
Lysis: An experimental .smx decompiler


BAILOPAN
Join Date: Jan 2004
#1, posted 10-30-2011, 07:02

I have been working on an experimental decompiler for compiled .smx files. I don't have much experience in this area, so this is largely a hodgepodge of various things I've learned over the past few years.

Disclaimer: This is not intended for general use. It is not a replacement for source code. It usually does not produce something that can compile. I don't have time to support it or decompile plugins on request. This is for people interested in reverse engineering technology.

I've attached the results of decompiling "ucp.smx", a closed-source anti-cheat plugin which is violating the SourceMod license. In the past, closed-source plugins have often either been bogus or contained malicious backdoors. This tool can help combat that by exposing somewhat readable text for a .smx file. I have not checked ucp.smx for backdoors, but anyone running this plugin can now inspect it for themselves. (Yes, I contacted the authors; they were unwilling to work with us.)

The decompiler is called "Lysis", and is written in C#. The source is available here: http://hg.alliedmods.net/users/dvand...ods.net/lysis/

Technical Details

The decompiler starts by decompressing and extracting each section of the .smx file. These are sections like the list of exported functions, and the compiled instruction stream. The instruction stream is then transformed into a low-level IR (LIR) on a per-function basis. Jump instructions and their targets are used to compute a control-flow graph. A number of analyses then take place on the CFG: a dominator tree is computed, and the boundaries and nesting of loops are computed.

Pawn is basically a stack machine and LIR is pretty inconvenient. Originally Lysis went from LIR to an expression tree, but expression trees are difficult to analyze. Now, we transform LIR to an SSA-form IR. This IR has a lot more information, like an embedded dataflow graph. For example, it is trivial to find all IR nodes that use another IR node, and thus it is trivial to rewrite the graph as we discover new information.

Pawn is really low-level, so even with SSA, it is pretty tricky to analyze. Some examples:
  • Floating-point operations are implemented as a stock that calls a native. We essentially pattern-match calls to these stocks and rewrite the call to be a comparison.
  • Array operations work by computing references. These references can be computed in a number of ways. For example, a[x] can be computed with "add a, x". When loading and storing to references, we have to pattern match sequences like this to compose a proper array+index pair.
  • The instruction stream has no type information, and often passes around random addresses as if they were normal integers/cells. Dealing with this is hard. We use two type propagation passes. The first is forward, and propagates information such as "a comparison is boolean" and "loads and stores must operate on references". The second pass is backward, and does things like taking a function call, and propagating the types of the call's signature to its given operands.
  • The instruction stream has no concept of scope, so the way loops are decomposed can generate duplicate variable names.
  • I have not yet found a nice way to reconstruct a pretty "for" loop, so they appear as "while" loops.
  • The compiler generates || and && as a really nasty chain of implicit "if"s. There is a really complicated pattern-matching algorithm to track these down and recompose the original expression.
  • Currently, Lysis has difficulty figuring out x[a][b] where "x" is a global and "a" and "b" are constants. I hand-edited func_37 since I was running out of time.

The original goal of the decompiler was to continue working even in the presence of highly obfuscated binaries. By now, it's reached a tradeoff where it does a lot of pattern matching but also uses flexible analysis phases. However, there are still significant challenges I haven't figured out (and probably won't). Hopefully though, it has enough interesting stuff to be, at least, of educational value.
Attached file: ucp.sp.txt (57.3 KB, 8490 views)
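The first step the post describes, reading the .smx container, decompressing it and slicing out the named sections, as an added example in Python. This is my code, not Lysis or SourceMod code. The field layout follows the SourcePawn sp_file_hdr_t / sp_file_section_t structures as I remember them (24-byte packed header, 12-byte section entries, header plus section table plus string table stored uncompressed, then one zlib stream from dataoffs to disksize); treat that layout as an assumption to check against the real smx-headers.h before relying on it. The sample image is constructed inline. The one thing worth copying is the decompression bound: a loader that trusts the stream rather than the declared imagesize can be made to allocate far more than the file on disk suggests.

```python
"""Parse a .smx container: header, optional decompression, section table.

Added example; not code from Lysis or SourceMod. Field layout follows the
SourcePawn sp_file_hdr_t / sp_file_section_t structures as I recall them and
is an assumption to verify against the real smx-headers.h.
"""
import struct
import zlib

SMX_MAGIC = 0x53504646            # "FFPS" read as a little-endian uint32
COMPRESSION_NONE = 0
COMPRESSION_GZ = 1                # zlib-framed bytes from dataoffs to disksize
MAX_IMAGE = 64 * 1024 * 1024      # refuse absurd imagesize values up front

# magic u32, version u16, compression u8, disksize u32, imagesize u32,
# sections u8, stringtab u32, dataoffs u32  ->  24 bytes, no padding
HDR = struct.Struct("<IHBIIBII")
SECTION = struct.Struct("<III")   # nameoffs u32, dataoffs u32, size u32


def parse_smx(blob: bytes) -> dict:
    """Return {'version', 'compression', 'sections': {name: bytes}}; ValueError on bad input."""
    if len(blob) < HDR.size:
        raise ValueError("too short for an smx header")
    (magic, version, comp, disksize, imagesize,
     nsections, stringtab, dataoffs) = HDR.unpack_from(blob, 0)
    if magic != SMX_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if disksize != len(blob):
        raise ValueError("disksize %d != file size %d" % (disksize, len(blob)))
    if not HDR.size <= dataoffs <= disksize or not dataoffs <= imagesize <= MAX_IMAGE:
        raise ValueError("dataoffs/imagesize out of range")
    if comp == COMPRESSION_NONE:
        if imagesize != disksize:
            raise ValueError("uncompressed image size mismatch")
        image = blob
    elif comp == COMPRESSION_GZ:
        # Bound the output by the declared imagesize rather than trusting the
        # stream, so a crafted file cannot balloon memory (max_length=0 would
        # mean "unbounded", hence want + 1 and the exact-length check).
        want = imagesize - dataoffs
        d = zlib.decompressobj()
        payload = d.decompress(blob[dataoffs:], want + 1)
        if d.unconsumed_tail or not d.eof or len(payload) != want:
            raise ValueError("decompressed payload does not match imagesize")
        image = blob[:dataoffs] + payload
    else:
        raise ValueError("unknown compression %d" % comp)

    table_end = HDR.size + nsections * SECTION.size
    if table_end > len(image) or stringtab > len(image):
        raise ValueError("section table or string table outside image")
    sections = {}
    for i in range(nsections):
        nameoffs, soffs, size = SECTION.unpack_from(image, HDR.size + i * SECTION.size)
        start = stringtab + nameoffs
        nul = image.find(b"\0", start) if start <= len(image) else -1
        if nul < 0:
            raise ValueError("unterminated section name")
        name = image[start:nul].decode("ascii", "replace")
        if soffs + size > len(image):
            raise ValueError("section %s overruns image" % name)
        sections[name] = image[soffs:soffs + size]
    return {"version": version, "compression": comp, "sections": sections}


def build_sample_smx(compress: bool = True) -> bytes:
    """Constructed sample image (not a real plugin): three named sections."""
    names = [b".natives", b".code", b".data"]
    bodies = [b"\0", b"\x2e\0\0\0" * 4, b"hello\0"]
    strtab = b"".join(n + b"\0" for n in names)
    nameoffs = [sum(len(n) + 1 for n in names[:i]) for i in range(len(names))]
    stringtab = HDR.size + SECTION.size * len(names)
    dataoffs = stringtab + len(strtab)
    entries, cursor = [], dataoffs
    for no, body in zip(nameoffs, bodies):
        entries.append(SECTION.pack(no, cursor, len(body)))
        cursor += len(body)
    imagesize = cursor
    raw = b"".join(bodies)
    payload, comp = (zlib.compress(raw), COMPRESSION_GZ) if compress else (raw, COMPRESSION_NONE)
    hdr = HDR.pack(SMX_MAGIC, 0x0102, comp, dataoffs + len(payload), imagesize,
                   len(names), stringtab, dataoffs)
    return hdr + b"".join(entries) + strtab + payload


def patch_imagesize(blob: bytes, imagesize: int) -> bytes:
    """Rewrite the imagesize field, to exercise the decompression bound check."""
    fields = list(HDR.unpack_from(blob, 0))
    fields[4] = imagesize
    return HDR.pack(*fields) + blob[HDR.size:]


if __name__ == "__main__":
    for name, data in parse_smx(build_sample_smx())["sections"].items():
        print("%-10s %4d bytes" % (name, len(data)))
```

Once the sections are bytes in a dict, the .code section is what the rest of the pipeline in the post consumes; .natives and .publics give the names that the later type-propagation pass needs for call signatures.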
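The control-flow part of the pipeline (leaders from jump targets, basic blocks, dominators, loop bodies from back edges), as an added example in Python over a constructed toy instruction stream. This is my code, not Lysis code; the opcode names jump/jzer/jnz/retn mirror Pawn's, but the program is made up and the dominator computation is the plain iterative set-intersection form rather than whatever Lysis uses. It also shows the "for appears as while" point from the post: the increment is just another block on the back-edge path, indistinguishable from a statement at the end of a while body.

```python
"""CFG, dominators and natural loops over a toy Pawn-like instruction stream.

Added example; not Lysis code. Opcode names mirror Pawn's JUMP/JZER/JNZ/RETN
but the program below is constructed by hand.
"""

# Each instruction is (opcode, operand); jump operands are instruction indices.
# Equivalent source: i = 0; while (cond) { if (x) call(); i++; }
PROGRAM = [
    ("const", 0),     # 0  pri = 0
    ("stor", 0),      # 1  i = pri
    ("load", 0),      # 2  pri = cond        <- loop header
    ("jzer", 9),      # 3  if (!pri) goto 9
    ("load", 1),      # 4  pri = x
    ("jzer", 7),      # 5  if (!pri) goto 7
    ("call", 1),      # 6  call()
    ("inc", 0),       # 7  i++               <- a "for" increment looks just like this
    ("jump", 2),      # 8  goto 2            <- back edge
    ("retn", None),   # 9
]
CONDITIONAL = {"jzer", "jnz"}


def build_cfg(program):
    """Split the stream into basic blocks; return (blocks, succ).

    blocks[i] = (first_pc, end_pc_exclusive); succ[i] lists successor block
    ids with the fall-through edge first so branches keep a stable orientation.
    """
    n = len(program)
    leaders = {0}
    for pc, (op, arg) in enumerate(program):
        if op == "jump" or op in CONDITIONAL:
            if not 0 <= arg < n:
                raise ValueError("jump target %r out of range" % (arg,))
            leaders.add(arg)
        if (op == "jump" or op == "retn" or op in CONDITIONAL) and pc + 1 < n:
            leaders.add(pc + 1)
    starts = sorted(leaders)
    blocks = [(s, starts[i + 1] if i + 1 < len(starts) else n) for i, s in enumerate(starts)]
    block_of = {pc: b for b, (s, e) in enumerate(blocks) for pc in range(s, e)}
    succ = {}
    for b, (s, e) in enumerate(blocks):
        op, arg = program[e - 1]
        if op == "retn":
            succ[b] = []
        elif op == "jump":
            succ[b] = [block_of[arg]]
        else:
            succ[b] = [block_of[e]] if e < n else []
            if op in CONDITIONAL:
                succ[b].append(block_of[arg])
    return blocks, succ


def predecessors(succ):
    preds = {b: [] for b in succ}
    for b, targets in succ.items():
        for t in targets:
            preds[t].append(b)
    return preds


def dominators(succ, entry=0):
    """dom[b] = set of blocks that dominate b (including b), by fixed-point iteration."""
    preds = predecessors(succ)
    dom = {b: set(succ) for b in succ}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in succ:
            if b == entry:
                continue
            new = {b}
            if preds[b]:
                new |= set.intersection(*(dom[p] for p in preds[b]))
            if new != dom[b]:
                dom[b], changed = new, True
    return dom


def immediate_dominators(dom, entry=0):
    """The strict dominator closest to b is the one with the largest dominator set."""
    return {b: max(ds - {b}, key=lambda d: len(dom[d])) for b, ds in dom.items() if b != entry}


def natural_loops(succ, dom):
    """Map loop header -> set of blocks in the loop, from back edges u->v with v dom u."""
    preds = predecessors(succ)
    loops = {}
    for u, targets in succ.items():
        for v in targets:
            if v in dom[u]:
                body, stack = {v}, [u]
                while stack:
                    b = stack.pop()
                    if b not in body:
                        body.add(b)
                        stack.extend(preds[b])
                loops.setdefault(v, set()).update(body)
    return loops


if __name__ == "__main__":
    blocks, succ = build_cfg(PROGRAM)
    dom = dominators(succ)
    print("blocks:", blocks)
    print("idom:  ", immediate_dominators(dom))
    print("loops: ", natural_loops(succ, dom))
```

Nesting falls out of containment: a loop whose body is a subset of another's body is nested inside it. The increment block (pc 7-8) sits inside the loop body with nothing marking it as a for-clause, which is exactly why the decompiler emits a while.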
napalm00
Veteran Member
Join Date: Jun 2011
Location: Italy, sadly
#2, posted 10-30-2011, 08:00

Looking at the decompiled example right now, this is really amazing
Endi
Junior Member
Join Date: Nov 2009
Location: Russia
#3, posted 11-01-2011, 00:16

BAILOPAN, you stupid noob, I explained that if the code were open source, any cheater would be able to write an emulator for the anti-cheat. If your goals were noble, you would have checked it for malware yourself, and if you found a backdoor, you would then have posted the source code.
BAILOPAN
Join Date: Jan 2004
#4, posted 11-01-2011, 00:24

Endi, your right to use and distribute SourceMod or works based on SourceMod was revoked the instant you violated our license - which you are continuing to do.

If you don't like the license, don't use SourceMod. Don't complain that you're not allowed to break the law or the spirit of our community (and don't think I didn't notice that you copied and pasted other people's GPL'd code into your plugin).
Endi
Junior Member
Join Date: Nov 2009
Location: Russia
#5, posted 11-01-2011, 00:42

BAILOPAN, and? Did you find a backdoor? Don't hide behind noble aspirations; you are just taking revenge for the code not being open source.
My project, like yours, is free; unlike you, I do not accept donations. Why do you want so badly to hurt my project?
BAILOPAN
Join Date: Jan 2004
#6, posted 11-01-2011, 01:39

Endi - it is obvious why I posted the source code. Your feelings about your project are irrelevant. You have violated our license, and taken advantage of our community's hard work and good faith. I contacted you multiple times about this.

If you don't want to obey our license, don't use SourceMod, and don't take advantage of our work.

(And, I have no intention of analyzing your source code. However, legitimate users of SourceMod have the right to, and this tool helps ensure that right.)
Fyren
Join Date: Feb 2106
#7, posted 11-01-2011, 01:40

If you can't write code that is secure even after the source is inspected, you should learn to write better code.

If you can't follow the license for someone else's code, then you can't use it freely.
necavi
Veteran Member
Join Date: Sep 2010
#8, posted 11-01-2011, 02:05

Arguably the two best anti-cheat plugins, KAC and SMAC, are both open source, and all the better for it.
BAILOPAN
Join Date: Jan 2004
#9, posted 11-01-2011, 02:17

A new version was posted to the site; here is the Lysis result.
Attached file: ucp_7_2.sp.txt (57.7 KB, 2365 views)
Sazpaimon
Member
Join Date: Apr 2008
#10, posted 11-01-2011, 03:19

Quote, originally posted by Endi:
    BAILOPAN, and? Did you find a backdoor? Don't hide behind noble aspirations; you are just taking revenge for the code not being open source.
    My project, like yours, is free; unlike you, I do not accept donations. Why do you want so badly to hurt my project?
You don't get it, do you? The SourceMod license is clear, IF YOU DISTRIBUTE THE BINARY (SMX) VERSION OF ANY PLUGIN, YOU MUST, *MUST*, DISTRIBUTE THE SOURCE ALONG WITH IT. If you do not do this, you are not only violating the Sourcemod license (along with your right to use it), you are also VIOLATING THE LAW THAT GOES ALONG WITH IT. THERE ARE NO EXCEPTIONS TO THIS POLICY, NOT FOR ANY REASON.

Before you willingly violate the SourceMod license, perhaps you should educate yourself on the GPL. Some kind folks have translated the GPLv3 (the license that SourceMod uses) to Russian so I hope it can help you understand it: http://code.google.com/p/gpl3rus/wiki/LatestRelease
