why decompilation
play

Why decompilation? This course is ostensibly about Optimising - PowerPoint PPT Presentation

Sep 10, 2022 •283 likes •650 views

Why decompilation? This course is ostensibly about Optimising Compilers. It is really about program analysis and transformation . Decompilation is achieved through analysis and transformation of target code; the transformations just work in the

  1. Why decompilation? This course is ostensibly about Optimising Compilers. It is really about program analysis and transformation . Decompilation is achieved through analysis and transformation of target code; the transformations just work in the opposite direction.

  2. The decompilation problem Even simple compilation discards a lot of information: • Comments • Function and variable names • Structured control flow • Type information

  3. The decompilation problem Optimising compilation is even worse: • Dead code and common subexpressions are eliminated • Algebraic expressions are rewritten • Code and data are inlined; loops are unrolled • Unrelated local variables are allocated to the same physical register • Instructions are reordered by code motion optimisations and instruction scheduling

  4. The decompilation problem Some of this information is never going to be automatically recoverable (e.g. comments, variable names); some of it we may be able to partially recover if our techniques are sophisticated enough. Compilation is not injective . Many different source programs may result in the same compiled code, so the best we can do is to pick a reasonable representative source program.

  5. Intermediate code It is relatively straightforward to extract a flowgraph from an assembler program. Basic blocks are located in the same way as during forward compilation; we must simply deal with the semantics of the target instructions rather than our intermediate 3-address code.

  6. Intermediate code For many purposes (e.g. simplicity, retargetability) it might be beneficial to convert the target instructions back into 3-address code when storing it into the flowgraph. This presents its own problems: for example, many architectures include instructions which test or set condition flags in a status register, so it may be necessary to laboriously reconstruct this behaviour with extra virtual registers and then use dead-code elimination to remove all unnecessary instructions thus generated.

  7. Control reconstruction A compiler apparently destroys the high-level control structure which is evident in a program’s source code. After building a flowgraph during decompilation, we can recover some of this structure by attempting to match intervals of the flowgraph against some fixed set of familiar syntactic forms from our high-level language.

  8. Finding loops Any structured loops from the original program will have been compiled into tests and branches; they will look like arbitrary (“spaghetti”) control flow. In order to recover the high-level structure of these loops, we must use dominance .

  9. Dominance In a flowgraph, we say a node m dominates another node n if control must go through m before it can reach n . The immediate dominator of a node n is the unique node that dominates n but doesn’t dominate any other dominator of n . We can represent this dominance relation with a dominance tree in which each edge connects a node with its immediate dominator.

  10. Dominance ENTRY f a b c d e EXIT

  11. Dominance ENTRY f a b e c d EXIT

  12. Back edges We can now define the concept of a back edge . In a flowgraph, a back edge is one whose head dominates its tail.

  13. Back edges ENTRY f ENTRY f a a b c b e c d e d EXIT EXIT

  14. Finding loops Each back edge has an associated loop. The head of a back edge points to the loop header , and the loop body consists of all the nodes from which the tail of the back edge can be reached without passing through the loop header.

  15. Finding loops ENTRY f a b c d e EXIT

  16. Finding loops Once each loop has been identified, we can examine its structure to determine what kind of loop it is, and hence how best to represent it in source code.

  17. Finding loops Here, the loop header contains a conditional which determines whether the loop body is executed, and the last node of the body unconditionally transfers control back to the header. b This structure corresponds to source-level while (...) {...} d syntax.

  18. Finding loops Here, the loop header unconditionally allows the body to execute, and the last node of the body tests whether the loop should execute again. a This structure corresponds to source-level do {...} while (...) e syntax.

  19. Finding conditionals A similar principle applies when trying to reconstruct conditionals: we look for structures in the flowgraph which may be represented by particular forms of high-level language syntax.

  20. Finding conditionals The first node in this interval a transfers control to one node if some condition is true, otherwise it transfers control to another node b (which control also eventually reaches along the first branch). c This structure corresponds to source-level d if (...) then {...} syntax.

