Publication detail

Advanced Static Analysis for Decompilation Using Scattered Context Grammars

ĎURFINA, L. KŘOUSTEK, J. ZEMEK, P. KOLÁŘ, D. HRUŠKA, T. MASAŘÍK, K. MEDUNA, A.

Original Title

Advanced Static Analysis for Decompilation Using Scattered Context Grammars

Type

conference paper

Language

en

Original Abstract

Reverse program compilation (i.e. decompilation) is a process heavily exploited in reverse engineering. The task of decompilation is to transform a platform-specific executable into a high-level language representation, which is usually the C language. Such a process can be used for source code reconstruction, compiler testing, malware analysis, etc. At present, there are several existing decompilers that are able to decompile simple applications. However, we can see a drop-off in terms of the quality of the generated code when the decompiled code is highly optimized (e.g. usage of instruction idioms) or obfuscated (e.g. dead code insertion, register renaming). Optimized or obfuscated applications are usually generated by highly optimizing compilers or metamorphic engines (used by malware authors). In this paper, we present several innovative decompilation methods based on scattered context grammars. These methods are able to effectively decompile optimized or obfuscated code. For demonstration, we used these methods for enhancement of the static analysis phase of an existing decompiler. Experimental results of our solution are presented at the end of the paper.

Keywords

decompilation, Lissom, static analysis, LLVM IR, scattered context grammars

RIV year

2011

Released

17.11.2011

Publisher

World Scientific and Engineering Academy

Location

Angers

ISBN

978-1-61804-051-0

Book

Proceedings of the Applied Computing Conference 2011 (ACC'11)

Edition

not stated

Edition number

not stated

Pages from

164

Pages to

169

Pages count

6

BibTeX


@inproceedings{BUT76457,
  author="Lukáš {Ďurfina} and Jakub {Křoustek} and Petr {Zemek} and Dušan {Kolář} and Tomáš {Hruška} and Karel {Masařík} and Alexandr {Meduna}",
  title="Advanced Static Analysis for Decompilation Using Scattered Context Grammars",
  annote="Reverse program compilation (i.e. decompilation) is a process heavily exploited
in reverse engineering. The task of decompilation is to transform
a platform-specific executable into a high-level language representation, which
is usually the C language. Such a process can be used for source code
reconstruction, compiler testing, malware analysis, etc. In present, there are
several existing decompilers that are able to decompile simple applications.
However, we can see a drop-off in terms of the quality of the generated code when
the decompiled code is highly optimized (e.g. usage of instruction idioms) or
obfuscated (e.g. dead code insertion, register renaming). Optimized or obfuscated
applications are usually generated by highly optimizing compilers or metamorphic
engines (used by malware authors). In this paper, we present several innovative
decompilation methods based on scattered context grammars. These methods are able
to effectively decompile optimized or obfuscated code. For demonstration, we used
these methods for enhancement of the static analysis phase of an existing
decompiler. Experimental results of our solution are presented at the end of the
paper.",
  address="World Scientific and Engineering Academy",
  booktitle="Proceedings of the Applied Computing Conference 2011 (ACC'11)",
  chapter="76457",
  edition="NEUVEDEN",
  howpublished="print",
  institution="World Scientific and Engineering Academy",
  year="2011",
  month="november",
  pages="164--169",
  publisher="World Scientific and Engineering Academy",
  type="conference paper"
}