an open source machine code decompiler
play

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi - PowerPoint PPT Presentation

Oct 13, 2023 •654 likes •1k views

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter Matula Senior software developer @Avast (previously @AVG) Main developer of the RetDec decompiler Developing reversing tools for 6

  1. An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovič

  2. Who Are We? ● Peter Matula ○ Senior software developer @Avast (previously @AVG) ○ Main developer of the RetDec decompiler ○ Developing reversing tools for 6 years ○ Love rock climbing & beer ○ peter.matula@avast.com ● Marek Milkovič ○ Software developer @Avast (previously @AVG) ○ Works on preprocessing stage of the RetDec decompiler ○ Works on YARA related tools ○ Interested in C++, reverse engineering and compilers ○ @dev_metthal, marek.milkovic@avast.com

  3. What Is RetDec? ● Set of reversing tools ● Chained together → generic binary code decompiler ● Separate → research, other (internal) projects, ... ● Core based on LLVM ● History ○ 2011-2013 AVG + BUT FIT via TAČR TA01010667 grant ○ 2013-2016 AVG + BUT FIT students via diploma theses ○ 2016-* Avast + BUT FIT students ○ December 2017 Opened-sourced under the MIT license @github ● https://retdec.com/ ● https://github.com/avast-tl/retdec ● https://twitter.com/retdec

  4. What Is RetDec? ● Supports ○ 32-bit archs: x86, ARM, PowerPC, MIPS ○ OFFs: ELF, PE, COFF, Mach-O, Intel HEX, AR, raw data ○ … working on 64-bit x86, and others ● Does ○ Compiler/packer detection ○ Statically linked code detection ○ OS loader simulation ○ Recursive traversal disassembling ○ High-level code structuring ● Runs on ○ Linux ○ Windows ○ macOS (kinda)

  5. RetDec Structure

  6. Preprocessing

  7. Preprocessing: Unpacker ● Static unpacker ● Signatures + heuristics ● Supports: UPX, MPRESS ● Unpacking of modified variants ● Decompilation of unpacked file ○ Code/Data section separation ● UPX ○ Missing UPX header ○ ADD/XOR/… instruction inserted into unpacking stub (ad-hoc)

  8. Preprocessing: Unpacker 000725e0: 40 64 15 7f d4 01 ff fe be 60 17 11 7f 48 38 1b @d.......`...H8. 000725f0: 0f 28 01 00 92 24 61 d0 7f 00 40 25 49 ff 00 00 .(...$a...@%I... - 00072600: 00 00 55 50 58 21 00 00 00 00 00 00 55 50 58 21 ..UPX!......UPX! + 00072600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00072610: 0d 16 08 07 ca 54 49 13 0c 04 33 ad 90 b5 07 00 .....TI...3..... 00072620: 1c 62 01 00 70 41 1b 00 49 4a 00 df f4 00 00 00 .b..pA..IJ...... Our unpacker UPX

  9. Preprocessing: Stacofin ● YARA based statically linked code detection (F.L.I.R.T.-like technology) ● Lib → full pattern extractor → pattern (YARA) → aggregator → final pattern (YARA) ● Matching using YARA + Capstone function_xyz(): rule rule_0 { 55 89 E5 83 E4 F0 83 EC meta: 20 E8 00 00 00 00 C7 44 name = "function_xyz" 24 1C 00 00 00 00 C7 44 size = 132 24 18 00 00 00 00 C7 44 refs = "10 ___main 62 _scanf 82 _ack 122 _printf" 24 14 00 00 00 00 8D 44 altNames = "" 24 14 89 44 24 08 8D 44 strings: 24 18 89 44 24 04 C7 04 $1 = { 55 89 E5 83 E4 F0 83 EC 20 E8 ?? ?? ?? ?? C7 44 24 1C 00 24 44 90 40 00 E8 00 00 00 00 00 C7 44 24 18 00 00 00 00 C7 44 24 14 00 00 00 00 00 00 8B 54 24 14 8B 44 8D 44 24 14 89 44 24 08 8D 44 24 18 89 44 24 04 C7 04 24 24 18 89 54 24 04 89 04 44 90 40 00 E8 ?? ?? ?? ?? 8B 54 24 14 8B 44 24 18 89 54 24 E8 00 00 00 00 89 44 24 04 89 04 24 E8 ?? ?? ?? ?? 89 44 24 1C 8B 54 24 14 8B 24 1C 8B 54 24 14 8B 44 44 24 18 8B 4C 24 1C 89 4C 24 0C 89 54 24 08 89 44 24 04 24 18 8B 4C 24 1C 89 4C C7 04 24 4A 90 40 00 E8 ?? ?? ?? ?? 8B 44 24 1C C9 C3 } 24 0C 89 54 24 08 89 44 condition: 24 04 C7 04 24 4A 90 40 $1 00 E8 00 00 00 00 8B 44 } 24 1C C9 C3

