"Basic decompiler and decompilation service."

"Basic decompiler and decompilation service."
THE BASIC DECOMPILER AND DECOMPILATION SERVICE

=========================================

E-mail address = mspring810@aol.com
This regenerates the source code from an EXE file created by a Basic compiler. It is useful for those old EXE files for which you have lost the original source code and need to make modifications. It works on DOS Basic or QuickBasic but not Visual Basic. It could be valuable for disaster recovery.
Its aim is to produce Basic source code which should recompile to produce an EXE file which produces identical results to the original. The original Symbolic names are lost. They are replaced by automatically generated names. See Samples Of Output
It works on all .EXE files. produced by IBM or Microsoft Basic compilers except for some very early compilers (E.G. 1.00 and 1.02) when they have been compiled to run as stand alone modules. I am working on modifications to rectify this.
It produces particularily good results for .EXE files producd by the following versions:
4.0, 4.5, and 7.2
It usually works on other versions. It half works on VBDOS! It won't work on Power Basic or other non-Microsoft compilers .
Otherwise, I'll have a go at decompiling anything manually if someone will pay me for it. I've had particular success at C and Visual C++ programmes but not Visual C++ programmes that are compiled to NE format .EXE files. These were produced mid 1980s but I am working on a program to analyse/debug/decompile these. However I rarely have time to spend on this project and so refrain from predicting when this will be completed. There are many programmes on the net for decompiling Visual Basic so I've never tried this for myself!

HOW WELL DOES IT WORK?
NEW IMPROVED VERSION
THE DECOMPILER SERVICE
ANOTHER PRACTICAL SOLUTION
HOW TO PAY
TO OBTAIN THE DECOMPILER
SAMPLES OF OUTPUT
ROUGH EDGES
THE MANUAL (How to use the decompiler)
THE FUTURE
CONDITIONS
LINKS
HOW WELL DOES IT WORK

The initial output of the decompiler is called a "raw decompilation". Occasionally these will recompile to give identical results to the original. However, usually work is required on the raw decompilation before this is achieved. 50% of customers have been happy to do this work for themselves but it can be quite technical and the remainder get me to do it. Really large programmes have taken as much as 500 hours of my time but most are quicker. See The Decompiler Service
For details of what needs doing to knock a raw decompilation into shape, see rough edges.
See also Samples Of Output
A new version is now available - See immediately below.
THE NEW IMPROVED VERSION

This will contain many facilities to assist the selection of the run time parameters and knocking the decompilation into shape. If you wish to get some idea of what the new version does and how it does it you may look at the manual by clicking > THE MANUAL FOR THE NEW VERSION.
The sections on Diagnostics, Debug, The Glossary and The Examples aren't yet written. The remaining 10 sections are. I've made a start on Diagnostics.
THE DECOMPILER SERVICE

To avail yourself of the Decompiler Service just e-mail me ( mspring810@aol.com ) your EXE file and I will decompile it and let you know how successful the decompilation was. I'll also send you the first 10% of the decompiled source text. Then, if you wish, I will e-mail you the "raw decompilation" (see How Well Does It Work) as soon as you send me £120 (Pounds Sterling) (See How To Pay). If you require, I will then knock the "Raw Decompilation" into shape. to produce source code which recompiles to produce identical results to the original program. I can charge anything from £500-£5000 for this service depending on the size and difficulty of the program and the urgency with which it is required.
If you are sufficiently technically minded there are advantages in your working on the raw decompilation yourself:
1 -It helps to familiarise you with the decompiled version of your program.
2 - Any technical knowledge that you may have of the subject matter of the program can often make the work much easier.
3 - The £120 charge includes advice and help that you may require in this task.
On the other hand the advantages in getting me to do the work is that I am experienced at it and have many techniques and a great deal and technical knowledge of decompiling .
ANOTHER PRACTICAL SOLUTION

If your EXE file does not decompile very well all is not necessarily lost! For example one customer has lost the source code for programmes compiled using VBDOS . As already mentioned the decompiler only "half works" on these. However the decompilation was good enough to act (together with the Hex version) as a guide to the EXE file which enabled me to patch up the EXE file to make the required modifications. Also, in extreme cases, I have manually decompiled C language programmes and Visual C++ . I'm thinking of producing some software to make Visual C++ decompilation easier.
HOW TO PAY

