
The Key Technology Research And Implementation Of Decompiler C-Decompiler

Posted on: 2011-07-14
Degree: Master
Type: Thesis
Country: China
Candidate: G B Chen
GTID: 2178360308952675
Subject: Software engineering

Abstract/Summary:
As a key part of reverse engineering, decompilation technology plays a very important role in software security and maintenance. Decompilation originated in the 60s of the last century, only 10 years later than compiler technology. However, it is still far from mature, and many technical issues remain to be solved. Data flow analysis is one of the most difficult.

In the past 50 years there have been many experimental decompilers. Among them, Dcc, Boomerang and Hex_rays are the most famous. However, these decompilers have defects in different respects. For example, Dcc can only identify the basic data types. Boomerang cannot recognize complex data structures, such as C++ classes and multi-dimensional arrays. Hex_rays can only produce C-like code and also cannot recognize complex data structures.

In this paper, we put forward three new technologies for decompilation:

1) Binary interpretation based on a lightweight virtual machine. The technique can effectively identify the parameters of subroutines and local variables. It also solves the problem of data passed through the stack space.

2) Inter-basic-block register propagation. The register propagation used previously is limited to a single basic block, which loses the dependencies between variables in different basic blocks and causes register propagation to stop halfway.

3) Using common library signatures for STL (Standard Template Library) identification. It can effectively identify the STL across different compilers, different compile options and different STL versions.

In addition, based on an analysis of the behavior of the Microsoft Visual C++ compiler, this paper presents an efficient method to identify C++ classes, class member functions and the relationships between classes.

All three new technologies, together with the identification of C++ classes, class member functions and the relationships between classes, are implemented in a decompiler named C-Decompiler. It runs on the Windows operating system, reads an input exe file and generates C/C++ code. The innovation of the C-Decompiler architecture is the stack monitor: it uses the lightweight virtual machine technology in the front end to monitor the entire process in order to trace the stack.

The experiments use 8 test cases, which reflect different aspects of C-Decompiler's decompilation capability. In function analysis, variable analysis, code reduction rate (reduction%), code expansion (expansion%), and the false positive and false negative rates of recognition, C-Decompiler is better than the other two well-known decompilers, Hex_rays and Boomerang.

The decompiler designed and implemented in this paper won the first prize of the 2nd Innovation Competition @Technology and "ZhangJiang Cup" Innovation Fair.
Keywords/Search Tags: Decompilation, reverse engineering, Data flow analysis, control flow analysis