  10. Preprocessing: Fileinfo ● Universal binary file parser ○ Headers, sections/segments, symbol tables, ... ● PE, ELF, Mach-O, COFF, Intel HEX ● Plain text or JSON output ● PE ○ Import + export table ○ Certificates ○ Resources ○ .NET data types ○ PDB path ○ … ● Constantly adding new features (RTTI, statically linked code, …)

  11. Preprocessing: Fileinfo ● Compiler/packer detection ● Import table and hashes

  12. Preprocessing: Fileinfo ● PDB path ● Certificate (PE authenticode) ● .NET data types

  13. Core

  14. Core: LLVM ● Clang: dozens of analyses & transformation & utility passes clang -o hello hello.c -O3 ● → 217 passes ○ -targetlibinfo -tti -tbaa -scoped-noalias -assumption-cache-tracker -profile-summary-info -forceattrs -inferattrs -ipsccp -globalopt -domtree -mem2reg -deadargelim -domtree -basicaa -aa -instcombine … ● RetDec: dozens of stock LLVM passes & our own passes retdec-decompiler.sh input.exe ● ○ -provider-init -decoder -main-detection -idioms-libgcc -inst-opt -register -cond-branch-opt -syscalls -stack -constants -param-return -local-vars -inst-opt -simple-types -generate-dsm -remove-asm-instrs -class-hierarchy -select-fncs -unreachable-funcs -inst-opt -value-protect <LLVM> -simple-types -stack-ptr-op-remove -inst-opt -idioms -global-to-local -dead-global-assign <LLVM> -phi2seq -value-protect

  15. Core: LLVM IR ● LLVM Intermediate Representation ● Kind of assembly language ● ~62 instructions ● SSA = Static Single Assignment ● Load/Store architecture ● Functions, arguments, returns, data types ● (Un)conditional branches, switches ● Universal IR for efficient compiler transformations and analyses

  16. Core: Binary to LLVM IR translation

  17. Core: Capstone2LlvmIR ● Capstone insn → sequence of LLVM IR ● Hand-coded sequences for core instructions: ○ ARM + Thumb extension (32-bit) ○ MIPS (32/64-bit) ○ PowerPC (32/64-bit) ○ X86 (32/64-bit) ● Capstone: 64-bit ARM, SPARS, SYSZ, XCore, m68k, m680x, TMS320C64x ● Full semantics only for simple instructions ● More complex instructions translated as pseudo calls __asm_PMULHUW(mm1, mm2) ○ ● Implementation details, testing framework (Keystone + LLVM emulator), keeping LLVM IR ↔ ASM mapping, ...

  18. Core: Capstone2LlvmIR ./retdec-capstone2llvmir -a mips -b 0x1000 -m 32 -t 'addi $at, $v0, 1000’ ●

  19. Core: Capstone2LlvmIR ./retdec-capstone2llvmir -a x86 -b 0x1000 -m 32 -t 'je 1234’ ●

  20. Core: Decoding ● Recursive-traversal decoding (disassembling) into LLVM IR ● Works on (analyses) LLVM IR, not assembly ● Priority queue: control flow targets, entry point, debug, symbols, ...

