Hacking Good PowerPC Decompiler?

[BullyWiiPlaza]

I think that Retargetable Decompiler can be a good choice since it supports PowerPC.

I tried it out and it produces a result at least:

Disassembled input:

0x1000000:   7c 08 02 a6       mfspr r0, 0x8
0x1000004:   94 21 ff f0       stwu r1, 0xfffffff0 ( r1 )
0x1000008:   90 61 00 08       stw r3, 0x8 ( r1 )
0x100000c:   90 81 00 0c       stw r4, 0xc ( r1 )
0x1000010:   90 01 00 14       stw r0, 0x14 ( r1 )
0x1000014:   90 03 00 8c       stw r0, 0x8c ( r3 )
0x1000018:   90 03 00 98       stw r0, 0x98 ( r3 )
0x100001c:   80 61 00 08       lwz r3, 0x8 ( r1 )
0x1000020:   7c 81 e2 a6       mfspr r4, 0x381
0x1000024:   90 a3 00 9c       stw r5, 0x9c ( r3 )
0x1000028:   a1 83 01 ba       lhz r12, 0x1ba ( r3 )
0x100002c:   90 43 00 10       stw r2, 0x10 ( r3 )
0x1000030:   61 8c 00 04       ori r12, r12, 0x4
0x1000034:   39 60 00 01       addi r11, 0, 0x1
0x1000038:   b1 83 01 ba       sth r12, 0x1ba ( r3 )
0x100003c:   7c a2 e2 a6       mfspr r5, 0x382
0x1000040:   91 63 00 14       stw r11, 0x14 ( r3 )
0x1000044:   91 a3 00 3c       stw r13, 0x3c ( r3 )
0x1000048:   91 c3 00 40       stw r14, 0x40 ( r3 )
0x100004c:   7c c3 e2 a6       mfspr r6, 0x383
0x1000050:   91 e3 00 44       stw r15, 0x44 ( r3 )
0x1000054:   92 03 00 48       stw r16, 0x48 ( r3 )
0x1000058:   92 23 00 4c       stw r17, 0x4c ( r3 )
0x100005c:   7c e4 e2 a6       mfspr r7, 0x384
0x1000060:   92 43 00 50       stw r18, 0x50 ( r3 )
0x1000064:   92 63 00 54       stw r19, 0x54 ( r3 )
0x1000068:   92 83 00 58       stw r20, 0x58 ( r3 )
0x100006c:   7d 05 e2 a6       mfspr r8, 0x385
0x1000070:   92 a3 00 5c       stw r21, 0x5c ( r3 )
0x1000074:   92 c3 00 60       stw r22, 0x60 ( r3 )
0x1000078:   92 e3 00 64       stw r23, 0x64 ( r3 )
0x100007c:   7d 26 e2 a6       mfspr r9, 0x386
0x1000080:   93 03 00 68       stw r24, 0x68 ( r3 )
0x1000084:   93 23 00 6c       stw r25, 0x6c ( r3 )
0x1000088:   93 43 00 70       stw r26, 0x70 ( r3 )
0x100008c:   7d 47 e2 a6       mfspr r10, 0x387
0x1000090:   93 63 00 74       stw r27, 0x74 ( r3 )
0x1000094:   93 83 00 78       stw r28, 0x78 ( r3 )
0x1000098:   93 a3 00 7c       stw r29, 0x7c ( r3 )
0x100009c:   7d 69 02 a6       mfspr r11, 0x9
0x10000a0:   93 c3 00 80       stw r30, 0x80 ( r3 )
0x10000a4:   93 e3 00 84       stw r31, 0x84 ( r3 )
0x10000a8:   90 83 01 c0       stw r4, 0x1c0 ( r3 )
0x10000ac:   7d 80 00 26       mfcr r12
0x10000b0:   90 a3 01 c4       stw r5, 0x1c4 ( r3 )
0x10000b4:   90 c3 01 c8       stw r6, 0x1c8 ( r3 )
0x10000b8:   7c c1 02 a6       mfspr r6, 0x1
0x10000bc:   90 e3 01 cc       stw r7, 0x1cc ( r3 )
0x10000c0:   91 03 01 d0       stw r8, 0x1d0 ( r3 )
0x10000c4:   7c 89 ea a6       mfspr r4, 0x3a9
0x10000c8:   91 23 01 d4       stw r9, 0x1d4 ( r3 )
0x10000cc:   91 43 01 d8       stw r10, 0x1d8 ( r3 )
0x10000d0:   7c aa ea a6       mfspr r5, 0x3aa
0x10000d4:   90 c3 00 94       stw r6, 0x94 ( r3 )
0x10000d8:   91 63 00 90       stw r11, 0x90 ( r3 )
0x10000dc:   7c cd ea a6       mfspr r6, 0x3ad
0x10000e0:   91 83 00 88       stw r12, 0x88 ( r3 )
0x10000e4:   90 83 03 08       stw r4, 0x308 ( r3 )
0x10000e8:   7c ee ea a6       mfspr r7, 0x3ae
0x10000ec:   90 a3 03 0c       stw r5, 0x30c ( r3 )
0x10000f0:   90 c3 03 10       stw r6, 0x310 ( r3 )
0x10000f4:   7d 08 ea a6       mfspr r8, 0x3a8
0x10000f8:   90 e3 03 14       stw r7, 0x314 ( r3 )
0x10000fc:   91 03 03 18       stw r8, 0x318 ( r3 )
0x1000100:   7d 2c ea a6       mfspr r9, 0x3ac
0x1000104:   80 01 00 14       lwz r0, 0x14 ( r1 )
0x1000108:   38 21 00 10       addi r1, r1, 0x10
0x100010c:   7c 08 03 a6       mtspr 0x8, r0
0x1000110:   91 23 03 1c       stw r9, 0x31c ( r3 )
0x1000114:   38 60 00 00       addi r3, 0, 0x0

