retdec an open source machine code decompiler
play

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter - PowerPoint PPT Presentation

Jan 14, 2023 •521 likes •902 views

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We? Jakub Koustek Founder of RetDec Threat Labs lead @Avast (previously @AVG) Reverse engineer, malware hunter, security researcher

  1. RetDec: An Open-Source Machine-Code Decompiler Jakub Křoustek Peter Matula

  2. Who Are We? ● Jakub Křoustek ○ Founder of RetDec ○ Threat Labs lead @Avast (previously @AVG) ○ Reverse engineer, malware hunter, security researcher ○ @jakub.kroustek on Twitter, jakub.kroustek[at]avast.com ● Peter Matula ○ Senior software developer @Avast (previously @AVG) ○ Main developer of the RetDec decompiler ○ Love rock climbing & beer ○ peter.matula[at]avast.com 2

  3. Machine-code analysis is (often) challenging… and boring ● Different target hardware and its internals ● Different instruction sets and their extensions ● Different memory models ● Different behavior based on OS ● Different file formats ● Different call conventions ● Different original programming languages ● Different compilers and linkers ● Different obfuscations and anti-* techniques ● … => let the machines do the hard work 3

  4. Decompilation FTW! 4

  5. Disassembling vs. Decompilation 5

  6. What Is RetDec? ● RetDec = Ret argetable Dec ompiler ● History ○ 2011-2013 AVG + BUT FIT via TAČR TA01010667 grant ○ 2013-2016 AVG + BUT FIT students via diploma theses ○ 2016-* Avast + BUT FIT students ○ December 2017 Opened-sourced under the MIT license @github ● Set of reversing tools ● Chained together → machine-code decompiler of binary code ● Usable as standalone tools as well ● Core based on LLVM ● https://retdec.com/ ● https://github.com/avast-tl/retdec ● https://twitter.com/retdec 6

  7. What Is RetDec? ● Supports ○ 32-bit archs: x86, MIPS, ARM, PowerPC ○ … working on x64, and others 64-bit architectures ○ Formats: ELF, PE, COFF, Mach-O, Intel HEX, AR, raw data ● Does ○ Compiler/packer detection ○ Statically linked code detection ○ OS loader simulation ○ Recursive traversal disassembling ○ High-level code structuring ● Runs on ○ Linux ○ Windows ○ macOS (kinda) 7

  8. RetDec Structure 8

  9. Preprocessing 9

  10. Preprocessing: Unpacker ● Static unpacker ● Signatures + heuristics ● Supports: UPX, MPRESS ● Unpacking of modified variants ● Decompilation of unpacked file ○ Code/Data section separation ● UPX ○ Missing UPX header ○ ADD/XOR/… instruction inserted into unpacking stub (ad-hoc) Our unpacker UPX 10

  11. Preprocessing: Stacofin ● Sta tically linked co de fin der (F.L.I.R.T.-like technology) ● Based on Yara and Capstone ● Lib → full pattern extractor → pattern → aggregator → final pattern (Yara) function_xyz(): rule rule_0 { 55 89 E5 83 E4 F0 83 EC meta: 20 E8 00 00 00 00 C7 44 name = "function_xyz" 24 1C 00 00 00 00 C7 44 size = 132 24 18 00 00 00 00 C7 44 refs = "10 ___main 62 _scanf 82 _ack 122 _printf" 24 14 00 00 00 00 8D 44 altNames = "" 24 14 89 44 24 08 8D 44 strings: 24 18 89 44 24 04 C7 04 $1 = { 55 89 E5 83 E4 F0 83 EC 20 E8 ?? ?? ?? ?? C7 44 24 1C 00 24 44 90 40 00 E8 00 00 00 00 00 C7 44 24 18 00 00 00 00 C7 44 24 14 00 00 00 00 00 00 8B 54 24 14 8B 44 8D 44 24 14 89 44 24 08 8D 44 24 18 89 44 24 04 C7 04 24 24 18 89 54 24 04 89 04 44 90 40 00 E8 ?? ?? ?? ?? 8B 54 24 14 8B 44 24 18 89 54 24 E8 00 00 00 00 89 44 24 04 89 04 24 E8 ?? ?? ?? ?? 89 44 24 1C 8B 54 24 14 8B 24 1C 8B 54 24 14 8B 44 44 24 18 8B 4C 24 1C 89 4C 24 0C 89 54 24 08 89 44 24 04 24 18 8B 4C 24 1C 89 4C C7 04 24 4A 90 40 00 E8 ?? ?? ?? ?? 8B 44 24 1C C9 C3 } 24 0C 89 54 24 08 89 44 condition: 24 04 C7 04 24 4A 90 40 $1 00 E8 00 00 00 00 8B 44 } 24 1C C9 C3 11

  12. Preprocessing: Fileinfo ● Universal binary file parser ○ Headers, sections/segments, symbol tables, ... ● PE, ELF, Mach-O, COFF, Intel HEX ● Plain text or JSON output ● PE ○ Import + export table ○ Certificates ○ Resources ○ .NET data types ○ PDB path ○ … ● Constantly adding new features (RTTI, statically linked code, …) 12

