How to Decompile MultiCharts SEF File

This article will explore whether it is possible to perform decompilation of MultiCharts’ *.SEF file back to its original Power Language Script, a variant of Easy Language Script. This is one of trading applications just like TradeStation.

The *.SEF file is created by using the “Export Read Only” menu in MultiCharts Power Language Editor (PLEdit.exe). At first glance, the content of generated file consist some header information and the actual executable file.

Let’s find whether the editor is keeping the Intermediate code, or hopefully an encrypted source code just like TradeStation’s *.ELD file.

This is done by creating an increasing more complex script and see the changes inside the *.SEF file. So, after several steps of creating, compiling and examining the file content, I realized that the PLEdit program is in fact, do not try to preserve the intermediate code, let alone the encrypted source code.

The only information is the actual executable file that is located just after the header portion of the file which typically like this:

There’s a MZ signature that denotes that portion of the block to the end of *.SEF file is actually the executable file. Using the Hex Editor I can move out the block into separate file and try to dissasemble it:

This executable file is actually a form of a DLL file because it has some exported functions, one of which is called “Create”. When I try to execute the compiled script in MultiCharts program by using the “Insert Study …” menu, it will try to load the generated i_myTesting.dll.

The myTesting is the is the name that I declared when creating the script of type Indicator (hence the i_ prefix). This is evident by viewing the Load DLL output from WinDBG program:

When “Insert Study…” is executed for myTesting script, the program will call the DLL’s Create exported function.

So, I landed on a rather hopeless case of machine code that only the computer’s CPU and MultiCharts program can execute faithfully. At this point, I try to googling out for this issue. I found that certain website does actually stated that they can decompile manually from the machine code to the script source code.

I try to communicate with one of the support of this service, and get a positive response, that indeed, yes, they can decompile and it require about 3 or 4 weeks and some compensation.

How can they do that ? This let me pause and think, maybe I do not perform a more in depth analysis. Then I have another activities to perform, but the question remains in my head. It’s like they can provide something from nothing.

So, I decided to take a more close look, by try to identify how the PLEditor generate it’s DLL file from the script. I created the most simple Indicator script called myTesting and it’s content as follows:

Then I realized that the PLEditor.exe, actually compile it’s file by using the process called StudyServer.exe.

By examining the modules loaded by StudyServer.exe, I’ve found the curious file called GccWrapServer.dll. By examining more closely, it is revealed that it is actually a COM object and it has a methods called Compile and SetCompilerSettings method. This is evident by viewing its type library using OLE View program:

From the above picture, I can see that the Compile method accepts the CPP file name and generated DLL file name. By setting the breakpoint into the Compile method, what I get from these two parameter as follows:

From the above execution code, I can see that the ecx register contains the CPP file name:

Folder content as follows:

After the Compile finishes, the *.cpp file is removed, so I try to obtained it while the program is suspended by the debugger and the content of CPP file as follows:

There are many information revealed by this generated CPP and its corresponding *.o file, one is the parameter information. So the above Create export function calls can be identified as follows:

The above rather hopeless code starts to have some meaning, while it is just a start, then the decompilation of MultiChart’s *.SEF file suddenly become possible. Much works still to be done, it’s hard, but it is indeed possible 🙂

Advertisements

Tags: , , , , ,

One Response to “How to Decompile MultiCharts SEF File”

  1. Peter Says:

    How I can see, the certain website is http://www.elrestorer.com . Most likely they made a little change in MultiCharts Power Language Editor and use *.sef file as input file and get as output *.pla file. The both file format is own format of MultiCharts Power Language Editor.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: