Good PowerPC Decompiler?

Discussion in 'Wii U - Hacking & Backup Loaders' started by BullyWiiPlaza, Feb 8, 2017.

  1. BullyWiiPlaza
    I think that Retargetable Decompiler can be a good choice since it supports PowerPC.


    I tried it out and it produces a result at least:

    Disassembled input:
    Code:
    0x1000000:   7c 08 02 a6       mfspr r0, 0x8
    0x1000004:   94 21 ff f0       stwu r1, 0xfffffff0 ( r1 )
    0x1000008:   90 61 00 08       stw r3, 0x8 ( r1 )
    0x100000c:   90 81 00 0c       stw r4, 0xc ( r1 )
    0x1000010:   90 01 00 14       stw r0, 0x14 ( r1 )
    0x1000014:   90 03 00 8c       stw r0, 0x8c ( r3 )
    0x1000018:   90 03 00 98       stw r0, 0x98 ( r3 )
    0x100001c:   80 61 00 08       lwz r3, 0x8 ( r1 )
    0x1000020:   7c 81 e2 a6       mfspr r4, 0x381
    0x1000024:   90 a3 00 9c       stw r5, 0x9c ( r3 )
    0x1000028:   a1 83 01 ba       lhz r12, 0x1ba ( r3 )
    0x100002c:   90 43 00 10       stw r2, 0x10 ( r3 )
    0x1000030:   61 8c 00 04       ori r12, r12, 0x4
    0x1000034:   39 60 00 01       addi r11, 0, 0x1
    0x1000038:   b1 83 01 ba       sth r12, 0x1ba ( r3 )
    0x100003c:   7c a2 e2 a6       mfspr r5, 0x382
    0x1000040:   91 63 00 14       stw r11, 0x14 ( r3 )
    0x1000044:   91 a3 00 3c       stw r13, 0x3c ( r3 )
    0x1000048:   91 c3 00 40       stw r14, 0x40 ( r3 )
    0x100004c:   7c c3 e2 a6       mfspr r6, 0x383
    0x1000050:   91 e3 00 44       stw r15, 0x44 ( r3 )
    0x1000054:   92 03 00 48       stw r16, 0x48 ( r3 )
    0x1000058:   92 23 00 4c       stw r17, 0x4c ( r3 )
    0x100005c:   7c e4 e2 a6       mfspr r7, 0x384
    0x1000060:   92 43 00 50       stw r18, 0x50 ( r3 )
    0x1000064:   92 63 00 54       stw r19, 0x54 ( r3 )
    0x1000068:   92 83 00 58       stw r20, 0x58 ( r3 )
    0x100006c:   7d 05 e2 a6       mfspr r8, 0x385
    0x1000070:   92 a3 00 5c       stw r21, 0x5c ( r3 )
    0x1000074:   92 c3 00 60       stw r22, 0x60 ( r3 )
    0x1000078:   92 e3 00 64       stw r23, 0x64 ( r3 )
    0x100007c:   7d 26 e2 a6       mfspr r9, 0x386
    0x1000080:   93 03 00 68       stw r24, 0x68 ( r3 )
    0x1000084:   93 23 00 6c       stw r25, 0x6c ( r3 )
    0x1000088:   93 43 00 70       stw r26, 0x70 ( r3 )
    0x100008c:   7d 47 e2 a6       mfspr r10, 0x387
    0x1000090:   93 63 00 74       stw r27, 0x74 ( r3 )
    0x1000094:   93 83 00 78       stw r28, 0x78 ( r3 )
    0x1000098:   93 a3 00 7c       stw r29, 0x7c ( r3 )
    0x100009c:   7d 69 02 a6       mfspr r11, 0x9
    0x10000a0:   93 c3 00 80       stw r30, 0x80 ( r3 )
    0x10000a4:   93 e3 00 84       stw r31, 0x84 ( r3 )
    0x10000a8:   90 83 01 c0       stw r4, 0x1c0 ( r3 )
    0x10000ac:   7d 80 00 26       mfcr r12
    0x10000b0:   90 a3 01 c4       stw r5, 0x1c4 ( r3 )
    0x10000b4:   90 c3 01 c8       stw r6, 0x1c8 ( r3 )
    0x10000b8:   7c c1 02 a6       mfspr r6, 0x1
    0x10000bc:   90 e3 01 cc       stw r7, 0x1cc ( r3 )
    0x10000c0:   91 03 01 d0       stw r8, 0x1d0 ( r3 )
    0x10000c4:   7c 89 ea a6       mfspr r4, 0x3a9
    0x10000c8:   91 23 01 d4       stw r9, 0x1d4 ( r3 )
    0x10000cc:   91 43 01 d8       stw r10, 0x1d8 ( r3 )
    0x10000d0:   7c aa ea a6       mfspr r5, 0x3aa
    0x10000d4:   90 c3 00 94       stw r6, 0x94 ( r3 )
    0x10000d8:   91 63 00 90       stw r11, 0x90 ( r3 )
    0x10000dc:   7c cd ea a6       mfspr r6, 0x3ad
    0x10000e0:   91 83 00 88       stw r12, 0x88 ( r3 )
    0x10000e4:   90 83 03 08       stw r4, 0x308 ( r3 )
    0x10000e8:   7c ee ea a6       mfspr r7, 0x3ae
    0x10000ec:   90 a3 03 0c       stw r5, 0x30c ( r3 )
    0x10000f0:   90 c3 03 10       stw r6, 0x310 ( r3 )
    0x10000f4:   7d 08 ea a6       mfspr r8, 0x3a8
    0x10000f8:   90 e3 03 14       stw r7, 0x314 ( r3 )
    0x10000fc:   91 03 03 18       stw r8, 0x318 ( r3 )
    0x1000100:   7d 2c ea a6       mfspr r9, 0x3ac
    0x1000104:   80 01 00 14       lwz r0, 0x14 ( r1 )
    0x1000108:   38 21 00 10       addi r1, r1, 0x10
    0x100010c:   7c 08 03 a6       mtspr 0x8, r0
    0x1000110:   91 23 03 1c       stw r9, 0x31c ( r3 )
    0x1000114:   38 60 00 00       addi r3, 0, 0x0
    Decompiled output:
    Code:
    #include <stdint.h>
    
    // ------------------- Function Prototypes --------------------
    
    int32_t entry_point(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, int32_t a6, int32_t a7, int32_t a8, int32_t a9, int32_t a10, int32_t a11, int32_t a12, int32_t a13, int32_t a14, int32_t a15, int32_t a16, int32_t a17, int32_t a18, int32_t a19, int32_t a20, int32_t a21, int32_t a22, int32_t a23, int32_t a24);
    
    // ------------------------ Functions -------------------------
    
    // Address range: 0x1000000 - 0x1000117
    //
    // Decompiler output for the disassembly listed above, kept exactly as the
    // tool emitted it. Read it next to the disassembly rather than on its own:
    // most stores that appear here as "= 0" correspond to "stw rN, off(r3)"
    // instructions that write live register values, so the constants look like
    // a modelling artifact of the decompiler, not values the machine code writes.
    //
    // Only a1 and a3 are read in the body; the other 22 parameters are never
    // used. a1 is treated as a base address (cast to a pointer and offset).
    int32_t entry_point(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, int32_t a6, int32_t a7, int32_t a8, int32_t a9, int32_t a10, int32_t a11, int32_t a12, int32_t a13, int32_t a14, int32_t a15, int32_t a16, int32_t a17, int32_t a18, int32_t a19, int32_t a20, int32_t a21, int32_t a22, int32_t a23, int32_t a24) {
        // 0x1000000
        int32_t v1; // bp-16
        // Stores the address of v1 into an int32_t without a cast; presumably
        // how the tool rendered the "stwu r1, ..." stack-frame setup.
        v1 = &v1;
        // Offsets 140 (0x8c) and 152 (0x98): the disassembly stores r0, which
        // was loaded with "mfspr r0, 0x8"; the decompiler shows 0.
        *(int32_t *)(a1 + 140) = 0;
        *(int32_t *)(a1 + 152) = 0;
        // Offset 156 (0x9c): "stw r5, 0x9c(r3)", rendered as the third parameter.
        *(int32_t *)(a1 + 156) = a3;
        // Offset 16 (0x10): the disassembly stores r2 here.
        *(int32_t *)(a1 + 16) = 0;
        // Matches the lhz / ori 0x4 / sth sequence on offset 0x1ba.
        *(int16_t *)(a1 + 442) = *(int16_t *)(a1 + 442) | 4;
        // Offset 20 (0x14): r11 was set to 1 by "addi r11, 0, 0x1".
        *(int32_t *)(a1 + 20) = 1;
        // Offsets 60..132 (0x3c..0x84): the disassembly stores r13 through r31
        // here, one register per word.
        *(int32_t *)(a1 + 60) = 0;
        *(int32_t *)(a1 + 64) = 0;
        *(int32_t *)(a1 + 68) = 0;
        *(int32_t *)(a1 + 72) = 0;
        *(int32_t *)(a1 + 76) = 0;
        *(int32_t *)(a1 + 80) = 0;
        *(int32_t *)(a1 + 84) = 0;
        *(int32_t *)(a1 + 88) = 0;
        *(int32_t *)(a1 + 92) = 0;
        *(int32_t *)(a1 + 96) = 0;
        *(int32_t *)(a1 + 100) = 0;
        *(int32_t *)(a1 + 104) = 0;
        *(int32_t *)(a1 + 108) = 0;
        *(int32_t *)(a1 + 112) = 0;
        *(int32_t *)(a1 + 116) = 0;
        *(int32_t *)(a1 + 120) = 0;
        *(int32_t *)(a1 + 124) = 0;
        *(int32_t *)(a1 + 128) = 0;
        *(int32_t *)(a1 + 132) = 0;
        // Offsets 448..472 (0x1c0..0x1d8): the disassembly stores the values
        // read with mfspr 0x381 through 0x387.
        *(int32_t *)(a1 + 448) = 0;
        *(int32_t *)(a1 + 452) = 0;
        *(int32_t *)(a1 + 456) = 0;
        *(int32_t *)(a1 + 460) = 0;
        *(int32_t *)(a1 + 464) = 0;
        *(int32_t *)(a1 + 468) = 0;
        *(int32_t *)(a1 + 472) = 0;
        // Offsets 148, 144, 136 (0x94, 0x90, 0x88): values read with
        // "mfspr r6, 0x1", "mfspr r11, 0x9" and "mfcr r12" in the disassembly.
        *(int32_t *)(a1 + 148) = 0;
        *(int32_t *)(a1 + 144) = 0;
        *(int32_t *)(a1 + 136) = 0;
        // Offsets 776..796 (0x308..0x31c): values read with mfspr 0x3a9, 0x3aa,
        // 0x3ad, 0x3ae, 0x3a8 and 0x3ac in the disassembly.
        *(int32_t *)(a1 + 776) = 0;
        *(int32_t *)(a1 + 780) = 0;
        *(int32_t *)(a1 + 784) = 0;
        *(int32_t *)(a1 + 788) = 0;
        *(int32_t *)(a1 + 792) = 0;
        *(int32_t *)(a1 + 796) = 0;
        // Corresponds to the final listed instruction "addi r3, 0, 0x0"; the
        // listing shown ends there, with no return instruction inside the range.
        return 0;
    }
    We just need to implement the API and off we go. Can someone please help writing an example Java/Python/curl script which takes a Raw.bin file from your PC containing PowerPC machine code and decompiles it using the API? Their decompile.py doesn't seem to work while the website version does:
    Code:
    $ decompile.py --api-key my-secret-api-key Dump.bin
    Dump.bin (ID: 25gwz3XGRZ) [##                                      ] 5% FAIL
    error: File format of the input file is not supported. Supported formats: PE, ELF, COFF, Mach-O, Intel HEX, Raw Data.
    
    $ decompile.py --api-key my-secret-api-key Dump.bin -a powerpc
    error: POST request to 'https://retdec.com/service/api/decompiler/decompilations' returned '422 Unsupported Combination (Unsupported combination of 'mode' ('bin') and 'architecture' ('powerpc').)'
    Other decompilers like Boomerang probably don't even work or maybe someone can try that one as well. It crashed when I gave it an RPL but what else is to be expected. I'm not sure yet how to give it a machine code function only.

    Aerosoul94 also made a modified Snowman decompiler for PowerPC but it only loads RPLs and no raw machine code apparently. Do NOT attempt to decompile entire RPLs. The IDA Pro plugin does work for decompiling certain functions. However, the decompilation is pretty bad. We can't do any better than that though because only HexRays makes better decompilers but they are commercial.

    Please help me try out various things to figure out what works best for decompiling PowerPC raw machine code as a standalone application.

    @CosmoCortney
    @PandaOnSmack
    @HackingNewbie
    @Maschell
    @NWPlayer123
    @DarkFlare69
    @QuarkTheAwesome
     
    Last edited by BullyWiiPlaza, Feb 12, 2017


  2. PandaOnSmack

    Have you created an account and got an API key?
     
  3. BullyWiiPlaza
    Yes, I can query the API now but the exact request details/script needs to be worked out in case Retargetable produces any kind of useful output. Otherwise there is Aerosoul94's modified Snowman also. He also told me the output produced by Retargetable I posted above is wrong.
     
    Last edited by BullyWiiPlaza, Feb 9, 2017
  4. FaTaL_ErRoR

  5. QuarkTheAwesome

    To be brutally honest, I think that in most cases it's easier to read PowerPC Assembly than stuff like the output of Snowman. I'm also not a huge fan of the disassembly shown above - it's missing things like mnemonics (mfspr 0x8 = mflr) and negative numbers. The decompilation is (arguably) worse, although it seems it was fed an odd program to begin with (is that for the old Wii and/or GC?).
    So yeah, I'll stick with IDA. As a side note, if you're making a program that just disassembles and prints the result, using readelf/objdump will save you the effort. There's even special versions that come with devkitPPC!
     
  6. BullyWiiPlaza
    Yeah, the example assembly was some nonsense kernel initialization code right at the beginning of the .text section.

    I was just thinking it would be cool to add a decompiler feature for functions in my TCP Gecko client application so people don't need IDA and can do it on the "live" RAM even though decompiling PPC seems to be terrible and almost useless anyway. Better having this than not :P
     
    Last edited by BullyWiiPlaza, Feb 10, 2017
  7. HackingNewbie

    I'll try making the python script
     
    Last edited by HackingNewbie, Feb 12, 2017
  8. HackingNewbie

    So, I made the python script for you. This is python 3. You will need to run this in cmd:
    Code:
    pip install requests
    
    This is of course incomplete, right now it gives me an error because I don't have the API key, so you will have to add that in :P
    Without further ado, here is the code:
    Code:
    
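    import os

    import requests

    # Flat script: upload a local binary to the decompilation service and print
    # the raw HTTP response and status code.
    url = "https://retdec.com/service/api/decompiler/decompilations"
    dump_path = r"C:\Users\Joseph\Desktop\Nintendo Hacking\wii u\JGecko U\dumps\AMKP01\47C8319B.bin"

    # Keep the API key out of the script so it does not end up in forum posts or
    # version control. RETDEC_API_KEY is a name chosen for this example.
    api_key = os.environ.get("RETDEC_API_KEY", "")

    if not api_key:
        print("Set the RETDEC_API_KEY environment variable first.", end="\n\n")
    else:
        # The previous version put the path *string* in the "input" form field,
        # so the service never received the file's bytes. Send the contents as a
        # multipart upload instead.
        # Uploading a memory dump discloses its contents to a third party; only
        # send data you are allowed to share.
        # NOTE(review): assumes the service uses HTTP basic auth with the API key
        # as the user name and an empty password - confirm against its API docs.
        # NOTE(review): elsewhere in this thread, mode "bin" is rejected for a
        # headerless dump; check the API docs for how raw input must be declared.
        with open(dump_path, "rb") as dump:
            r = requests.post(
                url,
                data={"mode": "bin"},
                files={"input": dump},
                auth=(api_key, ""),
                timeout=60,  # do not hang forever if the service stops answering
            )

        print(r.text, end="\n\n")
        print(r.status_code, end="\n\n")

    input("Press the enter key to exit.")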
    
     
  9. BullyWiiPlaza
    You should sign up for an API key and see if it works out for you :)
     
  10. HackingNewbie

    Does it cost money?
     
  11. BullyWiiPlaza
    No, it's free
     
  12. HackingNewbie

    K, shall try out now!
     
  13. HackingNewbie

    OK, I was ripping my hair out and then saw the retdec-python library. Install like this in CMD:
    Code:
    pip install retdec-python
    
    Here is the code:
    Code:
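    import os

    from retdec.decompiler import Decompiler

    # Read the key from the environment instead of hard-coding it in a script
    # that gets shared; RETDEC_API_KEY is a name chosen for this example.
    decompiler = Decompiler(api_key=os.environ["RETDEC_API_KEY"])
    # Raw string: in an ordinary literal the "\r" in "\ram" is a carriage return,
    # so the path would not name the intended file.
    decompilation = decompiler.start_decompilation(input_file=r"C:\path\of\ram\dump.bin")
    # Blocks until the service reports a result; a later post in this thread
    # shows this call raising DecompilationFailedError for an unsupported input.
    decompilation.wait_until_finished()
    decompilation.save_hll_code()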
    
    I noticed with the API you had to specify a mode, but with this it detects the mode using the file extension, so as long as the dump is a .bin file, it should decompile it as raw machine code (like firmware, as they say :D). You may have to prefix the path with r like this:
    Code:
    ...
    # The r prefix makes this a raw string, so backslashes in the Windows path
    # (for example the "\r" in "\ram") are kept literally instead of being
    # interpreted as escape sequences.
    decompilation = decompiler.start_decompilation(input_file=r"C:\path\of\ram\dump.bin")
    ...
    
     
    Last edited by HackingNewbie, Feb 12, 2017
  14. BullyWiiPlaza
    @HackingNewbie:
    Uhm. Please don't pretend you got the solution if you didn't test it and got it to work :/
    Code:
    $ python decompile.py
    Traceback (most recent call last):
      File "decompile.py", line 5, in <module>
        decompilation.wait_until_finished()
      File "C:\Python34\lib\site-packages\retdec\decompilation.py", line 149, in wait_until_finished
        self._handle_failure(on_failure, self._error)
      File "C:\Python34\lib\site-packages\retdec\resource.py", line 131, in _handle_failure
        raise obj
    retdec.exceptions.DecompilationFailedError: File format of the input file is not supported. Supported formats: PE, ELF, COFF, Mach-O, Intel HEX, Raw Data.
     
  15. HackingNewbie

    It worked for me
     
  16. BullyWiiPlaza
    Okay, it might be the dump then. Can you upload yours for testing please?
     
  17. HackingNewbie

    Change the file extension from .txt to .bin because I'm not allowed to upload .bin files. It seems to work on any dump I make. are you using a .bin?
    EDIT: It's not working any more
     

    Attached Files:

    Last edited by HackingNewbie, Feb 12, 2017
  18. BullyWiiPlaza
    It never did and yet again you miss the point by giving it data instead of executable code...
    The assembly is below the 0x10000000 memory range by the way since you started the dump there.

    I contacted them now asking how to do it with the API.
     
    Last edited by BullyWiiPlaza, Feb 12, 2017
  19. Chakratos

    Instead of being a dick you could appreciate the work of others that want to help you
     
  20. BullyWiiPlaza
    It's not being a dick when they do something fundamentally wrong a 2nd time so of course it wouldn't work with invalid input and just wastes time so better not post then when you don't know what you're doing.
     
    Last edited by BullyWiiPlaza, Feb 12, 2017