5

I have an Erlang application's beam files which I want to decompile.

The application is compiled and built with the 'debug_info' option. Here is a snippet of the emake file which is used to build the application:

{"apps/my_app/src/*",   [debug_info, nowarn_export_all, {outdir, "apps/my_app/ebin"},{pa, "deps"},{parse_transform, lager_transform}, {parse_transform, events_transform}]}.

I have tried a function from the beam_lib module but I am getting the following error:

1>{ok,{_,[{abstract_code,{_,AC}}]}} = beam_lib:chunks(abc,[abstract_code]).
** exception error: no match of right hand side value {error,beam_lib,{not_a_beam_file,'abc.beam'}}

I have also tried the solution mentioned in the following post, "Decompile erlang .beam files compiled without debug_info", but it's not working for me. I'm getting the following error:

1> file:write_file("/tmp/my_module_disasm", io_lib:fwrite("~p.\n", [beam_disasm:file(abc)])).
ok

The /tmp/my_module_disasm file contains:

{error,beam_lib,{not_a_beam_file,'abc.beam'}}.

Does anyone have an idea?

Igor Skochinsky

1 Answer

4

Have you tried using recon:source/1? I think it does exactly what you need. If you don't want to use it, at least you can get inspiration from its source code:

-spec source(module()) -> iolist().
source(Module) ->
    Path = code:which(Module),
    {ok,{_,[{abstract_code,{_,AC}}]}} = beam_lib:chunks(Path, [abstract_code]),
    erl_prettypr:format(erl_syntax:form_list(AC)).
  • I had already tried it, you can see it in code snippets in post. – parmar7725274 Oct 31 '17 at 03:11
  • Looks like your module (abc) is not compiled. What does code:which(abc). return? – Brujo Benavides Nov 01 '17 at 21:10
  • I have taken a backup from a live node. So I don’t think it is not compiled. And code:which(abc) is returning the absolute path of the beam file. – parmar7725274 Nov 02 '17 at 06:02
  • Actually, on closer look, the error you're seeing comes from here, which means your file doesn't start with something like FOR1____BEAM (i.e. something that matches <<"FOR1", _Size:32, "BEAM">>).

    Out of curiosity, can you show me the first 12 bytes of your abc.beam file?

    – Brujo Benavides Nov 02 '17 at 12:48
  • Here it is: <<69,82,76,50,62,12,178,214,62,207,41,11>> or, in printable format, <<"ERL2>\f\262\326>\317)\v">>. – parmar7725274 Nov 02 '17 at 15:13
  • That's really strange. According to this and other sources, FOR1 is actually just a "Magic number indicating an IFF form. This is an extension to IFF indicating that all chunks are four-byte aligned." and it's used to build and scan all .beam files since at least R13B03 (i.e. a long time ago). So, two more questions:
    1. What does abc:module_info(). return?
    2. Any way you can share your beam file with us?
    – Brujo Benavides Nov 02 '17 at 18:00
  • Here is abc:module_info(): [{module,abc}, {exports,[...]}, {attributes,[{vsn,[10...]}, {declared_records,[]}]}, {compile,[{options,[{parse_transform,events_transform}, compressed, {source,"apps/***/src/abc.erl"}, {i,"apps/***/include"}, nowarn_export_all, {d,production}]}, {version,"2.0"}, {source,".../src/abc.erl"}]}, {native,false}, {md5,<<75,214,244,246,35,73,154,180,70,208,143,93,40, 254,32,143>>}] – parmar7725274 Nov 03 '17 at 04:14
  • I have truncated it because of the comment length limit. Can you suggest a way to share the beam file? – parmar7725274 Nov 03 '17 at 04:16
  • To share the beam file, you can (among other possible solutions) upload it to a public repo on Github and paste the link here. – Brujo Benavides Nov 03 '17 at 11:28
  • In any case, judging by the compile options reported by abc:module_info(). (i.e. [{parse_transform,events_transform}, compressed, {source,"apps/***/src/abc.erl"}, {i,"apps/***/include"}, nowarn_export_all, {d,production}]), it looks like the module is not compiled with debug_info. But, if that would be the case, the reported error should be no_abstract_code. – Brujo Benavides Nov 03 '17 at 11:41
  • Any solution? This solution is also not working: https://reverseengineering.stackexchange.com/questions/8895/decompile-erlang-beam-files-compiled-without-debug-info – parmar7725274 Nov 03 '17 at 14:06
  • No solutions yet, my friend. I must say your beam file is… interesting. If I can get access to it, I might be able to find out more. – Brujo Benavides Nov 03 '17 at 14:40
  • Here is the beam file: https://github.com/parmar7725274/beam – parmar7725274 Nov 10 '17 at 10:34
  • This is what happens when I try to load it:

    https://gist.github.com/elbrujohalcon/bc93e6a6881b3395da2318f567b4638d

    Is this not happening on your computer?

    – Brujo Benavides Nov 10 '17 at 12:05
  • Out of curiosity I checked http://erlang.org/download/ and looked for the oldest available version of Erlang/OTP source code (i.e. R6B-0 - …and that was a trip!) but that one still has the same BEAM format (i.e. beam files are required to start with FOR1). – Brujo Benavides Nov 10 '17 at 12:37
  • I also found this mail by Daniel Luna from 2007. But sadly, there is no answer. – Brujo Benavides Nov 10 '17 at 12:37
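
The header check discussed in the comments above can be run outside the Erlang VM before trying beam_lib or beam_disasm. The following is an added example, not part of the original thread or of recon/OTP: the function names and the sample module are constructed for illustration, and only the 12 header bytes are taken from the thread. It goes slightly beyond the thread by also unwrapping gzip (what the `compressed` compile option produces) and by listing the IFF chunks to see whether an abstract-code chunk (`Abst`, or `Dbgi` on OTP 20 and later) is present.

```python
import gzip
import struct

def triage_beam(data: bytes) -> dict:
    """Classify a .beam file image and, if it is a standard one, list its chunks."""
    wrapper = None
    if data[:2] == b"\x1f\x8b":              # gzip magic: built with `compressed`
        data, wrapper = gzip.decompress(data), "gzip"
    # The match quoted in the thread: <<"FOR1", _Size:32, "BEAM">>
    if len(data) < 12 or data[:4] != b"FOR1" or data[8:12] != b"BEAM":
        return {"status": "not_a_beam_file", "wrapper": wrapper, "magic": data[:4]}
    (form_size,) = struct.unpack(">I", data[4:8])
    end = min(len(data), 8 + form_size)      # do not trust the size past EOF
    chunks, pos = [], 12
    while pos + 8 <= end:
        chunk_id = data[pos:pos + 4].decode("latin-1")
        (size,) = struct.unpack(">I", data[pos + 4:pos + 8])
        chunks.append((chunk_id, size))
        pos += 8 + ((size + 3) & ~3)         # chunk bodies are four-byte aligned
    debug = any(cid in ("Abst", "Dbgi") for cid, _ in chunks)
    return {"status": "beam", "wrapper": wrapper, "chunks": chunks, "debug_info": debug}

def _chunk(cid: bytes, body: bytes) -> bytes:
    """Encode one IFF chunk: id, big-endian length, body padded to 4 bytes."""
    return cid + struct.pack(">I", len(body)) + body + b"\0" * (-len(body) % 4)

def build_sample_beam(with_debug: bool) -> bytes:
    """Constructed, minimal container for testing; not a loadable module."""
    body = b"BEAM" + _chunk(b"AtU8", b"\x00\x00\x00\x01\x03abc")
    if with_debug:
        body += _chunk(b"Dbgi", b"constructed")
    return b"FOR1" + struct.pack(">I", len(body)) + body

# First 12 bytes of abc.beam as posted in the thread.
PAGE_HEADER = bytes([69, 82, 76, 50, 62, 12, 178, 214, 62, 207, 41, 11])
# Constructed sample: the same container, gzip-wrapped.
SAMPLE_GZ = gzip.compress(build_sample_beam(False))

if __name__ == "__main__":
    for name, blob in [("thread header", PAGE_HEADER),
                       ("sample+debug", build_sample_beam(True)),
                       ("sample gzip", SAMPLE_GZ)]:
        print(name, triage_beam(blob))
```

On the header from the thread this reports `not_a_beam_file` with magic `ERL2`, so the file is neither a plain nor a gzip-compressed standard BEAM container, which is consistent with the errors from both beam_lib and beam_disasm.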