retdec an open source machine code decompiler
play

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek - PowerPoint PPT Presentation

May 09, 2023 •217 likes •1.74k views

RetDec: An Open-Source Machine-Code Decompiler Jakub K roustek Peter Matula Petr Zemek Threat Labs Botconf 2017 1 / 51 > whoarewe Jakub K roustek founder of RetDec Threat Labs lead @Avast (previously @AVG) reverse

  1. Preprocessing repos � Fileformat • fileformat, loader, cpdetect, fileinfo, unpacker • ar-extractor, macho-extractor, . . . � PeLib • strengthened • new modules (rich header, delayed imports, security dir, . . . ) � ELFIO • strengthened Botconf 2017 21 / 51

  2. Preprocessing repos � Fileformat • fileformat, loader, cpdetect, fileinfo, unpacker • ar-extractor, macho-extractor, . . . � PeLib • strengthened • new modules (rich header, delayed imports, security dir, . . . ) � ELFIO • strengthened � PDBparser • will hopefully be replaced by LLVM parsers Botconf 2017 21 / 51

  3. Preprocessing repos � Fileformat • fileformat, loader, cpdetect, fileinfo, unpacker • ar-extractor, macho-extractor, . . . � PeLib • strengthened • new modules (rich header, delayed imports, security dir, . . . ) � ELFIO • strengthened � PDBparser • will hopefully be replaced by LLVM parsers � Yaracpp • YARA C++ wrapper Botconf 2017 21 / 51

  4. Core Botconf 2017 22 / 51

  5. Core Botconf 2017 22 / 51

  6. Core Botconf 2017 22 / 51

  7. Core Botconf 2017 22 / 51

  8. Core: LLVM • dozens of analysis & transform & utility passes • dead global elimination, constant propagation, inlining, reassociation, loop optimization, memory promotion, dead store elimination, . . . Botconf 2017 23 / 51

  9. Core: LLVM • dozens of analysis & transform & utility passes • dead global elimination, constant propagation, inlining, reassociation, loop optimization, memory promotion, dead store elimination, . . . • clang -o hello hello.c -O3 • 217 passes • -targetlibinfo -tti -tbaa -scoped-noalias -assumption-cache-tracker -profile-summary-info -forceattrs -inferattrs -ipsccp -globalopt -domtree -mem2reg -deadargelim -domtree -basicaa -aa -instcombine -simplifycfg -basiccg -globals-aa -prune-eh -inline -functionattrs -argpromotion -domtree -sroa -basicaa -aa -memoryssa -early-cse-memssa -speculative-execution -domtree -basicaa -aa -lazy-value-info -jump-threading . . . Botconf 2017 23 / 51

  10. Core: LLVM IR • LLVM IR = LLVM Intermediate Representation • kind of assembly language / three address code @global = global i32 define i32 @fnc(i32 %arg) { %x = load i32, i32* @global %y = add i32 %x, %arg store i32 %y, @global return i32 %y } Botconf 2017 24 / 51

  11. Core: LLVM IR • LLVM IR = LLVM Intermediate Representation • kind of assembly language / three address code @global = global i32 define i32 @fnc(i32 %arg) { %x = load i32, i32* @global %y = add i32 %x, %arg store i32 %y, @global return i32 %y } • SSA = Static Single Assignment • %y = add i32 %x, %arg • Load/Store architecture • %x = load i32, i32* @global • Functions, arguments, returns, data types • (Un)conditional branches, switches Botconf 2017 24 / 51

  12. Core: LLVM IR • LLVM IR = LLVM Intermediate Representation • kind of assembly language / three address code @global = global i32 define i32 @fnc(i32 %arg) { %x = load i32, i32* @global %y = add i32 %x, %arg store i32 %y, @global return i32 %y } • SSA = Static Single Assignment • %y = add i32 %x, %arg • Load/Store architecture • %x = load i32, i32* @global • Functions, arguments, returns, data types • (Un)conditional branches, switches • � Universal IR for efficient compiler transformations and analyses Botconf 2017 24 / 51

