retdec an open source machine code decompiler
play

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek - PowerPoint PPT Presentation

May 09, 2023 •217 likes •1.74k views

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek Threat Labs Botconf 2017 1 / 51 > whoarewe Jakub K roustek founder of RetDec Threat Labs lead @Avast (previously @AVG) reverse

  1. Preprocessing repos � Fileformat • fileformat, loader, cpdetect, fileinfo, unpacker • ar-extractor, macho-extractor, . . . � PeLib • strengthened • new modules (rich header, delayed imports, security dir, . . . ) � ELFIO • strengthened Botconf 2017 21 / 51

  2. Preprocessing repos � Fileformat • fileformat, loader, cpdetect, fileinfo, unpacker • ar-extractor, macho-extractor, . . . � PeLib • strengthened • new modules (rich header, delayed imports, security dir, . . . ) � ELFIO • strengthened � PDBparser • will hopefully be replaced by LLVM parsers Botconf 2017 21 / 51

  3. Preprocessing repos � Fileformat • fileformat, loader, cpdetect, fileinfo, unpacker • ar-extractor, macho-extractor, . . . � PeLib • strengthened • new modules (rich header, delayed imports, security dir, . . . ) � ELFIO • strengthened � PDBparser • will hopefully be replaced by LLVM parsers � Yaracpp • YARA C++ wrapper Botconf 2017 21 / 51

  4. Core Botconf 2017 22 / 51

  5. Core Botconf 2017 22 / 51

  6. Core Botconf 2017 22 / 51

  7. Core Botconf 2017 22 / 51

  8. Core: LLVM • dozens of analysis & transform & utility passes • dead global elimination, constant propagation, inlining, reassociation, loop optimization, memory promotion, dead store elimination, . . . Botconf 2017 23 / 51

  9. Core: LLVM • dozens of analysis & transform & utility passes • dead global elimination, constant propagation, inlining, reassociation, loop optimization, memory promotion, dead store elimination, . . . • clang -o hello hello.c -O3 • 217 passes • -targetlibinfo -tti -tbaa -scoped-noalias -assumption-cache-tracker -profile-summary-info -forceattrs -inferattrs -ipsccp -globalopt -domtree -mem2reg -deadargelim -domtree -basicaa -aa -instcombine -simplifycfg -basiccg -globals-aa -prune-eh -inline -functionattrs -argpromotion -domtree -sroa -basicaa -aa -memoryssa -early-cse-memssa -speculative-execution -domtree -basicaa -aa -lazy-value-info -jump-threading . . . Botconf 2017 23 / 51

  10. Core: LLVM IR • LLVM IR = LLVM Intermediate Representation • kind of assembly language / three address code @global = global i32 define i32 @fnc(i32 %arg) { %x = load i32, i32* @global %y = add i32 %x, %arg store i32 %y, @global return i32 %y } Botconf 2017 24 / 51

  11. Core: LLVM IR • LLVM IR = LLVM Intermediate Representation • kind of assembly language / three address code @global = global i32 define i32 @fnc(i32 %arg) { %x = load i32, i32* @global %y = add i32 %x, %arg store i32 %y, @global return i32 %y } • SSA = Static Single Assignment • %y = add i32 %x, %arg • Load/Store architecture • %x = load i32, i32* @global • Functions, arguments, returns, data types • (Un)conditional branches, switches Botconf 2017 24 / 51

  12. Core: LLVM IR • LLVM IR = LLVM Intermediate Representation • kind of assembly language / three address code @global = global i32 define i32 @fnc(i32 %arg) { %x = load i32, i32* @global %y = add i32 %x, %arg store i32 %y, @global return i32 %y } • SSA = Static Single Assignment • %y = add i32 %x, %arg • Load/Store architecture • %x = load i32, i32* @global • Functions, arguments, returns, data types • (Un)conditional branches, switches • � Universal IR for efficient compiler transformations and analyses Botconf 2017 24 / 51

