dagger
play

Dagger Decompiling to IR Ahmed Bougacha with Geoffroy Aubey, - PowerPoint PPT Presentation

Dec 31, 2022 •303 likes •1.02k views

Dagger Decompiling to IR Ahmed Bougacha with Geoffroy Aubey, Pierre Collet, Thomas Coudray, Jonathan Salwan, Amaury de la Vieuville Semantics ? The decompilation process Use cases & tools Semantics Binary > IR x86 add rax, 15 sub

  1. Dagger Decompiling to IR Ahmed Bougacha with Geoffroy Aubey, Pierre Collet, Thomas Coudray, Jonathan Salwan, Amaury de la Vieuville

  2. Semantics ? The decompilation process Use cases & tools

  3. Semantics Binary > IR

  4. x86 add rax, 15 sub [rbx + 8], rax

  5. x86 IR add rax, 15 %rax2 = add i64 %rax1, 15

  6. x86 IR add rax, 15 %rax2 = add i64 %rax1, 15

  7. x86 IR add rax, 15 %rax 2 = add i64 %rax 1 , 15

  8. x86 IR add r ax, 15 %rax2 = add i64 %rax1, 15

  9. x86 IR add rax, 15 %rax2 = add i64 %rax1, 15

  10. x86 IR %1 = add i64 %rbx1, 8 %2 = inttoptr i64 %1 to i64* %3 = load i64* %2 sub [rbx + 8], rax %4 = sub i64 %3, %rax2 store i64 %4, i64* %2

  11. x86 IR %1 = add i64 %rbx1 , 8 %2 = inttoptr i64 %1 to i64* %3 = load i64* %2 sub [ rbx + 8 ], rax %4 = sub i64 %3, %rax2 store i64 %4, i64* %2

  12. x86 IR %1 = add i64 %rbx1, 8 %2 = inttoptr i64 %1 to i64* %3 = load i64* %2 sub [rbx + 8], rax %4 = sub i64 %3, %rax2 store i64 %4, i64* %2

  13. x86 IR %1 = add i64 %rbx1, 8 %2 = inttoptr i64 %1 to i64* %3 = load i64* %2 sub [ rbx + 8 ] , rax %4 = sub i64 %3, %rax2 store i64 %4, i64* %2

  14. x86 IR add rax, 15 %rax2 = add i64 %rax1, 15 %1 = add i64 %rbx1, 8 %2 = inttoptr i64 %1 to i64* %3 = load i64* %2 sub [rbx + 8], rax %4 = sub i64 %3, %rax2 store i64 %4, i64* %2

  15. Dozens of SUBs: x86 ... sub reg32, reg32 // SUB32rr sub mem32, reg32 // SUB32mr sub reg32, imm32 // SUB32ri sub reg64, reg64 // SUB64rr ...

  16. Dozens of SUBs: x86 IR ... sub reg32, reg32 sub mem32, reg32 %dst = sub i XX %src1, %src2 sub reg32, imm32 sub reg64, reg64 ...

  17. De  ning Semantics Binary > Mir > IR

  18. def SUB : InstructionSemantics<[ (set vop0, (sub vop1, vop2)) ]>;

  19. def : OpcodesSemantics< SUB, [SUB32ri, SUB32mr, SUB32rr, ...] >;

  20. TableGen Operands def GR32 // RegisterClass ... def i32mem // Operand ... def SUB32mr { // Instruction ... dag OutOperandList = (outs); dag InOperandList = (ins i32mem:$dst, GR32:$src) ; ...

  21. MC Operands sub [ebx + 8], eax ## <MCInst #2562 SUB32mr ## <MCOperand Reg:45> ## <MCOperand Imm:1> ## <MCOperand Reg:0> ## <MCOperand Imm:8> ## <MCOperand Reg:0> ## <MCOperand Reg:43>>

  22. Virtual Operands

  23. Virtual Operands Input Register class: get the register value Operand: look for OperandMapping

  24. Virtual Operands Output Register class: put the value in the register Operand: look for OperandMapping

  25. Operand Mapping: Register Classes def : OperandMapping< GR32, /* In */ (get mc_op0), /* Out */ (put mc_op0, result) >;

