Avast launches open-source decompiler for machine code

Greg S

Posts: 1,607   +442

Keeping up with the latest malware and virus threats is a daunting task, even for industry professionals. Any device connected to the Internet is a target for being infected and abused. In order to stop attacks from happening, there needs to be an understanding of how they work so that a prevention method can be developed.

To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS.

As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service.

Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software.

For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software.

Permalink to story.

 

psycros

Posts: 3,230   +3,475
I guess I'll go ahead and state the obvious: if it can be used to decompile machine code then it can be used to facilitate the spread of more convincing and harder-to-detect viruses. Sort of defeats the purpose...unless Avast's next big product will be a software verification service. I hope it hasn't come to that.
 

ET3D

Posts: 1,721   +370
I wonder how well it would work for complex projects like games. There are a lot of games with lost source code which could use updates.
 
  • Like
Reactions: trgz

jobeard

Posts: 13,985   +1,782
In the exhibit shown (which is totally fallacious), a true decompiler CAN NOT produce any of the code comments as the binary image has none within it -- they are stripped in the compile process. For sensitive code, a post-processor is sometimes used to scramble function names so as to make reading still more difficult, eg:
  • getSysName(xx) may become something like egmeatsnys(x1)