Decompiled output:

#include <stdint.h>

// ------------------- Function Prototypes --------------------

int32_t entry_point(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, int32_t a6, int32_t a7, int32_t a8, int32_t a9, int32_t a10, int32_t a11, int32_t a12, int32_t a13, int32_t a14, int32_t a15, int32_t a16, int32_t a17, int32_t a18, int32_t a19, int32_t a20, int32_t a21, int32_t a22, int32_t a23, int32_t a24);

// ------------------------ Functions -------------------------

// Address range: 0x1000000 - 0x1000117
int32_t entry_point(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, int32_t a6, int32_t a7, int32_t a8, int32_t a9, int32_t a10, int32_t a11, int32_t a12, int32_t a13, int32_t a14, int32_t a15, int32_t a16, int32_t a17, int32_t a18, int32_t a19, int32_t a20, int32_t a21, int32_t a22, int32_t a23, int32_t a24) {
    // 0x1000000
    int32_t v1; // bp-16
    v1 = &v1;
    *(int32_t *)(a1 + 140) = 0;
    *(int32_t *)(a1 + 152) = 0;
    *(int32_t *)(a1 + 156) = a3;
    *(int32_t *)(a1 + 16) = 0;
    *(int16_t *)(a1 + 442) = *(int16_t *)(a1 + 442) | 4;
    *(int32_t *)(a1 + 20) = 1;
    *(int32_t *)(a1 + 60) = 0;
    *(int32_t *)(a1 + 64) = 0;
    *(int32_t *)(a1 + 68) = 0;
    *(int32_t *)(a1 + 72) = 0;
    *(int32_t *)(a1 + 76) = 0;
    *(int32_t *)(a1 + 80) = 0;
    *(int32_t *)(a1 + 84) = 0;
    *(int32_t *)(a1 + 88) = 0;
    *(int32_t *)(a1 + 92) = 0;
    *(int32_t *)(a1 + 96) = 0;
    *(int32_t *)(a1 + 100) = 0;
    *(int32_t *)(a1 + 104) = 0;
    *(int32_t *)(a1 + 108) = 0;
    *(int32_t *)(a1 + 112) = 0;
    *(int32_t *)(a1 + 116) = 0;
    *(int32_t *)(a1 + 120) = 0;
    *(int32_t *)(a1 + 124) = 0;
    *(int32_t *)(a1 + 128) = 0;
    *(int32_t *)(a1 + 132) = 0;
    *(int32_t *)(a1 + 448) = 0;
    *(int32_t *)(a1 + 452) = 0;
    *(int32_t *)(a1 + 456) = 0;
    *(int32_t *)(a1 + 460) = 0;
    *(int32_t *)(a1 + 464) = 0;
    *(int32_t *)(a1 + 468) = 0;
    *(int32_t *)(a1 + 472) = 0;
    *(int32_t *)(a1 + 148) = 0;
    *(int32_t *)(a1 + 144) = 0;
    *(int32_t *)(a1 + 136) = 0;
    *(int32_t *)(a1 + 776) = 0;
    *(int32_t *)(a1 + 780) = 0;
    *(int32_t *)(a1 + 784) = 0;
    *(int32_t *)(a1 + 788) = 0;
    *(int32_t *)(a1 + 792) = 0;
    *(int32_t *)(a1 + 796) = 0;
    return 0;
}