  26. Operand Mapping: Immediates def : OperandMapping< imm32, /* In */ (mov mc_op0), /* Out */ () >;

  27. Operand Mapping: Custom Operands // base + index * scale + offset // op0 + op1 * op2 + op3 def BISO : SemaFrag< (add mc_op0, (add mc_op3, (mul mc_op1, mc_op2)))) >;

  28. Operand Mapping: Custom Operands def : OperandMapping< i32mem, /* In */ (load (BISO)), /* Out */ (store (BISO), result) >;

  29. Virtual Operand Expansion (sub vop1, vop2) SUB32mr (sub (load (add ..)), (get mc_op5))

  30. Virtual Operand Expansion (sub vop1, vop2) SUB32mr SUB32ri (sub (sub (load (add ..)), (get mc_op0), (get mc_op5)) (mov mc_op1))

  31. Virtual Operand Expansion (sub vop1, vop2) SUB32ri untyped expression tree typed instruction list (sub %0 = get32 mcop0 (get mc_op0), %1 = mov32 mcop1 (mov mc_op1)) %r = sub32 %0, %1

  32. Mir Binary > Mir > IR

  33. Mir: Target registers get %td0, 4 ... put 4, %td3

  34. Mir: Advance 9: 81 c3 d2 04 00 00 add ebx, 1234 advance @9 get %td0, EBX mov %td1, 1234 add %td2, %td0, %td1 put EBX, %td2 advance +6

  35. IR Binary > Mir > IR

  36. Generating IR x86 Mir IR ... sub ebx, ecx sub %td2, ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0, %td1 put EBX, %td2

  37. Generating IR x86 Mir IR ... ... sub ebx, ecx sub %td2, ... %ebx2 = sub i32 ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0, %td1 %ebx3 = add i32 put EBX, %td2

  38. Generating IR x86 Mir IR ... ... sub ebx, ecx sub %td2 , ... %ebx2 = sub i32 ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0, %td1 %ebx3 = add i32 %ebx2 put EBX, %td2

  39. Generating IR x86 Mir IR ... ... sub ebx, ecx sub %td2 , ... %ebx2 = sub i32 ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0, %td1 %ebx3 = add i32 %ebx2 put EBX, %td2

  40. Generating IR x86 Mir IR ... ... sub ebx, ecx sub %td2 , ... %ebx2 = sub i32 ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0, %td1 %ebx3 = add i32 %ebx2 put EBX, %td2

  41. Generating IR x86 Mir IR ... ... sub ebx, ecx sub %td2 , ... %ebx2 = sub i32 ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0 , %td1 %ebx3 = add i32 %ebx2 put EBX, %td2

  42. Generating IR x86 Mir IR ... ... sub ebx, ecx sub %td2, ... %ebx2 = sub i32 ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0, %td1 %ebx3 = add i32 %ebx2, 12 put EBX, %td2

  43. Generating IR x86 Mir IR ... ... sub ebx, ecx sub %td2, ... %ebx2 = sub i32 ... put EBX, %td2 get %td0, EBX mov %td1, 12 add ebx, 12 add %td2, %td0, %td1 %ebx3 = add i32 %ebx2, 12 put EBX, %td2

  44. Generating Branches 22: � 48 83 c1 08 add rcx, 8 ... xx: xx xx xx xx jmp 22 Mir IR advance @22 I22: get %tq0, RCX mov %tq1, 8 add %tq2, %tq0, %tq1 %rcx2 = add i64 %rcx1, 8 put RCX, %tq2 advance +4 ... jmp 22 br label %I22

  45. Generating Indirect Branches 22: 48 83 c1 08 add rcx, 8 26: 83 eb 03 sub ebx, 3 JumpTable: %p = phi ... I22: %rcx2 = add i64 %rcx1, 8 switch i64 %p, label %fail I26: [i64 22, label %I22 %ebx2 = sub i64 %ebx1, 3 i64 26, label %I26]

  46. Generating Predicated Instructions addge r7, r5, #1 Mir IR get %td0, R5 mov %td1, 1 %1 = add i32 %r5_1, 1 add %td2, %td0, %td1 %r7_2 = select xx , i64 %1, %r5_1 select %td3, xx , %td2, %td0 put R7, %td3