  13. Core: decoder Botconf 2017 25 / 51

  14. Core: decoder Botconf 2017 25 / 51

  15. Core: decoder Botconf 2017 25 / 51

  16. Core: decoder Botconf 2017 25 / 51

  17. Core: decoder Botconf 2017 25 / 51

  18. Core: decoder Botconf 2017 25 / 51

  19. Core: decoder Botconf 2017 25 / 51

  20. Core: decoder Botconf 2017 25 / 51

  21. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks Botconf 2017 26 / 51

  22. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Botconf 2017 26 / 51

  23. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns Botconf 2017 26 / 51

  24. Would you rather . . . • PMULHUW • Multiply Packed Unsigned Integers and Store High Result if (OperandSize == 64) { //PMULHUW instruction with 64-bit operands: Tmp0[0..31] = Dst[0..15] * Src[0..15]; Tmp1[0..31] = Dst[16..31] * Src[16..31]; Tmp2[0..31] = Dst[32..47] * Src[32..47]; Tmp3[0..31] = Dst[48..63] * Src[48..63]; Dst[0..15] = Tmp0[16..31]; __asm_PMULHUW(mm1, mm2); Dst[16..31] = Tmp1[16..31]; Dst[32..47] = Tmp2[16..31]; Dst[48..63] = Tmp3[16..31]; } else { //PMULHUW instruction with 128-bit operands: // Even longer ... } Botconf 2017 25 / 51

  25. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns Botconf 2017 26 / 51

  26. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns • full semantics only for simple instructions Botconf 2017 26 / 51

  27. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns • full semantics only for simple instructions • Implementation details, testing framework (Keystone Engine + LLVM emulator), keeping LLVM IR ↔ ASM mapping, . . . Botconf 2017 26 / 51

  28. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns • full semantics only for simple instructions • Implementation details, testing framework (Keystone Engine + LLVM emulator), keeping LLVM IR ↔ ASM mapping, . . . Botconf 2017 26 / 51

  29. Core: low-level passes Botconf 2017 27 / 51

  30. Core: low-level passes Botconf 2017 27 / 51

  31. Core: assembly generation Botconf 2017 28 / 51

  32. Core: high-level passes Botconf 2017 29 / 51

  33. Core repos � RetDec • bin2llvmir library • bin2llvmirtool Botconf 2017 30 / 51

  34. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation Botconf 2017 30 / 51

  35. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction Botconf 2017 30 / 51

  36. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection Botconf 2017 30 / 51

  37. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection � Yaramod • YARA to AST parsing & C++ API to build new YARA rulesets Botconf 2017 30 / 51

  38. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection � Yaramod • YARA to AST parsing & C++ API to build new YARA rulesets � Ctypes • extraction and presentation of C function data types Botconf 2017 30 / 51

  39. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection � Yaramod • YARA to AST parsing & C++ API to build new YARA rulesets � Ctypes • extraction and presentation of C function data types � Demangler • gcc/Clang, Microsoft Visual C++, and Borland C++ Botconf 2017 30 / 51

  40. Backend Botconf 2017 31 / 51

  41. Backend Botconf 2017 31 / 51

  42. Backend Botconf 2017 31 / 51

  43. Backend: BIR is an AST • BIR = Backend IR • AST = Abstract syntax tree • while (x < 20){ x = x + (y * 2); } Botconf 2017 32 / 51

  44. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  45. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  46. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  47. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  48. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  49. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  50. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  51. Backend: optimizations • copy propagation • reducing the number of variables Botconf 2017 34 / 51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We? Jakub Koustek Founder of RetDec Threat Labs lead @Avast (previously @AVG) Reverse engineer, malware hunter, security researcher

902 views • 36 slides
An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter Matula Senior software developer @Avast (previously @AVG) Main developer of the RetDec decompiler Developing reversing tools for 6

1k views • 34 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM Leslie Hawthorn Program Manager - Open Source Open Source Programs Office http://code.google.com/opensource/ Who We Are What We Do

750 views • 47 slides
Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open source MySQL database Parameterized Database Queries Input Valida@on HTML Output Encoding