We just need to implement the API and off we go. Can someone please help writing an example Java/Python/curl script which takes a Raw.bin file from your PC containing PowerPC machine code and decompiles it using the API? Their decompile.py doesn't seem to work while the website version does:

$ decompile.py --api-key my-secret-api-key Dump.bin
Dump.bin (ID: 25gwz3XGRZ) [##                                      ] 5% FAIL
error: File format of the input file is not supported. Supported formats: PE, ELF, COFF, Mach-O, Intel HEX, Raw Data.

$ decompile.py --api-key my-secret-api-key Dump.bin -a powerpc
error: POST request to 'https://retdec.com/service/api/decompiler/decompilations' returned '422 Unsupported Combination (Unsupported combination of 'mode' ('bin') and 'architecture' ('powerpc').)'

Other decompilers like Boomerang probably don't even work or maybe someone can try that one as well. It crashed when I gave it an RPL but what else is to be expected. I'm not sure yet how to give it a machine code function only.

Aerosoul94 also made a modified Snowman decompiler for PowerPC but it only loads RPLs and no raw machine code apparently. Do NOT attempt to decompile entire RPLs. The IDA Pro plugin does work for decompiling certain functions. However, the decompilation is pretty bad. We can't do any better than that though because only HexRays makes better decompilers but they are commerical.

Please help me try out various things to figure out what works best for decompiling PowerPC raw machine code as a standalone application.

@CosmoCortney
@PandaOnSmack
@HackingNewbie
@Maschell
@NWPlayer123
@DarkFlare69
@QuarkTheAwesome

 

[PandaOnSmack]

Have you created an account and got an API key?

 

[BullyWiiPlaza]

Have you created an account and got an API key?

Yes, I can query the API now but the exact request details/script needs to be worked out in case Retargetable produces any kind of useful output. Otherwise there is Aerosoul94's modified Snowman also. He also told me the output produced by Retargetable I posted above is wrong.

 

[FaTaL_ErRoR]

Holy shit I haven't been on in a minute.
Here you go buddy. https://sourceforge.net/projects/decompiler/

 

[QuarkTheAwesome]

To be brutally honest, I think that in most cases it's easier to read PowerPC Assembly than stuff like the output of Snowman. I'm also not huge fan of the disassembly shown above - it's missing things like mnemonics (mfspr 0x8 = mflr) and negative numbers. The decompilation is (arguably) worse, although it seems it was fed an odd program to begin with (is that for the old Wii and/or GC?).
So yeah, I'll stick with IDA. As a side note, if you're making a program that just disassembles and prints the result, using readelf/objdump will save you the effort. There's even special versions that come with devkitPPC!

 

[BullyWiiPlaza]

To be brutally honest, I think that in most cases it's easier to read PowerPC Assembly than stuff like the output of Snowman. I'm also not huge fan of the disassembly shown above - it's missing things like mnemonics (mfspr 0x8 = mflr) and negative numbers. The decompilation is (arguably) worse, although it seems it was fed an odd program to begin with (is that for the old Wii and/or GC?).
So yeah, I'll stick with IDA. As a side note, if you're making a program that just disassembles and prints the result, using readelf/objdump will save you the effort. There's even special versions that come with devkitPPC!

Yeah, the example assembly was some nonsense kernel initialization code right at the beginning of the .text section.

I was just thinking it would be cool to add a decompiler feature for functions in my TCP Gecko client application so people don't need IDA and can do it on the "live" RAM even though decompiling PPC seems to be terrible and almost useless anyway. Better having this then not

 

[HackingNewbie]

I'll try making the python script

 

[HackingNewbie]

So, I made the python script for you. This is python 3. You will need to run this in cmd:

pip install requests

This is of course incomplete, right now it gives me an error because I don't have the API key, so you will have to add that in
Without further ado, here is the code:

import requests
url = "https://retdec.com/service/api/decompiler/decompilations"
payload = {"mode": "bin", "input": r"C:\Users\Joseph\Desktop\Nintendo Hacking\wii u\JGecko U\dumps\AMKP01\47C8319B.bin"}

r = requests.post(url, data = payload)

print(r.text, end="\n\n")
print(r.status_code, end="\n\n")

input("Press the enter key to exit.")