  47. Generating Condition Codes 22: � 48 83 c1 08 add rcx, 8 26: xx xx xx xx jne 22 Mir IR advance @22 I22: get %tq0, RCX mov %tq1, 8 add %tq2, %tq0, %tq1 %rcx2 = add i64 %rcx1, 8 ... cmpne %f3, %tq2 %ne2 = icmp ne i64 %rcx2, 0 ... put RCX, %tq2 advance +4 jmpne 22 br i1 %ne2, label %I22

  48. Using the IR IR > ?

  49. Binary Rewriting

  50. Binary Rewriting Missing semantics ➔ Inline assembly

  51. Binary Rewriting Missing semantics ➔ Inline assembly Data sections ➔ Map it all

  52. Static Binary Translation

  53. Dynamic Binary Translation

  54. Dynamic Binary Translation Self-altering code ➔ Mark read/execute

  55. Dynamic Binary Translation Self-altering code ➔ Mark read/execute Code discovery ➔ Per-BB translation

  56. Dynamic Binary Instrumentation

  57. Binary Analysis

  58. Simulation

  59. Simulation Missing semantics ➔ Runtime library

  60. Simulation Missing semantics ➔ Runtime library Cycle accuracy ➔ Machine Model?

  61. To-Source Decompilation

  62. To-source Decompilation C source output ➔ C Backend!

  63. To-source Decompilation C source output ➔ C Backend! IR “highering” ➔ Optimizations

  64. To-source Decompilation C source output ➔ C Backend! IR “highering” ➔ Optimizations Lack of accuracy ➔ Metadata

  65. Going forward

  66. Going forward Merging semantics with SD patterns?

  67. Going forward Merging semantics with SD patterns? Removing the Mir backend

  68. Going forward Merging semantics with SD patterns? Removing the Mir backend Analyzes & Highering

  69. Going forward Merging semantics with SD patterns? Removing the Mir backend Analyzes & Highering Tools!

  70. Questions? http://dagger.repzret.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dagger Category Theory Chris Heunen and Martti Karvonen 1 / 19 Outline What are dagger

Dagger Category Theory Chris Heunen and Martti Karvonen 1 / 19 Outline What are dagger

Dagger Category Theory Chris Heunen and Martti Karvonen 1 / 19 Outline What are dagger categories? What are dagger monads? What are dagger limits? What are evils about daggers? 2 / 19 Dagger A dagger is contravariant involutive

866 views • 54 slides
Dagger limits Martti Karvonen (joint work with Chris Heunen) Structure of the talk 1. Dagger

Dagger limits Martti Karvonen (joint work with Chris Heunen) Structure of the talk 1. Dagger

Dagger limits Martti Karvonen (joint work with Chris Heunen) Structure of the talk 1. Dagger categories 2. Dagger limits 3. Polar decomposition 4. Further topics? Dagger = a functorial way of reversing arrows: f = f A B A B f

261 views • 22 slides
Dagger category theory: monads and limits Martti Karvonen (joint work with Chris Heunen) August

Dagger category theory: monads and limits Martti Karvonen (joint work with Chris Heunen) August

Dagger category theory: monads and limits Martti Karvonen (joint work with Chris Heunen) August 17, 2016 Structure of the talk 1. Brief intro 2. Dagger monads 3. Dagger limits 4. The question of evil Introduction Dagger category is a

235 views • 19 slides
Dagger A fast dependency injector for Android and Java. Thursday, November 8, 12 Introduction

Dagger A fast dependency injector for Android and Java. Thursday, November 8, 12 Introduction

Jesse Wilson from Square Dagger A fast dependency injector for Android and Java. Thursday, November 8, 12 Introduction Motivation Using Dagger Inside Dagger Wrapping Up Thursday, November 8, 12 Guice Jesse javax.inject Android

870 views • 57 slides
PT symmetry Carl Bender Physics Department Washington University Dirac Hermiticity dagger H =

PT symmetry Carl Bender Physics Department Washington University Dirac Hermiticity dagger H =

