RetDec框架之bin2llvmir工具的使用
python .\retdec-decompiler.py <binary_path>    （旧版 release 的调用方式；新版 release 已不再附带该脚本，改为直接运行 retdec-decompiler.exe，见文末说明）
测试代码
#include<iostream>
#include<windows.h>
#include<intrin.h>
using namespace std;
// Operands for the arithmetic in main(). They are globals rather than
// literals so the decompiler sees memory loads instead of immediates.
int dummy_1 = 1, dummy_2 = 2;
// Sink for every intermediate result; printed after each operation.
int res = 0;
// Receives EAX/EBX/ECX/EDX from __cpuid(); zero-filled like any
// file-scope array.
int cpuid[4] = {0};
// Test driver for bin2llvmir: one Win32 anti-debug call, six arithmetic
// operations on globals, one CPUID intrinsic and one branch, each
// followed by a printf so nothing is dead and every result is observable.
// NOTE(review): printf is not declared by any header included directly;
// it only arrives transitively (presumably via <iostream> on MSVC, given
// the <intrin.h>/__cpuid usage). Add #include <cstdio> for portability.
int main()
{
// Anti-debug probe. The result is stored to a global and printed so the
// call cannot be optimised away; the decompiled listing below keeps it
// as a direct IsDebuggerPresent() call, i.e. this check is trivially
// visible to anyone reading the binary.
res = IsDebuggerPresent();
printf("%d\n", res);
// Arithmetic on two global operands. NOTE(review): in the decompiled
// output every result shows up as a literal (3, -1, 2, 0, 2, 0), so the
// operands were constant-folded somewhere between the compiler and
// bin2llvmir; declare dummy_1/dummy_2 volatile if the operations
// themselves must survive into the IR.
res = dummy_1 + dummy_2;
printf("%d\n", res);
res = dummy_1 - dummy_2;
printf("%d\n", res);
res = dummy_1 * dummy_2;
printf("%d\n", res);
// Integer division: 1 / 2 == 0.
res = dummy_1 / dummy_2;
printf("%d\n", res);
res = dummy_1 << 1;
printf("%d\n", res);
res = dummy_1 >> 1;
printf("%d\n", res);
// CPUID leaf 9. The four output registers are written to the global
// cpuid[] but never read back here; res still holds dummy_1 >> 1 (0) at
// the comparison below, so the branch does not depend on the CPUID
// result at all.
__cpuid(cpuid, 9);
if (res == 3)
{
res = 0x111111;
}
else
res = 0x777777;
printf("%d\n", res);
return 0;
}
反编译后的代码
// RetDec output for main() of the test program above. Global names are
// decompiler-assigned: g42 is the source's `res` (every write that
// targeted res lands here); g38..g41 receive the four CPUID output
// values, presumably the source's cpuid[0..3]. The trailing `// 0x...`
// comments are the decompiler's own address annotations.
int32_t function_401040(void) {
struct struct1 v1; // 0x4010e7
// The anti-debug call is recovered by name; its result is both stored
// to the global and printed, exactly as in the source.
int32_t v2 = IsDebuggerPresent(); // 0x401042
g42 = v2;
printf("%d\n", v2);
// +, -, *, /, <<, >> on dummy_1/dummy_2 were all folded to literals
// (3, -1, 2, 0, 2, 0): no arithmetic on the globals survives into the
// listing, only the stores to res and the prints.
g42 = 3;
printf("%d\n", 3);
g42 = -1;
printf("%d\n", -1);
g42 = 2;
printf("%d\n", 2);
g42 = 0;
printf("%d\n", 0);
g42 = 2;
printf("%d\n", 2);
g42 = 0;
printf("%d\n", 0);
// CPUID leaf 9 is lifted as an intrinsic-like call returning a
// four-field struct; the fields are scattered into g38..g41, with the
// e1/e3 stores sunk below the branch computation.
v1 = __asm_cpuid(9);
g38 = v1.e0;
g40 = v1.e2;
// The source's if/else on `res == 3` becomes a select on g42. Unless
// g42 is written elsewhere, it still holds the last folded value (0)
// here, so v3 evaluates to 0x777777.
int32_t v3 = g42 == 3 ? 0x111111 : 0x777777; // 0x401108
g39 = v1.e1;
g41 = v1.e3;
g42 = v3;
printf("%d\n", v3);
return 0;
}
后面去 GitHub 下载了新的 RetDec release，发现没有 retdec-decompiler.py 这个脚本了，但是多了 retdec-decompiler.exe。之前用老的 release 反编译一些较大的 DLL（2.69 MB）时会出现内存不够的情况：老的 release 是 x86（32 位）构建，单个进程的用户态地址空间默认只有 2 GB（开启 /LARGEADDRESSAWARE 并运行在 64 位 Windows 上时最多 4 GB），反编译过程中生成的中间表示很容易超过这个上限；如果新 release 是 x64 构建，就不再受这个限制。