pts2024

Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code
2024-07-03, 14:00–14:35 (Europe/Paris), Amphitheater

This is a hands-on talk about what you can do with rev.ng, an open source decompiler based on LLVM and QEMU.

We will guide the audience step by step from the raw bytes of a file (think of a firmware image) to decompiled C code.

Then we'll dig into rev.ng's intermediate representation, which is based on LLVM IR, and show which tools can be used on it (e.g., KLEE for symbolic execution).

Finally, we'll show how to use standard tools such as CodeQL and clang-static-analyzer to find bugs in the decompiled C code emitted by rev.ng, which is always syntactically valid.

Everything shown will be 100% reproducible by the audience in real time using rev.ng.


Talk outline:

  • From zero to decompiled C code (interactive demo on terminal)
    • Create a 7-byte raw binary
    • How to load it into rev.ng
    • How to produce disassembly
    • Adding prototypes to functions
    • How to produce decompiled code
  • Why you won't need to do any of the above: importing from ELF, DWARF, PE/COFF, PDB, Mach-O, and .idb.
  • Code analysis
    • Describe our internal IR, hint at analysis tools (e.g., KLEE)
    • Find bugs on a simple binary using CodeQL
    • Find bugs on a simple binary using clang-static-analyzer
  • Status: what you can expect to work
  • Final recap: rev.ng goals and future directions
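As an illustration of the "find bugs using CodeQL" step, here is a minimal CodeQL query of the kind one can run against decompiled C. It is an added example, not code from the talk or from the rev.ng project, and it assumes a CodeQL database has been built from the C emitted by rev.ng (for instance with `codeql database create`, pointing `--command` at a plain `clang -c` of the emitted file). It also assumes the decompiled code calls the libc routines under their real names, which is the case when rev.ng recovered names from imports or debug info (ELF dynamic symbols, DWARF, PDB); on a stripped raw blob the callees carry generic names and a query by libc name finds nothing.

```ql
/**
 * @name Unbounded string copy in decompiled code
 * @description Flags calls to libc routines that copy without a length
 *              bound. Works on rev.ng output only if callee names were
 *              recovered (imports, DWARF, PDB); generic names will not match.
 * @kind problem
 * @problem.severity warning
 * @id example/unbounded-copy-decompiled
 */

import cpp

from FunctionCall call, Function target
where
  target = call.getTarget() and
  // Match on the global (unmangled) name, so the query is independent of
  // how the decompiler spells the declaration.
  target.hasGlobalName(["strcpy", "strcat", "gets", "sprintf"])
select call, "Call to " + target.getName() + " copies without a length bound."
```

Because rev.ng's C is syntactically valid, the same database can also be queried with the standard `cpp` security suites shipped with CodeQL; this query is only the smallest self-contained starting point, and its hits still need confirmation against the recovered prototypes, since a wrong prototype on a function (the "Adding prototypes to functions" step above) changes which arguments the analyzers see.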
See also: Slides

One day while playing a CTF I thought "hey, this decompiler could be done better".

I like C++, LLVM, binaries, Free Software and privacy.

During my dark academia years I presented at USENIX, DEF CON and several other compilers/computer security conferences.

I'm the co-founder of rev.ng Labs, the company developing the rev.ng decompiler.
My activities include overseeing the overall design and maintaining the first half of the decompilation pipeline.