{"id":125,"date":"2012-03-10T23:55:46","date_gmt":"2012-03-10T22:55:46","guid":{"rendered":"http:\/\/kronotai.com\/wordpress\/?page_id=125"},"modified":"2012-03-10T23:55:46","modified_gmt":"2012-03-10T22:55:46","slug":"documentation","status":"publish","type":"page","link":"https:\/\/kronotai.com\/wordpress\/holdec\/documentation\/","title":{"rendered":"Documentation"},"content":{"rendered":"<p>\t\t\t\t<![CDATA[Simple example:\n$ java -Xmx1000m -jar holdec-1.1.jar -e \/path\/to\/executable -c allFunctions -i\nWill create a text file <code>all_decompiled_source_code.c<\/code> in the current directory. It will also read <code>\/path\/to\/executable.info<\/code> which contains more information about the executable and hints for the decompiler.\nIncrease the memory for larger methods.\n\n\n<h1>The Info file<\/h1>\n\n\nThe info file is read and written by the decompiler. The file structure is similar to an ini file and consists of sections which start with <code>[sectionName]<\/code>. Lines starting with a <code>#<\/code> are comments.\n\n\n<h2>The function section<\/h2>\n\n\nThis is a very common section. The section name is the address of the function and the section contains more information about this function. An example of this section may be:\n\n\n<pre lang=\"C\">\n[0x80487f0]\nsignature: d4 hexdump(d1 *fname)\nlocal-variable: 20,40,default,stat_buffer\nlocal-variable: 92,16,,read_buffer\n<\/pre>\n\n\n\n\n<h3>The signature line<\/h3>\n\n\nAs the name suggests this contains the signature of this function. The signature is similar to C with some extensions:\n\n\n<ul>\n\n\n<li>The types d1, d2, d4 and d8 stand for integer data types of 1, 2, 4 and 8 bytes size with unknown signedness. The types s1, s2, s4 and s8 stand for signed integer data types. The types u1, u2, u4 and u8 stand for unsigned integer data types. 
Note that depending on the memory model these types may also represent pointers.<\/li>\n\n\n\n\n<li>The basic integer types of C (char, short, int, long, long long) are available.<\/li>\n\n\n\n\n<li>The <code>const<\/code> keyword is discarded.<\/li>\n\n\n\n\n<li>The register transfer place is by default assumed to be the stack. This can be overridden using a notation with <code>&lt;<\/code> and <code>&gt;<\/code> to specify the register. An example is:<\/li>\n\n\n<\/ul>\n\n\n\n\n<pre lang=\"C\">\nsignature: d4 memcpy(d4 dest<eax>, d4 src<edx>, d4 size<ebx>)\n<\/pre>\n\n\n\n\n<ul>\n\n\n<li>Optionally, it is possible to specify a set of flags. The syntax uses <code>{<\/code> and <code>}<\/code>, as in:<\/li>\n\n\n<\/ul>\n\n\n\n\n<pre lang=\"C\">\nsignature: d4 foo(d4 p1 <edx>, d4 p2 <ecx>){calleePopsStack=8,rs.ebp=PERSERVED,rs.edi=PERSERVED,rs.esi=PERSERVED}\n<\/pre>\n\n\nCurrently supported flags are:\n\n\n<ul>\n    \n\n<li><code>fixed<\/code>: denotes that the signature is fixed and will not change. Examples are library functions.<\/li>\n\n\n    \n\n<li><code>rs.&lt;reg&gt;=&lt;status&gt;<\/code>: Specifies the register state of the given register. Currently only <code>PERSERVED<\/code> is supported.<\/li>\n\n\n    \n\n<li><code>calleePopsStack=&lt;number&gt;<\/code>: Number of bytes this method pops from the stack before it returns.<\/li>\n\n\n<\/ul>\n\n\n\n\n<h3>The proposed-signature line<\/h3>\n\n\nIf the decompiler finds information about the method (e.g. the number and types of parameters), it will create a signature line if no such line exists, and a proposed-signature line if there is already a signature. It is up to the user to merge these two lines.\n\n\n<h3>The local-variable line<\/h3>\n\n\nMay occur multiple times. Specifies a local variable. Syntax is: <code>local-variable: &lt;start&gt;,&lt;size&gt;,&lt;flags&gt;,&lt;name&gt;<\/code>. Start and size are in bytes. 
The currently supported flag is <code>default<\/code>, meaning that any non-fixed-offset access to the local stack area will access this variable.\n\n\n<h2>The dataRanges section<\/h2>\n\n\nLists the areas within the code areas of the executable which are not executed. These may be padding nops after a return, a jump table or some variable. Each line consists of the start and next valid address and an optional comment. Example:\n\n\n<pre lang=\"C\">\n[dataRanges]\n0x020044-0x020050\n0x020177-0x020180;unused+block+with+nops\n0x027e58-0x027e84;jump+table+11+4-byte+entries\n<\/pre>\n\n\n\n\n<h2>The extraFunctions section<\/h2>\n\n\nLists the starting addresses of functions which aren&#8217;t detected by the decompiler. Example:\n\n\n<pre lang=\"C\">\n[extraFunctions]\n0x020003\n0x020010\n<\/pre>\n\n\n\n\n<h2>The activeFunctions section<\/h2>\n\n\nLists the addresses of functions which should be decompiled when <code>-c activeFunctions<\/code> is passed to holdec on the command line. Example:\n\n\n<pre lang=\"C\">\n[activeFunctions]\n0x01238\n0x08718\nmain\n<\/pre>\n\n\n\n\n<h2>The volatileRanges section<\/h2>\n\n\nThe holdec decompiler tries aggressively to merge memory reads and writes. It assumes that a memory location is not changed by some other entity. A busy-waiting loop will, for example, be discarded. To prevent this, one can specify ranges of memory addresses which are modified by some other entity and so require a memory reload every time. Example (for the Amiga):\n\n\n<pre lang=\"C\">\n[volatileRanges]\n0xdff000-0xdff1be\n0xbfe000-0xbfefff\n0xbfd000-0xbfdfff\n<\/pre>\n\n\n\n\n<h2>The globals section<\/h2>\n\n\nAllows giving fixed memory addresses (global variables) names. 
Example:\n\n\n<pre lang=\"C\">\n[globals]\n0x01234:rand_seed\n0x012a0:last_mouse_x\n0x012a1:scratch_area_128_bytes\n<\/pre>\n\n\n]]>\t\t<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\t\t\t\t<![CDATA[]]>\t\t <a href=\"https:\/\/kronotai.com\/wordpress\/holdec\/documentation\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":28,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-125","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/pages\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":0,"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/pages\/125\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/pages\/28"}],"wp:attachment":[{"href":"https:\/\/kronotai.com\/wordpress\/wp-json\/wp\/v2\/media?parent=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}