Attempting to solve the malicious software issue, the anti-malware company Avast has just announced the release of its open sources machine-code decompiler. The software utility is called Retargetable Decompiler (RetDec), and it’s been under developement for seven years.
RetDec was originally developed as a joint project by the Faculty of Information Technology of the Brno University of Technology in the Czech Republic, and AVG Technologies. However, in 2016 the Avast company acquired AVG Technologies.
The Retargetable Decompiler gives an opportunity to the security experts to make platform-independent analysis of executable files. Thanks to its source code published to GitHub under the MIT license, RetDec is already available free of charge for everyone who wants to study its source code, modify it, and redistribute it.
By open-sourcing RetDec, the anti-malware company Avast offers “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”
The software utility supports multiple platforms, different architectures, file formats, and compilers. The architectures supported by RetDec are: (32b only) Intel x86, ARM, MIPS, PIC32, and PowerPC, and the following file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
Presently, the Retargetable Decompiler can be used on both – Windows and Linux systems, however, only pre-built packages for Windows are available. The Linux users should build and install the decompiler by themselves.
The RetDec tool can also be used to make static analysis of executable files with detailed information; for compiler and packer detection; for loading and instruction decoding; signature-based removal of statically linked library code; extraction and utilization of debugging information (DWARF, PDB), reconstruction of instruction idioms; detection and reconstruction of C++ class hierarchies (RTTI, vtables); demangling of symbols from C++ binaries (GCC, MSVC, Borland); reconstruction of functions, types, and high-level constructs; and generation of call graphs, control-flow graphs, and various statistics.
In addition, users can take advantage of the integrated disassembler and the output which is available in two languages: C and a Python-like language. Courtesy of an IDA plugin, decompilation of files directly from the IDA disassembler is also possible.
Usually, decompilers cannot reconstruct original source code perfectly due to the obfuscation techniques the malware creators use and the fact that the information is lost during the compilation process.
The Avast experts claim that the Retargetable Decompiler addresses these issues “by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications.”
Apart from publishing the RetDec’s source code, Avast offers several ways to take full advantage of the tool, starting with its web service.
Additionally, the company made its IDA plugin available, alongside an REST API which allows the creation of apps that can interact with RetDec via HTTP requests.
The Retargetable Decompiler can be used through the API via retdec-python.