  21. Finding conditionals The first node in this interval transfers control to one node if some condition is true, and another node if the condition is false; control always reaches some later node. a This structure corresponds to source-level b c if (...) then {...} else {...} syntax. d

  22. Control reconstruction We can keep doing this for whatever other control- flow constructs are available in our source language. Once an interval of the flowgraph has been matched against a higher-level control structure in this way, its entire subgraph can be replaced with a single node which represents that structure and contains all of the information necessary to generate the appropriate source code.

  23. Type reconstruction Many source languages also contain rich information about the types of variables: integers, booleans, arrays, pointers, and more elaborate data-structure types such as union s and struct s. At the target code level there are no variables, only registers and memory locations. Types barely exist here: memory contains arbitrary bytes, and registers contain integers of various bit- widths (possibly floating-point values too).

  24. Type reconstruction Reconstruction of the types of source-level variables is made more difficult by the combination of SSA and register allocation performed by an optimising compiler. SSA splits one user variable into many variables — one for each static assignment — and any of these variables with disjoint live ranges may be allocated to the same physical register.

  25. Type reconstruction So each user variable may be spread between several registers — and each register may hold the value of different variables at different times. It’s therefore a bit hopeless to try to give a type to each physical register; the notional type of the value held by any given register will change during execution. int x = 42; MOV r3,#42 … … char *y = “42”; MOV r3,#0xFF34

  26. Type reconstruction Happily, we can undo the damage by once again converting to SSA form: this will split a single register into many registers, each of which can be assigned a different type if necessary. MOV r3,#42 MOV r3 a ,#42 … … MOV r3,#0xFF34 MOV r3 b ,#0xFF34

  27. Type reconstruction int foo (int *x) { C return x[1] + 2; } compile f: ldr r0,[r0,#4] ARM add r0,r0,#2 mov r15,r14

  28. Type reconstruction int f (int r0) { r0 = *(int *)(r0 + 4); C r0 = r0 + 2; return r0; } decompile f: ldr r0,[r0,#4] ARM add r0,r0,#2 mov r15,r14

  29. Type reconstruction int f (int r0) { r0 = *(int *)(r0 + 4); r0 = r0 + 2; return r0; } SSA int f (int r0 a ) { int r0 b = *(int *)(r0 a + 4); int r0 c = r0 b + 2; return r0 c ; }

  30. Type reconstruction int f (int *r0 a ) { int r0 b = *(r0 a + 1); int r0 c = r0 b + 2; return r0 c ; } reconstruct types int f (int r0 a ) { int r0 b = *(int *)(r0 a + 4); int r0 c = r0 b + 2; return r0 c ; }

  31. Type reconstruction int f (int *r0 a ) { int r0 b = *(r0 a + 1); int r0 c = r0 b + 2; return r0 c ; } reconstruct syntax int f (int *r0 a ) { int r0 b = r0 a [1]; int r0 c = r0 b + 2; return r0 c ; }

  32. Type reconstruction int f (int *r0 a ) { return r0 a [1] + 2; } propagate copies int f (int *r0 a ) { int r0 b = r0 a [1]; int r0 c = r0 b + 2; return r0 c ; }

  33. Type reconstruction int f (int *r0 a ) { return r0 a [1] + 2; } In fact, the return type could be anything, so more generally: T f ( T *r0 a ) { return r0 a [1] + 2; }

  34. Type reconstruction This is all achieved using constraint-based analysis: each target instruction generates constraints on the types of the registers, and we then solve these constraints in order to assign types at the source level. Typing information is often incomplete intraprocedurally (as in the example); constraints generated at call sites help to fill in the gaps. We can also infer union s, struct s, etc.

  35. Summary • Decompilation is another application of program analysis and transformation • Compilation discards lots of information about programs, some of which can be recovered • Loops can be identified by using dominator trees • Other control structure can also be recovered • Types can be partially reconstructed with constraint- based analysis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising Compilers. It is really about program analysis and transformation . Decompilation is achieved through analysis and transformation of target code; the

408 views • 37 slides
Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

UNIVERSITY OF CAMBRIDGE Decompilation, type inference and finding the code to decompile Alan Mycroft Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/users/am/ 30 January 2012 Decompilation, type inference and finding

614 views • 34 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
Decompilation and Data Flow Analysis Silvio Cesare <silvio.cesare@gmail.com> Who am I and

Decompilation and Data Flow Analysis Silvio Cesare <silvio.cesare@gmail.com> Who am I and