PT symmetry Carl Bender Physics Department Washington University Dirac Hermiticity dagger H = H dagger means transpose + complex conjugate guarantees real energy and conserved probability but is a mathematical axiom and not

688 views • 53 slides
Dagger linear logic for categorical quantum mechanics Robin Cockett, Cole Comfort, and Priyaa

Dagger linear logic for categorical quantum mechanics Robin Cockett, Cole Comfort, and Priyaa

Dagger linear logic for categorical quantum mechanics Robin Cockett, Cole Comfort, and Priyaa Srinivasan University of Calgary 0/30 Motivation Mixed Unitary Categories Unitary construction Dagger compact closed categories This work is

859 views • 31 slides
The dagger lambda calculus Philip Atzemoglou University of Oxford Quantum Physics and Logic 2014

The dagger lambda calculus Philip Atzemoglou University of Oxford Quantum Physics and Logic 2014

The dagger lambda calculus Philip Atzemoglou University of Oxford Quantum Physics and Logic 2014 Philip Atzemoglou (University of Oxford) The dagger lambda calculus QPL 2014 1 / 20 Why higher-order? Teleportation should be the same: =

399 views • 29 slides
Cloak and dagger Chris Heunen 1 / 34 Algebra and coalgebra Increasing generality: Vector

Cloak and dagger Chris Heunen 1 / 34 Algebra and coalgebra Increasing generality: Vector

Cloak and dagger Chris Heunen 1 / 34 Algebra and coalgebra Increasing generality: Vector space with bilinear (co)multiplication (Co)monoid in monoidal category (Co)monad: (co)monoid in functor category (Co)algebras for a

1.32k views • 97 slides
Quantum Channels for Mix Unitary Categories Robin Cockett, Cole Comfort, and Priyaa Srinivasan

Quantum Channels for Mix Unitary Categories Robin Cockett, Cole Comfort, and Priyaa Srinivasan

Quantum Channels for Mix Unitary Categories Robin Cockett, Cole Comfort, and Priyaa Srinivasan 1/37 CP construction Motivation Mix Unitary Categories Dagger compact closed categories Dagger compact closed categories ( -KCC) provide a

733 views • 37 slides
Mix Unitary Categories Robin Cockett, Cole Comfort, and Priyaa Srinivasan CT2018, Ponta Delgada,

Mix Unitary Categories Robin Cockett, Cole Comfort, and Priyaa Srinivasan CT2018, Ponta Delgada,

Mix Unitary Categories Robin Cockett, Cole Comfort, and Priyaa Srinivasan CT2018, Ponta Delgada, Azores 1/31 CP construction Motivation Mix Unitary Categories Dagger compact closed categories Dagger compact closed categories ( -KCC)

431 views • 31 slides
Common Proper Collective Abstract joy Banquo FINISHED? Friday Macbeth anger dagger Can

Common Proper Collective Abstract joy Banquo FINISHED? Friday Macbeth anger dagger Can

Lesson 9 Sentence Openers.notebook April 30, 2020 Nouns What is a noun? Can you give any examples? A noun is a person, place or a thing. Abstract Common Proper Collective Noun Noun Noun Noun Something that A name of a place, Refers

389 views • 14 slides
CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from Observation Tingwu Wang, Dylan Turpin, Animesh Garg Agenda Background Problem Setting Behavior Cloning / Dagger Generative Adversarial

411 views • 12 slides
CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Supervised &amp; Imitation

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Supervised &amp; Imitation

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Supervised &amp; Imitation Learning Instructor: Animesh Garg TA: Dylan Turpin &amp; Tingwu Wang Agenda Invitation to Imitation DAGGER: Dataset Aggregation

904 views • 41 slides
Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments

Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments

Android App Anatomy Eric Burke Square @burke_eric Topics Android lifecycle Fragments Open source Tape Otto Dagger ActionBarSherlock Android Design on every device. Lifecycle Install Apps Run Forever Uninstall

844 views • 82 slides
Trajectory Optimization, Imitation Learning Lecture 14 What will you take home today? Recap LQR

Trajectory Optimization, Imitation Learning Lecture 14 What will you take home today? Recap LQR