  21. Core: Decoding ● Recursive-traversal decoding (disassembling) into LLVM IR ● Works on (analyses) LLVM IR, not assembly ● Priority queue: control flow targets, entry point, debug, symbols, ...

  22. Core: Pattern Matching LLVM IR is SSA → <llvm/IR/PatternMatch.h> ● ○ Simple and efficient mechanism for performing general tree-based pattern matches on the LLVM IR ● LLVM IR is load/store → Symbolic Tree Matching Reaching definition analysis → symbolic tree → LLVM-like matcher ○

  23. Core: Our Passes ● Idiom detection ● Instruction optimization ● X86 FPU analysis ● Conditional branch transformation ● System calls detection ● Stack reconstruction ● Global variable reconstruction ● Data type propagation ● C++ class hierarchy reconstruction ● Localization (global to local variable transformation) ● ...

  24. Backend

  25. Backend: BIR ● BIR = Backend IR ● AST = Abstract syntax tree while (x < 20) ● { x = x + (y * 2); }

  26. Backend: Code Structuring ● LLVM IR: only (un)conditional branches & switches ● Identify high-level control-flow patterns ● Restructure BIR: if-else, for-loop, while-loop, switch, break, continue

  27. Backend: Optimizations ● Copy propagation ○ Reducing the number of variables ● Arithmetic expression simplification a + -1 - -4 a + 3 ○ → ● Negation optimization if (!(a == b)) if (a != b) ○ → ● Pointer arithmetic *(a + 4) a[4] ○ → ● Control flow conversions while (true) { … if (cond) break; … } ○ if/else chains switch ○ → ● ...

  28. Backend: Code Generation ● Variable name assignment for (i = 0; i < 10; ++i) ○ Induction variables: a1, a2, a3, … ○ Function arguments: General context names: return result; ○ Stdlib context names: int len = strlen(); ○ ● Stdlib context literals flock(sock_id, 7) → flock(sock_id, LOCK_SH | LOCK_EX | LOCK_NB) ○ ● Output generation ○ C ○ CFG = Control-Flow Graph ○ Call Graph

  29. RetDec IDA Plugin

  30. RetDec IDA Plugin ● Look & feel native ● Same object names as IDA ● Interactive ○ We have to fake it ○ Local decompilation ● Built with IDA SDK 7.0 ● Works in IDA 7.x ● Does not work in freeware IDA 7.0

  31. RetDec IDA Plugin

  32. RetDec IDA Plugin

  33. What’s next? ● Output quality improvements ○ Major refactoring in RetDec v3.1 ○ Still a lot of work is needed ● Better documentation ● New architectures (64-bit) ○ x64 ○ ARM ○ … ● Better integration with IDA ● Better integration with other tools: ○ Binary Ninja ○ Radare2 ○ x64dbg

  34. Questions? https://retdec.com https://github.com/avast-tl https://twitter.com/retdec

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We? Jakub Koustek Founder of RetDec Threat Labs lead @Avast (previously @AVG) Reverse engineer, malware hunter, security researcher

902 views • 36 slides
RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek Threat Labs Botconf 2017 1 / 51 &gt; whoarewe Jakub K roustek founder of RetDec Threat Labs lead @Avast (previously @AVG) reverse

1.74k views • 152 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM Leslie Hawthorn Program Manager - Open Source Open Source Programs Office http://code.google.com/opensource/ Who We Are What We Do

750 views • 47 slides
Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open source MySQL database Parameterized Database Queries Input Valida@on HTML Output Encoding

642 views • 13 slides
assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be freely used, distributed, and incorporated into other works. To execute a program: 1 put the &quot;machine code&quot; into memory 2 jal __start (the OS

798 views • 66 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts to perform the inverse process of the compiler. Given an executable program compiled in any high-level language, the aim is to produce a high-level

803 views • 25 slides
Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT REPOSITORY COLLECTION PIPELINE Intro Alexander Bezzubov source{d} committer &amp; PMC @ apache zeppelin startup in Madrid engineer

