detection whether the input file contains bytecode. Keep in mind that our machine-code decompiler may produce inaccurate results when decompiling bytecode.
- Improved annotations (comments) in the generated high-level language:
- Functions are now divided into several categories: user-defined, statically linked, dynamically linked, system-call, and instruction-idiom functions.
- Local variables that were created from global variables (e.g. registers) now include the name of the global variable in a comment.
- Register names now correspond to real register names (e.g.
eax
or ebx
on Intel x86). Previously, we emitted our internal names.
- Goto-label addresses now correspond to addresses in the input binary file.
- The end address of a function is now the address of the last byte of the function (previously, it was the address of the first byte of the next function).
- Slightly improved reconstruction of for loops.
- Selective decompilation is now less aggressive in terms of elimination of stack accesses. This change ensures that important stack accesses (such as loading of string literals) are kept in the generated source code.
- Speeded up generation of the target high-level language when decompilation optimizations are disabled.
- The decompiler may now produce warnings. They are shown in the decompilation log when decompiling through our decompilation web service.
- Changes in our REST API:
- Added a new key to decompilation phases:
warnings
. It represents a list of warnings (strings) that were produced by the decompiler in the given phase.
- Many bug fixes.
The beginning of June brings a new version of the retargetable decompiler. It is mainly oriented towards bug fixing. Apart from that, we have improved many of our optimizations (both in terms of speed and quality of the produced code), improved decompilation of specific binary files (e.g. ELF files containing only segments), and updated versions of the used C compilers. Also, our REST API is now considered to be stable.
A list of changes:
- Speeded up many of our optimizations, which makes the decompiler run faster.
- Added support for decompilation of ELF files containing only segments.
- Added support for decompilation of MPRESS-packed binary files.
- Our REST API is now considered to be stable.
- Improved optimization of global variables to make the produced code contain less assignments to global variables.
- Improved utilization of PDB debug information (e.g. ARM/PE).
- Improved decompilation in the selected functions/address ranges mode (e.g. more accurate function detection).
- Improved decompilation of binary files that use the BSS section.
- Improved the output of our file-analyzing service service:
- Added presentation of information from the Rich header in PE binary files.
- Added detection of AutoIt and Eziriz.
- Minor improvements in the output from our disassembler (e.g. outputs for relocatable files).
- Updated versions of C compilers that are used to compile user-provided C source code into binary files. This update allowed us to add support of the PowerPC/ELF/Clang combination.
- The decompiler now generates
char
instead of int8_t
(e.g. strings are now of type char *
, not int8_t *
).
- Many bug fixes.
Alongside with the new domain, we are proud to present you a new version of the retargetable decompiler. The biggest feature is an experimental REST API. It allows anyone to write applications that interact with the decompiler by sending HTTP requests. In this way, you can run a script on your PC that decompiles given files by using our decompilation service and downloads the outputs. Other changes include improved function detection, several usability features, and bug fixes.
A list of changes:
- Added an experimental REST API.
- Improved algorithms for function detection.
- Changes in the file-analyzing service:
- Added information about overlay.
- Added a link to download the output from the analysis.
- Changes in the decompilation service:
- Added a new option under Decompilation Settings: Decompiler Optimizations. It allows you to change the level of optimizations performed by the decompiler.
- The output from the disassembler now contains register names instead of bare numbers.
- The generated files now have file names based on the name of the original input file.
- Internal change: We no longer convert the input binary file to a unified COFF-like representation. In our previous publications, we mentioned that the decompiler utilizes such a conversion.
- Many bug fixes.
We are happy to announce that we have moved our website and decompilation service to a new address: https://retdec.com/. We recommend updating your bookmarks to the new domain (web browser, RSS client etc.).
The end of September brings a new version of the retargetable decompiler. The main features are the ability to decompile only the selected functions or address ranges from input binary files and various improvements in the quality of the generated code. Besides that, this version is mostly oriented towards bug fixing.
A list of changes:
- Added support for decompiling only the selected functions or address ranges from input binary files. You can try it by selecting the "Executable File" input type in our decompilation service and setting the "Decompile" option in "Input File Settings" to "Selected Functions" or "Selected Ranges".
- Added reconstruction of more instruction idioms on Intel x86 and PowerPC.
