Some interesting {de/re}compilation projects

Commodore BASIC blogpost, repo, diploma thesis

• original 1977, C64 ROM, 6502 8-bit
• custom disassembler to LLVM IR (not published)
• IR translated to C (no reconstruction of higher-level structure), compiled natively
• original program has very clean platform interface, no interrupts etc.

NESgen paper repo

• very limited production ROM support

Albion, X-Com: UFO Defense (UFO: Enemy Unknown), X-Com: Terror from the Deep, Warcraft: Orcs & Humans repo

• originals released 1994-1995, target: DOS, x86 ?-bit
• disassembler based on udis86
• generate x86 or ARM assembly (ARM back-end is 8600 lines)

Frontier: First Encounters repo, archived website

Devilution repo

• original release 1996, target: Windows 95, x86 32-bit
• debug executable available -> symbol, variable and file names known
• hex-rays
• known compiler
• custom IDA scripting

Syndicate Wars Port website

• original released 1996, target: DOS, x86 ?-bit
• custom disassembler (not published)
• no attempt at supporting non-x86

NFSIISE repo

• original released 1997, target: Windows x86 32-bit
• auto-translation similar to StarCraft below
• tools published anywhere?

StarCraft for Pandora repo

• original released 1998, target: Windows 95, PE, x86 32-bit
• custom IDA plugin to dump assembly
• custom decompiler that emits compilable low-level C representation of the assembly code

example C code:

int sub_401310(int a1, int a2)
{
u32 eax = (u32)a1;
u32 ecx;
u32 edx;
u32 esi;
u32 edi;

if (eax != 0)
goto loc_40131D;
eax = (u32)a2; // arg_0
eax += 4;

loc_40131D:
esi = *(u32 *)(eax);
if (esi == 0)
goto loc_401351;
edx = *(u32 *)(eax+4);
if ((s32)edx > 0)
goto loc_40132F;
edx = ~edx;
goto loc_40133A;

loc_40132F:
edi = *(u32 *)(esi+4);
ecx = eax;
ecx -= edi;
edx += ecx;

loc_40133A:
*(u32 *)(edx) = esi;
ecx = *(u32 *)(eax);
edx = *(u32 *)(eax+4);
*(u32 *)(ecx+4) = edx;
*(u32 *)(eax) = 0;
*(u32 *)(eax+4) = 0;

loc_401351:
return eax;
}

pokeruby repo

• original released 2002, target: Game Boy Advance, flat ROM image, ARM7TDMI 32-bit
• unclear how initial disassembly was obtained
• exact toolchain is known
• functions are manually rewritten in C to generate identical binary code

goldeneye_src repo

n64decomp/majora repo

n64decomp/oot repo

n64decomp/sm64 repo

• unclear how initial disassembly was obtained
  • majora has a custom annotating disassembler written from scratch by Rozelette
• exact toolchain + SDK is known
• functions are manually rewritten in C to generate identical binary code
• useful tools: https://github.com/simonlindholm/asm-differ https://github.com/simonlindholm/decomp-permuter

KAIN2 repo

• Legacy of Kain: Soul Reaver
• originally PS1