Decompiling an MT4 Expert Advisor (EA) in the .ex4 format is challenging due to its proprietary nature. Here's a structured approach using x32dbg, IDA Pro, and Ghidra: ### 1. Preparation - Locate the .ex4 File: Find the EA's compiled .ex4 file (typically in MQL4/Experts of your MT4 installation). - Backup: Always work on a copy of the file to avoid corruption. - Legal Check: Ensure you have legal rights to reverse-engineer the EA (e.g., it’s your own EA). --- ### 2. Dynamic Analysis with x32dbg - Attach x32dbg to MT4: 1. Launch MT4 and load the EA onto a chart. 2. Open x32dbg, go to File > Attach, and select the MT4 process (terminal.exe). 3. Let the EA execute (e.g., trigger OnTick by a market tick). - Set Breakpoints: - Place breakpoints on WinAPI functions (e.g., MessageBoxA, CreateFile) to trace interactions. - Use the Symbols tab to locate functions like kernel32.dll APIs. - Dump Memory: - Once the EA is active, use x32dbg’s memory map (Alt+M) to find the EA’s code region (look for non-system modules or writable/executable pages). - Right-click the memory range and Dump to File for static analysis. for Paid tool Email: ex42mq42025@yopmail.com --- ### 3. Static Analysis with IDA Pro - Load the Dumped File/EX4: - Open IDA Pro, select Binary File mode, and load the dumped memory or .ex4 file. - Set architecture to x86 (32-bit), and adjust offsets if needed. - Identify Entry Points: - Look for start or WinMain functions. For EAs, focus on MQL4 event handlers like OnTick, OnInit, or OnCalculate. - Analyze Code: - Use Cross-References (Xrefs) to trace function calls. - Search for strings (Shift+F12) related to trading logic (e.g., OrderSend, IndicatorBuffers). --- ### 4. Decompilation with Ghidra - Import the Binary: - Create a Ghidra project, import the .ex4 or dumped file via File > Import File. - Choose x86:LE:32:default as the language. - Auto-Analysis: - Run Ghidra’s auto-analysis to detect functions and data structures. - Decompile Critical Functions: - Use the Decompile window to generate pseudo-C code for functions like OnTick. - Look for patterns (e.g., trading conditions, indicator calculations). --- ### 5. Tips for Success - String Analysis: Search for error messages, indicator names, or magic numbers in strings (e.g., "MACD", "StopLoss=50"). - API Hooks: Trace MQL4 runtime calls (e.g., OrderSend is mapped to internal MT4 functions). - Community Tools: Use tools like ex4_to_mq4 (third-party converters) to partially reconstruct source code before manual analysis. - Obfuscation Handling: If the EA is obfuscated, focus on behavior (e.g., network calls, file operations) via x32dbg. --- ### 6. Limitations & Warnings - No Direct .ex4 Support: Tools like IDA/Ghidra won’t natively parse .ex4 structure; treat it as raw binary. - Complexity: Expect heavy manual effort to map assembly to MQL4 logic. - Anti-Debugging: Some EAs may detect debuggers; use plugins like ScyllaHide in x32dbg to bypass. --- ### Example Workflow 1. Use x32dbg to dump the EA’s code from MT4’s memory. 2. Load the dump into IDA Pro to identify OnTick logic. 3. Decompile critical functions in Ghidra to reconstruct trading rules. 4. Cross-reference findings between tools to validate accuracy. This process requires patience and familiarity with x86 assembly. For faster results, consider combining with MQL4 decompilers (e.g., ex4-to-mq4) and manual cleanup. Here's a step-by-step guide to reverse-engineer an MT4 EA (.ex4) using x32dbg, IDA Pro, and Ghidra. This is for educational purposes only, and you must own the EA or have legal permission to proceed. --- ### Step 1: Prepare Tools & Files 1. Install Tools: - Download [x32dbg] (debugger). - Install IDA Pro or Ghidra (disassemblers/decompilers). - Optional: Tools like Process Hacker (to inspect MT4 memory). 2. Locate the EA: - Find the .ex4 file in your MT4 Experts folder (e.g., C:\MetaTrader\MQL4\Experts). 3. Backup the EA: - Copy the .ex4 file to a working directory to avoid accidental corruption. --- ### Step 2: Dynamic Analysis with x32dbg 1. Launch MT4: - Open MetaTrader 4 and attach the EA to a chart (ensure it’s running). 2. Attach x32dbg to MT4: - Open x32dbg. - Click File > Attach and select the MT4 process (terminal.exe). - Press F9 to run MT4 after attaching. 3. Trigger EA Execution: - Force the EA to run (e.g., wait for a market tick, or manually modify chart settings). 4. Dump the EA from Memory: - In x32dbg, go to Memory Map (Alt+M). - Look for executable memory regions not tied to system DLLs (e.g., .text sections). - Right-click the EA’s code block (search for its name or approximate size) and select Dump to File. - Save the dumped file (e.g., EA_dump.bin). --- ### Step 3: Static Analysis with IDA Pro 1. Open the Dumped File: - Launch IDA Pro. - Select New Project > Disassemble a binary file. - Load the dumped file (EA_dump.bin) or the original .ex4. 2. Configure IDA: - Set Processor Type to x86 (32-bit). - Treat the file as a raw binary. Adjust offsets if needed (e.g., 0x1000 for code sections). 3. Identify Key Functions: - Search for MQL4 event handlers (e.g., OnTick, OnInit): - Use Strings Window (Shift+F12) to find clues like "OnTick", "OrderSend", or "StopLoss". - Look for calls to MQL4 runtime functions (e.g., OrderSend, iClose). 4. Analyze Code Flow: - Use Graph View to map assembly logic (e.g., trading conditions, loops). - Label functions (press N to rename) for clarity (e.g., calculate_moving_average). --- ### Step 4: Decompilation with Ghidra 1. Import the Binary: - Open Ghidra, create a new project, and import the dumped file or .ex4. - Select x86:LE:32:default as the language during import. 2. Run Auto-Analysis: - Click the Analyze button (green dragon icon) and accept default settings. 3. Find Entry Points: - Search for OnTick or OnInit in the Symbol Tree or Listing window. - Use Search > For Strings to locate trading logic strings (e.g., "Buy", "Sell"). 4. Decompile Functions: - Double-click a function (e.g., OnTick) in the Listing window. - Open the Decompile window (Ctrl+E) to view pseudo-C code. - Rename variables (right-click > Rename Variable) for readability. --- ### Step 5: Cross-Reference Findings 1. Compare x32dbg and IDA: - Use breakpoints in x32dbg to verify code flow (e.g., confirm OrderSend is called when Ghidra’s decompilation shows a trade condition). 2. Validate Strings and Logic: - Match strings found in IDA/Ghidra with x32dbg’s memory (e.g., error messages, indicator names). 3. Reconstruct Logic: - Combine decompiled code from Ghidra with assembly from IDA to rebuild the EA’s logic (e.g., if (price > moving_average) → Buy signal). --- ### Key Tips - Breakpoints in x32dbg: - Set breakpoints on critical MQL4 functions (e.g., OrderSend, iMA): - In x32dbg, type bp OrderSend in the command box (if symbols are loaded). - Step through (F7/F8) to trace parameters (e.g., price, stop-loss). - Handle Obfuscation: - If code is obfuscated, focus on API calls (e.g., WinHttp for HTTP requests) or file operations (CreateFile). - Community Tools: - Try tools like Ex4-to-Mq4 (search GitHub) for partial decompilation before manual fixes. --- ### Final Notes - Complexity: Expect weeks of work. The decompiled code will not be perfect MQL4 but pseudo-C/assembly.