Angr

Rules:

  • EagerReturnsSimplifier
    • Adds additional return statements to the decompiled code to improve its readability when the number of “in edges” of the return node (i.e., the in-degree of the return site) is less than a specified threshold

Core libraries:

  • SequenceWalker
    • Used to traverse graphs

For each decompiled function, angr constructs a corresponding abstract syntax tree (AST).

When angr modifies the CFG (e.g., applies EagerReturnsSimplifier), angr calls SequenceWalker to traverse the graph and modify nodes, e.g., insert additional return statements on the AST.
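The following is an added example, not angr's own code, that shows the mechanics the two paragraphs above describe on a toy CFG: a return site shared by two branches is duplicated into each predecessor when its in-degree is below a threshold, and the per-node rewrite is driven by a small callback walker standing in for SequenceWalker. The node layout, the `Node` class, the `THRESHOLD` value and the `SequenceWalker` stand-in are my assumptions; angr's real data structures and threshold are not on the page.

```python
from collections import defaultdict
from dataclasses import dataclass, field

THRESHOLD = 4  # constructed value; angr's real threshold is configurable and not stated here


@dataclass
class Node:
    """A CFG block; `stmts` stands in for the block's slice of the function AST."""
    name: str
    stmts: list[str] = field(default_factory=list)
    succs: list[str] = field(default_factory=list)


def build_cfg() -> dict[str, Node]:
    """Constructed sample: two branches that both fall into one shared return site."""
    return {
        "entry": Node("entry", ["if (x) goto A; else goto B;"], ["A", "B"]),
        "A": Node("A", ["y = 1;"], ["ret"]),
        "B": Node("B", ["y = 2;"], ["ret"]),
        "ret": Node("ret", ["return y;"], []),
    }


def in_degrees(cfg: dict[str, Node]) -> dict[str, int]:
    """Number of in-edges per node name."""
    deg: dict[str, int] = defaultdict(int)
    for node in cfg.values():
        for s in node.succs:
            deg[s] += 1
    return deg


def is_return_site(node: Node) -> bool:
    return bool(node.stmts) and node.stmts[-1].startswith("return")


class SequenceWalker:
    """Stand-in (my assumption, not angr's API) for a walker that visits each node
    of a sequence and lets a handler rewrite that node in place."""

    def __init__(self, handler):
        self.handler = handler

    def walk(self, sequence):
        for node in sequence:
            self.handler(node)


def eager_returns(cfg: dict[str, Node], threshold: int = THRESHOLD) -> dict[str, Node]:
    """Duplicate a shared return site into each of its predecessors when the site's
    in-degree is below `threshold` (and at least 2, otherwise there is nothing to
    duplicate). Every predecessor then ends in its own `return` statement."""
    deg = in_degrees(cfg)
    for ret in [n for n in cfg.values() if is_return_site(n)]:
        if not 2 <= deg[ret.name] < threshold:
            continue
        preds = [n for n in cfg.values() if ret.name in n.succs]

        def inline_return(pred: Node, ret: Node = ret) -> None:
            pred.succs.remove(ret.name)
            pred.stmts.extend(ret.stmts)  # the "additional return statement"

        SequenceWalker(inline_return).walk(preds)
        del cfg[ret.name]  # the shared site has no remaining in-edges
    return cfg


def count_returns(cfg: dict[str, Node]) -> int:
    return sum(s.startswith("return") for n in cfg.values() for s in n.stmts)


def render(cfg: dict[str, Node]) -> str:
    """Pseudo-C listing of the CFG, one block per label."""
    return "\n".join(f"{n.name}:\n  " + "\n  ".join(n.stmts) for n in cfg.values())


if __name__ == "__main__":
    cfg = build_cfg()
    print("before:", count_returns(cfg), "return statement(s)")
    eager_returns(cfg)
    print("after: ", count_returns(cfg), "return statement(s)")
    print(render(cfg))
```

With the constructed threshold of 4 the shared `ret` block (in-degree 2) disappears and both `A` and `B` end in `return y;`; with a threshold of 2 the graph is left unchanged, which is the "less than a specified threshold" condition from the rule description.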

The VEX jump kind Ijk_Boring is used to handle conditional branch instructions.

FoxDec
Freek Verbeek, Pierre Olivier, and Binoy Ravindran. Sound C code decompilation for a subset of x86-64 binaries. In Frank S. de Boer and Antonio Cerone, editors, Software Engineering and Formal Methods - 18th International Conference, SEFM 2020, Amsterdam, The Netherlands, September 14-18, 2020, Proceedings, volume 12310 of Lecture Notes in Computer Science, pages 247–264. Springer, 2020.
Ghidra

Internally, Ghidra uses debug information stored in the binary in the DWARF format to help recover the prototype of the decompiled function.

For functions with the same name but different arguments (i.e., function overloading), compilers store multiple entities in the DWARF sections. However, Ghidra may fail to match the correct entity for such a function. Consequently, Ghidra suspends the analysis of this function, and its decompiled form lacks arguments, i.e., it is shown as taking void.

In Ghidra, constants are treated similarly to global variables, which means rules will be applied to infer their types (both their signedness and their sizes).

When Ghidra cannot correctly resolve indirect addresses, it uses the notion of a partially resolved address, as shown in this expression: “var1.x_y = var2”. This expression means that only y bytes starting at offset x in var1 should become equal to var2.
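As an added example (not Ghidra code), the block below gives the byte-level meaning of the “var1.x_y = var2” notation: `var1` is modelled as a little-endian memory object (a `bytearray`), only the y bytes at offset x are written, everything outside that window is untouched, and a tiny parser applies the textual expression against an environment of named values. The little-endian layout, the two's-complement truncation of negative right-hand sides, and the `apply_partial_expr` syntax handling are my assumptions beyond what the page states.

```python
import re

# Matches the page's notation "var1.x_y = var2" (assumption: decimal x and y,
# right-hand side is either a name in the environment or an integer literal).
_PARTIAL = re.compile(r"^\s*(\w+)\.(\d+)_(\d+)\s*=\s*(\w+)\s*$")


def partial_assign(var1: bytearray, x: int, y: int, var2: int) -> bytearray:
    """Write the low y bytes of var2 into var1[x:x+y]; leave all other bytes alone.
    Negative values are truncated to y bytes of two's complement (assumption)."""
    if x < 0 or y <= 0 or x + y > len(var1):
        raise ValueError(f"window [{x}, {x + y}) does not fit in {len(var1)} bytes")
    mask = (1 << (8 * y)) - 1
    var1[x:x + y] = (var2 & mask).to_bytes(y, "little")
    return var1


def read_field(var1: bytearray, x: int, y: int, signed: bool = False) -> int:
    """Read y bytes at offset x back as an integer; signedness is the caller's choice,
    mirroring that Ghidra has to infer it separately (see the constants note above)."""
    if x < 0 or y <= 0 or x + y > len(var1):
        raise ValueError(f"window [{x}, {x + y}) does not fit in {len(var1)} bytes")
    return int.from_bytes(var1[x:x + y], "little", signed=signed)


def apply_partial_expr(env: dict, expr: str) -> bytearray:
    """Apply one partially resolved assignment written in the page's notation."""
    m = _PARTIAL.match(expr)
    if not m:
        raise ValueError(f"not a partial assignment: {expr!r}")
    name, x, y, rhs = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    value = env[rhs] if rhs in env else int(rhs, 0)
    return partial_assign(env[name], x, y, value)


def sample_env() -> dict:
    """Constructed sample: an 8-byte object with a recognisable byte pattern."""
    return {
        "var1": bytearray(range(0x11, 0x99, 0x11)),  # 11 22 33 44 55 66 77 88
        "var2": 0xDEADBEEF,
    }


if __name__ == "__main__":
    env = sample_env()
    print("before:", env["var1"].hex())
    apply_partial_expr(env, "var1.2_4 = var2")
    print("after: ", env["var1"].hex())  # bytes 2..5 now hold var2, the rest unchanged
    print("field :", hex(read_field(env["var1"], 2, 4)))
```

Running it shows bytes 0, 1, 6 and 7 of `var1` unchanged while bytes 2 through 5 hold `var2` in memory order, which is exactly the "only y bytes starting at offset x" semantics; the bounds check is there because a window that overruns the object is a sign the offset or size was itself mis-resolved.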