FAQ

John Källén

Frequently Asked Questions

I have a binary that has been packed with a [Packer] and Decompiler is failing to open it.
Decompiler has an extensible architecture that supports adding unpacking scripts. If you need assistance with a specific unpacking script, create a Feature request and you will get assistance.

How do I decompile MS-DOS or COM files, or other executables that don't have an executable file structure?
The Decompiler will look for 'magic numbers' in the binary file you hand to it, to try to determine what kind of executable it is. However, some operating environments have simplistic binary formats. These usually involve reading the contents of the image file, which consists of machine code and data, but no metadata, into a particular well-known address in memory and then starting execution at that same address. Other times, all you have is a raw dump of executable code, with no metadata at all.

Because there is no executable header in such a file, the Decompiler doesn't know what kind of machine code it is dealing with, nor what operating environment the executable is expecting to be available. In these cases the operator needs to provide Decompiler with some assistance to get it started.

If you are using the GUI client, go to the main menu and select File > Open As.... This gives you a dialog box where you can select the executable file you wish to decompile, the processor architecture to use when decompiling it, and the operating environment to use for system calls. Finally, specify the address at which the file contents should be loaded.

If you are using the command-line client, use the following incantation:

decompile --arch <processor> --env <O/S> --base <address> --entry <address> <filename>

Examples: if your executable is an MS-DOS COM file, use

decompile --arch x86-real-16 --env ms-dos --base 0C00:0100 foo.com

Notice that if you leave out the --entry switch, Decompiler will use the --base address as a starting point.

If your executable is a CP/M COM file, you would use

decompile --arch z80 --env cpm --base 0100 foo.com

(assuming there were a CP/M environment available -- unfortunately not at the time of writing)
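
As an added example (not part of Decompiler or its documentation), the Python code below performs the triage described above: it checks a file image for a few well-known magic numbers and, if none is found, builds the MS-DOS COM command line shown earlier. The signature table, the function names and the COM size check are this example's own assumptions; only the `decompile` switches and their values come from this page.

```python
import shlex

# Well-known header signatures (illustrative subset, not Decompiler's own table).
MAGICS = {
    b"MZ": "MS-DOS/PE executable",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O (32-bit, big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O (32-bit, little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit, little-endian)",
}

# A COM image is loaded at offset 0100 and must fit in one 64 KiB segment.
COM_MAX = 0x10000 - 0x100


def sniff(data: bytes):
    """Return a format name if the image starts with a known magic number, else None."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def linear(seg_off: str) -> int:
    """Convert a real-mode segment:offset string such as 0C00:0100 to a linear address."""
    seg, off = (int(part, 16) for part in seg_off.split(":"))
    if not (0 <= seg <= 0xFFFF and 0 <= off <= 0xFFFF):
        raise ValueError(f"segment and offset must be 16-bit: {seg_off}")
    return (seg << 4) + off


def raw_com_command(data: bytes, filename: str, base: str = "0C00:0100"):
    """Build the decompile argv for a headerless MS-DOS COM image, or raise ValueError."""
    fmt = sniff(data)
    if fmt is not None:
        raise ValueError(f"{filename} has a {fmt} header; open it normally")
    if not data or len(data) > COM_MAX:
        raise ValueError(f"{filename}: {len(data)} bytes cannot be a COM image")
    return ["decompile", "--arch", "x86-real-16", "--env", "ms-dos",
            "--base", base, filename]


if __name__ == "__main__":
    # Constructed sample: mov ah,4Ch / int 21h, a minimal DOS exit stub.
    sample = bytes.fromhex("b44ccd21")
    print(shlex.join(raw_com_command(sample, "foo.com")))
    print(hex(linear("0C00:0100")))  # load address as a linear offset
```
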

