[Repost] IDA Decompiler 0.1 by Einstein
2013-7-16 23:57 (10945 views)

IDA Decompiler 0.1 by Einstein
https://github.com/EiNSTeiN-/ida-decompiler
This is an IDA plugin which can decompile one function at a time. To try it in IDA, place your cursor on a function, and execute the plugin. The decompiled function will appear in the output window.

It is currently capable of decompiling small functions with fairly simple control flow. It may also be able to decompile larger functions by pure luck. It shows what can be done in a few thousand lines of Python.

The first analysis phase transforms every instruction into a form very close to static single assignment (SSA) form. For example, add eax, 1 becomes eax = eax + 1. Instructions with more than one side effect (such as push, pop, leave, etc.) are expanded into their more basic operations, so that pop edi becomes edi = *(esp) followed by esp = esp + 4.

This phase also attempts to track modifications to the eflags register. All status bits are supported, although only zf, cf, of and sf have a proper decompiled representation; af and pf are displayed as ADJUST(...) and PARITY(...) respectively. Modifications to eflags are tracked by emitting assignments to special registers (named %eflags.*). When a jump instruction is later encountered, the corresponding condition is emitted with these eflags registers as operands; for example, jz is emitted as if(%eflags.zf == 0). Unused eflags assignments are then eliminated as dead code, and used ones are propagated the normal way when uses are replaced by their definitions.

The second analysis phase tracks definition-use chains. When an assignment takes place, a new def-use chain is created. All following uses of that register are attached to the chain until a subsequent assignment to the same register takes place. This makes it possible to determine which registers are 'active' at a specific location during the execution of the function.

In this phase, def-use chains are simplified by replacing uses by their definitions until a definition has no more uses, at which point it is eliminated as dead code.

In the final phase, basic blocks are combined to form more complex control structures. Basic algorithms are applied iteratively in an attempt to build more complex statements such as if, while and do-while from simple if(...) goto constructs.
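
The first phase described above, as an added example that is not part of the original post or of ida-decompiler: a small lowering routine that turns x86 disassembly text into the single-effect assignment form, expands push/pop/leave, records flag updates in %eflags.* pseudo-registers and turns conditional jumps into if(...) goto. It follows the README's convention that a flag pseudo-register holds the expression the flag was derived from, so that the jump compares it with 0 (jz becomes if(%eflags.zf == 0)); the mnemonic table, the [base+disp] operand conversion and "return eax" for ret are this example's own assumptions, as is the sample listing.

```python
"""Lowering x86 instructions into single-effect assignments.

Added example, not code from ida-decompiler.  Disassembly text such as
"pop edi" becomes the statement strings the README describes: one
assignment per side effect, flag updates written to %eflags.* pseudo-
registers, conditional jumps rewritten as if(...) goto.  Only the
mnemonics handled below are covered; anything else raises.
"""
from typing import List

WORD = 4  # 32-bit stack slots, matching the README's "esp = esp + 4"

# Status flags that get a pseudo-register.  Reading the README's example
# (jz -> if(%eflags.zf == 0)) as: each pseudo-register is assigned the
# expression the flag was derived from, and the jump compares it with 0.
FLAGS = ("zf", "sf", "cf", "of")

# Conditional jumps whose condition is one flag compared against zero.
# Jumps that combine flags (jl = sf != of, jbe = cf | zf, ...) are omitted.
JCC = {
    "jz": ("zf", "=="), "je": ("zf", "=="),
    "jnz": ("zf", "!="), "jne": ("zf", "!="),
    "js": ("sf", "<"), "jns": ("sf", ">="),
}
ALU = {"add": "+", "sub": "-", "and": "&", "xor": "^"}


def _operand(text: str) -> str:
    """IDA's [base+disp] memory syntax becomes the README's *(base+disp)."""
    text = text.strip()
    return f"*({text[1:-1]})" if text.startswith("[") and text.endswith("]") else text


def _flags(expr: str) -> List[str]:
    """One assignment per status flag, all derived from expr."""
    return [f"%eflags.{f} = {expr}" for f in FLAGS]


def lower(insn: str) -> List[str]:
    """Lower one instruction ("add eax, 1") into a list of statements."""
    mnem, _, rest = insn.strip().partition(" ")
    ops = [_operand(o) for o in rest.split(",")] if rest else []
    if mnem == "mov":
        return [f"{ops[0]} = {ops[1]}"]
    if mnem in ALU:
        dst, src = ops
        # flags describe the new value of dst, so they are emitted after
        # the assignment and read the updated register
        return [f"{dst} = {dst} {ALU[mnem]} {src}"] + _flags(dst)
    if mnem == "cmp":            # sub that discards its result
        return _flags(f"{ops[0]} - {ops[1]}")
    if mnem == "test":           # and that discards its result
        return _flags(f"{ops[0]} & {ops[1]}")
    if mnem == "push":
        return [f"esp = esp - {WORD}", f"*(esp) = {ops[0]}"]
    if mnem == "pop":
        return [f"{ops[0]} = *(esp)", f"esp = esp + {WORD}"]
    if mnem == "leave":          # mov esp, ebp ; pop ebp
        return ["esp = ebp", "ebp = *(esp)", f"esp = esp + {WORD}"]
    target = ops[0].split()[-1] if ops else ""   # drops IDA's "short"
    if mnem == "jmp":
        return [f"goto {target}"]
    if mnem in JCC:
        flag, rel = JCC[mnem]
        return [f"if (%eflags.{flag} {rel} 0) goto {target}"]
    if mnem == "ret":
        return ["return eax"]    # assumption: integer return value in eax
    raise NotImplementedError(f"no lowering for {insn!r}")


def lower_listing(listing: str) -> List[str]:
    """Lower a multi-line listing; "name:" label lines pass through."""
    out: List[str] = []
    for line in listing.splitlines():
        line = line.strip()
        if line:
            out.extend([line] if line.endswith(":") else lower(line))
    return out


if __name__ == "__main__":
    # constructed listing, not taken from a real binary
    for stmt in lower_listing("""
        push ebp
        mov ebp, esp
        mov eax, [ebp+8]
        cmp eax, 5
        jz short loc_equal
        xor eax, eax
    loc_equal:
        leave
        ret
    """):
        print(stmt)
```

Every flag assignment is emitted even when nothing reads it; that is deliberate, since the README leaves the cleanup to the def-use phase, where unused %eflags.* definitions fall out as dead code.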

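The def-use chain construction, use-by-definition replacement and dead-code elimination described above, as an added example that is not the project's code. It works on one basic block of statements in the README's notation and takes the set of registers live at block exit as a parameter, since a block-local pass cannot know that by itself (a whole function needs reaching definitions over the CFG); the sample block, the register set and the safety rules for propagation are this example's own assumptions.

```python
"""Def-use chains, use-by-definition replacement and dead-code elimination
over one basic block of lowered statements.

Added example, not ida-decompiler's code.  Statements are strings in the
README's form ("edi = *(esp)", "%eflags.zf = ecx - 5",
"if (%eflags.zf == 0) goto loc_equal").  The pass is block-local, so the
caller must say which registers are live when the block exits; a whole
function needs reaching definitions computed over the CFG instead.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

REG = re.compile(r"%eflags\.[a-z]{2}|\b(?:e[a-d]x|e[sd]i|e[bs]p)\b")
ASSIGN = re.compile(r"^(?P<dst>%eflags\.[a-z]{2}|e[a-z]{2}|\*\(.+?\)) = (?P<src>.+)$")
ATOMIC = re.compile(r"\w+|%eflags\.\w+|\*\([^()]*\)")   # needs no parentheses


def split(stmt: str) -> Tuple[Optional[str], str]:
    """(destination, expression); destination is None for if/goto/return
    and "*(...)" for a store, which is never treated as a register def."""
    m = ASSIGN.match(stmt)
    return (m.group("dst"), m.group("src")) if m else (None, stmt)


def is_reg_def(stmt: str) -> bool:
    dst, _ = split(stmt)
    return dst is not None and not dst.startswith("*")


def build_chains(stmts: List[str], live_out: Set[str]) -> Dict[int, List[int]]:
    """Map each defining statement index to the indices that use it.
    len(stmts) is a sentinel index: 'used after the block' for live_out."""
    chains: Dict[int, List[int]] = {}
    reaching: Dict[str, int] = {}            # register -> its current def
    for i, stmt in enumerate(stmts):
        dst, src = split(stmt)
        read = src if is_reg_def(stmt) else stmt   # a store reads its address
        for reg in set(REG.findall(read)):
            if reg in reaching:
                chains[reaching[reg]].append(i)
        if is_reg_def(stmt):
            reaching[dst] = i
            chains[i] = []
    for reg in live_out:
        if reg in reaching:
            chains[reaching[reg]].append(len(stmts))
    return chains


def can_propagate(stmts: List[str], d: int, u: int) -> bool:
    """Safe only if no statement between d and u redefines an operand of
    d's expression, and no store intervenes when that expression loads."""
    if u >= len(stmts):
        return False                         # live-out sentinel
    _, expr = split(stmts[d])
    operands = set(REG.findall(expr))
    for k in range(d + 1, u):
        dst, _ = split(stmts[k])
        if dst in operands:
            return False
        if dst is not None and dst.startswith("*") and "*(" in expr:
            return False
    return True


def substitute(stmt: str, reg: str, expr: str) -> str:
    """Replace reads of reg in stmt with expr (parenthesised unless atomic)."""
    rep = expr if ATOMIC.fullmatch(expr) else f"({expr})"
    pat = re.compile(rf"(?<![\w.]){re.escape(reg)}\b")
    if is_reg_def(stmt):
        dst, src = split(stmt)
        return f"{dst} = {pat.sub(lambda _: rep, src)}"
    return pat.sub(lambda _: rep, stmt)


def simplify_block(stmts: List[str], live_out: Set[str]) -> List[str]:
    """Replace uses by definitions and drop definitions left without uses,
    repeating until nothing changes (the README's second phase)."""
    stmts = list(stmts)
    while True:
        chains = build_chains(stmts, live_out)
        dead = {d for d, uses in chains.items() if not uses}
        if dead:
            stmts = [s for i, s in enumerate(stmts) if i not in dead]
            continue
        for d, uses in sorted(chains.items()):
            if all(can_propagate(stmts, d, u) for u in uses):
                reg, expr = split(stmts[d])
                for u in uses:
                    stmts[u] = substitute(stmts[u], reg, expr)
                del stmts[d]
                break
        else:
            return stmts


# constructed block: "mov edx,[ebp+8]; mov ecx,edx; cmp ecx,5; mov eax,0; jz"
SAMPLE_BLOCK = [
    "edx = *(ebp + 8)",
    "ecx = edx",
    "%eflags.zf = ecx - 5",
    "%eflags.sf = ecx - 5",
    "%eflags.cf = ecx - 5",
    "%eflags.of = ecx - 5",
    "eax = 0",
    "if (%eflags.zf == 0) goto loc_equal",
]

if __name__ == "__main__":
    for stmt in simplify_block(SAMPLE_BLOCK, live_out={"eax"}):
        print(stmt)
```

On the sample block the three unread flag assignments disappear first, then edx and ecx are folded into the zf definition and zf into the branch, leaving only eax = 0 and if ((*(ebp + 8) - 5) == 0) goto loc_equal. A definition is propagated only when all of its uses are safe to rewrite; a register in live_out therefore keeps its definition, and a load is never moved past a store.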

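The structuring step described above, as an added example that is not ida-decompiler's code: a pattern-matching pass that folds if(...) goto statements into if, do-while and while blocks, applied repeatedly so that an inner match can enable an outer one. The three patterns, the rule that a label is folded away only when the folded jump is its sole reference, and the sample listings are this example's own assumptions.

```python
"""Recovering if, do-while and while blocks from if(...) goto statements.

Added example, not ida-decompiler's code.  Input is a flat list of
statement strings with "name:" labels; output is the same list with the
patterns below folded into indented blocks.  Folding repeats until no
pattern matches, so an inner if can enable an outer one.
"""
import re
from typing import List, Optional

IF_GOTO = re.compile(r"^if \((?P<cond>.+)\) goto (?P<target>\w+)$")
LABEL = re.compile(r"^(?P<name>\w+):$")
FLIP = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", ">": "<=", "<=": ">"}


def negate(cond: str) -> str:
    """!cond, written by flipping the operator when cond is one comparison."""
    parts = re.split(r" (==|!=|<=|>=|<|>) ", cond)
    if len(parts) == 3:
        lhs, op, rhs = parts
        return f"{lhs} {FLIP[op]} {rhs}"
    return f"!({cond})"


def simple(stmt: str) -> bool:
    """Neither a label nor a jump; already-folded block lines count too."""
    return not (LABEL.match(stmt) or IF_GOTO.match(stmt) or stmt.startswith("goto "))


def refs(lines: List[str], label: str) -> int:
    """Number of jumps (conditional or not) that target label."""
    return sum(1 for s in lines if re.search(rf"\bgoto {label}\b", s))


def label_index(lines: List[str], label: str) -> Optional[int]:
    return next((i for i, s in enumerate(lines) if s == f"{label}:"), None)


def fold_once(lines: List[str]) -> bool:
    """Apply the first matching pattern in place; False when none matches."""
    for i, stmt in enumerate(lines):
        m = IF_GOTO.match(stmt)
        if not m:
            continue
        cond, target = m.group("cond"), m.group("target")
        j = label_index(lines, target)
        if j is None or refs(lines, target) != 1:
            continue                     # unknown or shared label: keep goto
        body = lines[i + 1:j]
        # while:  L: if (c) goto E; body; goto L; E:  ->  while (!c) { body }
        if (j > i + 1 and i > 0 and LABEL.match(lines[i - 1])
                and lines[j - 1] == f"goto {lines[i - 1][:-1]}"
                and refs(lines, lines[i - 1][:-1]) == 1
                and all(simple(s) for s in body[:-1])):
            lines[i - 1:j + 1] = [f"while ({negate(cond)}) {{",
                                  *("    " + s for s in body[:-1]), "}"]
            return True
        # forward skip:  if (c) goto L; body; L:  ->  if (!c) { body }
        if j > i + 1 and all(simple(s) for s in body):
            lines[i:j + 1] = [f"if ({negate(cond)}) {{",
                              *("    " + s for s in body), "}"]
            return True
        # backward jump:  L: body; if (c) goto L  ->  do { body } while (c)
        body = lines[j + 1:i]
        if i > j + 1 and all(simple(s) for s in body):
            lines[j:i + 1] = ["do {", *("    " + s for s in body),
                              f"}} while ({cond})"]
            return True
    return False


def structure(lines: List[str]) -> List[str]:
    """Fold patterns until a fixed point; leftovers stay as labels/gotos."""
    lines = list(lines)
    while fold_once(lines):
        pass
    return lines


# constructed input: a counting loop followed by a conditional assignment
SAMPLE_FLAT = [
    "eax = 0",
    "loc_loop:",
    "eax = eax + 1",
    "if (eax < 10) goto loc_loop",
    "if (ecx == 0) goto loc_done",
    "edx = 1",
    "loc_done:",
    "return eax",
]

if __name__ == "__main__":
    print("\n".join(structure(SAMPLE_FLAT)))
```

Whatever the patterns cannot match stays as labels and gotos, which is the honest behaviour for a label with several incoming jumps or for irreducible control flow; that is also where the "by pure luck" remark about larger functions comes from, since each further pattern added here only widens what the fixed-point loop can fold.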

Latest replies (5)
唯一色彩 2013-7-17 01:15 #2
Thanks for your hard work, mod~ ~
chixiaojie 2013-7-17 09:53 #3
How do you use this? Is there any documentation or a usage tutorial for it?
FlashK 2013-7-20 15:47 #4
An unpacking plugin? Does it support that 6.4 plus version?
linhanshi 2013-7-21 00:28 #5
https://github.com/EiNSTeiN-/ida-decompiler
tihty 2 2013-7-21 09:33 #6
"It is currently capable of decompiling small functions with fairly simple control flow. It may also be able to decompile larger functions by pure luck" ..