Opening Closed Source Software


How do you modify a program without its source? Binary patching, altering a few bytes of the executable, is cheap and quick for small tweaks. DLL injection lets you run complicated new code inside the existing program. But both methods still rule out things programmers in high-level languages take for granted, like adding a new field to a class, because every piece of code that lays out or accesses that structure has to change with it. Truly scalable changes require building from source.

We know what to do with a program once we have its source. Existing tools like the Interactive Disassembler (IDA) are great at turning a binary into something readable. What's missing is the middle step: a way of turning the raw output of reverse engineering, a long listing of definitions and code, into a well-structured source directory we can easily work with. Reengineering is also an iterative process; we usually can't afford to completely decompile the program up front. We need to find which parts we need to reverse, decompile only those, and make sure our disassembly and decompilation are correct. We need to transform the decompiled portions into a clean source tree, leave the rest as assembly, and create interfaces between them. And finally, we need a way of incorporating new knowledge from reverse engineering into our new version.

Revitalize Overview

The Revitalize program aims to make it vastly easier to make major changes to programs that are only available as binaries, by disassembling the program and replacing individual pieces with new versions written in C. Several subprojects make this possible. Referee augments IDA to make it cheaper to find every place a structure is used. Binary Shim automatically tests programs built from decompiled and disassembled functions against the original. to_masm outputs the disassembly in a form that can be reassembled, which Seance then combines with the decompilation into a clean source tree while keeping a link to the ongoing reverse-engineering effort. All components except Binary Shim are currently available on GitHub. A tutorial on Revitalize and its use within Project Ironfist is available here. You can see it being used to modify a game in the associated video tutorial.

Revitalize forms the backbone of Project Ironfist, an ongoing effort to create a fan-made expansion for Heroes of Might and Magic II.

Referee

Referee is a plugin for the Hex-Rays Decompiler which automatically adds every structure use found in the decompilation to that structure's cross-reference list. This greatly reduces the effort of finding all the places in the binary where a structure is used, so one can make sure every one of them has been correctly translated to C before altering the structure. Completeness matters here: a field added in C shifts the offsets of the fields after it, and any access that is still in assembly, where the offset is a hard-coded constant, silently breaks.

to_masm

The first time I took IDA's output assembly for the Heroes of Might and Magic II executable and tried to reassemble it, I spent two weeks translating IDA's custom assembly syntax into something the Microsoft Macro Assembler (MASM) would accept. Today, I can do this in minutes using to_masm. to_masm is mostly complete, but its output still requires a small amount of hand tweaking.

Seance

If you have an IDA disassembly database and a directory of template files, Seance will give you a directory of source, and leave behind metadata that lets future runs help you merge in new knowledge from reverse engineering. It is currently under development by me.

Binary Shim

Binary Shim monitors the execution of a function in the original binary and compares it to the execution of a version built from disassembly or decompilation, attacking one of the main costs of reengineering: mistakes made in transformation. It is currently under development by Josiah Boning.
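The check Binary Shim automates, and the "make sure our disassembly and decompilation are correct" step from the introduction, as an added example in C that is not Binary Shim's code: a differential harness that feeds an original function and its port the same inputs and compares both the return value and every byte of the buffer each was allowed to touch. The "original" here is a constructed stand-in for a function lifted from a binary (a real shim would call the function in the running executable), and the port carries a deliberate signedness mistake of the kind a decompiler's guessed types produce. All names are the example's own.

```c
/*
 * Differential check in the spirit of Binary Shim (added example, not the
 * project's code). Both sides get identical inputs; the harness compares the
 * return value and every byte of the buffer, reporting the first disagreement.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Constructed stand-in for a function lifted from the original binary: clamp
 * each byte of buf into [lo, hi] and return how many bytes were changed. The
 * disassembly uses unsigned compares (cmp/jb, cmp/ja), so bytes are uint8_t. */
static uint32_t original_clamp(uint8_t *buf, uint32_t len, uint8_t lo, uint8_t hi)
{
    uint32_t changed = 0;
    for (uint32_t i = 0; i < len; i++) {
        if (buf[i] < lo)      { buf[i] = lo; changed++; }
        else if (buf[i] > hi) { buf[i] = hi; changed++; }
    }
    return changed;
}

/* Decompiled port carrying a typical transformation mistake: the byte array was
 * typed as a signed char, so 0x80..0xFF compare as negative. int8_t is used so
 * the defect is deterministic on every compiler. */
static uint32_t ported_clamp(int8_t *buf, uint32_t len, int8_t lo, int8_t hi)
{
    uint32_t changed = 0;
    for (uint32_t i = 0; i < len; i++) {
        if (buf[i] < lo)      { buf[i] = lo; changed++; }
        else if (buf[i] > hi) { buf[i] = hi; changed++; }
    }
    return changed;
}

/* Common signature the harness calls through, the way a shim marshals the
 * original's registers and stack into the port's arguments. */
typedef uint32_t (*clamp_fn)(uint8_t *buf, uint32_t len, uint8_t lo, uint8_t hi);

static uint32_t ported_adapter(uint8_t *buf, uint32_t len, uint8_t lo, uint8_t hi)
{
    return ported_clamp((int8_t *)buf, len, (int8_t)lo, (int8_t)hi);
}

struct divergence {
    int found;          /* 1 if any trial disagreed */
    uint32_t trial;     /* index of the first disagreeing trial */
    uint32_t ret_orig;  /* return values of that trial */
    uint32_t ret_port;
    int first_byte;     /* first differing buffer offset, -1 if only the return differed */
};

/* Deterministic LCG so trials are reproducible from the seed (no libc rand). */
static uint32_t next_rand(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 24;
}

/* Run `trials` random inputs through both functions and compare results. */
struct divergence shim_compare(clamp_fn orig, clamp_fn port, uint32_t trials, uint32_t seed)
{
    struct divergence d = { 0, 0, 0, 0, -1 };
    uint8_t in[BUF_LEN], out_orig[BUF_LEN], out_port[BUF_LEN];

    for (uint32_t t = 0; t < trials; t++) {
        for (int i = 0; i < BUF_LEN; i++) in[i] = (uint8_t)next_rand(&seed);
        uint8_t lo = (uint8_t)next_rand(&seed), hi = (uint8_t)next_rand(&seed);
        if (lo > hi) { uint8_t tmp = lo; lo = hi; hi = tmp; }

        /* Each side works on its own copy so neither can see the other's writes. */
        memcpy(out_orig, in, BUF_LEN);
        memcpy(out_port, in, BUF_LEN);
        uint32_t r_orig = orig(out_orig, BUF_LEN, lo, hi);
        uint32_t r_port = port(out_port, BUF_LEN, lo, hi);

        if (r_orig != r_port || memcmp(out_orig, out_port, BUF_LEN) != 0) {
            d.found = 1; d.trial = t; d.ret_orig = r_orig; d.ret_port = r_port;
            for (int i = 0; i < BUF_LEN; i++)
                if (out_orig[i] != out_port[i]) { d.first_byte = i; break; }
            return d;
        }
    }
    return d;
}

int main(void)
{
    struct divergence d = shim_compare(original_clamp, ported_adapter, 1000, 12345u);
    if (d.found)
        printf("divergence at trial %u: original returned %u, port returned %u, first differing byte %d\n",
               d.trial, d.ret_orig, d.ret_port, d.first_byte);
    else
        printf("no divergence in 1000 trials\n");
    return d.found;
}
```

Comparing the original against itself finds nothing; comparing it against the port reports the first trial where a byte at or above 0x80 was clamped the wrong way. Two things carry over to a real shim: each side must run on its own copy of any memory it writes, and the comparison has to cover every location the function may touch (here just the buffer; in a real program also globals and anything reachable through its arguments), since a divergence in state the harness does not snapshot goes unnoticed.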