RetDec: An Open-Source Machine-Code Decompiler

Transcription

1 RetDec: An Open-Source Machine-Code Decompiler Jakub Křoustek Peter Matula Petr Zemek Threat Labs Botconf / 51

2 > whoarewe Jakub Křoustek founder of RetDec Threat Labs reverse engineer, malware hunter, security Botconf / 51

3 > whoarewe Jakub Křoustek founder of RetDec Threat Labs reverse engineer, malware hunter, security Peter Matula main developer of the RetDec decompiler senior rock climbing and Botconf / 51

4 Quiz Time Botconf / 51

5 Quiz Time Botconf / 51

6 Quiz Time Botconf / 51

7 Quiz Time Botconf / 51

8 Disassembling vs. Decompilation Botconf / 51

9 Decompilation? What is it? Botconf / 51

10 Decompilation? What good is it? Binary analysis reverse engineering malware analysis vulnerability detection verification binary comparison... Botconf / 51

11 Decompilation? What good is it? Binary analysis reverse engineering malware analysis vulnerability detection verification binary comparison... Binary recompilation (yeah, like that s ever gonna work) porting bug fixing adding new features original sources got lost optimizations Botconf / 51

12 Ok, why aren t we already using it? Multiple existing tools: Hex-Rays, Hopper, Snowman, etc. Botconf / 51

13 Ok, why aren t we already using it? Multiple existing tools: Hex-Rays, Hopper, Snowman, etc. It is damn hard Botconf / 51

14 Ok, why aren t we already using it? Multiple existing tools: Hex-Rays, Hopper, Snowman, etc. It is damn hard compilation is not lossless high-level constructions data types names comments, macros,... Botconf / 51

15 Ok, why aren t we already using it? Multiple existing tools: Hex-Rays, Hopper, Snowman, etc. It is damn hard compilation is not lossless high-level constructions data types names comments, macros,... compilers are optimizing Botconf / 51

16 Ok, why aren t we already using it? Multiple existing tools: Hex-Rays, Hopper, Snowman, etc. It is damn hard compilation is not lossless high-level constructions data types names comments, macros,... compilers are optimizing computer science goodies undecidable problems complex algorithms exponential complexities Botconf / 51

17 Ok, why aren t we already using it? Multiple existing tools: Hex-Rays, Hopper, Snowman, etc. It is damn hard compilation is not lossless high-level constructions data types names comments, macros,... compilers are optimizing computer science goodies undecidable problems complex algorithms exponential complexities obfuscation, packing, anti-debugging Botconf / 51

18 Generic decompilation? Even harder Many architectures x86, ARM, MIPS, PowerPC,... CISC vs. RISC bit length, endianness, floating points versions & extensions Botconf / 51

19 Generic decompilation? Even harder Many architectures x86, ARM, MIPS, PowerPC,... CISC vs. RISC bit length, endianness, floating points versions & extensions Many ABIs Botconf / 51

20 Generic decompilation? Even harder Many architectures x86, ARM, MIPS, PowerPC,... CISC vs. RISC bit length, endianness, floating points versions & extensions Many ABIs Many OFFs (object-file formats) ELF, PE, apple Mach-O,... Botconf / 51

21 Generic decompilation? Even harder Many architectures x86, ARM, MIPS, PowerPC,... CISC vs. RISC bit length, endianness, floating points versions & extensions Many ABIs Many OFFs (object-file formats) ELF, PE, apple Mach-O,... Many programming languages Botconf / 51

22 Generic decompilation? Even harder Many architectures x86, ARM, MIPS, PowerPC,... CISC vs. RISC bit length, endianness, floating points versions & extensions Many ABIs Many OFFs (object-file formats) ELF, PE, apple Mach-O,... Many programming languages Many compilers & optimizations Botconf / 51

23 Generic decompilation? Even harder Many architectures x86, ARM, MIPS, PowerPC,... CISC vs. RISC bit length, endianness, floating points versions & extensions Many ABIs Many OFFs (object-file formats) ELF, PE, apple Mach-O,... Many programming languages Many compilers & optimizations Statically linked code Botconf / 51

24 Generic decompilation? Even harder Many architectures x86, ARM, MIPS, PowerPC,... CISC vs. RISC bit length, endianness, floating points versions & extensions Many ABIs Many OFFs (object-file formats) ELF, PE, apple Mach-O,... Many programming languages Many compilers & optimizations Statically linked code... Botconf / 51