I prefer to be paid by PayPal.
Please note that if you are paying in U.S. Dollars, I accept whatever exchange rate is in the days newspapers, plus the amount that my bank charges to change them into pounds. This was $6 per transaction or 3% whatever is greaterlast time I checked.
TO OBTAIN THE DECOMPILER

It is much better to get me to do the decompilation for you because it can be quite difficult to work out the run time parameters and to knock the raw decompilation into shape. I have produced a version which overcomes many (but by no means all) of these problems see The Future. However, if you really want a copy of the decompiler now you can obtain it (and a license to use it) for £500 (Pounds Sterling) . (See How To Pay).I recommend that before doing this you send me a few of your EXE files so that I can check that the decompiler works on them.
Please also read the remaining sections of this page and The Manual .
SAMPLES OF OUTPUT

1 - DISTANCE.BAS This is a short and easy program.
Here is an original Basic program-->distance.txt
This is a decompilation of the program when it was compiled using Microsoft Quickbasic compiler version 4-->dist0.txt. It contains symbol table listings.
This is the same as above but with the basic program compiled to include debugging information-->dist1.txt
This is a decompilation of the same program when it was compiled using Version 1.00.--->dist3.txt
2 - CLAUDE This is a test decompilation that someone sent me together with some of the correspondence which explains a bit about the decompilation of it. It is contained in ZIP file CLAUD.ZIP . Some of the examples in the following section refer to it. The ZIP file contains the original program CLAUD.BAS , A normal decompilation CLAUD.DEB and also a HEX version CLAUD.HEX .
ROUGH EDGES and how to knock them into shape.

There may be many more. Many should be eradicated in later versions of the decompiler. Examples of how to knock some of these into shape are contained in the indented text following its description.The decompilation of CLAUD.BAS is used to illustrate some of the techniques required to knock the Raw Decompilation into shape.
1 - Branch locations occasionally out by a line. If the decompiler "is suspicious" of a branch location it adds '???' after it. The correct location is obvious from examining the HEX version of the decompilation see The Manual or from the context.
An example of this is the lines in CLAUD.BAS that read:

K = TIMER

DO: J = TIMER: LOOP UNTIL J - K > .35 'puts a pause between knocks

These decompile in the DEB file as:

49330 R14 = TIMER

49340 R18 = TIMER

49350 IF (R18-R14) <= 0.35 THEN GOTO 49350'????

It is fairly obvious from the context that line 49350 should read:

49350 IF (R18-R14) <= 0.35 THEN GOTO 49340

but if this had not been obvious you would need to refer to the HEX version and you would find the following lines (Excluding the dumps):

49330 R14 = TIMER

9A CA 17 17 0D 8B F0 CD 35 04 CD 35 5E F2

49340 R18 = TIMER

CD 3D 90 9A CA 17 17 0D 8B F0 CD 35 04 CD 35 5E

EE

49350 IF (R18-R14) <= 0.35 THEN GOTO 49350'????

CD 3D CD 35 06 50 27 CD 35 46 EE CD 34 66 F2 CD

3D 9A A6 00 00 14 76 DA

The conditional branch right at the end (76 DA) jumps back Hex 26 (Decimal 38) bytes.

This takes it to the 3 rd byte of line 49340. Thus confirming what we'd already deduced. The CD 3D at the start of this line is just an Interrupt 3D that is a hangover from the previous line.

If it had jumped a long distance it could have been difficult to work this out. In such cases I run the original .EXE file under Debug and unassemble the appropriate instructions.