436 views • 25 slides
1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why open-sourcing ? 1. Code doesn't need to be written from scratch Code from similar open-source applications can be reused 2. Free help and support

629 views • 17 slides
About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code compatible (binary compatible on 68k) - Ported on Multiple Architectures (68k,PPC,ARM,x86/64) - Available as Native and Hosted (linux, windows) - ARIX (in

581 views • 8 slides
Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

University of Zrich, March 14, 2019 Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source software: from curiosity to digital infrastructure 1999 2016 Open source code as digital roads or Roads

834 views • 59 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Homotopy-theoretic aspects of Martin-L of type theory Nicola Gambino University of Palermo

Homotopy-theoretic aspects of Martin-L of type theory Nicola Gambino University of Palermo

Homotopy-theoretic aspects of Martin-L of type theory Nicola Gambino University of Palermo visiting The University of Manchester Logic Colloquium Paris July 30th, 2010 Background Identity types: for a type A and a , b A , we have

652 views • 31 slides
BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah

BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah

BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah Zennou, Xavier Mehrenberger Plan Introduction Dmonstration Sous le capot Conclusion 2 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT Plan

875 views • 66 slides
Bridging the ROUGE/Human Evaluation Gap in Multi- Document Summarization John M. Conroy Judith

Bridging the ROUGE/Human Evaluation Gap in Multi- Document Summarization John M. Conroy Judith

Bridging the ROUGE/Human Evaluation Gap in Multi- Document Summarization John M. Conroy Judith D. Schlesinger IDA Center for Computing Sciences,USA Dianne P. OLeary University of Maryland, College Park, USA Outline CLASSY 07

429 views • 22 slides
KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh

KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh

KEYPATCH: binary patcher for IDA Pro http://keystone-engine.org/keypatch NGUYEN Anh Quynh &lt;aquynh -at- gmail.com&gt; Trada hacking - 16/9/2016 1 / 28 NGUYEN Anh Quynh KEYPATCH: binary patcher for IDA Pro Who am I Nguyen Anh Quynh, aquynh

418 views • 28 slides
Logic and discrete mathematics (HKGAB4) Discrete mathematics: contents http://www.ida.liu.se/

Logic and discrete mathematics (HKGAB4) Discrete mathematics: contents http://www.ida.liu.se/

Discrete mathematics, Lecture I Sets Discrete mathematics, Lecture I Sets Logic and discrete mathematics (HKGAB4) Discrete mathematics: contents http://www.ida.liu.se/ HKGAB4/ 1. Sets: equality and inclusion, operations, Venn diagrams.

522 views • 25 slides
Chapter 3 Solving Problems by Searching 3.5 3.6 Informed (heuristic) search strategies More on

Chapter 3 Solving Problems by Searching 3.5 3.6 Informed (heuristic) search strategies More on

Chapter 3 Solving Problems by Searching 3.5 3.6 Informed (heuristic) search strategies More on heuristics CS5811 - Advanced Artificial Intelligence Nilufer Onder Department of Computer Science Michigan Technological University A search

337 views • 16 slides
WIDER Development Conference 13- 15 September 2018: Aid Policy Continuity or Change? Richard

WIDER Development Conference 13- 15 September 2018: Aid Policy Continuity or Change? Richard

WIDER Development Conference 13- 15 September 2018: Aid Policy Continuity or Change? Richard Manning Total ODA USD billion (2016 prices and exchange rates) (Source OECD) ODA as percentage of GNI 10% 15% 20% 25% 30% 35% 0% 5%

665 views • 29 slides
A Guide to Budgeted Tree Search Nathan R. Sturtevant University of Alberta Amii Fellow, CIFAR

A Guide to Budgeted Tree Search Nathan R. Sturtevant University of Alberta Amii Fellow, CIFAR

A Guide to Budgeted Tree Search Nathan R. Sturtevant University of Alberta Amii Fellow, CIFAR Chair Malte Helmert Universitt Basel Talk Overview Budgeted Tree Search (BTS) is a new algorithm with better worst-case guarantees than IDA*

1.37k views • 132 slides

More recommend