25 Retargetable Decompiler (RetDec) Goal generic decompilation of binary code Botconf / 51

26 Retargetable Decompiler (RetDec) Goal generic decompilation of binary code History (AVG + BUT FIT via TAČR TA grant) (AVG + BUT FIT students via diploma theses) 2016 * (Avast + BUT FIT students) Botconf / 51

27 Retargetable Decompiler (RetDec) Goal generic decompilation of binary code History (AVG + BUT FIT via TAČR TA grant) (AVG + BUT FIT students via diploma theses) 2016 * (Avast + BUT FIT students) People 3-4 core developers 20 BSc/MSc/PhD students Botconf / 51

28 Retargetable Decompiler (RetDec) Goal generic decompilation of binary code History (AVG + BUT FIT via TAČR TA grant) (AVG + BUT FIT students via diploma theses) 2016 * (Avast + BUT FIT students) People 3-4 core developers 20 BSc/MSc/PhD students Lines of code 419,451 code 205,222 comments, etc ,673 total Botconf / 51

29 RetDec? What does it do Supports architectures (32-bit): x86, ARM, PowerPC, MIPS OFFs: ELF, PE, COFF, Mach-O, Intel HEX, AR, raw compilers (we test with): gcc, Clang, MSVC Botconf / 51

30 RetDec? What does it do Supports architectures (32-bit): x86, ARM, PowerPC, MIPS OFFs: ELF, PE, COFF, Mach-O, Intel HEX, AR, raw compilers (we test with): gcc, Clang, MSVC Does compiler/packer detection statically linked code detection OS loader simulation recursive traversal disassembling high-level constructions/types reconstruction pattern detection... Botconf / 51

31 RetDec? What does it do Supports architectures (32-bit): x86, ARM, PowerPC, MIPS OFFs: ELF, PE, COFF, Mach-O, Intel HEX, AR, raw compilers (we test with): gcc, Clang, MSVC Does compiler/packer detection statically linked code detection OS loader simulation recursive traversal disassembling high-level constructions/types reconstruction pattern detection... Runs on (hopefully) Botconf / 51

32 Good news everyone! RetDec goes open-source under the MIT license december 2017, shortly after the conference Botconf / 51

33 Good news everyone! RetDec goes open-source under the MIT license december 2017, shortly after the conference Repositories 11 core 6 support 8 third party Contacts info@retdec.com Botconf / 51

34 How to get from EXE to C... Botconf / 51

35 ... by using cool technologies Botconf / 51

36 We need to go deeper! Botconf / 51

37 Preprocessing Botconf / 51

38 Preprocessing Botconf / 51

39 Preprocessing Botconf / 51

40 Preprocessing Botconf / 51

41 Preprocessing Botconf / 51

42 Preprocessing Botconf / 51

43 Preprocessing Botconf / 51

44 Preprocessing Botconf / 51

45 Preprocessing Botconf / 51

46 Preprocessing Botconf / 51

47 Preprocessing Botconf / 51

48 Preprocessing repos Fileformat fileformat, loader, cpdetect, fileinfo, unpacker ar-extractor, macho-extractor,... Botconf / 51

49 Preprocessing repos Fileformat fileformat, loader, cpdetect, fileinfo, unpacker ar-extractor, macho-extractor,... PeLib strengthened new modules (rich header, delayed imports, security dir,... ) Botconf / 51

50 Preprocessing repos Fileformat fileformat, loader, cpdetect, fileinfo, unpacker ar-extractor, macho-extractor,... PeLib strengthened new modules (rich header, delayed imports, security dir,... ) ELFIO strengthened Botconf / 51

51 Preprocessing repos Fileformat fileformat, loader, cpdetect, fileinfo, unpacker ar-extractor, macho-extractor,... PeLib strengthened new modules (rich header, delayed imports, security dir,... ) ELFIO strengthened PDBparser will hopefully be replaced by LLVM parsers Botconf / 51

52 Preprocessing repos Fileformat fileformat, loader, cpdetect, fileinfo, unpacker ar-extractor, macho-extractor,... PeLib strengthened new modules (rich header, delayed imports, security dir,... ) ELFIO strengthened PDBparser will hopefully be replaced by LLVM parsers Yaracpp YARA C++ wrapper Botconf / 51

53 Core Botconf / 51

54 Core Botconf / 51

55 Core Botconf / 51

56 Core Botconf / 51

57 Core: LLVM dozens of analysis & transform & utility passes dead global elimination, constant propagation, inlining, reassociation, loop optimization, memory promotion, dead store elimination,... Botconf / 51

