AlliedModders forums, General: Lysis: An experimental .smx decompiler (https://forums.alliedmods.net/showthread.php?t=170898)

BAILOPAN 10-30-2011 07:02

Lysis: An experimental .smx decompiler
 
1 Attachment(s)
I have been working on an experimental decompiler for compiled .smx files. I don't have much experience in this area, so this is largely a hodgepodge of various things I've learned over the past few years.

Disclaimer: This is not intended for general use. It is not a replacement for source code. It usually does not produce something that can compile. I don't have time to support it or decompile plugins on request. This is for people interested in reverse engineering technology.

I've attached the results of decompiling "ucp.smx", a closed-source anti-cheat plugin which is violating the SourceMod license. In the past, closed-source plugins have often either been bogus or contained malicious backdoors. This tool can help combat that by exposing somewhat readable text for a .smx file. I have not checked ucp.smx for backdoors, but anyone running this plugin can now inspect it for themselves. (Yes, I contacted the authors; they were unwilling to work with us.)

The decompiler is called "Lysis", and is written in C#. The source is available here: http://hg.alliedmods.net/users/dvand...ods.net/lysis/

Technical Details

The decompiler starts by decompressing and extracting each section of the .smx file. These are sections like the list of exported functions, and the compiled instruction stream. The instruction stream is then transformed into a low-level IR (LIR) on a per-function basis. Jump instructions and their targets are used to compute a control-flow graph. A number of analyses then take place on the CFG: a dominator tree is computed, and the boundaries and nesting of loops are computed.

Pawn is basically a stack machine and LIR is pretty inconvenient. Originally Lysis went from LIR to an expression tree, but expression trees are difficult to analyze. Now, we transform LIR to an SSA-form IR. This IR has a lot more information, like an embedded dataflow graph. For example, it is trivial to find all IR nodes that use another IR node, and thus it is trivial to rewrite the graph as we discover new information.

Pawn is really low-level, so even with SSA, it is pretty tricky to analyze. Some examples:
  • Floating-point operations are implemented as a stock that calls a native. We essentially pattern-match calls to these stocks and rewrite the call to be a comparison.
  • Array operations work by computing references. These references can be computed in a number of ways. For example, a[x] can be computed with "add a, x". When loading and storing to references, we have to pattern match sequences like this to compose a proper array+index pair.
  • The instruction stream has no type information, and often passes around random addresses as if they were normal integers/cells. Dealing with this is hard. We use two type propagation passes. The first is forward, and propagates information such as "a comparison is boolean" and "loads and stores must operate on references". The second pass is backward, and does things like taking a function call, and propagating the types of the call's signature to its given operands.
  • The instruction stream has no concept of scope, so the way loops are decomposed can generate duplicate variable names.
  • I have not yet found a nice way to reconstruct a pretty "for" loop, so they appear as "while" loops.
  • The compiler generates || and && as a really nasty chain of implicit "if"s. There is a really complicated pattern-matching algorithm to track these down and recompose the original expression.
  • Currently, Lysis has difficulty figuring out x[a][b] where "x" is a global and "a" and "b" are constants. I hand-edited func_37 since I was running out of time.

The original goal of the decompiler was to continue working even in the presence of highly obfuscated binaries. By now, it's reached a tradeoff where it does a lot of pattern matching but also uses flexible analysis phases. However, there are still significant challenges I haven't figured out (and probably won't). Hopefully though, it has enough interesting stuff to be, at least, of educational value.
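The CFG, dominator and loop-detection stage described in the first post, as an added illustration that is not part of the original post or of Lysis itself; it uses a constructed, Pawn-flavoured instruction subset and Python rather than Lysis's C#:

```python
# Added illustration of the first analysis stage described above: split an
# instruction stream into basic blocks, build the CFG, compute dominators,
# and find loop headers from back edges. Not Lysis code; constructed opcodes.
BRANCH = {"jump", "jzer", "jnz"}  # "jump" is unconditional

def basic_blocks(insns):
    # Leaders: entry, every branch target, and the instruction after a branch.
    leaders = {0}
    for i, ins in enumerate(insns):
        if ins[0] in BRANCH:
            leaders.update((ins[1], i + 1))
    leaders = sorted(l for l in leaders if l < len(insns))
    blocks = {}  # leader -> (end index, successor leaders)
    for n, start in enumerate(leaders):
        end = leaders[n + 1] if n + 1 < len(leaders) else len(insns)
        last = insns[end - 1]
        succs = [last[1]] if last[0] in BRANCH else []
        if last[0] not in ("jump", "retn") and end < len(insns):
            succs.append(end)  # fall-through edge
        blocks[start] = (end, succs)
    return blocks

def dominators(blocks, entry=0):
    # Iterative dataflow: dom(n) = {n} | intersection of dom(p) over preds p.
    preds = {b: [] for b in blocks}
    for b, (_, succs) in blocks.items():
        for s in succs:
            preds[s].append(b)
    dom = {b: ({entry} if b == entry else set(blocks)) for b in blocks}
    changed = True
    while changed:
        changed = False
        for b in blocks:
            if b == entry or not preds[b]:
                continue
            new = {b} | set.intersection(*(dom[p] for p in preds[b]))
            if new != dom[b]:
                dom[b], changed = new, True
    return dom

def loop_headers(blocks, dom):
    # A back edge b -> h where h dominates b marks h as a natural loop header.
    return sorted({s for b, (_, succs) in blocks.items() for s in succs if s in dom[b]})

# Constructed stream, roughly `while (i < n) { i++; } return;`
SAMPLE = [("load", "i"), ("load", "n"), ("slt",), ("jzer", 6),  # block 0: header
          ("inc", "i"), ("jump", 0),                            # block 4: body, back edge
          ("retn",)]                                            # block 6: exit
```

Running `loop_headers(basic_blocks(SAMPLE), dominators(basic_blocks(SAMPLE)))` yields `[0]`, i.e. the comparison block is the loop header, which is the information Lysis then uses to recover the `while` loop.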

napalm00 10-30-2011 08:00

Re: Lysis: An experimental .smx decompiler
 
Looking at the decompiled example right now, this is really amazing :shock:

Endi 11-01-2011 00:16

Re: Lysis: An experimental .smx decompiler
 
BAILOPAN, you stupid noob, I explain that if the code is open source, any cheater will be able to write an emulator for the anti-cheat. If your goals were noble, you would have checked it for malware yourself, and only if you found a backdoor would the source code then be posted.

BAILOPAN 11-01-2011 00:24

Re: Lysis: An experimental .smx decompiler
 
Endi, your right to use and distribute SourceMod or works based on SourceMod was revoked the instant you violated our license - which you are continuing to do.

If you don't like the license, don't use SourceMod. Don't complain that you're not allowed to break the law or the spirit of our community (and don't think I didn't notice that you copied and pasted other people's GPL'd code into your plugin).

Endi 11-01-2011 00:42

Re: Lysis: An experimental .smx decompiler
 
BAILOPAN, and? Did you find a backdoor? :) Do not cover yourself with noble aspirations; you just took revenge for the code not being open source.
My project, like yours, is free, but unlike you I do not accept donations. Why do you want to hurt my project so badly?

BAILOPAN 11-01-2011 01:39

Re: Lysis: An experimental .smx decompiler
 
Endi - it is obvious why I posted the source code. Your feelings about your project are irrelevant. You have violated our license, and taken advantage of our community's hard work and good faith. I contacted you multiple times about this.

If you don't want to obey our license, don't use SourceMod, and don't take advantage of our work.

(And, I have no intention of analyzing your source code. However, legitimate users of SourceMod have the right to, and this tool helps ensure that right.)

Fyren 11-01-2011 01:40

Re: Lysis: An experimental .smx decompiler
 
If you can't write code that is secure even after the source is inspected, you should learn to write better code.

If you can't follow the license for someone else's code, then you can't use it freely.

necavi 11-01-2011 02:05

Re: Lysis: An experimental .smx decompiler
 
Arguably the two best anti-cheat plugins, KAC and SMAC both are open source, and all the better for it.

BAILOPAN 11-01-2011 02:17

Re: Lysis: An experimental .smx decompiler
 
1 Attachment(s)
A new version was posted to the site; here is the Lysis result.

Sazpaimon 11-01-2011 03:19

Re: Lysis: An experimental .smx decompiler
 
Quote:

Originally Posted by Endi (Post 1587658)
BAILOPAN, and? Did you find a backdoor? :) Do not cover yourself with noble aspirations; you just took revenge for the code not being open source.
My project, like yours, is free, but unlike you I do not accept donations. Why do you want to hurt my project so badly?

You don't get it, do you? The SourceMod license is clear, IF YOU DISTRIBUTE THE BINARY (SMX) VERSION OF ANY PLUGIN, YOU MUST, *MUST*, DISTRIBUTE THE SOURCE ALONG WITH IT. If you do not do this, you are not only violating the Sourcemod license (along with your right to use it), you are also VIOLATING THE LAW THAT GOES ALONG WITH IT. THERE ARE NO EXCEPTIONS TO THIS POLICY, NOT FOR ANY REASON.

Before you willingly violate the SourceMod license, perhaps you should educate yourself on the GPL. Some kind folks have translated the GPLv3 (the license that SourceMod uses) to Russian so I hope it can help you understand it: http://code.google.com/p/gpl3rus/wiki/LatestRelease
