How TradeStation Generates Codes for Variable Assignment

This time, I want to provide some insights as to how the TradeStation platform generates the equivalent assembly code based on the ELD language source code for variable assignment.

Suppose I creates a very small ELD source code that contains simple variable assignment like this :

abcd = 888;

By putting aside codes that its function still unknown at this time, the above statement will generates equivalent assembly code as follows :

So, the above variable assignment statement is translated into equivalent assembly mov instruction. As you can see from the above code, the value 0x378 corresponds to 888 decimal value.

The local variable ebp-28h is certainly the variable index base. This is proved by the second source code statement :

abcd(0), def(0);
def = 888;

With the generated result :

Do you see the pattern here ? The pattern is this : the local variables ebp-28h contains index to variables list, the first one is at [ebx], second one at [ebx+4], etc.

Now, let’s see how the TradeStation can create this kind of magic 🙂

The source of information for the above generated codes turns out to be the object record generated by TradeStation that starts with 0xFA0 signature. As of TradeStation 8.5, this record is still available in decoded protected ELD file. You can refer to my previous article about method to decode the protected ELD file to obtain this record.

This is the portion of 0xFA0 record :

The byte at offset 0x4 (red box) denotes the size of this record, in this case, the size of record of 0xFA0 signature is 0xDE (222). The word data (green box) at offset 0x5 is the size of generated object code that is used to generate the assembly code. In this case, the size is 0x21E. This information is important to calculate the start address of variable object list that eventually leads to the address of object code record that is responsible for generating the above mov instruction.

The last piece of significant data is at offset 0x1D with the size of dword, which is 0x00000002 is total # of variables declared in variables statement. This data will be used to determine whether, at the end of generated object code, there are variable information list record or not. So, when there are no variables statement, then this value will be 0x0 (zero) and in this case, after the object code data, it is immediately followed by variable object list.

To generate the assembly code, TradeStation platform will traverse from 0xFA0 record, using its record size (0xDE) to determine the location of next record. This will place the pointer to the record with 0x529 signature, as in the in-memory examination of this process.

But at the in-file record, after the 0xFA0 record, there are very long series of 0xFFFFFFFE dword data that is apparently to be some sort of place-holder with unknown function at this time. So, for in-file version, you have to skip or ignore the 0xFFFFFFFE to arrive the next record which is 0x529.

The 0x529 signature is actually an #Events keyword. After the #Events keyword, it is followed by assignment of OnDestroy (0x579) keyword with EasyLanguageRtlOnDestroy (0xFCB), then closed by #End (0x3FD) keyword. The reconstruction of this code will then look like this :


Eventhough not explicitly declared in my sample source code, TradeStation platform seems to add this piece of code automatically.

Now, the object code record that is the data source for generating the mov instruction turns out to be the record with 0xFA1 signature :

The dword value at offset 0x11 is the variable index that determine the offset of variable list for mov instruction. In this case, the index of 0x1 above will generate :

mov ebx,dword ptr [ebx+4]

Index of 0x0 will generate :

mov ebx,dword ptr [ebx]


Here, we can see that the signature 0xFA1 means the variable assignment, this record has a length of 0x1D, and aside the positional value, the only important information is just the variable index information at offset 0x11 (red box) that is to be assigned some value.

After the 0xFA1 record, here comes the 0xBBF record signature, which means the assignment operator (=) :

This record has 0x11 as its length (see the red box), and it seems that there are no more additional info about this record. The signature itself (0xBBF) is indeed the only significant information.

Next comes the 0xBB8 signature, this denotes the constant variable, which has the length of 0x15 and it contains the information of offset location of constant variable of 0x00000096 (see the red box) :

After this record, comes the ending operator (;) with 0xBBB as its signature that marks the end of the assignment statement.

Using the offset location information for the constant, there are some calculations involved to retrieve the constant value that is to be used on subsequent mov assembly instruction. This will eventually leads to the constant information record :

As you can see from the dword data in the red box (0x00000378) is the constant value 888.

Using the above piece of information, TradeStation platform then generates the appropriate mov instruction.

You can also see that it is possible to construct the equivalent decompiled ELD code just by traversing this object code record, although there should involve an extensive data gathering phase in order that this pursuit to be successful. And some information will be lost, such as the variable names. In protected ELD file, the variable names is replaced with sequence number and the plus sign. For the above example, the “abcd” will be replaced by 1+ and “def” variable is replaced by 2+, etc. And it is a good practice to ensure the security of ELD file.

To increase the security measure, it is even better not to include the object code record into the protected ELD file 🙂


One Response to “How TradeStation Generates Codes for Variable Assignment”

  1. Учим французский Says:

    Курсы английского языка на сайте Курсы проходят в режиме онлайн с русскими преподавателями и носителями языка.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: