an open source machine code decompiler
play

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi - PowerPoint PPT Presentation

Oct 13, 2023 •654 likes •1k views

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter Matula Senior software developer @Avast (previously @AVG) Main developer of the RetDec decompiler Developing reversing tools for 6

  1. An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovič

  2. Who Are We? ● Peter Matula ○ Senior software developer @Avast (previously @AVG) ○ Main developer of the RetDec decompiler ○ Developing reversing tools for 6 years ○ Love rock climbing & beer ○ peter.matula@avast.com ● Marek Milkovič ○ Software developer @Avast (previously @AVG) ○ Works on preprocessing stage of the RetDec decompiler ○ Works on YARA related tools ○ Interested in C++, reverse engineering and compilers ○ @dev_metthal, marek.milkovic@avast.com

  3. What Is RetDec? ● Set of reversing tools ● Chained together → generic binary code decompiler ● Separate → research, other (internal) projects, ... ● Core based on LLVM ● History ○ 2011-2013 AVG + BUT FIT via TAČR TA01010667 grant ○ 2013-2016 AVG + BUT FIT students via diploma theses ○ 2016-* Avast + BUT FIT students ○ December 2017 Opened-sourced under the MIT license @github ● https://retdec.com/ ● https://github.com/avast-tl/retdec ● https://twitter.com/retdec

  4. What Is RetDec? ● Supports ○ 32-bit archs: x86, ARM, PowerPC, MIPS ○ OFFs: ELF, PE, COFF, Mach-O, Intel HEX, AR, raw data ○ … working on 64-bit x86, and others ● Does ○ Compiler/packer detection ○ Statically linked code detection ○ OS loader simulation ○ Recursive traversal disassembling ○ High-level code structuring ● Runs on ○ Linux ○ Windows ○ macOS (kinda)

  5. RetDec Structure

  6. Preprocessing

  7. Preprocessing: Unpacker ● Static unpacker ● Signatures + heuristics ● Supports: UPX, MPRESS ● Unpacking of modified variants ● Decompilation of unpacked file ○ Code/Data section separation ● UPX ○ Missing UPX header ○ ADD/XOR/… instruction inserted into unpacking stub (ad-hoc)

  8. Preprocessing: Unpacker 000725e0: 40 64 15 7f d4 01 ff fe be 60 17 11 7f 48 38 1b @d.......`...H8. 000725f0: 0f 28 01 00 92 24 61 d0 7f 00 40 25 49 ff 00 00 .(...$a...@%I... - 00072600: 00 00 55 50 58 21 00 00 00 00 00 00 55 50 58 21 ..UPX!......UPX! + 00072600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00072610: 0d 16 08 07 ca 54 49 13 0c 04 33 ad 90 b5 07 00 .....TI...3..... 00072620: 1c 62 01 00 70 41 1b 00 49 4a 00 df f4 00 00 00 .b..pA..IJ...... Our unpacker UPX

  9. Preprocessing: Stacofin ● YARA based statically linked code detection (F.L.I.R.T.-like technology) ● Lib → full pattern extractor → pattern (YARA) → aggregator → final pattern (YARA) ● Matching using YARA + Capstone function_xyz(): rule rule_0 { 55 89 E5 83 E4 F0 83 EC meta: 20 E8 00 00 00 00 C7 44 name = "function_xyz" 24 1C 00 00 00 00 C7 44 size = 132 24 18 00 00 00 00 C7 44 refs = "10 ___main 62 _scanf 82 _ack 122 _printf" 24 14 00 00 00 00 8D 44 altNames = "" 24 14 89 44 24 08 8D 44 strings: 24 18 89 44 24 04 C7 04 $1 = { 55 89 E5 83 E4 F0 83 EC 20 E8 ?? ?? ?? ?? C7 44 24 1C 00 24 44 90 40 00 E8 00 00 00 00 00 C7 44 24 18 00 00 00 00 C7 44 24 14 00 00 00 00 00 00 8B 54 24 14 8B 44 8D 44 24 14 89 44 24 08 8D 44 24 18 89 44 24 04 C7 04 24 24 18 89 54 24 04 89 04 44 90 40 00 E8 ?? ?? ?? ?? 8B 54 24 14 8B 44 24 18 89 54 24 E8 00 00 00 00 89 44 24 04 89 04 24 E8 ?? ?? ?? ?? 89 44 24 1C 8B 54 24 14 8B 24 1C 8B 54 24 14 8B 44 44 24 18 8B 4C 24 1C 89 4C 24 0C 89 54 24 08 89 44 24 04 24 18 8B 4C 24 1C 89 4C C7 04 24 4A 90 40 00 E8 ?? ?? ?? ?? 8B 44 24 1C C9 C3 } 24 0C 89 54 24 08 89 44 condition: 24 04 C7 04 24 4A 90 40 $1 00 E8 00 00 00 00 8B 44 } 24 1C C9 C3