58 Core: LLVM dozens of analysis & transform & utility passes dead global elimination, constant propagation, inlining, reassociation, loop optimization, memory promotion, dead store elimination,... clang -o hello hello.c -O3 217 passes -targetlibinfo -tti -tbaa -scoped-noalias -assumption-cache-tracker -profile-summary-info -forceattrs -inferattrs -ipsccp -globalopt -domtree -mem2reg -deadargelim -domtree -basicaa -aa -instcombine -simplifycfg -basiccg -globals-aa -prune-eh -inline -functionattrs -argpromotion -domtree -sroa -basicaa -aa -memoryssa -early-cse-memssa -speculative-execution -domtree -basicaa -aa -lazy-value-info -jump-threading... Botconf / 51

59 Core: LLVM IR LLVM IR = LLVM Intermediate Representation kind of assembly language / three address = global i32 define %arg) { %x = load i32, %y = add i32 %x, %arg store i32 return i32 %y } Botconf / 51

60 Core: LLVM IR LLVM IR = LLVM Intermediate Representation kind of assembly language / three address = global i32 define %arg) { %x = load i32, %y = add i32 %x, %arg store i32 return i32 %y } SSA = Static Single Assignment %y = add i32 %x, %arg Load/Store architecture %x = load i32, Functions, arguments, returns, data types (Un)conditional branches, switches Botconf / 51

61 Core: LLVM IR LLVM IR = LLVM Intermediate Representation kind of assembly language / three address = global i32 define %arg) { %x = load i32, %y = add i32 %x, %arg store i32 return i32 %y } SSA = Static Single Assignment %y = add i32 %x, %arg Load/Store architecture %x = load i32, Functions, arguments, returns, data types (Un)conditional branches, switches Universal IR for efficient compiler transformations and analyses Botconf / 51

62 Core: decoder Botconf / 51

63 Core: decoder Botconf / 51

64 Core: decoder Botconf / 51

65 Core: decoder Botconf / 51

66 Core: decoder Botconf / 51

67 Core: decoder Botconf / 51

68 Core: decoder Botconf / 51

69 Core: decoder Botconf / 51

70 Core: Capstone2LlvmIR Capstone insn sequence of LLVM IR Handcoded sequences 32/64-bit x86 1 person 2-3 weeks Botconf / 51

71 Core: Capstone2LlvmIR Capstone insn sequence of LLVM IR Handcoded sequences 32/64-bit x86 1 person 2-3 weeks Architectures (core instruction sets): ARM + Thumb extension 32-bit MIPS 32/64-bit PowerPC 32/64-bit x86 32/64-bit Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Botconf / 51

72 Core: Capstone2LlvmIR Capstone insn sequence of LLVM IR Handcoded sequences 32/64-bit x86 1 person 2-3 weeks Architectures (core instruction sets): ARM + Thumb extension 32-bit MIPS 32/64-bit PowerPC 32/64-bit x86 32/64-bit Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Decompilation & advanced insns Botconf / 51

73 Would you rather... PMULHUW Multiply Packed Unsigned Integers and Store High Result if (OperandSize == 64) { //PMULHUW instruction with 64-bit operands: Tmp0[0..31] = Dst[0..15] * Src[0..15]; Tmp1[0..31] = Dst[16..31] * Src[16..31]; Tmp2[0..31] = Dst[32..47] * Src[32..47]; Tmp3[0..31] = Dst[48..63] * Src[48..63]; Dst[0..15] = Tmp0[16..31]; Dst[16..31] = Tmp1[16..31]; Dst[32..47] = Tmp2[16..31]; Dst[48..63] = Tmp3[16..31]; } else { //PMULHUW instruction with 128-bit operands: // Even longer... } asm_pmulhuw(mm1, mm2); Botconf / 51

74 Core: Capstone2LlvmIR Capstone insn sequence of LLVM IR Handcoded sequences 32/64-bit x86 1 person 2-3 weeks Architectures (core instruction sets): ARM + Thumb extension 32-bit MIPS 32/64-bit PowerPC 32/64-bit x86 32/64-bit Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Decompilation & advanced insns Botconf / 51

75 Core: Capstone2LlvmIR Capstone insn sequence of LLVM IR Handcoded sequences 32/64-bit x86 1 person 2-3 weeks Architectures (core instruction sets): ARM + Thumb extension 32-bit MIPS 32/64-bit PowerPC 32/64-bit x86 32/64-bit Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Decompilation & advanced insns full semantics only for simple instructions Botconf / 51

