The anti-malware company Avast announced the release of its retargetable machine-code decompiler (RetDec) as open source in an effort to boost the fight against malicious code.
RetDec, short for Retargetable Decompiler, was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology and AVG Technologies. Avast acquired AVG Technologies in 2016.
RetDec is now available to anyone on GitHub under the MIT license, which means that security experts can modify its source code and redistribute it.
RetDec is a retargetable machine-code decompiler based on LLVM that experts can use to perform platform-independent analysis of executable files.
Avast decided to open-source the Retargetable Decompiler to provide “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”
The utility includes support for multiple platforms, different architectures, file formats, and compilers.
“The decompiler is not limited to any particular target architecture, operating system, or executable file format:
The tool currently supports only Windows (7 or later) and Linux, but pre-built packages are available only for Windows.
RetDec features are:
Courtesy of an IDA (Interactive Disassembler) plugin, the utility is able to decompile files directly from the IDA disassembler.
RetDec is a powerful utility that allows optimized reconstruction of the original source code “by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications.”
Avast also provides a web service for in-browser decompilation, an IDA plugin, and a REST API that allows the creation of apps that can interact with RetDec through HTTP requests.
The decompiler can be used via the API through retdec-python.
(Security Affairs – malware, decompiler)