Add the ability to use the contents of library files to enhance the decompilation process #753

Open
Cairn23 opened this issue Mar 20, 2019 · 3 comments
Labels: enhancement (This is a feature request)

Cairn23 commented Mar 20, 2019

By using the contents of a library file, function names and the binary that makes up the function can be utilised to enhance the decompilation process. IDA has a tech called FLIRT which does this.
In the standard compilation process, library files are linked into the exe, copying the relevant parts into the bin. You cannot do a straight search for the library binary, as optimisers cut out bits that are not used, and the linker process will change some byte values as they are addresses.

It will require an application to create signature files, which will in effect scan the library file to produce a list of the function names and the binary pattern that makes up the app. This will be saved away as a signature file. This app will have to process COFF, ELF and MACHO, but I would recommend that you need to understand instruction sets here.
Then within Reko, as part of the decompilation process, after the functions have been identified, a search will be required to see if a pattern match exists, but it will have to take into account that some byte values have changed due to the change of address values. It will require that the disassemblers identify which instructions contain an operand which is an address; in this case the operand values will be ignored.

To do this, the best way is to load all the signature files into a tree-like structure; then, as a function is checked, if the operand is identified as an address, the process will jump down the size of the operand, then check for the next byte match. This will continue until the function being examined has no more bytes to check; if at this point the tree has a leaf which contains a function name, the function being examined is renamed.
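The tree lookup described in the comment above, sketched as an added example in Python; it is not code from the issue author or from Reko. The `??` wildcard notation, the function names and the byte patterns are assumptions constructed for illustration, and address-operand bytes are recorded in the signature itself rather than reported by a disassembler.

```python
# Added illustration: signature names and byte patterns are constructed samples.
WILD = None  # trie key for a byte inside an address operand


class Node:
    def __init__(self):
        self.children = {}  # byte value (0-255) or WILD -> Node
        self.name = None    # set when a signature ends at this node


def parse_pattern(text):
    """'E8 ?? ?? ?? ??' -> [0xE8, WILD, WILD, WILD, WILD]"""
    return [WILD if tok == "??" else int(tok, 16) for tok in text.split()]


def build_trie(signatures):
    root = Node()
    for name, pattern in signatures:
        node = root
        for key in parse_pattern(pattern):
            node = node.children.setdefault(key, Node())
        node.name = name
    return root


def match(root, code):
    """Return the name whose pattern covers all of `code`, else None."""
    stack = [(root, 0)]
    while stack:
        node, i = stack.pop()
        if i == len(code):
            if node.name is not None:
                return node.name
            continue
        # Push the wildcard branch first so the exact-byte branch is tried first.
        for key in (WILD, code[i]):
            child = node.children.get(key)
            if child is not None:
                stack.append((child, i + 1))
    return None


# Constructed 32-bit x86 samples; "??" covers bytes the linker rewrites.
SIGNATURES = [
    ("_init_helper", "55 8B EC E8 ?? ?? ?? ?? 5D C3"),  # call rel32
    ("_get_counter", "A1 ?? ?? ?? ?? C3"),              # mov eax, [addr]
    ("_get_zero", "33 C0 C3"),                          # no address operand
]
TRIE = build_trie(SIGNATURES)

if __name__ == "__main__":
    print(match(TRIE, bytes.fromhex("558BECE8102030005DC3")))
```

Two copies of the same library function linked at different addresses reach the same leaf, while a function with extra trailing bytes or one that stops partway down a branch gets no name.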

Cairn23 commented Mar 20, 2019

Branch created for this, called Signature-recognition

@uxmal uxmal added the enhancement This is a feature request label Apr 3, 2019

Cairn23 commented Apr 9, 2019

I have created the COFF, ELF, and archive processing, so that Signatures can be created. I have also added the code into the decompiler so that the signature files can be used against the binary being processed.

Cairn23 commented Apr 14, 2019

Xref to PR769 for check-ins