  10. Preprocessing: Fileinfo ● Universal binary file parser ○ Headers, sections/segments, symbol tables, ... ● PE, ELF, Mach-O, COFF, Intel HEX ● Plain text or JSON output ● PE ○ Import + export table ○ Certificates ○ Resources ○ .NET data types ○ PDB path ○ … ● Constantly adding new features (RTTI, statically linked code, …)

  11. Preprocessing: Fileinfo ● Compiler/packer detection ● Import table and hashes

  12. Preprocessing: Fileinfo ● PDB path ● Certificate (PE authenticode) ● .NET data types

  13. Core

  14. Core: LLVM ● Clang: dozens of analyses & transformation & utility passes clang -o hello hello.c -O3 ● → 217 passes ○ -targetlibinfo -tti -tbaa -scoped-noalias -assumption-cache-tracker -profile-summary-info -forceattrs -inferattrs -ipsccp -globalopt -domtree -mem2reg -deadargelim -domtree -basicaa -aa -instcombine … ● RetDec: dozens of stock LLVM passes & our own passes retdec-decompiler.sh input.exe ● ○ -provider-init -decoder -main-detection -idioms-libgcc -inst-opt -register -cond-branch-opt -syscalls -stack -constants -param-return -local-vars -inst-opt -simple-types -generate-dsm -remove-asm-instrs -class-hierarchy -select-fncs -unreachable-funcs -inst-opt -value-protect <LLVM> -simple-types -stack-ptr-op-remove -inst-opt -idioms -global-to-local -dead-global-assign <LLVM> -phi2seq -value-protect

  15. Core: LLVM IR ● LLVM Intermediate Representation ● Kind of assembly language ● ~62 instructions ● SSA = Static Single Assignment ● Load/Store architecture ● Functions, arguments, returns, data types ● (Un)conditional branches, switches ● Universal IR for efficient compiler transformations and analyses

  16. Core: Binary to LLVM IR translation

  17. Core: Capstone2LlvmIR ● Capstone insn → sequence of LLVM IR ● Hand-coded sequences for core instructions: ○ ARM + Thumb extension (32-bit) ○ MIPS (32/64-bit) ○ PowerPC (32/64-bit) ○ X86 (32/64-bit) ● Capstone: 64-bit ARM, SPARS, SYSZ, XCore, m68k, m680x, TMS320C64x ● Full semantics only for simple instructions ● More complex instructions translated as pseudo calls __asm_PMULHUW(mm1, mm2) ○ ● Implementation details, testing framework (Keystone + LLVM emulator), keeping LLVM IR ↔ ASM mapping, ...

  18. Core: Capstone2LlvmIR ./retdec-capstone2llvmir -a mips -b 0x1000 -m 32 -t 'addi $at, $v0, 1000’ ●

  19. Core: Capstone2LlvmIR ./retdec-capstone2llvmir -a x86 -b 0x1000 -m 32 -t 'je 1234’ ●

  20. Core: Decoding ● Recursive-traversal decoding (disassembling) into LLVM IR ● Works on (analyses) LLVM IR, not assembly ● Priority queue: control flow targets, entry point, debug, symbols, ...

  21. Core: Decoding ● Recursive-traversal decoding (disassembling) into LLVM IR ● Works on (analyses) LLVM IR, not assembly ● Priority queue: control flow targets, entry point, debug, symbols, ...

  22. Core: Pattern Matching LLVM IR is SSA → <llvm/IR/PatternMatch.h> ● ○ Simple and efficient mechanism for performing general tree-based pattern matches on the LLVM IR ● LLVM IR is load/store → Symbolic Tree Matching Reaching definition analysis → symbolic tree → LLVM-like matcher ○

  23. Core: Our Passes ● Idiom detection ● Instruction optimization ● X86 FPU analysis ● Conditional branch transformation ● System calls detection ● Stack reconstruction ● Global variable reconstruction ● Data type propagation ● C++ class hierarchy reconstruction ● Localization (global to local variable transformation) ● ...

  24. Backend

  25. Backend: BIR ● BIR = Backend IR ● AST = Abstract syntax tree while (x < 20) ● { x = x + (y * 2); }

  26. Backend: Code Structuring ● LLVM IR: only (un)conditional branches & switches ● Identify high-level control-flow patterns ● Restructure BIR: if-else, for-loop, while-loop, switch, break, continue

  27. Backend: Optimizations ● Copy propagation ○ Reducing the number of variables ● Arithmetic expression simplification a + -1 - -4 a + 3 ○ → ● Negation optimization if (!(a == b)) if (a != b) ○ → ● Pointer arithmetic *(a + 4) a[4] ○ → ● Control flow conversions while (true) { … if (cond) break; … } ○ if/else chains switch ○ → ● ...