2 - For Next loops are not always correctly initialised. The correct value is obvious from examining the HEX version of the decompilation see The Manual or from the context.
An example of this is the lines in CLAUD.BAS that read:

FOR X% = Index% + 2 TO MaxUser%

IF UserWords$(X%) = Nul$ THEN EXIT FOR

Phrase$ = Phrase$ + Spac$ + UserWords$(X%)

NEXT X%

In CLUADE.DEB this is decompiled as:

21850 GOTO 21880'????

21860 IF L156$(R26 + 2) = "" THEN GOTO 21900

21870 (R30) = (R30) + " " + L156$(R32)

21880 R32 = ( R32 + 1 )

21890 IF R32 <= 27 THEN GOTO 21860

It is always a good idea to check branches with ???? in the HEX file to see if there are any extra pieces of assembler code which aren't reflected in the decompilation, indicating a For Next Loop. Here are the appropriate lines:

21840 GOTO 21880'????

8B 46 E6 05 02 00 E9 3F 00

21850 IF L156$(R26 + 2) = "" THEN GOTO 21890

90 D1 E0 D1 E0 81 C0 DC 0E 50 B8 C0 12 50 9A 72

0D 17 0D 75 03 E9 2F 00

21860 IF L156$(R26 + 2) = "" THEN GOTO 21900

BF 22 13 8D 76 E2 E8 69 C6 8B 4E E0 D1 E1 D1 E1

81 C1 DC 0E 8B F9 8B F0 E8 57 C6 8B F8 8D 76 E2

E8 47 C6

21870 R32 = ( R32 + 1 )

8B 46 E0 40 89 46 E0

21880 IF R32 <= 27 THEN GOTO 21850

3D 1B 00 7E BA

They show that the Hex code for line 21840 is 8B 46 E6 05 02 00 E9 3F 00 giving the following lines of assembler code:

8B 46 E6 MOV AX,[BP-1A] This is loading R26 into the AX register (Hex 1A = Decimal 26)

05 02 00 ADD AX,2 This results in R26+2 being in AX

E9 3F 00 Jump 63 bytes

Checking out the exact branch location we find that it is in line 21870 just before storing the resulting R32 value.

Thus the .DEB source will function correctly if we alter lines 21850-21860 to:

21850 R32 = R26 + 2 : GOTO 21890

21860 IF L156$(R32) = "" THEN GOTO 21900

Better still change lines 21850-21890 to:

21850 FOR R32=R26 + 2 TO 27

21860 IF L156$(R32) = "" THEN GOTO 21900

21870 (R30) = (R30) + " " + L156$(R32)

21880 '''''''''

21890 NEXT R32

3 - Very occasionally some array elements with constant terms in their index might be regarded as separate arrays. The symbol table listing which appears at the end of the decompilation will help here.

As an example if we go to the line of code immediatly preceding the last example:

IF UserWords$(Index% + 6) = Nul$ THEN 'if the phrase is < 4 words long

This is decompiled as:

21840 IF L283$(P6) <> "" THEN GOTO 21900

From the context it looks as if the size of the array L156$() is likely to be at least 6 entries (24 bytes). However, if we look at the symbol table listing we see that L156$ is located at hex EDC but that array L283$() is at location EF4. Thus L283$(0) uses the same space as L156$(6). The solution to this is that L283$ is not really a separate array and the line should read:

21840 IF L156$(P6+6) <> "" THEN GOTO 21900

I admit that this can be a difficult type of error to detect until the reconstructed program gives different results to the original . NOTE It would not have harmed the function of the program if all occurrences of L283$() were altered in this way.

4 - Dynamic string variables in subroutines are not always identified as such. It is obvious when this has happened and you just have to insert a $ after the name.
E.G. Line 25180 reads:

25180 (R20) = "Just a guy selling encyclopedias. "