  13. Preprocessing: Fileinfo ● Compiler/packer detection ● Import table and hashes 13

  14. Preprocessing: Fileinfo ● PDB path ● Certificate (PE authenticode) ● .NET data types 14

  15. Core 15

  16. Core: LLVM ● Clang: dozens of analyses & transformation & utility passes clang -o hello hello.c -O3 ● → 217 passes ○ -targetlibinfo -tti -tbaa -scoped-noalias -assumption-cache-tracker -profile-summary-info -forceattrs -inferattrs -ipsccp -globalopt -domtree -mem2reg -deadargelim -domtree -basicaa -aa -instcombine … ● RetDec: dozens of stock LLVM passes & our own passes retdec-decompiler.sh input.exe ● ○ -provider-init -decoder -main-detection -idioms-libgcc -inst-opt -register -cond-branch-opt -syscalls -stack -constants -param-return -local-vars -inst-opt -simple-types -generate-dsm -remove-asm-instrs -class-hierarchy -select-fncs -unreachable-funcs -inst-opt -value-protect <LLVM> -simple-types -stack-ptr-op-remove -inst-opt -idioms -global-to-local -dead-global-assign <LLVM> -phi2seq -value-protect 16

  17. Core: LLVM IR ● LLVM Intermediate Representation ● Kind of assembly language ● ~62 instructions ● SSA = Static Single Assignment ● Load/Store architecture ● Functions, arguments, returns, data types ● (Un)conditional branches, switches ● Universal IR for efficient compiler transformations and analyses 17

  18. Core: Binary to LLVM IR translation 18

  19. Core: Capstone2LlvmIR ● Capstone insn → sequence of LLVM IR ● Hand-coded sequences for core instructions: ○ ARM + Thumb extension (32-bit) ○ MIPS (32/64-bit) ○ PowerPC (32/64-bit) ○ X86 (32/64-bit) ● Capstone: 64-bit ARM, SPARS, SYSZ, XCore, m68k, m680x, TMS320C64x ● Full semantics only for simple instructions ● More complex instructions translated as pseudo calls __asm_PMULHUW(mm1, mm2) ○ ● Implementation details, testing framework (Keystone + LLVM emulator), keeping LLVM IR ↔ ASM mapping, ... 19

  20. Core: Capstone2LlvmIR ./retdec-capstone2llvmir -a mips -b 0x1000 -m 32 -t 'addi $at, $v0, 1000’ ● 20

  21. Core: Capstone2LlvmIR ./retdec-capstone2llvmir -a x86 -b 0x1000 -m 32 -t 'je 1234’ ● 21

  22. Core: Decoding ● Recursive-traversal decoding (disassembling) into LLVM IR ● Works on (analyses) LLVM IR, not assembly ● Priority queue: control flow targets, entry point, debug, symbols, ... 22

  23. Core: Decoding ● Recursive-traversal decoding (disassembling) into LLVM IR ● Works on (analyses) LLVM IR, not assembly ● Priority queue: control flow targets, entry point, debug, symbols, ... 23

  24. Core: Pattern Matching LLVM IR is SSA → <llvm/IR/PatternMatch.h> ● ○ Simple and efficient mechanism for performing general tree-based pattern matches on the LLVM IR ● LLVM IR is load/store → Symbolic Tree Matching Reaching definition analysis → symbolic tree → LLVM-like matcher ○ 24

  25. Core: Our Passes ● Idiom detection ● Instruction optimization ● X86 FPU analysis ● Conditional branch transformation ● System calls detection ● Stack reconstruction ● Global variable reconstruction ● Data type propagation ● C++ class hierarchy reconstruction ● Localization (global to local variable transformation) ● ... 25

  26. Backend 26

  27. Backend: BIR ● BIR = Backend IR ● AST = Abstract syntax tree while (x < 20) ● { x = x + (y * 2); } 27

  28. Backend: Code Structuring ● LLVM IR: only (un)conditional branches & switches ● Identify high-level control-flow patterns ● Restructure BIR: if-else, for-loop, while-loop, switch, break, continue 28

  29. Backend: Optimizations ● Copy propagation ○ Reducing the number of variables ● Arithmetic expression simplification a + -1 - -4 a + 3 ○ → ● Negation optimization if (!(a == b)) if (a != b) ○ → ● Pointer arithmetic *(a + 4) a[4] ○ → ● Control flow conversions while (true) { … if (cond) break; … } ○ if/else chains switch ○ → ● ... 29

  30. Backend: Code Generation ● Variable name assignment for (i = 0; i < 10; ++i) ○ Induction variables: a1, a2, a3, … ○ Function arguments: General context names: return result; ○ Stdlib context names: int len = strlen(); ○ ● Stdlib context literals flock(sock_id, 7) → flock(sock_id, LOCK_SH | LOCK_EX | LOCK_NB) ○ ● Output generation ○ C ○ CFG = Control-Flow Graph ○ Call Graph 30

  31. RetDec IDA Plugin 31

  32. RetDec IDA Plugin ● Look & feel native ● Same object names as IDA ● Interactive ○ We have to fake it ○ Local decompilation ● Built with IDA SDK 7.0 ● Works in IDA 7.x ● Does not work in freeware IDA 7.0 32