76 Core: Capstone2LlvmIR Capstone insn sequence of LLVM IR Handcoded sequences 32/64-bit x86 1 person 2-3 weeks Architectures (core instruction sets): ARM + Thumb extension 32-bit MIPS 32/64-bit PowerPC 32/64-bit x86 32/64-bit Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Decompilation & advanced insns full semantics only for simple instructions Implementation details, testing framework (Keystone Engine + LLVM emulator), keeping LLVM IR ASM mapping,... Botconf / 51

77 Core: Capstone2LlvmIR Capstone insn sequence of LLVM IR Handcoded sequences 32/64-bit x86 1 person 2-3 weeks Architectures (core instruction sets): ARM + Thumb extension 32-bit MIPS 32/64-bit PowerPC 32/64-bit x86 32/64-bit Capstone: 64-bit ARM, SPARC, SYSZ, XCore, m68k, m680x, TMS320C64x Decompilation & advanced insns full semantics only for simple instructions Implementation details, testing framework (Keystone Engine + LLVM emulator), keeping LLVM IR ASM mapping,... Botconf / 51

78 Core: low-level passes Botconf / 51

79 Core: low-level passes Botconf / 51

80 Core: assembly generation Botconf / 51

81 Core: high-level passes Botconf / 51

82 Core repos RetDec bin2llvmir library bin2llvmirtool Botconf / 51

83 Core repos RetDec bin2llvmir library bin2llvmirtool Capstone2LlvmIR Capstone instruction to LLVM IR translation Botconf / 51

84 Core repos RetDec bin2llvmir library bin2llvmirtool Capstone2LlvmIR Capstone instruction to LLVM IR translation Capstone-dumper what does Capstone know about any instruction Botconf / 51

85 Core repos RetDec bin2llvmir library bin2llvmirtool Capstone2LlvmIR Capstone instruction to LLVM IR translation Capstone-dumper what does Capstone know about any instruction Fnc-patterns statically linked function pattern creation and detection Botconf / 51

86 Core repos RetDec bin2llvmir library bin2llvmirtool Capstone2LlvmIR Capstone instruction to LLVM IR translation Capstone-dumper what does Capstone know about any instruction Fnc-patterns statically linked function pattern creation and detection Yaramod YARA to AST parsing & C++ API to build new YARA rulesets Botconf / 51

87 Core repos RetDec bin2llvmir library bin2llvmirtool Capstone2LlvmIR Capstone instruction to LLVM IR translation Capstone-dumper what does Capstone know about any instruction Fnc-patterns statically linked function pattern creation and detection Yaramod YARA to AST parsing & C++ API to build new YARA rulesets Ctypes extraction and presentation of C function data types Botconf / 51

88 Core repos RetDec bin2llvmir library bin2llvmirtool Capstone2LlvmIR Capstone instruction to LLVM IR translation Capstone-dumper what does Capstone know about any instruction Fnc-patterns statically linked function pattern creation and detection Yaramod YARA to AST parsing & C++ API to build new YARA rulesets Ctypes extraction and presentation of C function data types Demangler gcc/clang, Microsoft Visual C++, and Borland C++ Botconf / 51

89 Backend Botconf / 51

90 Backend Botconf / 51

91 Backend Botconf / 51

92 Backend: BIR is an AST BIR = Backend IR AST = Abstract syntax tree while (x < 20){ x = x + (y * 2); } Botconf / 51

93 Backend: code structuring LLVM IR: only (un)conditional branches & switches identify high-level control-flow patterns restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf / 51

94 Backend: code structuring LLVM IR: only (un)conditional branches & switches identify high-level control-flow patterns restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf / 51

95 Backend: code structuring LLVM IR: only (un)conditional branches & switches identify high-level control-flow patterns restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf / 51

96 Backend: code structuring LLVM IR: only (un)conditional branches & switches identify high-level control-flow patterns restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf / 51

97 Backend: code structuring LLVM IR: only (un)conditional branches & switches identify high-level control-flow patterns restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf / 51

98 Backend: code structuring LLVM IR: only (un)conditional branches & switches identify high-level control-flow patterns restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf / 51

99 Backend: code structuring LLVM IR: only (un)conditional branches & switches identify high-level control-flow patterns restructure BIR: if-else, for-loop, while-loop, switch, break, continue Botconf / 51