Bugalyze.com - Detecting Bugs Using Decompilation and Data Flow Analysis Silvio Cesare <silvio.cesare@gmail.com> Who am I and where did this talk come from? Ph.D. Student at Deakin University Book Author This talk covers some

764 views • 50 slides
Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010 The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB Problems with machine code Formal

660 views • 46 slides
RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly Marcus Botacin

RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly Marcus Botacin

Introduction RevEngE Evaluation Final Remarks RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly Marcus Botacin 1 , Lucas Galante 2 , cio de Geus 2 , Andr egio 1 Paulo L e Gr 1 Federal University of

763 views • 44 slides
Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts to perform the inverse process of the compiler. Given an executable program compiled in any high-level language, the aim is to produce a high-level

803 views • 25 slides
Modular Interpretive Decompilation of Low-Level Code by Partial Evaluation Elvira Albert 1 joint

Modular Interpretive Decompilation of Low-Level Code by Partial Evaluation Elvira Albert 1 joint

Modular Interpretive Decompilation of Low-Level Code by Partial Evaluation Elvira Albert 1 joint work with omez-Zamalloa 1 and Germ an Puebla 2 Miguel G (1) Complutense University of Madrid (Spain) (2) Technical University of Madrid (Spain)

690 views • 56 slides
Dagger Decompiling to IR Ahmed Bougacha with Geoffroy Aubey, Pierre Collet, Thomas Coudray,

Dagger Decompiling to IR Ahmed Bougacha with Geoffroy Aubey, Pierre Collet, Thomas Coudray,

Dagger Decompiling to IR Ahmed Bougacha with Geoffroy Aubey, Pierre Collet, Thomas Coudray, Jonathan Salwan, Amaury de la Vieuville Semantics ? The decompilation process Use cases & tools Semantics Binary > IR x86 add rax, 15 sub

1.02k views • 70 slides
Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin,

Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin,

Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin, Yaroslav Alexandrov SmartDec REcon, Brussels, 2017 What we do at SmartDec Decompilation, deobfuscation x86/x64 ARM/AArch64 JVM,

429 views • 42 slides
TypeMiner: Recovering Types in Binary Code using Machine Learning Alwin Maier Hugo Gascon

TypeMiner: Recovering Types in Binary Code using Machine Learning Alwin Maier Hugo Gascon

Institute of System Security TypeMiner: Recovering Types in Binary Code using Machine Learning Alwin Maier Hugo Gascon Christian Wressnegger Konrad Rieck, DIMVA 2019 Institute of System Security, TU Braunschweig Motivation Decompilation

245 views • 21 slides
Part C Instruction scheduling Instruction scheduling character stream token stream

Part C Instruction scheduling Instruction scheduling character stream token stream

Part C Instruction scheduling Instruction scheduling character stream token stream optimisation parse tree optimisation decompilation intermediate code optimisation target code Motivation We have seen optimisation techniques which

895 views • 45 slides
HITB 2009 Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan

HITB 2009 Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan

Binary deprotection with metasm and stuff Alexandre Gazet Yoann Guillot Sogeti / ESEC R&D Sogeti / ESEC R&D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com HITB 2009 Metasm Debugger Analysis of a protection Compiler

767 views • 59 slides
Representing the control flow of a program P3 / 2004 Control forms a graph Loop

Representing the control flow of a program P3 / 2004 Control forms a graph Loop

Representing the control flow of a program P3 / 2004 Control forms a graph Loop Optimizations A very large graph Observation lot of straight-line connections simplify the graph by grouping some instructions Spring 2004

223 views • 7 slides
CS293S SVN & DVN & GCSE Yufei Ding Review of Last Class Removing redundant

CS293S SVN & DVN & GCSE Yufei Ding Review of Last Class Removing redundant

CS293S SVN & DVN & GCSE Yufei Ding Review of Last Class Removing redundant expressions DAG: version tracking Linear representation: (local) value numbering Scope of optimization Basic block, Extended basic block,

570 views • 38 slides
Modular Constraint Solver Cooperation via Abstract Interpretation ICLP 2020 Pierre Talbot , ric

Modular Constraint Solver Cooperation via Abstract Interpretation ICLP 2020 Pierre Talbot , ric