  33. RetDec IDA Plugin 33

  34. RetDec IDA Plugin 34

  35. What’s next? ● Output quality improvements ○ Major refactoring in RetDec v3.1 ○ Still a lot of work is needed ● Better documentation ● New architectures (64-bit) ○ x64 ○ ARM ○ … ● Better integration with IDA ● Better integration with other tools: ○ Binary Ninja ○ Radare2 ○ x64dbg 35

  36. Questions? https://retdec.com https://github.com/avast-tl https://twitter.com/retdec 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek Threat Labs Botconf 2017 1 / 51 &gt; whoarewe Jakub K roustek founder of RetDec Threat Labs lead @Avast (previously @AVG) reverse

1.74k views • 152 slides
An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter Matula Senior software developer @Avast (previously @AVG) Main developer of the RetDec decompiler Developing reversing tools for 6

1k views • 34 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM Leslie Hawthorn Program Manager - Open Source Open Source Programs Office http://code.google.com/opensource/ Who We Are What We Do

750 views • 47 slides
Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open source MySQL database Parameterized Database Queries Input Valida@on HTML Output Encoding

642 views • 13 slides
assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be freely used, distributed, and incorporated into other works. To execute a program: 1 put the &quot;machine code&quot; into memory 2 jal __start (the OS

798 views • 66 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts to perform the inverse process of the compiler. Given an executable program compiled in any high-level language, the aim is to produce a high-level

803 views • 25 slides
Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT REPOSITORY COLLECTION PIPELINE Intro Alexander Bezzubov source{d} committer &amp; PMC @ apache zeppelin startup in Madrid engineer

436 views • 25 slides
1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why open-sourcing ? 1. Code doesn't need to be written from scratch Code from similar open-source applications can be reused 2. Free help and support

629 views • 17 slides
About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code compatible (binary compatible on 68k) - Ported on Multiple Architectures (68k,PPC,ARM,x86/64) - Available as Native and Hosted (linux, windows) - ARIX (in

581 views • 8 slides
Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

University of Zrich, March 14, 2019 Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source software: from curiosity to digital infrastructure 1999 2016 Open source code as digital roads or Roads

834 views • 59 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
File Operations Lecture 16 COP 3014 Spring 2018 April 18, 2018 Input/Ouput to and from files

File Operations Lecture 16 COP 3014 Spring 2018 April 18, 2018 Input/Ouput to and from files

File Operations Lecture 16 COP 3014 Spring 2018 April 18, 2018 Input/Ouput to and from files File input and file output is an essential in programming. Most software involves more than keyboard input and screen user interfaces. Data

297 views • 10 slides
The Unix I/O Philosophy The Unix I/O Philosophy CS 105 Tour of the Black Holes of

The Unix I/O Philosophy The Unix I/O Philosophy CS 105 Tour of the Black Holes of

The Unix I/O Philosophy The Unix I/O Philosophy CS 105 Tour of the Black Holes of Computing Before Unix, doing I/O was a pain

364 views • 8 slides
CS 240 Programming in C Introduction September 4, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C Introduction September 4, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C Introduction September 4, 2019 Haoyu Wang UMass Boston CS 240 September 4, 2019 1 / 24 Schedule Course Introduction 1 Programming Overview 2 History of C Language 3 Editor 4 Intro of Linux Command-line 5

483 views • 24 slides
Administrative Notes February 9, 2017 Feb 10: Project proposal resubmission (optional)

Administrative Notes February 9, 2017 Feb 10: Project proposal resubmission (optional)

Administrative Notes February 9, 2017 Feb 10: Project proposal resubmission (optional) Feb 13: Art and Images reading quiz on Connect Feb 17: In the News call #2 Computational Thinking The image part with relationship ID rId20

782 views • 34 slides
Text Files COMP 1002/1402 Purpose Program is in memory What happens if the computer

Text Files COMP 1002/1402 Purpose Program is in memory What happens if the computer

Text Files COMP 1002/1402 Purpose Program is in memory What happens if the computer fails Computation has finished, whats next? User interaction is on line Can we keep a record of it? Does the user need to reinsert

743 views • 36 slides
CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Assembly code and binary formats (ELF)

630 views • 23 slides
Elmer Post-processing utilities ElmerTeam CSC IT Center for Science Visualization

Elmer Post-processing utilities ElmerTeam CSC IT Center for Science Visualization

Elmer Post-processing utilities ElmerTeam CSC IT Center for Science Visualization capabilities of Elmer suite ElmerPost is basically ok but has some limitations Somewhat outdated look and feel Output resolution same as window

1.04k views • 48 slides
CIS 218 File Utilities and Filters Text / File Commands File Manipulation cat displays

CIS 218 File Utilities and Filters Text / File Commands File Manipulation cat displays

CIS 218 File Utilities and Filters Text / File Commands File Manipulation cat displays file text on STDOUT cut displays designated fields/characters echo displays string on STDOUT expand converts tabs to spaces file display info

512 views • 6 slides

More recommend