REC Studio 4 - How to Use



How To Use

Last update:
March 1, 2011


 Lithuanian translation courtesy of Giedrius Sadauskas


Since this release is still a beta, the user interface requires some practice. By following these simple instructions you'll get the best result from Rec Studio:

Start the Rec Studio executable. You'll see the Welcome page with a list of previously opened projects. The first time you may not see the Command View, the Project View and the Proc Info view. Resize the lower pane to show them; you can then drag each view in the preferred position to any side of the main frame.

Use File > New Project... to load an executable file. Executable files can be Windows PE files (.EXE, .DLL), Linux ELF files, Mac OS X MachO files or raw files. The level of support for each format varies, with Windows PE having the best support.

Before quitting Rec Studio, save the current state of the project with File > Save Project As..., so that you can reload the state next time you start the decompiler.

Project files (.rpj) store information entered by the user that helps the decompiler generate better output.

After loading a project or an executable file, the disassembler view is automatically opened at the entry point of the application (or at main if symbols are available). Pattern matching is used to try to detect the entry sequence and possibly define symbols to help identify higher level functions.

Should you not see any symbol in the Project pane, navigate in the Disassembler View with the Page Up and Page Down, or type the command "dis 0xXXXXX" to show a specific address. Once you identify the start of a procedure, right-click on the address at the left of the entry instruction and select "Set Procedure Entry" from the pop-up menu. That will start the code analysis from that instruction; the analysis will try to find any other procedures called recursively. At the end of the analysis the found procedures, if any, will be shown in the Project View.

Double-click on any procedure address in the Project View (or type the command "rec 0xXXXXX" in the Command View), to decompile that particular procedure. The decompiled output will be shown in its own tab in the central area.

Use the "help" command to see the list of supported commands.

The "decompile output-file-path" command will decompile the entire executable into the specified text file.

The "filemap" or the View > File Map command shows the layout of the executable file. Each link shown will try to expand the particular portion of the file.

The "strings" command shows the ASCII strings that have been detected in the file.

The "calltree" command shows which procedure calls which other procedure. This function has still some problems and may crash the application.

The "showprocs" command shows statistics about all the discovered procedures. In the future it will be possible to change the attributes of a procedure, such as the size and location of locals or input arguments.

The "add-proc-dest" command is used to specify the destination of an indirect call instruction if the decompiler cannot compute the destination automatically. Providing the destination for all indirect jumps and calls is extremely important to improve the quality of the decompiled output. The command is used like "add-proc-dest 0xXXXXXX 0xYYYYYY" where 0xXXXXXX is the address of the call instruction and 0xYYYYYY is the address of the callee.

The "add-comment" command can be used to save comments to the disassembled output, to help remember what a piece of code does.

All the information you entered in these commands is preserved when you save the project with the File > Save Project As... command.

Loading Binary Files

Rec Studio can load binary files of unknown formats. In this case, you will see the hex dump of the file. You can impose a structure on the binary file with the "def-segment" command, used like this: "def-segment -o 0xOFFSET -a 0xADDRESS -l 0xLENGTH -t TYPE", where TYPE is 'r', 'w', 'x', 'd', 'i' for read, write, executable, data, info, respectively.

If you want to disassemble the content of a binary file, you must use the "def-cpu" command to let Rec Studio know which processor to use to display the disassembly. Supported processors are: x86, x86_64, MIPS, m68k, Sparc, PowerPC.

Here is a list of all commands and their parameters:

pe-dump -[htsierdbcf] Show the content of various PE COFF areas in the binary file.

-h Show PE COFF header
-t Show PE COFF symbol table
-s Show PE COFF string table
-i Show PE COFF import table
-e Show PE COFF export table
-r Show PE COFF resource tables
-d Show PE COFF debug table (limited)
-b Show PE COFF base relocation table
-c Show PE COFF certificate table
-f Show PE COFF load configuration table
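The fields that "pe-dump -h" reports come straight from the PE/COFF file layout. As an added example (not REC Studio code), the Python below reads the DOS header pointer, the PE signature, the COFF file header and the section table from a constructed minimal PE image, and refuses anything that is truncated or not a PE file. The sample image is built inline and has no optional header (SizeOfOptionalHeader is 0), which is an assumption made to keep it small; the parser honours that field, so a real file's optional header is skipped correctly.

```python
import struct

# Machine values from the PE/COFF specification (small subset).
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}

COFF_HEADER_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp,
                                     # PointerToSymbolTable, NumberOfSymbols,
                                     # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                                     # PointerToRawData, PointerToRelocations,
                                     # PointerToLinenumbers, NumberOfRelocations,
                                     # NumberOfLinenumbers, Characteristics


def parse_pe_header(data: bytes) -> dict:
    """Return the COFF file header and section table of a PE image.

    Raises ValueError for anything that is not a well-formed PE header, so the
    caller never reads fields out of a truncated or non-PE buffer.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    coff_size = struct.calcsize(COFF_HEADER_FMT)
    if e_lfanew + 4 + coff_size > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (machine, nsections, timestamp, symtab_ptr, nsymbols,
     opt_size, characteristics) = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    # Section headers follow the optional header, whatever its size.
    sec_off = coff_off + coff_size + opt_size
    sec_size = struct.calcsize(SECTION_HEADER_FMT)
    if sec_off + nsections * sec_size > len(data):
        raise ValueError("section table is truncated")
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, sec_off + i * sec_size)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_offset": f[4],
            "characteristics": f[9],
        })
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "symbol_table_offset": symtab_ptr,
        "number_of_symbols": nsymbols,
        "optional_header_size": opt_size,
        "characteristics": characteristics,
        "sections": sections,
    }


def is_valid_pe(data: bytes) -> bool:
    """True if parse_pe_header accepts the buffer."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False


def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not a real binary) used for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack(COFF_HEADER_FMT,
                                   0x014C, 2, 0x4D4B0000, 0, 0, 0, 0x0102)
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x1000, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)   # CODE | EXECUTE | READ
    data = struct.pack(SECTION_HEADER_FMT, b".data", 0x100, 0x2000, 0x200, 0x600,
                       0, 0, 0, 0, 0xC0000040)   # INITIALIZED_DATA | READ | WRITE
    return dos + coff + text + data


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_pe())
    print(f"Machine: {hdr['machine_name']} (0x{hdr['machine']:04X}), "
          f"{hdr['number_of_sections']} sections, "
          f"characteristics 0x{hdr['characteristics']:04X}")
    for s in hdr["sections"]:
        print(f"  {s['name']:<8} VA=0x{s['virtual_address']:08X} "
              f"raw=0x{s['raw_offset']:X}+0x{s['raw_size']:X} "
              f"flags=0x{s['characteristics']:08X}")
```

The bounds checks matter more than the field decoding: a decompiler that trusts e_lfanew or NumberOfSections from an untrusted sample will read past the buffer, which is exactly the kind of input a malformed file is built to supply.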

mac-dump -[ht] Show the content of various Mach-O areas in the binary file.

-h Show Mach-O header
-t Show Mach-O symbol table

elf-dump -[htsy] Show the content of various ELF areas in the binary file.

-h Show ELF header, Program headers and section headers
-t Show ELF symbol table
-ty Show ELF dynamic symbol table
-s Show ELF string table
-y Show ELF dynamic section

help Shows the list of all commands

jumptbls -j jumpAddr -t tableAddr -n numDests -m {a4|a8|o2|o4|o8} Define an indirect jump table.

-j jumpAddr : specifies the address of the indirect jump instruction
-t tableAddr : specifies the address of the data table used by the indirect jump instruction. This data table is used to get the address of the possible destinations of the indirect jump.
-n numDests : specifies how many entries there are in the table, that is, how many possible destinations can be reached from the jump instruction.
-m {a4|a8|o2|o4|o8} : specifies the mode of the address calculation. a4 means the address table contains absolute addresses, each 4 bytes in length; similarly, a8 means the address table contains absolute addresses, each 8 bytes in length. o2 means the table contains offsets from the jump instruction, each 2 bytes in length; o4 offsets are 4 bytes; o8 offsets are 8 bytes.
At this moment, only modes a4 and a8 are implemented.
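The address calculation behind the -m modes, as an added example in Python (not REC Studio code, and it implements the offset modes the page says are not yet available in the tool): each table entry is either an absolute address (a4, a8) or a displacement added to the jump instruction's address (o2, o4, o8). Little-endian entries, signed displacements, and the jump instruction's own address as the base for offset modes are assumptions; the image bytes and addresses are constructed for the demo.

```python
import struct

# Table-entry encoding for each -m mode: (kind, entry width in bytes).
JUMP_TABLE_MODES = {
    "a4": ("absolute", 4), "a8": ("absolute", 8),
    "o2": ("offset", 2), "o4": ("offset", 4), "o8": ("offset", 8),
}
_UNSIGNED = {2: "<H", 4: "<I", 8: "<Q"}   # absolute addresses, little-endian
_SIGNED = {2: "<h", 4: "<i", 8: "<q"}     # displacements, little-endian, signed


def resolve_jump_table(image: bytes, image_base: int, jump_addr: int,
                       table_addr: int, num_dests: int, mode: str) -> list:
    """Return the destination addresses an indirect jump can reach.

    image holds the raw bytes of the mapped region and image_base is the
    virtual address of image[0]. Offset modes add the signed entry to
    jump_addr (assumption: "offsets from the jump instruction").
    """
    if mode not in JUMP_TABLE_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    kind, width = JUMP_TABLE_MODES[mode]
    start = table_addr - image_base
    end = start + num_dests * width
    if start < 0 or end > len(image):
        raise ValueError("jump table lies outside the loaded image")
    fmt = _UNSIGNED[width] if kind == "absolute" else _SIGNED[width]
    dests = []
    for i in range(num_dests):
        (entry,) = struct.unpack_from(fmt, image, start + i * width)
        dests.append(entry if kind == "absolute" else jump_addr + entry)
    # A destination outside the image means -n or -m was given wrongly
    # (or the table has been walked past its real end).
    for d in dests:
        if not image_base <= d < image_base + len(image):
            raise ValueError(f"destination 0x{d:X} is outside the image")
    return dests


IMAGE_BASE = 0x401000
JUMP_ADDR = 0x401010


def build_sample_image() -> bytes:
    """Constructed 0x200-byte region mapped at IMAGE_BASE (not a real binary)."""
    img = bytearray(0x200)
    # a4 table at 0x401100: three absolute 4-byte destinations.
    img[0x100:0x10C] = struct.pack("<III", 0x401020, 0x401040, 0x401060)
    # o2 table at 0x401120: three signed 2-byte offsets from JUMP_ADDR;
    # the negative one lands on the first byte of the image.
    img[0x120:0x126] = struct.pack("<hhh", 0x10, 0x30, -0x10)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for table, n, mode in ((0x401100, 3, "a4"), (0x401120, 3, "o2")):
        dests = resolve_jump_table(img, IMAGE_BASE, JUMP_ADDR, table, n, mode)
        print(f"jumptbls -j 0x{JUMP_ADDR:X} -t 0x{table:X} -n {n} -m {mode}:",
              ", ".join(f"0x{d:X}" for d in dests))
    try:
        # Over-counting the entries (-n 200) runs off the region and is rejected.
        resolve_jump_table(img, IMAGE_BASE, JUMP_ADDR, 0x401100, 200, "a4")
    except ValueError as err:
        print("rejected:", err)
```

Getting -n right is the part that needs care: too small and the decompiler misses reachable code; too large and it turns unrelated data after the table into bogus destinations, which is why the example validates every computed address against the image bounds.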
type-tree type_name Shows the type hierarchy for the specified type. The hierarchy for a typedef includes the concrete type.

strings Shows the list of detected strings. A string is a sequence of ASCII characters. The program tries to identify strings by looking in the data regions for a sequence of ASCII characters long enough to be considered a word or sentence.
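The detection rule described above, as an added example in Python (not REC Studio's implementation): scan a data region for runs of printable ASCII and report each run that reaches a minimum length together with its address. The minimum length of 4, the set of bytes counted as printable (0x20 to 0x7E plus tab), and the sample region are assumptions; the page only says "long enough".

```python
DEFAULT_MIN_LEN = 4   # assumption; the page says only "long enough"


def _is_printable(b: int) -> bool:
    """Printable ASCII plus tab (assumption about what counts as text)."""
    return 0x20 <= b < 0x7F or b == 0x09


def find_ascii_strings(data: bytes, base_addr: int = 0,
                       min_len: int = DEFAULT_MIN_LEN) -> list:
    """Return (address, text) pairs for every printable run of at least min_len bytes.

    A run ends at the first non-printable byte or at the end of the buffer, so a
    string with no terminator (for example one cut off at a section boundary) is
    still reported rather than silently dropped.
    """
    found = []
    run_start = None
    for i, b in enumerate(data):
        if _is_printable(b):
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_len:
                found.append((base_addr + run_start, data[run_start:i].decode("ascii")))
            run_start = None
    if run_start is not None and len(data) - run_start >= min_len:
        found.append((base_addr + run_start, data[run_start:].decode("ascii")))
    return found


# Constructed data region mapped at 0x1000: two NUL-terminated strings, a
# two-byte fragment that is too short to report, and an unterminated tail.
DATA_BASE = 0x1000
DATA_REGION = b"\x00\x01Hello, world\x00\xff\xfeab\x00/usr/lib\x00GET /"


if __name__ == "__main__":
    for addr, text in find_ascii_strings(DATA_REGION, DATA_BASE):
        print(f"0x{addr:08X}  {text!r}")
```

Raising min_len cuts down on false positives from opcode bytes that happen to fall in the printable range, at the cost of missing short but meaningful strings such as two- or three-letter file extensions; the right value depends on what the analyst is looking for.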

calltree Shows the call tree, that is, which functions are called by which other function.

showsyms Shows the list of named addresses (low-level symbol table). These may include variables, pseudo-symbols, user-defined labels, etc.

proc-range This command is not implemented.

rec -a addr [-v] [-O] Decompile a procedure.

-a addr : specifies the address of the procedure to decompile
-O0-9 : specifies the optimization level. The level is the same as shown in the View > Options menu.
-vbpilf : shows a lot of verbose information: b = block information, p = proc information, l = variable lifetime information, f = procedure frame information.

Copyright © 1997 - 2015 Backer Street Software - All rights reserved.