  13. Core: decoder Botconf 2017 25 / 51

  14. Core: decoder Botconf 2017 25 / 51

  15. Core: decoder Botconf 2017 25 / 51

  16. Core: decoder Botconf 2017 25 / 51

  17. Core: decoder Botconf 2017 25 / 51

  18. Core: decoder Botconf 2017 25 / 51

  19. Core: decoder Botconf 2017 25 / 51

  20. Core: decoder Botconf 2017 25 / 51

  21. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks Botconf 2017 26 / 51

  22. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Botconf 2017 26 / 51

  23. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns Botconf 2017 26 / 51

  24. Would you rather . . . • PMULHUW • Multiply Packed Unsigned Integers and Store High Result if (OperandSize == 64) { //PMULHUW instruction with 64-bit operands: Tmp0[0..31] = Dst[0..15] * Src[0..15]; Tmp1[0..31] = Dst[16..31] * Src[16..31]; Tmp2[0..31] = Dst[32..47] * Src[32..47]; Tmp3[0..31] = Dst[48..63] * Src[48..63]; Dst[0..15] = Tmp0[16..31]; __asm_PMULHUW(mm1, mm2); Dst[16..31] = Tmp1[16..31]; Dst[32..47] = Tmp2[16..31]; Dst[48..63] = Tmp3[16..31]; } else { //PMULHUW instruction with 128-bit operands: // Even longer ... } Botconf 2017 25 / 51

  25. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns Botconf 2017 26 / 51

  26. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns • full semantics only for simple instructions Botconf 2017 26 / 51

  27. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns • full semantics only for simple instructions • Implementation details, testing framework (Keystone Engine + LLVM emulator), keeping LLVM IR ↔ ASM mapping, . . . Botconf 2017 26 / 51

  28. Core: Capstone2LlvmIR • Capstone insn → sequence of LLVM IR • Handcoded sequences • 32/64-bit x86 – 1 person ≈ 2-3 weeks • Architectures (core instruction sets): • ARM + Thumb extension – 32-bit • MIPS – 32/64-bit • PowerPC – 32/64-bit • x86 – 32/64-bit • Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x • Decompilation & advanced insns • full semantics only for simple instructions • Implementation details, testing framework (Keystone Engine + LLVM emulator), keeping LLVM IR ↔ ASM mapping, . . . Botconf 2017 26 / 51

  29. Core: low-level passes Botconf 2017 27 / 51

  30. Core: low-level passes Botconf 2017 27 / 51

  31. Core: assembly generation Botconf 2017 28 / 51

  32. Core: high-level passes Botconf 2017 29 / 51

  33. Core repos � RetDec • bin2llvmir library • bin2llvmirtool Botconf 2017 30 / 51

  34. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation Botconf 2017 30 / 51

  35. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction Botconf 2017 30 / 51

  36. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection Botconf 2017 30 / 51

  37. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection � Yaramod • YARA to AST parsing & C++ API to build new YARA rulesets Botconf 2017 30 / 51

  38. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection � Yaramod • YARA to AST parsing & C++ API to build new YARA rulesets � Ctypes • extraction and presentation of C function data types Botconf 2017 30 / 51

  39. Core repos � RetDec • bin2llvmir library • bin2llvmirtool � Capstone2LlvmIR • Capstone instruction to LLVM IR translation � Capstone-dumper • what does Capstone know about any instruction � Fnc-patterns • statically linked function pattern creation and detection � Yaramod • YARA to AST parsing & C++ API to build new YARA rulesets � Ctypes • extraction and presentation of C function data types � Demangler • gcc/Clang, Microsoft Visual C++, and Borland C++ Botconf 2017 30 / 51

  40. Backend Botconf 2017 31 / 51

  41. Backend Botconf 2017 31 / 51

  42. Backend Botconf 2017 31 / 51

  43. Backend: BIR is an AST • BIR = Backend IR • AST = Abstract syntax tree • while (x < 20){ x = x + (y * 2); } Botconf 2017 32 / 51

  44. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  45. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  46. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  47. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  48. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  49. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  50. Backend: code structuring • LLVM IR: only (un)conditional branches & switches • identify high-level control-flow patterns • restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf 2017 33 / 51

  51. Backend: optimizations • copy propagation • reducing the number of variables Botconf 2017 34 / 51

Recommend

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We?