  28. Backend: Code Generation ● Variable name assignment for (i = 0; i < 10; ++i) ○ Induction variables: a1, a2, a3, … ○ Function arguments: General context names: return result; ○ Stdlib context names: int len = strlen(); ○ ● Stdlib context literals flock(sock_id, 7) → flock(sock_id, LOCK_SH | LOCK_EX | LOCK_NB) ○ ● Output generation ○ C ○ CFG = Control-Flow Graph ○ Call Graph

  29. RetDec IDA Plugin

  30. RetDec IDA Plugin ● Look & feel native ● Same object names as IDA ● Interactive ○ We have to fake it ○ Local decompilation ● Built with IDA SDK 7.0 ● Works in IDA 7.x ● Does not work in freeware IDA 7.0

  31. RetDec IDA Plugin

  32. RetDec IDA Plugin

  33. What’s next? ● Output quality improvements ○ Major refactoring in RetDec v3.1 ○ Still a lot of work is needed ● Better documentation ● New architectures (64-bit) ○ x64 ○ ARM ○ … ● Better integration with IDA ● Better integration with other tools: ○ Binary Ninja ○ Radare2 ○ x64dbg

  34. Questions? https://retdec.com https://github.com/avast-tl https://twitter.com/retdec

Recommend

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We? Jakub Koustek Founder of RetDec Threat Labs lead @Avast (previously @AVG) Reverse engineer, malware hunter, security researcher

902 views • 36 slides
RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek Threat Labs Botconf 2017 1 / 51 &gt; whoarewe Jakub K roustek founder of RetDec Threat Labs lead @Avast (previously @AVG) reverse

1.74k views • 152 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM Leslie Hawthorn Program Manager - Open Source Open Source Programs Office http://code.google.com/opensource/ Who We Are What We Do

750 views • 47 slides
Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open source MySQL database Parameterized Database Queries Input Valida@on HTML Output Encoding

642 views • 13 slides
assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be freely used, distributed, and incorporated into other works. To execute a program: 1 put the &quot;machine code&quot; into memory 2 jal __start (the OS

798 views • 66 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts to perform the inverse process of the compiler. Given an executable program compiled in any high-level language, the aim is to produce a high-level

803 views • 25 slides
Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT REPOSITORY COLLECTION PIPELINE Intro Alexander Bezzubov source{d} committer &amp; PMC @ apache zeppelin startup in Madrid engineer

436 views • 25 slides
1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why open-sourcing ? 1. Code doesn't need to be written from scratch Code from similar open-source applications can be reused 2. Free help and support

629 views • 17 slides
About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code compatible (binary compatible on 68k) - Ported on Multiple Architectures (68k,PPC,ARM,x86/64) - Available as Native and Hosted (linux, windows) - ARIX (in

581 views • 8 slides
Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

University of Zrich, March 14, 2019 Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source software: from curiosity to digital infrastructure 1999 2016 Open source code as digital roads or Roads

834 views • 59 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Does Open Source need Standards Bodies? Doug Davis, STSM, IBM Op Open Source Start a new OSS

Does Open Source need Standards Bodies? Doug Davis, STSM, IBM Op Open Source Start a new OSS

Does Open Source need Standards Bodies? Doug Davis, STSM, IBM Op Open Source Start a new OSS Project New project is started: Pick a spot: e.g. github.com, sourceforge.net No barrier to entry Could be seeded with existing code

822 views • 24 slides
Open Data Kit h8p://code.google.com/p/open-data-kit A set of open

Open Data Kit h8p://code.google.com/p/open-data-kit A set of open

Open Data Kit h8p://code.google.com/p/open-data-kit A set of open source tools to help organiza3ons collect, aggregate and visualize their rich data.

429 views • 27 slides
Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A

Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A

Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A single language construct can have many implementations many-to-many mappings from high-level source language to low-level target machine language

560 views • 16 slides
Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate Code optimizer Code generator Code generator Input: intermediate code + symbol tables In our case, three-address code All variables

717 views • 38 slides
December 7, 2015 - January 25, 2016 What is open source? Computer software where the source

December 7, 2015 - January 25, 2016 What is open source? Computer software where the source

December 7, 2015 - January 25, 2016 What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes

423 views • 15 slides
Translation Models Machine-dependent Generate Machine Code Directly Through

Translation Models Machine-dependent Generate Machine Code Directly Through

Translation Models Machine-dependent Generate Machine Code Directly Through Intermediate Code Machine-independent Interpret the source code Generate intermediate code and then interpret the intermediate code Single

263 views • 5 slides
Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 ,

Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 ,

The Apertium MT toolbox Data for the pt es pair Concluding remarks Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 , A.M. Corb-Bellot 1 , M.L. Forcada 1 , 2 , M. Ginest-Rosell 1 , S.

338 views • 30 slides
Compiling and Linking C code Assembly C Source C Source C Source Source .c Code Code Code

Compiling and Linking C code Assembly C Source C Source C Source Source .c Code Code Code

Advanced Programming Modular Programming in C Modular Programming Intro n It is not possible to create complex programs using a single source file: n Compiling is slow n Difficult reuse of functions n Impossible collaboration among

513 views • 17 slides

More recommend