As discussed at the recent Botconf 2017 in France earlier this month, RetDec provides a way to turn machine code – binary executables – back into an approximation of the original source code.
Where disassemblers convert binaries into assembly code – a somewhat readable representation of machine code – decompilers attempt to go back further to a higher-level source code language not tied to a specific processor – something more readable like C code.
Avast has used RetDec, which is based on LLVM, to decompile various ransomware strains, such as Apocalypse, BadBlock, Bart, CrySiS, TeslaCrypt, and others, in order to undo the unwanted encryption of victims' files.
In an email to The Register, Jakub Kroustek, threat intelligence team lead at Avast, said that while there are a variety of good decompilation tools available, many are paid products and cannot easily be extended.
Existing open-source decompilers provide an alternative, he said, "but these do not always achieve proper stability, code readability and quality."
Kroustek said he hopes RetDec, offered under a friendly MIT license, "will fill a gap in the market, in terms of produced code quality and [extensibility]."
He expects RetDec will be helpful not only to security researchers but also to developers who are interested in studying how their code compiles, and to those working on reverse engineering projects.
RetDec stands for Retargetable Decompiler, meaning it can be used to target code from different 32-bit architectures – Intel x86, ARM, MIPS, PIC32, and PowerPC – in various formats – ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
As a machine-code decompiler, RetDec is not suited for decompiling bytecode derived from Java, Python, or .Net source files.
Because the code compilation process jettisons useful information, reversing the process tends to fall short of the original, like compressing an image with a lossy algorithm and then re-enlarging it.
Decompilation may be made more difficult still if the writer of the code attempts to obfuscate it.
RetDec, available as an online service since 2015, attempts to address these challenges by utilizing debugging information and reconstructing instruction idioms, among other techniques.
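The two sentences above (compilation discards information; decompilers recover some of it by recognizing instruction idioms) can be illustrated with a toy idiom-reconstruction pass. This is an added, constructed example and not RetDec's code: the instruction tuples, the `lift`, `match_idiom` and `reconstruct` functions and the `SAMPLE` listing are all assumptions made here. A plain lift turns each instruction into a literal C-like statement (`eax = eax ^ eax;`), which is correct but as unreadable as the assembly; the idiom pass recognizes common compiler patterns (register zeroing, `lea`-based multiplication, shift-as-multiply, `test`/`je` as a zero check) and rewrites them into what a programmer would have written.

```python
"""Toy instruction-idiom reconstruction pass (constructed example, not RetDec code).

Each instruction is a tuple: (mnemonic, *operands). Registers are strings,
immediates are ints, labels are ("label", name), and an `lea` address
operand is the tuple (base, index, scale, disp).
"""

BINOP = {"xor": "^", "sub": "-", "add": "+", "shl": "<<", "sar": ">>"}


def lift(insn):
    """Lift one instruction to a literal C-like statement, with no idiom matching."""
    op = insn[0]
    if op == "label":
        return f"{insn[1]}:"
    if op == "mov":
        return f"{insn[1]} = {insn[2]};"
    if op in BINOP:
        return f"{insn[1]} = {insn[1]} {BINOP[op]} {insn[2]};"
    if op == "lea":
        base, index, scale, disp = insn[2]
        return f"{insn[1]} = {base} + {index} * {scale} + {disp};"
    if op == "test":
        # test sets ZF when (a & b) == 0
        return f"zf = ({insn[1]} & {insn[2]}) == 0;"
    if op == "je":
        return f"if (zf) goto {insn[1]};"
    raise ValueError(f"unhandled mnemonic: {op}")


def match_idiom(insns, i):
    """Try to match an idiom starting at insns[i].

    Returns (statement, instructions_consumed) or None when nothing matches.
    """
    insn = insns[i]
    op = insn[0]
    # xor r, r  /  sub r, r  -> r = 0  (register-zeroing idiom)
    if op in ("xor", "sub") and insn[1] == insn[2]:
        return f"{insn[1]} = 0;", 1
    # shl r, k  -> r = r * 2**k  (strength-reduced multiply by a power of two)
    if op == "shl" and isinstance(insn[2], int):
        return f"{insn[1]} = {insn[1]} * {1 << insn[2]};", 1
    # lea d, [r + r*s]  -> d = r * (s + 1)  (multiply by a small constant)
    if op == "lea":
        base, index, scale, disp = insn[2]
        if base == index and disp == 0:
            return f"{insn[1]} = {base} * {scale + 1};", 1
    # test r, r ; je L  -> if (r == 0) goto L  (two-instruction zero test)
    if (op == "test" and insn[1] == insn[2]
            and i + 1 < len(insns) and insns[i + 1][0] == "je"):
        return f"if ({insn[1]} == 0) goto {insns[i + 1][1]};", 2
    return None


def reconstruct(insns, use_idioms=True):
    """Translate a whole instruction list; idioms win over the literal lift when enabled."""
    out, i = [], 0
    while i < len(insns):
        m = match_idiom(insns, i) if use_idioms else None
        if m is not None:
            out.append(m[0])
            i += m[1]
        else:
            out.append(lift(insns[i]))
            i += 1
    return out


# Constructed sample: roughly what a compiler might emit for
#   int f(int x) { int y = x * 5; if (y == 0) return 0; return y * 8; }
# with x in edx and the return value in eax.
SAMPLE = [
    ("xor", "eax", "eax"),
    ("lea", "ecx", ("edx", "edx", 4, 0)),
    ("test", "ecx", "ecx"),
    ("je", "done"),
    ("shl", "ecx", 3),
    ("mov", "eax", "ecx"),
    ("label", "done"),
]

if __name__ == "__main__":
    print("--- literal lift ---")
    print("\n".join(reconstruct(SAMPLE, use_idioms=False)))
    print("--- with idiom reconstruction ---")
    print("\n".join(reconstruct(SAMPLE)))
```

The literal lift is what the machine code still carries; the multiplication by 5, the `* 8` and the `y == 0` comparison are exactly the information the compiler threw away and the idiom pass has to guess back. A real decompiler does this on a compiler-independent IR (RetDec uses LLVM IR) and with far larger pattern catalogues, and any obfuscation that breaks these patterns defeats the matching, which is the difficulty the next sentence refers to.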
"Our motivation is to contribute back to the security community, [whose] tools we are using on daily basis – so why not to share back also our own tools?" said Kroustek. "Secondly, we hope that involvement of more users and developers will further improve our tool."
Kroustek said in the four days since the code has been available, Avast has already received dozens of messages, improvements, and bug reports. ®
Download link:
https://github.com/avast-tl/retdec
Avast open-sources its decompiler RetDec