Avast releases machine-code decompiler RetDec
Computer security heavyweight Avast released its machine-code decompiler RetDec as an open source tool to the public recently.
The company worked on RetDec for seven years, and released the decompiler "to help the cybersecurity community fight malicious software". The decompiler can be used to analyze a program without running it.
Basically, what a decompiler does is take an executable file as input, to source code. It is pretty much the exact opposite of a compiler, a program that turns source code into executable files.
Decompilers cannot reconstruct the source code of a program with 100% accuracy usually, and the fact that most malware authors do use obfuscation techniques and other protective measures make it even harder.
RetDec supports different architectures and formats, and uses algorithms to improve the accuracy of the resulting code.
RetDec addresses the above mentioned issues by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications. RetDec is also the only decompiler of its scale using a proven LLVM infrastructure and provided for free, licensed under MIT.
RetDec is freely available to anyone. You can download the source code from GitHub, or a 32-bit or 64-bit executable file for Windows instead. The release is quite big, the archive has a size of more than 250 Megabytes.
Avast notes that the decompiler supports Windows 7 and newer and Linux currently, and that Mac OS X is supported unofficially.
Setup is unfortunately not as easy as running a program on your machine. The installation instructions list other dependencies that you do need to install on the target machine.
On Windows, it is required to install the Microsoft Visual C++Redistributable for Visual Studio 2015 and other programs listed on the Windows Environment Wiki page. This is best done in a virtual machine or on a machine that is dedicated to that task in my opinion.
The feature set of RetDec according to Avast:
- Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
- Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.
- Static analysis of executable files with detailed information.
- Compiler and packer detection.
- Loading and instruction decoding.
- Signature-based removal of statically linked library code.
- Extraction and utilization of debugging information (DWARF, PDB).
- construction of instruction idioms.
- Detection and reconstruction of C++ class hierarchies (RTTI, vtables).
- Demangling of symbols from C++ binaries (GCC, MSVC, Borland).
- Reconstruction of functions, types, and high-level constructs.
- Integrated disassembler.
- Output in two high-level languages: C and a Python-like language.
- Generation of call graphs, control-flow graphs, and various statistics.
Avast released a web version of RetDec as well, but had to turn it off as it caused an "extremely high load" on company servers.
There is also a plugin for IDA that users of the disassembler may use to run decompilations directly in the software program.
Closing Words
RetDec is a specialized tool that most computer users have no use for. The installation procedure is not super straightforward, but explained well enough on the Wiki. It is open source however, and it seems that Avast has mid and long term plans for the decompiler to improve it further. (via Born)