- Added reconstruction of advanced system calls.
- Added a link to download all the generated results in a single ZIP archive (decompiled code, output from the disassembler, call and control-flow graphs).
- Added structuring of complex initializers before they are emitted into the decompiled code.
- Improved the output from the disassembler.
- Improved the detection of functions and their arguments on PowerPC.
- Improved the heuristic detection of the used compiler.
- Show the detected language(s) of the original source files in the decompiled code. This detection is based on debugging information.
- Many bug fixes.
A new version of the retargetable decompiler has just arrived! It contains many new features and enhancements. Among the most important ones belong added support for decompiling files with no file format containing just raw machine code (like firmware), improved reconstruction of complex data types (such as arrays and structures), and enhanced generation of variable names and symbolic constants. We have also created a Twitter profile for our decompiler.
A list of changes:
- added support for decompiling files with no file format containing just raw machine code (like firmware). You can try it by selecting the "Raw Machine Code" input type in our decompilation service.
- added a reconstruction of function names from dynamically linked libraries (DLL) based on ordinal numbers
- added a reconstruction of variables and constants stored over multiple registers
- added emission of global variable addresses into the generated source code
- added support for generating pointers to functions and arrays of function pointers into the generated source code
- added a detection and reconstruction of RTTI tables when decompiling programs written in C++. When RTTI tables are detected, we emit the class names and methods in comments into the generated source code.
- added new optimizations:
i += 1
and i -= 1
are generated as ++i
and --i
, respectively
- simplified the passing of arrays to functions (
&array[0]
to array
)
- added a renaming of variables based on usual names of parameters of standard-library functions. For example, a variable passed as the first argument of
fopen()
is named file_path
.
- extended the conversion of constants passed to functions from standard libraries to their symbolic names. For example, instead of
signal(2, 1)
, we now generate signal(SIGINT, SIG_IGN)
.
- improved the reconstruction of complex data types, such as arrays and structures
- improved the reconstruction of local variables
- improved the support for decompiling programs built with Microsoft Visual C++ (reconstruction of functions, arguments, and other program constructs)
- improved the default generator of variable names. Instead of fruit names, it now emits variables names
gX
, aX
, and vX
for global variables, function parameters, and other local variables, respectively.
- improved the reconstruction of switch statements
- improved the detection and use of debugging information in the DWARF format (the original language and used compiler)
- it is now possible to select the format of the generated call and control-flow graphs (the supported formats are SVG, PNG, and PDF)
- fix the generation of
continue/break
statements to outer loops (in C, continue/break
statements only apply to the innermost loop)
- fix the reconstruction of
printf()
and scanf()
calls with more exotic string formats
- many additional small enhancements and bug fixes
We are proud to inform you that we have made a new version of the retargetable decompiler! Among the main features of this release belong a preliminary version of complex data types reconstruction, experimental support for the PowerPC and PIC32 architectures, improved detection of statically linked code based on relocations, and reconstruction of code based on Linux system calls.
A list of changes:
- added a preliminary version of complex data types reconstruction, such as arrays and structures
- added experimental support for the PowerPC and PIC32 architectures. The limitations are no support for decompiling PowerPC binaries utilizing FPU, and not all combinations of file format/compiler/optimization flags are available when decompiling from C.
- added support for code reconstruction based on Linux system calls
- added support for emitting function pointers in the generated C code
- improved the decompilation of binaries produced by Clang
- improved the detection of statically linked code based on relocations
- improved the reconstruction of instruction idioms in Intel x86 binaries
- improved the support for decompiling wide strings
- improved the readability of the generated floating-point expressions
- larger numbers are now always emitted in the hexadecimal format, both in the generated C code and in the disassembled output
- decompilation speedup, mainly in the front-end part of the decompiler
- many small enhancements and bug fixes
A new version 1.5 of the retargetable decompiler is now up and running! The leading features of this version are reconstruction of simple data types, reconstruction of instruction idioms produced by a compiler into a more readable form, addition of more options to the decompilation form, and several new optimizations of the generated high-level language.