It should read

25180 R20$ = "Just a guy selling encyclopedias. "

6 - Problems concerning arrays. Generally dealing with these has been a great problem and it has been decided that (until time can be spent developing a very sophisticated technique) the displacement of the element in bytes rather than the array index will be displayed. This can be corrected with a bit of editing. This usually consists of removing * 4 (or * 2 for integer arrays).
Multidimensional arrays are treated as follows:
10 DIM A(2,30,20)
20 B = A(x,y,z)
Will be decompiled as:
10 DIM A(1200)
20 B = A( ((((x *30) + y)*20)+z) * 4 )
7 - Dynamic arrays and parameter arrays in subroutines. These are a bit of a mess. As an example the lines:
10 SUB XXX(A())
20 A(X,Y)=Z
will be decompiled as:
10 SUB XXX(P6())
20 P6((((P6+18)*X)+Y)*4)=Z
The significance of the 18 being the offset (in bytes) of the appropriate array dimension in what I call "The Array Descriptor Block", for want of a better name!.
8 - TYPE DEFS . The decompiler doesn't recognise these yet. When a file GET or PUT is decompiled the record length is usually stated in a comment. Otherwise it may be determined from the corresponding open statement. The TYPE DEF may be determined from this using the symbol table definition. Here is an example from a decompilation.
The following section of code appeared in the decompilation:

19900 GET #3,R20,L834$' Length of GET/PUT destination = 114 Bytes

19904 L86$(17) = RTRIM$((L836$))

19908 L456 = I838/10

19912 L457 = I839/100

19916 L707 = I840/1000

19920 R28 = L834$

This looks suspicious, anyway it did not function correctly in a parallell run!
Plainly L834$ must be a fixed length string. The appropriate entries in the symbol table must be examined to see what is happening. They look like this:
Symbol Address

I851 17B8 IE

I852 17BA IE

L834$ 17BC S

L836$ 1820 S

I840 1828 IE

I839 182A IE

I838 182C IE

I1 1848 IE

L834$ is at location hex 17BC and the buffer is 114 bytes long which means that the end of the buffer is at location Hex 17BC + Decimal 114 = Hex 182E. Thus, all the fields up to and including I838 are in the buffer. Thus, we correct this coding using a typedef as follows:
TYPE TDX

L834 AS STRING * 100

I836 AS STRING * 8

I840 AS INTEGER

I839 AS INTEGER

I838 AS INTEGER

END TYPE

COMMON SHARED Tda AS TDX

19900 GET #3, R20, Tda' Length of GET/PUT destination = 114 Bytes

19904 L581$ = RTRIM$((Tda.I836))

19908 L456 = Tda.I838 / 10

19912 L457 = Tda.I839 / 100

19916 L707 = Tda.I840 / 1000

19920 R28$ = Tda.L834

THE FUTURE

It is important to make the decompiler easier to use in 2 areas:
1 - To remove the rough edges. Currently this is a continual (on going) job.
2 - Ease the determination of the run time parameters.
With this in mind a front end program has been created to ease the creation of the run time parameters. This is a Windows rather than a DOS program. The parameters will be stored in a file for later use. It also contains facilities to help in knocking a decompilation into shape. Looking further into the future a program similar to Debug is envisaged, which works with the decompilers output to combat the "Rough edges" and overcomes many of the problems in using normal Debug for this purpose.
CONDITIONS

This Basic Decompiler is copyright (c) 1997, 1998 , 1999 & 2001 of M.J.Spring. A License to use it is sold on an "as is" basis and no claims are made as to its suitability for any specific purpose. The vendor accepts no responsibility for any consequential damages that may possibly occur through use or misuse of the program. It may not be copied in part or in whole except for backup purposes. Otherwise you may only have one copy of it for each license that you purchase. You may sell your copy of the software together with the license to use it on condition that you destroy your own copy and backup copies, relinquish the right to use it, and the person buying it agrees to abide by these rules. By your use of the Basic Decompiler you agree to adhere to all these terms.
LINKS

Click here for -- Our ruin in Normandy. The latest adventure for the Spring family.

Click here for -- JUST ANSWER If all else fails you could get your question answered by clicking here. Then you have myself or many hundreds of other experts of all kinds of subjects to answer your questions for a small fee.
Click here for -- PARC UCHAF - Farm Holiday Cottages Absolutely superb self catering accommodation near the Welsh border.

Click here for -- WALDO'S INTERACTIVE MATHS PAGES This is for teachers and students of maths. It is widely used and much appreciated by students all over the world.
Click here for -- FETCHING ETCHINGS A collection of limited edition etchings and other prints from 1800 to the Present Day. It is produced by my wife.
Click here for Scottish photographs -- Loch Scavaig One of my favourite places.