 

[BullyWiiPlaza]

So, I made the python script for you. This is python 3. You will need to run this in cmd:

pip install requests

This is of course incomplete, right now it gives me an error because I don't have the API key, so you will have to add that in
Without further ado, here is the code:

import requests
url = "https://retdec.com/service/api/decompiler/decompilations"
payload = {"mode": "bin", "input": r"C:\Users\Joseph\Desktop\Nintendo Hacking\wii u\JGecko U\dumps\AMKP01\47C8319B.bin"}

r = requests.post(url, data = payload)

print(r.text, end="\n\n")
print(r.status_code, end="\n\n")

input("Press the enter key to exit.")

You should sign up for an API key and see if it works out for you

 

[HackingNewbie]

You should sign up for an API key and see if it works out for you

Does it cost money?

 

[BullyWiiPlaza]

Does it cost money?

No, it's free

 

[HackingNewbie]

No, it's free

K, shall try out now!

 

[HackingNewbie]

OK, I was ripping my hair out and then saw the retdec-python library. Install like this in CMD:

pip install retdec-python

Here is the code:

from retdec.decompiler import Decompiler

decompiler = Decompiler(api_key='YOUR-API-KEY')
decompilation = decompiler.start_decompilation(input_file="C:\path\of\ram\dump.bin")
decompilation.wait_until_finished()
decompilation.save_hll_code()

I noticed with the API you had to specify a mode, but with this it detects the mode using the file extension, so as long as the dump is a .bin file, it should decompile it as raw machine code (like firmware, as they say ). You may have to prefix the path with r like this:

...
decompilation = decompiler.start_decompilation(input_file=r"C:\path\of\ram\dump.bin")
...

 

[BullyWiiPlaza]

@HackingNewbie:
Uhm. Please don't pretend you got the solution if you didn't test it and got it to work :/

$ python decompile.py
Traceback (most recent call last):
  File "decompile.py", line 5, in <module>
    decompilation.wait_until_finished()
  File "C:\Python34\lib\site-packages\retdec\decompilation.py", line 149, in wait_until_finished
    self._handle_failure(on_failure, self._error)
  File "C:\Python34\lib\site-packages\retdec\resource.py", line 131, in _handle_failure
    raise obj
retdec.exceptions.DecompilationFailedError: File format of the input file is not supported. Supported formats: PE, ELF, COFF, Mach-O, Intel HEX, Raw Data.

 

[HackingNewbie]

@HackingNewbie:
Uhm. Please don't pretend you got the solution if you didn't test it and got it to work :/

$ python decompile.py
Traceback (most recent call last):
  File "decompile.py", line 5, in <module>
    decompilation.wait_until_finished()
  File "C:\Python34\lib\site-packages\retdec\decompilation.py", line 149, in wait_until_finished
    self._handle_failure(on_failure, self._error)
  File "C:\Python34\lib\site-packages\retdec\resource.py", line 131, in _handle_failure
    raise obj
retdec.exceptions.DecompilationFailedError: File format of the input file is not supported. Supported formats: PE, ELF, COFF, Mach-O, Intel HEX, Raw Data.

It worked for me

 

[BullyWiiPlaza]

It worked for me

Okay, it might be the dump then. Can you upload yours for testing please?

 

[HackingNewbie]

Okay, it might be the dump then. Can you upload yours for testing please?

Change the file extension from .txt to .bin because I'm not allowed to upload .bin files. It seems to work on any dump I make. are you using a .bin?
EDIT: It's not working any more

 

[BullyWiiPlaza]

EDIT: It's not working any more

It never did and yet again you miss the point by giving it data instead of executable code...
The assembly is below the 0x10000000 memory range by the way since you started the dump there.

I contacted them now asking how to do it with the API.

 

[Chakratos]

It never did and yet again you miss the point by giving it data instead of executable code...
The assembly is below the 0x10000000 memory range by the way since you started the dump there.

I contacted them now asking how to do it with the API.

Instead of beeing a dick you could aprecciate the work of others that want to help you

 

[BullyWiiPlaza]

Instead of beeing a dick you could aprecciate the work of others that want to help you

It's not being a dick when they do something fundamentally wrong a 2nd time so of course it wouldn't work with invalid input and just wastes time so better not post then when you don't know what you're doing.