User:Lucas Brooks/Researches/Windows 1.0 DR5 Notepad Decompilation

First full decompilation of a Windows 1.0 DR5 application. I picked Notepad because its source code had previously been released by Microsoft through the Chicago SDKs. DR5's Notepad has nothing in common with the Notepad application in modern versions of Windows; the code was rewritten from scratch after DR5.

This isn't a step-by-step guide; it simply outlines the main steps required to fully decompile a DR5 application back to source code. You must have a good level of knowledge before attempting this.

Module Definition File Reconstruction
The NE header includes all the information required to reconstruct the Module Definition file for an executable. We can recover information about the segments, the stack/heap size and the Load/Free procedures by examining the HEADER segment.

 HEADER:0000 HEADER         segment byte public 'MODULE' use16
 HEADER:0000                assume cs:HEADER
 HEADER:0000                assume es:nothing, ss:nothing, ds:_DATA, fs:nothing, gs:nothing
 ...
 HEADER:0012 flags          dw 1
 ...
 HEADER:0018 HeapSize       dw 2048
 HEADER:001A StackSize      dw 0
 HEADER:001C StartProc      dd 0
 HEADER:0020 LoadProc       dd 2098Bh
 HEADER:0024 FreeProc       dd 20AB9h
 ...
 HEADER:004F HEADER         ends

An application flag of 1 means there can only be a single data segment (the application may only start once per session). A stack size of 0 means it wasn't defined in the Module Definition file, and a StartProc of 0 means there is no StartProc. Looking at the ENTNAME segment, we can recover the module name.

 ENTNAME:0098 ENTNAME        segment byte public 'MODULE' use16
 ENTNAME:0098                assume cs:ENTNAME
 ENTNAME:0098                ;org 98h
 ENTNAME:0098                assume es:nothing, ss:nothing, ds:_DATA, fs:nothing, gs:nothing
 ENTNAME:0098                db 7,'NOTEPAD'
 ENTNAME:00A0                dw 0
 ENTNAME:00A2                db 0
 ENTNAME:00A2 ENTNAME        ends

The module name is quite obvious. Next, we recover the segment information by looking at the SEGTABLE segment.

 SEGTABLE:0050 SEGTABLE       segment byte public 'MODULE' use16
 SEGTABLE:0050                assume cs:SEGTABLE
 SEGTABLE:0050                ;org 50h
 SEGTABLE:0050                assume es:nothing, ss:nothing, ds:_DATA, fs:nothing, gs:nothing
 SEGTABLE:0050                SEGENT <41h, 0, 1Ch, 1, 9Ch, 40h>
 SEGTABLE:005C                SEGENT <0, 1Dh, 0AEh, 37h, 0, 5Ch>
 SEGTABLE:005C SEGTABLE       ends

There are two moveable segments: the first is the code segment and the second is the data segment.

Now we have all the information required to reconstruct the Module Definition file. It looks like this:

 NAME   Notepad
 CODE   MOVEABLE
 DATA   MOVEABLE SINGLE
 HEAPSIZE   2048
 LOADPROC   NotepadLoad
 FREEPROC   NotepadFree
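As an added example (not part of the original page or of any Microsoft tooling), the following Python script automates the header-to-.DEF step described above. It only uses the field offsets visible in the HEADER and ENTNAME listings (flags at 12h, HeapSize at 18h, StackSize at 1Ah, StartProc/LoadProc/FreeProc at 1Ch/20h/24h, the length-prefixed name at 98h); the sample buffer is constructed to reproduce those values, the CODE/DATA attributes are passed in explicitly because the SEGENT field layout is not named on the page, and the Proc_XXXXX placeholder names are a hypothetical fallback for addresses not yet named by the decompilation.

```python
import struct

# Field offsets read off the HEADER / ENTNAME listings above; the rest of the
# header layout is not shown on the page and is left as padding here.
OFF_FLAGS, OFF_HEAPSIZE, OFF_STACKSIZE = 0x12, 0x18, 0x1A
OFF_STARTPROC, OFF_LOADPROC, OFF_FREEPROC = 0x1C, 0x20, 0x24
OFF_ENTNAME = 0x98
FLAG_SINGLE_DATA = 1  # flags == 1: one data segment, app starts once per session

def build_sample_header():
    """Constructed sample reproducing the listed values (not a real DR5 file)."""
    buf = bytearray(0xA4)
    struct.pack_into("<H", buf, OFF_FLAGS, 1)
    struct.pack_into("<H", buf, OFF_HEAPSIZE, 2048)
    struct.pack_into("<H", buf, OFF_STACKSIZE, 0)
    struct.pack_into("<III", buf, OFF_STARTPROC, 0, 0x2098B, 0x20AB9)
    name = b"NOTEPAD"
    buf[OFF_ENTNAME] = len(name)              # db 7,'NOTEPAD': length byte first
    buf[OFF_ENTNAME + 1:OFF_ENTNAME + 1 + len(name)] = name
    return bytes(buf)

def parse_header(buf):
    """Extract the fields the Module Definition file is rebuilt from."""
    if len(buf) < OFF_ENTNAME + 1 or len(buf) < OFF_ENTNAME + 1 + buf[OFF_ENTNAME]:
        raise ValueError("buffer too short for the fields this parser expects")
    flags = struct.unpack_from("<H", buf, OFF_FLAGS)[0]
    heap, stack = struct.unpack_from("<HH", buf, OFF_HEAPSIZE)
    start, load, free = struct.unpack_from("<III", buf, OFF_STARTPROC)
    name_len = buf[OFF_ENTNAME]
    name = buf[OFF_ENTNAME + 1:OFF_ENTNAME + 1 + name_len].decode("ascii")
    return {"name": name, "single_data": bool(flags & FLAG_SINGLE_DATA),
            "heapsize": heap, "stacksize": stack,
            "startproc": start, "loadproc": load, "freeproc": free}

def render_def(info, symbols=None, code_attr="MOVEABLE", data_attr="MOVEABLE"):
    """Emit .DEF text. Proc names come from the decompilation (symbols map);
    unnamed addresses get a hypothetical Proc_XXXXX placeholder."""
    symbols = symbols or {}
    sym = lambda addr: symbols.get(addr, f"Proc_{addr:05X}")
    lines = [f"NAME   {info['name'].capitalize()}", f"CODE   {code_attr}",
             f"DATA   {data_attr}" + (" SINGLE" if info["single_data"] else ""),
             f"HEAPSIZE   {info['heapsize']}"]
    for key, field in (("STACKSIZE", "stacksize"), ("STARTPROC", "startproc"),
                       ("LOADPROC", "loadproc"), ("FREEPROC", "freeproc")):
        val = info[field]
        if val:  # 0 means the entry was absent from the original .DEF
            lines.append(f"{key}   {val if key == 'STACKSIZE' else sym(val)}")
    return "\n".join(lines)
```

Calling render_def(parse_header(build_sample_header()), {0x2098B: "NotepadLoad", 0x20AB9: "NotepadFree"}) reproduces the Module Definition file shown above line for line.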

Source Code Reconstruction
There is no decompiler for the 8086/8088 architecture, so decompilation must be done manually. All API functions use the PASCAL calling convention (arguments are pushed in the order they appear in the source code, and the caller is not responsible for stack cleanup). Start the process by reading the disassembly and identifying offset references. Once the disassembly is good enough that it can be re-assembled back into the exact same binary, the decompilation can begin. Start with the LoadProc, then decompile each function called by the LoadProc, each function they call, and so on, until all loader functions have been decompiled. Then decompile the class procedures (the PaintProc, the InputProc, etc.) and the functions they call. Finally, decompile the FreeProc and anything else that has not yet been referenced or decompiled. Reconstruct the header file if you can identify constants.

Decompiled C code:

Header file:

Resource Script Reconstruction
Some resources must be decompiled manually. The .RES files can be extracted, but DR5's dialog format is different from the final dialog format, so there is no decompiler or documentation for it. Start with a dialog template and iterate by trial and error until you get something that compiles back to the exact same binary.

Makefile Reconstruction
Makefiles are easy to reconstruct: use the default template, change the filenames, and you should be good to go.