RetDec: An Open-Source Machine-Code Decompiler Jakub Koustek Peter Matula Who Are We? Jakub Koustek Founder of RetDec Threat Labs lead @Avast (previously @AVG) Reverse engineer, malware hunter, security researcher

902 views • 36 slides
An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter

An Open-Source Machine-Code Decompiler Peter Matula Marek Milkovi Who Are We? Peter Matula Senior software developer @Avast (previously @AVG) Main developer of the RetDec decompiler Developing reversing tools for 6

1k views • 34 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM

Open Source and Google Summer of Code TM plus the Google Highly Open Participation Contest TM Leslie Hawthorn Program Manager - Open Source Open Source Programs Office http://code.google.com/opensource/ Who We Are What We Do

750 views • 47 slides
Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open source MySQL database Parameterized Database Queries Input Valida@on HTML Output Encoding

642 views • 13 slides
assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be

assembly language source assembler code &quot;machine code&quot; 1 These slides may be freely used, distributed, and incorporated into other works. To execute a program: 1 put the &quot;machine code&quot; into memory 2 jal __start (the OS

798 views • 66 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts

Decompilation Ximing Yu May 3, 2011 Decompiler Definition Decompiler is a program that attempts to perform the inverse process of the compiler. Given an executable program compiled in any high-level language, the aim is to produce a high-level

803 views • 25 slides
Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT REPOSITORY COLLECTION PIPELINE Intro Alexander Bezzubov source{d} committer &amp; PMC @ apache zeppelin startup in Madrid engineer

436 views • 25 slides
1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why

1 IWES, September 2018 Summary of open-source licenses Claudio Scordino Paolo Gai 2 Why open-sourcing ? 1. Code doesn't need to be written from scratch Code from similar open-source applications can be reused 2. Free help and support

629 views • 17 slides
About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code

About AROS - AROS is a open source rewrite of Amiga OS 3.1 - APL licence - Source Code compatible (binary compatible on 68k) - Ported on Multiple Architectures (68k,PPC,ARM,x86/64) - Available as Native and Hosted (linux, windows) - ARIX (in

581 views • 8 slides
Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

University of Zrich, March 14, 2019 Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source software: from curiosity to digital infrastructure 1999 2016 Open source code as digital roads or Roads

834 views • 59 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Does Open Source need Standards Bodies? Doug Davis, STSM, IBM Op Open Source Start a new OSS

Does Open Source need Standards Bodies? Doug Davis, STSM, IBM Op Open Source Start a new OSS

Does Open Source need Standards Bodies? Doug Davis, STSM, IBM Op Open Source Start a new OSS Project New project is started: Pick a spot: e.g. github.com, sourceforge.net No barrier to entry Could be seeded with existing code

822 views • 24 slides
Open Data Kit h8p://code.google.com/p/open-data-kit A set of open

Open Data Kit h8p://code.google.com/p/open-data-kit A set of open

Open Data Kit h8p://code.google.com/p/open-data-kit A set of open source tools to help organiza3ons collect, aggregate and visualize their rich data.

429 views • 27 slides
Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A

Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A

Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A single language construct can have many implementations many-to-many mappings from high-level source language to low-level target machine language

560 views • 16 slides
Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate Code optimizer Code generator Code generator Input: intermediate code + symbol tables In our case, three-address code All variables

717 views • 38 slides
December 7, 2015 - January 25, 2016 What is open source? Computer software where the source

December 7, 2015 - January 25, 2016 What is open source? Computer software where the source

December 7, 2015 - January 25, 2016 What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes

423 views • 15 slides
Translation Models Machine-dependent Generate Machine Code Directly Through

Translation Models Machine-dependent Generate Machine Code Directly Through

Translation Models Machine-dependent Generate Machine Code Directly Through Intermediate Code Machine-independent Interpret the source code Generate intermediate code and then interpret the intermediate code Single

263 views • 5 slides
Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 ,

Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 ,

The Apertium MT toolbox Data for the pt es pair Concluding remarks Open-source PortugueseSpanish machine translation C. Armentano-Oller 1 , R.C. Carrasco 1 , 2 , A.M. Corb-Bellot 1 , M.L. Forcada 1 , 2 , M. Ginest-Rosell 1 , S.

338 views • 30 slides
Compiling and Linking C code Assembly C Source C Source C Source Source .c Code Code Code

Compiling and Linking C code Assembly C Source C Source C Source Source .c Code Code Code

Advanced Programming Modular Programming in C Modular Programming Intro n It is not possible to create complex programs using a single source file: n Compiling is slow n Difficult reuse of functions n Impossible collaboration among

513 views • 17 slides

More recommend