Trajectory Optimization, Imitation Learning Lecture 14 What will you take home today? Recap LQR Trajectory Optimization Paper Imitation Learning Supervised Learning Dagger How to solve Optimal Control Problems? Sequential Quadratic

750 views • 31 slides
Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF 1018836

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF 1018836

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF 1018836 NIST 60NANB10D263 No thanks to: IEEE violating IEEE policies and forcing authors to take papers offline; see cr.yp.to/writing/ieee.html Decoding

885 views • 64 slides
Data-Driven Ensembles for Deep and Hard-Decision Hybrid Decoding International Symposium on

Data-Driven Ensembles for Deep and Hard-Decision Hybrid Decoding International Symposium on

Introduction Introduction Introduction Data-Driven Ensembles for Deep and Hard-Decision Hybrid Decoding International Symposium on Information Theory Tomer Raviv Nir Raviv Yair Beery School of

645 views • 41 slides
AGL ARM prototype development update T oward the AGL spec 2.0 definition Hisao Munakata Linux

AGL ARM prototype development update T oward the AGL spec 2.0 definition Hisao Munakata Linux

Project outline Achievement (by Renesas) conclusion AGL ARM prototype development update T oward the AGL spec 2.0 definition Hisao Munakata Linux Foundation : Automotive Grade Linux June 2nd 2015 1 / 52 Hisao Munakata AGL ARM prototype

761 views • 52 slides
Memory Memory Decoders M bits M bits RWM NVRWM ROM S 0 S 0 Word 0 Word 0 S 1 Word 1 Word

Memory Memory Decoders M bits M bits RWM NVRWM ROM S 0 S 0 Word 0 Word 0 S 1 Word 1 Word

Memory Memory Decoders M bits M bits RWM NVRWM ROM S 0 S 0 Word 0 Word 0 S 1 Word 1 Word 1 A 0 S 2 Storage Storage Random Non-Random Word 2 Word 2 N Words Cell A 1 Cell EPROM Mask-Programmed Decoder Access Access E 2 PROM

464 views • 21 slides
Szalinski : A Tool for Synthesizing Structured CAD Models with Equality Saturation and Inverse

Szalinski : A Tool for Synthesizing Structured CAD Models with Equality Saturation and Inverse

Szalinski : A Tool for Synthesizing Structured CAD Models with Equality Saturation and Inverse Transformations PLDI 2020 Chandrakana Nandi , Max Willsey, Adam Anderson, James R. Wilcox, Eva Darulova, Dan Grossman, Zachary Tatlock Designing

2.24k views • 89 slides
Soot .class .jimple .java commandline args Soot Polyglot Jimpilfy Jimple Parser

Soot .class .jimple .java commandline args Soot Polyglot Jimpilfy Jimple Parser

Soot .class .jimple .java commandline args Soot Polyglot Jimpilfy Jimple Parser Frontend Jimple Analysis and Transformations Jimple, with Flow Analysis Information Add tags Jimple with Tags Generate Jimple Files Generate

217 views • 18 slides
TypeMiner: Recovering Types in Binary Code using Machine Learning Alwin Maier Hugo Gascon

TypeMiner: Recovering Types in Binary Code using Machine Learning Alwin Maier Hugo Gascon

Institute of System Security TypeMiner: Recovering Types in Binary Code using Machine Learning Alwin Maier Hugo Gascon Christian Wressnegger Konrad Rieck, DIMVA 2019 Institute of System Security, TU Braunschweig Motivation Decompilation

245 views • 21 slides
OCaml Workshop 2020-08-28 Seb Mondet, TQ Tezos The Who Software Engineer at TQ Tezos Improve

OCaml Workshop 2020-08-28 Seb Mondet, TQ Tezos The Who Software Engineer at TQ Tezos Improve

OCaml Workshop 2020-08-28 Seb Mondet, TQ Tezos The Who Software Engineer at TQ Tezos Improve Tezos Ecosystem Smart Contracts. Helping partners get up to speed and build on Tezos. Standardization efgorts. Contribute to tooling, incl.

652 views • 26 slides
Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information

Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information

Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose of teaching how reverse engineering works. Use your mad skillz only in CTFs or other situations in which you are

1.19k views • 65 slides

More recommend