A list of changes:
- added reconstruction of simple data types
- added reconstruction of instruction idioms
- added more options to the decompilation form, namely
- a
-O3
optimization parameter when decompiling from C
- selecting a compiler when decompiling from C (GCC and Clang)
- selecting a new instruction set: ARM+Thumb
- added new optimizations of the generated high-level language, namely
- conversion of
if/else-if/else
constructs into switch
statements
- movement of negation inside expressions (e.g.
!e1 && !e2
instead of !(e1 || e2)
)
- conversion of dereferences into array accesses (e.g.
p[4]
instead of *(p + 4)
)
- use of compound operators instead of assignments (e.g.
i += 5
instead of i = i + 5
)
- added a recovery from decompilation errors (if some functions were decompiled with errors, an error message appears in the generated source code)
- added support of decompiling more types of MIPS processors
- various minor enhancements and bug fixes
We have created a new version of the retargetable decompiler. The main features of this version are a basic support of decompiling binaries created in Delphi, unpacking of files packed with several widely used packers and protectors, and various improvements of the readability of the decompiled code.
A list of changes:
- added a basic support of decompiling binaries created in Delphi
- added a new phase: unpacking of files packed with several widely used packers and protectors
- added a new optimization into the back-end: elimination of dead code
- added a support of recognizing and decompiling wide strings; that is, strings that are formed by characters spanning over multiple bytes
- improved the simplification of arithmetical expressions
- improved the output from our disassembler
- decompilation speedup
- various minor enhancements and bug fixes
A new release of the retargetable decompiler has just been made. Among the main features of this release belong basic support of Windows API, new optimizations, more configuration options in the online decompilation form, and a newsletter.
A list of changes:
- added a basic support for Windows API (types and renaming of variables storing values returned from functions)
- added a newsletter (you can subscribe by filling your email address in the header of our web)
- added a differentiation of optimizations into two categories: normal and aggressive. The latter may produce more readable code, although the output may not be necessarily correct in all cases. Moreover, added two aggressive optimizations of global variables and memory accesses.
- added more configuration options to the online decompilation form
- there are several types of variable-names renamers
- you can choose between normal and aggressive optimizations
- you can enable the decompilation of unreachable functions
- you can turn off the emission of addresses in the resulting code (comments of the form `// 0xXXXXXXXX`)
- added a basic support for the `long double` type from the C language
- improved the optimization of assignments into global variables
- improved the propagation of function calls (reduces the number of temporary variables)
- yet another speedup of the decoding phase
- various small enhancements and bug fixes
Today, we have made a new version of the retargetable decompiler. The main features of this version are a base implementation of FPU (Floating-Point Unit) on Intel x86, decoding speedup, elimination of unreachable code, and renaming of variables.
A list of changes:
- added a base implementation of FPU (Floating-Point Unit) on Intel x86
- speeded-up the decoding of Intel x86 binaries (up to 80%)
- added an optional elimination of unreachable functions from the generated code
- added a renaming of variables storing values from various functions in the standard libraries (for example,
int var1 = socket(..)
becomes int sock_fd = socket(..)
)
- added a basic conversion of constants passed to functions from the standard libraries to their symbolic names (for example,
flock(var2, 6))
becomes flock(var2, LOCK_EX | LOCK_NB)
)
- improved the detection of header files that have to be included for the decompiled functions from standard libraries (towards code re-compilation)
- added a basic detection and elimination of unreachable code after functions which do not return (like
exit()
or abort()
)
- added a support of several different renaming of variables
- improved the entry-point analysis
- various small enhancements and bug fixes
We are proud to inform you that we have made a new version of the retargetable decompiler. As of this version, the decompiler supports decompilation of binary files in the MS Windows PE format for the Intel x86 architecture.
A list of changes:
- added support for decompiling MS Windows PE binaries for Intel x86
- various small enhancements and bug fixes
We are pleased to introduce a new decompilation service. You can try our decompiler in your browser. Note that the service has some limitations (file size, target architecture, maximum decompilation time).
The decompiler now supports decompilation of Linux ELF binary files for the Intel x86 architecture. Hurray!
Welcome to our new website.
The retargetable decompiler now supports the ARMv7+Thumb architecture. Intel x86 is coming soon.
The retargetable decompiler has been successfully tested on the MIPS32 architecture. The next target is the ARMv7 architecture.
Research in the field of retargetable decompilation has started.