Modular Constraint Solver Cooperation via Abstract Interpretation ICLP 2020 Pierre Talbot , ric Monfroy, Charlotte Truchet {pierre.talbot}@uni.lu University of Luxembourg 22nd September 2020 Introduction Many research communities centered

512 views • 26 slides
Unrealistic Assumptions Philosophy of Economics University of Virginia Matthias Brinkmann

Unrealistic Assumptions Philosophy of Economics University of Virginia Matthias Brinkmann

Unrealistic Assumptions Philosophy of Economics University of Virginia Matthias Brinkmann Contents 1. Musgrave on Unrealistic Assumptions 2. Assumptions in Hotellings Model 3. The Vector Model 29/10/2018 Unrealistic Assumptions 2 What

304 views • 15 slides
Class 2 Review; questions Basic Analyses (2) Assign (see Schedule for links)

Class 2 Review; questions Basic Analyses (2) Assign (see Schedule for links)

Class 2 Review; questions Basic Analyses (2) Assign (see Schedule for links) Representation and Analysis of Software (Sections 1-5) Additional reading: depth-first presentation, data-flow analysis, etc. Problem Set 1:

607 views • 26 slides
CO444H SSA SSA Construction SSA-based analysis Ben Livshits 1 Refresher: Reaching Definitions

CO444H SSA SSA Construction SSA-based analysis Ben Livshits 1 Refresher: Reaching Definitions

Dataflow Solutions CO444H SSA SSA Construction SSA-based analysis Ben Livshits 1 Refresher: Reaching Definitions Direction D = forward. Domain V = set of all sets of definitions in the flow graph. = union. Functions F =

659 views • 54 slides
Dominators in a Flowgraph Flowgraph: G = ( V, E, r ); each v in V is reachable from r v dominates

Dominators in a Flowgraph Flowgraph: G = ( V, E, r ); each v in V is reachable from r v dominates

Dominators in a Flowgraph Flowgraph: G = ( V, E, r ); each v in V is reachable from r v dominates w if every path from r to w includes v Application areas : Program optimization, VLSI testing, theoretical biology, distributed systems,

1.44k views • 119 slides
263-2810: Advanced Compiler Design 3.0 SSA form for arbitrary control flow graphs Thomas R. Gross

263-2810: Advanced Compiler Design 3.0 SSA form for arbitrary control flow graphs Thomas R. Gross

263-2810: Advanced Compiler Design 3.0 SSA form for arbitrary control flow graphs Thomas R. Gross Computer Science Department ETH Zurich, Switzerland SSA format funcKons allows us to deal with a basic block that has mulKple predecessors

481 views • 30 slides
Appendix: Appendix: Other ATPG algorithms Other ATPG algorithms 1 TOPS Dominators TOPS

Appendix: Appendix: Other ATPG algorithms Other ATPG algorithms 1 TOPS Dominators TOPS

4/28/2009 Appendix: Appendix: Other ATPG algorithms Other ATPG algorithms 1 TOPS Dominators TOPS Dominators Kirkland and Mercer (1987) Kirkland and Mercer (1987) Dominator of g all paths from g to PO must pass through the

598 views • 13 slides
Principles of Programming Languages h"p://www.di.unipi.it/~andrea/Dida2ca/PLP-15/ Prof.

Principles of Programming Languages h"p://www.di.unipi.it/~andrea/Dida2ca/PLP-15/ Prof.

Principles of Programming Languages h"p://www.di.unipi.it/~andrea/Dida2ca/PLP-15/ Prof. Andrea Corradini Department of Computer Science, Pisa Lesson 17 Loops in Control Flow Graphs Convergence speed of data-flow analysis Region

525 views • 35 slides
ACCEPT: We Built an Open-Source Approximation Compiler Framework So You Don't Have To Adrian

ACCEPT: We Built an Open-Source Approximation Compiler Framework So You Don't Have To Adrian

ACCEPT: We Built an Open-Source Approximation Compiler Framework So You Don't Have To Adrian Sampson Andr Baixo Benjamin Ransford Thierry Moreau Joshua Yip Luis Ceze Mark Oskin sa pa University of Washington http:// accept.rocks

570 views • 19 slides

More recommend