100 Backend: optimizations copy propagation reducing the number of variables Botconf / 51

101 Backend: optimizations copy propagation reducing the number of variables arithmetic expression simplification a a + 3 Botconf / 51

102 Backend: optimizations copy propagation reducing the number of variables arithmetic expression simplification a a + 3 negation optimization if (!(a == b)) if (a!= b) Botconf / 51

103 Backend: optimizations copy propagation reducing the number of variables arithmetic expression simplification a a + 3 negation optimization if (!(a == b)) if (a!= b) pointer arithmetic *(a + 4) a[4] Botconf / 51

104 Backend: optimizations copy propagation reducing the number of variables arithmetic expression simplification a a + 3 negation optimization if (!(a == b)) if (a!= b) pointer arithmetic *(a + 4) a[4] conversion of while (true){... if (cond) break;... } for (cond){... } while (cond){... } Botconf / 51

105 Backend: optimizations copy propagation reducing the number of variables arithmetic expression simplification a a + 3 negation optimization if (!(a == b)) if (a!= b) pointer arithmetic *(a + 4) a[4] conversion of while (true){... if (cond) break;... } for (cond){... } while (cond){... } conversion of if/else-if/else chains to switch Botconf / 51

106 Backend: optimizations copy propagation reducing the number of variables arithmetic expression simplification a a + 3 negation optimization if (!(a == b)) if (a!= b) pointer arithmetic *(a + 4) a[4] conversion of while (true){... if (cond) break;... } for (cond){... } while (cond){... } conversion of if/else-if/else chains to switch... Botconf / 51

107 Backend: code generation variable name assignment induction variables: for (i = 0; i < 10; ++i) function arguments: a1, a2, a3,... general context names: return result; stdlib context names: int len = strlen(); Botconf / 51

108 Backend: code generation variable name assignment induction variables: for (i = 0; i < 10; ++i) function arguments: a1, a2, a3,... general context names: return result; stdlib context names: int len = strlen(); stdlib context literals var_ffff7dc6 = socket(2, 3, 255) Botconf / 51

109 Backend: code generation variable name assignment induction variables: for (i = 0; i < 10; ++i) function arguments: a1, a2, a3,... general context names: return result; stdlib context names: int len = strlen(); stdlib context literals var_ffff7dc6 = socket(2, 3, 255) sock_id = socket(pf_inet, SOCK_RAW, IPPROTO_RAW) Botconf / 51

110 Backend: code generation variable name assignment induction variables: for (i = 0; i < 10; ++i) function arguments: a1, a2, a3,... general context names: return result; stdlib context names: int len = strlen(); stdlib context literals var_ffff7dc6 = socket(2, 3, 255) sock_id = socket(pf_inet, SOCK_RAW, IPPROTO_RAW) flock(sock_id, 7) flock(sock_id, LOCK_SH LOCK_EX LOCK_NB) Botconf / 51

111 Backend: code generation variable name assignment induction variables: for (i = 0; i < 10; ++i) function arguments: a1, a2, a3,... general context names: return result; stdlib context names: int len = strlen(); stdlib context literals var_ffff7dc6 = socket(2, 3, 255) sock_id = socket(pf_inet, SOCK_RAW, IPPROTO_RAW) flock(sock_id, 7) flock(sock_id, LOCK_SH LOCK_EX LOCK_NB) output generation C CFG = Control-Flow Graph Call Graph Botconf / 51

112 Backend repos RetDec llvmir2hll library llvmir2hlltool Botconf / 51

113 How to use RetDec Online decompilation service Botconf / 51

114 How to use RetDec Online decompilation service REST API Botconf / 51

115 How to use RetDec Online decompilation service REST API Build it yourself CMake, gcc/clang, Visual Studio 2015 Update 2 Perl, GNU Bison, Flex, GNU Tar, scp, GNU bash, UPX, dot Recursively clone the main RetDec repository mkdir build && cd build cmake.. make && make install Botconf / 51

116 How to use RetDec Online decompilation service REST API Build it yourself CMake, gcc/clang, Visual Studio 2015 Update 2 Perl, GNU Bison, Flex, GNU Tar, scp, GNU bash, UPX, dot Recursively clone the main RetDec repository mkdir build && cd build cmake.. make && make install Run it yourself decompile.sh binary.exe Botconf / 51

117 How to use RetDec Online decompilation service REST API Build it yourself CMake, gcc/clang, Visual Studio 2015 Update 2 Perl, GNU Bison, Flex, GNU Tar, scp, GNU bash, UPX, dot Recursively clone the main RetDec repository mkdir build && cd build cmake.. make && make install Run it yourself decompile.sh binary.exe Get RetDec IDA plugin Botconf / 51