642 views • 13 slides
assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be freely used, distributed, and incorporated into other works. To execute a program: 1 put the &quot;machine code&quot; into memory 2 jal __start (the OS

798 views • 66 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts to perform the inverse process of the compiler. Given an executable program compiled in any high-level language, the aim is to produce a high-level

803 views • 25 slides
Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT REPOSITORY COLLECTION PIPELINE Intro Alexander Bezzubov source{d} committer &amp; PMC @ apache zeppelin startup in Madrid engineer

436 views • 25 slides
1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why open-sourcing ? 1. Code doesn't need to be written from scratch Code from similar open-source applications can be reused 2. Free help and support

629 views • 17 slides
About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code compatible (binary compatible on 68k) - Ported on Multiple Architectures (68k,PPC,ARM,x86/64) - Available as Native and Hosted (linux, windows) - ARIX (in

581 views • 8 slides
Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

University of Zrich, March 14, 2019 Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source software: from curiosity to digital infrastructure 1999 2016 Open source code as digital roads or Roads

834 views • 59 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
TODAYS PROGRAM: Career Development Steve, ~ 25 min Theme: Capitalize on your

TODAYS PROGRAM: Career Development Steve, ~ 25 min Theme: Capitalize on your

@SDFLIES #BGSORIENTATION TODAYS PROGRAM: Career Development Steve, ~ 25 min Theme: Capitalize on your Skills &amp; Traits. Time Management Julie Blendy, ~ 30 min Theme: Organize; setting boundaries. Student

734 views • 28 slides
Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC

Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC

Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC San Diego) Sarah Meiklejohn (UC San Diego) Stefan Savage (UC San Diego) 1 Code-based access control 2 Code-based access control 2 Code-based

1.2k views • 102 slides
Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis,

Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis,

Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis, Charles Sutton m.allamanis@ed.ac.uk csutton@inf.ed.ac.uk University of Edinburgh Supported by: Polyglot programmers Multitude of APIs &amp;

2.69k views • 22 slides
FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why you should use LLVM to build a JIT Common Objections (and why theyre mostly wrong) 2 WHAT IS FALCON? Falcon is an LLVM based

1.01k views • 66 slides
Introduction 1 Turbo Principle 2 Coding and uncoding SISO (Soft Input Soft Output) 3

Introduction 1 Turbo Principle 2 Coding and uncoding SISO (Soft Input Soft Output) 3

Introduction Turbo Principle SISO (Soft Input Soft Output) Example of a product code Introduction 1 Turbo Principle 2 Coding and uncoding SISO (Soft Input Soft Output) 3 Definition of a soft information, how to use it? Convolutional

843 views • 39 slides
IST Research Dr. Sam Blazek Insights from Hard-To-Reach Populations February 19, 2019 1 IST

IST Research Dr. Sam Blazek Insights from Hard-To-Reach Populations February 19, 2019 1 IST

IST Research Dr. Sam Blazek Insights from Hard-To-Reach Populations February 19, 2019 1 IST Research Corporation Who are we? We are a small, distributed, field-focused engineering company that focuses on developing engagement and

350 views • 7 slides
Quality and Performance Kotlin 1.4 in IntelliJ IDEs Anton Yalyshev @anton_yalyshev October

Quality and Performance Kotlin 1.4 in IntelliJ IDEs Anton Yalyshev @anton_yalyshev October

Kotlin 1.4 Online Event Quality and Performance Kotlin 1.4 in IntelliJ IDEs Anton Yalyshev @anton_yalyshev October 12, 2020 Activities and events Indexing 28% 5% Overall lost time Build 16% VCS events 3% VFS refresh 4% Project

449 views • 30 slides
RESource: A Framework for Online Matching of Assembly with Open Source Code Ashkan Rahimian*,

RESource: A Framework for Online Matching of Assembly with Open Source Code Ashkan Rahimian*,

RESource: A Framework for Online Matching of Assembly with Open Source Code Ashkan Rahimian*, Philippe Charland**, Stere Preda*, and Mourad Debbabi* *Computer Security Laboratory, CIISE Concordia University, Montreal, Quebec, Canada **Mission

649 views • 25 slides

More recommend