118 What is RetDec IDA plugin Botconf / 51

119 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

120 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

121 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

122 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

123 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

124 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

125 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

126 How does RetDec IDA plugin work Goals look & feel native same object names as IDA interactive Botconf / 51

127 RetDec IDA plugin is interactive Botconf / 51

128 How was RetDec used so far retdec.com launched on Botconf / 51

129 How was RetDec used so far retdec.com launched on ,000 registered users Botconf / 51

130 How was RetDec used so far retdec.com launched on ,000 registered users 423,000 decompilations 350,000 Web 73,000 API 410 decompilations daily Botconf / 51

131 Real example #1: Vawtrak (x86) Botconf / 51

132 Real example #2: Vawtrak (x86) Botconf / 51

133 Real example #3: CryproWall (x86) Botconf / 51

134 Real example #4: Psyb0t (mips) RetDec Botconf / 51

135 Real example #5: Psyb0t (mips) RetDec main ip2c system flock function_ function_404b1c fileno backup Daemonize RSeed getip fetch sleep strcmp xdec fopen fread fclose fork exit gettimeofday srand snprintf strncmp parse strncpy strlen Botconf / 51

136 Should you throw away your Hex-Rays? Botconf / 51

137 Should you throw away your Hex-Rays? IDA and Hex-Rays are great output quality interactive seamlessly integrated mature many plugins official support NO! Botconf / 51

138 Should you throw away your Hex-Rays? IDA and Hex-Rays are great output quality interactive seamlessly integrated mature many plugins official support IDA and Hex-Rays have flaws not free proprietary big monolithic GUI app NO! Botconf / 51

139 RetDec is handy because... Obvious reasons it is free + MIPS architecture MIT license you can play with the sources Botconf / 51

140 RetDec is handy because... Obvious reasons it is free + MIPS architecture MIT license you can play with the sources Not so obvious reasons LLVM is awesome Botconf / 51

141 RetDec is handy because... Obvious reasons it is free + MIPS architecture MIT license you can play with the sources Not so obvious reasons LLVM is awesome different basic designs: interactive GUI vs. pipeline Botconf / 51

142 RetDec is handy because... Obvious reasons it is free + MIPS architecture MIT license you can play with the sources Not so obvious reasons LLVM is awesome different basic designs: interactive GUI vs. pipeline LLVM is OP (don t worry, it won t be nerfed) Botconf / 51

143 RetDec is not only decompiler RetDec the decompiler RetDec IDA plugin Hex-Rays impersonation Botconf / 51

144 RetDec is not only decompiler RetDec the decompiler RetDec IDA plugin Hex-Rays impersonation Fileformat generic OFF parsing and analysis Capstone2LlvmIR binary to LLVM translation Fnc-patterns statically linked code detection in YARA (IDA F.L.I.R.T.) Yaramod hack YARA rules in C++ Yaracpp YARA C++ wrapper Ctypes info on function types Botconf / 51

145 What s next Release the sources on Github shortly after the conference Botconf / 51

146 What s next Release the sources on Github shortly after the conference Throw a release party Botconf / 51

147 What s next Release the sources on Github shortly after the conference Throw a release party Solve some inevitable hey guys, I m unable to build your repo Botconf / 51

148 What s next Release the sources on Github shortly after the conference Throw a release party Solve some inevitable hey guys, I m unable to build your repo Write more technical documentation on how it all works Botconf / 51

149 What s next Release the sources on Github shortly after the conference Throw a release party Solve some inevitable hey guys, I m unable to build your repo Write more technical documentation on how it all works Present it somewhere (maybe LLVM dev meeting) Botconf / 51

150 What s next Release the sources on Github shortly after the conference Throw a release party Solve some inevitable hey guys, I m unable to build your repo Write more technical documentation on how it all works Present it somewhere (maybe LLVM dev meeting) Continue improving the implementation make it more portable: Bash Python, bit architectures supports replace some libraries & modules Botconf / 51

151 What s next Release the sources on Github shortly after the conference Throw a release party Solve some inevitable hey guys, I m unable to build your repo Write more technical documentation on how it all works Present it somewhere (maybe LLVM dev meeting) Continue improving the implementation make it more portable: Bash Python, bit architectures supports replace some libraries & modules We will see... Botconf / 51

152 That s all folks Thanks! Contacts info@retdec.com Botconf / 51