This directory contains the source code of our tool Bin2Wrong: our prototype all-in-one fuzzer for finding correctness bugs in binary-to-C decompilers.
This work is presented in our paper Bin2Wrong: a Unified Fuzzing Framework for Uncovering Semantic Errors in Binary-to-C Decompilers, appearing in the 2025 USENIX Annual Technical Conference (ATC'25).
Citing this repository:

```bibtex
@inproceedings{yang:bin2wrong,
  title     = {Bin2Wrong: a Unified Fuzzing Framework for Uncovering Semantic Errors in Binary-to-C Decompilers},
  author    = {Zao Yang and Stefan Nagy},
  booktitle = {{USENIX} {Annual} {Technical} {Conference} ({ATC})},
  year      = {2025}
}
```

Developers: Zao Yang ([email protected]) and Stefan Nagy ([email protected])

License: MIT License

Disclaimer: This software is provided as-is with no warranty.
- `mutation/` contains the source code for Bin2Wrong's program mutation/generation.
- `post_decompilation/` contains the code for applying syntax patching to decompiled code, instrumenting code to track its global variables, and comparing the execution output between the original code and decompiled code.
- `decompilers/` contains the instructions to set up each decompiler.
- `config/` contains the configuration files to start fuzzing each decompiler.
- `flags/` contains the optimization flags used for each compiler.
Install prerequisite packages by running `install_prereq.sh`:

```
./install_prereq.sh
```

For fuzzing Windows-only decompilers, or when using MSVC as the compiler, WineHQ needs to be installed. For fuzzing decompilers with Mach-O binaries, OSXCross and Darling need to be installed.
Run the following commands to build AFL++:

```
cd AFLplusplus/
make distrib
sudo make install
```
Navigate to `mutation/` and run `build_mutator.sh`. This script will build the mutation module of Bin2Wrong. After the script finishes, copy the generated mutation module file (`llvm-project/build/lib/libBin2WrongMutator.so`) to `mutation/`.

Follow the instructions in `decompilers/` to set up each decompiler.
Modify the configuration file accordingly in `configs/`. The configurations include the settings for AFL++, the compiler(s), the optimization flags, and the target decompiler.
Run the script to start fuzzing:

```
chmod +x run_fuzz.sh
./run_fuzz.sh [decompiler_to_be_fuzzed]
```

When a divergent test case is found for a decompiler, Bin2Wrong will output the execution results of the original program and the decompiled code in the terminal, like this:

```
Compiler used: clang
Original code output:
i: 2 s: 321 l: 13134243432 str: another local string checksum = 901FD064
Decompiled code output:
i: 2 s: 321 l: 9876543 str: local string checksum = 42FA5691
```
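The comparison step behind such a report, shown here as an added example rather than Bin2Wrong's own `post_decompilation/` code: it parses the `key: value ... checksum = HEX` line format that the report above uses and lists field by field where the original binary and the recompiled decompiler output disagree, so a divergence in the checksum can be traced to the variable that actually changed. The two sample lines are the outputs from the report above; the `format_report` layout and the handling of a field that one side never printed (for instance because the recompiled program crashed early) are assumptions of this example.

```python
"""Differential comparison of original vs. decompiled program output.

Added example, not Bin2Wrong's own post_decompilation code. It parses the
"key: value ... checksum = HEX" lines shown in the README and reports which
fields diverge between the original binary and the recompiled decompiled code.
"""
import re
from typing import Dict, Optional, Tuple

# Sample outputs, taken from the divergence report shown in the README.
ORIGINAL_OUTPUT = "i: 2 s: 321 l: 13134243432 str: another local string checksum = 901FD064"
DECOMPILED_OUTPUT = "i: 2 s: 321 l: 9876543 str: local string checksum = 42FA5691"

# A field key is a word immediately followed by ':' or '=' (e.g. "l:" or
# "checksum ="). Plain words inside a string value ("another local string")
# are not followed by ':' or '=', so they never match as keys.
_KEY_RE = re.compile(r"\b(\w+)\s*[:=]\s*")


def parse_output(line: str) -> Dict[str, str]:
    """Split one output line into {field: value}; values may contain spaces."""
    fields: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(line))
    for idx, m in enumerate(matches):
        # The value runs from the end of this key to the start of the next key.
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def diff_outputs(original: str, decompiled: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {field: (original_value, decompiled_value)} for every field that differs.

    A field present on only one side (assumed case: the recompiled program
    crashed before printing it) is reported with None on the missing side
    instead of being silently ignored.
    """
    orig = parse_output(original)
    dec = parse_output(decompiled)
    divergent: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for key in sorted(set(orig) | set(dec)):
        if orig.get(key) != dec.get(key):
            divergent[key] = (orig.get(key), dec.get(key))
    return divergent


def format_report(compiler: str, original: str, decompiled: str) -> str:
    """Render the report in the README's layout, plus one line per divergent field."""
    lines = [
        f"Compiler used: {compiler}",
        "Original code output:",
        original,
        "Decompiled code output:",
        decompiled,
    ]
    for key, (o, d) in diff_outputs(original, decompiled).items():
        lines.append(f"  divergent field {key}: original={o!r} decompiled={d!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("clang", ORIGINAL_OUTPUT, DECOMPILED_OUTPUT))
```

Comparing parsed fields rather than whole lines is what makes the report actionable: for the sample above it pinpoints `l`, `str` and `checksum` as the divergent fields while confirming `i` and `s` survived decompilation intact, which narrows the decompiler bug hunt to the code that computes the long and the string.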
Below are instructions for extending Bin2Wrong with new features.

To test a new decompiler:

- Add recompilation-oriented syntax patching rules in the following scripts under `post_decompilation/`: `modifiers.py`, `processors.py`, `fix_dec.py`.
- Create a new config file in the `configs/` directory for the decompiler.
- Create a corresponding directory in `fuzz_dir/` to store its fuzzing data.
- Add the new fuzzing command to `run_fuzz.sh`.
Our code mutator operates on individual AST nodes, applying mutations based on their AST type through the corresponding `VisitASTType()` functions (e.g., `VisitForStmt()` mutates `for` statements).

- Add new mutations for existing AST types: modify the corresponding `VisitASTType()` function.
- Support new AST types: refer to the LLVM documentation for supported AST node types. Implement a new `VisitASTType()` function and define the mutation rules within it.
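The `VisitASTType()` dispatch described above, as an added illustration that is not Bin2Wrong's code: the real mutator is a Clang visitor over C ASTs and needs an LLVM build to run, so this mirrors the same type-dispatched design with Python's `ast.NodeTransformer`, where `visit_For` and `visit_BinOp` play the roles of `VisitForStmt()` and a binary-operator visitor. Adding a mutation for an existing node type means editing one `visit_<Type>` method; supporting a new node type means adding another such method. The sample program, the two mutation rules and the replay log are constructed for this example.

```python
"""Type-dispatched AST mutation, mirroring Bin2Wrong's Visit<ASTType>() functions.

Added example, not the project's mutator: Bin2Wrong mutates C programs through
Clang's visitor, while this uses Python's ast.NodeTransformer, whose
visit_<Type>() methods are selected by node type in the same way.
"""
import ast
from typing import List, Tuple

# Constructed sample program to mutate (Python here, C in the real tool).
SAMPLE_SOURCE = """
total = 0
for i in range(10):
    total = total + i * 2
"""


class Mutator(ast.NodeTransformer):
    """Each visit_<Type>() holds the mutation rules for one AST node type."""

    # Constructed rule table for binary operators: swap an operator for a partner.
    _OP_SWAP = {ast.Add: ast.Sub, ast.Sub: ast.Add, ast.Mult: ast.FloorDiv, ast.FloorDiv: ast.Mult}

    def __init__(self) -> None:
        # Log of (node type, rule) so a fuzzer could replay or minimise a mutation.
        self.applied: List[Tuple[str, str]] = []

    def visit_For(self, node: ast.For) -> ast.AST:
        """Rule for `for` loops: widen a range(N) bound to range(N + 1)."""
        self.generic_visit(node)  # mutate children (the loop body) first
        it = node.iter
        if isinstance(it, ast.Call) and isinstance(it.func, ast.Name) and it.func.id == "range":
            last = it.args[-1]
            it.args[-1] = ast.BinOp(left=last, op=ast.Add(), right=ast.Constant(1))
            self.applied.append(("For", "widen_range"))
        return node

    def visit_BinOp(self, node: ast.BinOp) -> ast.AST:
        """Rule for binary operators: replace the operator with its table partner."""
        self.generic_visit(node)  # inner operators are mutated before outer ones
        swap = self._OP_SWAP.get(type(node.op))
        if swap is not None:
            node.op = swap()
            self.applied.append(("BinOp", type(node.op).__name__))
        return node


def mutate_source(source: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse, mutate, and unparse; also check the result still compiles."""
    tree = ast.parse(source)
    mutator = Mutator()
    new_tree = ast.fix_missing_locations(mutator.visit(tree))
    # A mutated program that no longer compiles is useless as a fuzz input,
    # so reject it here rather than downstream.
    compile(new_tree, "<mutated>", "exec")
    return ast.unparse(new_tree), mutator.applied


if __name__ == "__main__":
    mutated, log = mutate_source(SAMPLE_SOURCE)
    print(mutated)
    print(log)
```

The traversal order matters for reproducibility: `generic_visit` runs before each node's own rule, so inner nodes are mutated first and the log records rules in a fixed order, which is what lets a fuzzer replay or minimise a mutation sequence that exposed a decompiler bug.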
To integrate support for a new compiler:

- Extract and save the compiler's optimization flags to a text file and place it in the `flags/` directory.
- Update the relevant fields of the config files to reference the new compiler and its flags file path.
- Modify `run_fuzz.sh` to retrieve the flags path from the config.
- In `CompilationMutators.cpp`, add logic to:
  - get the flags file path;
  - compile using the compiler and those flags.
Bin2Wrong discovered the following bugs in mainstream binary decompilers:
If you find new decompiler bugs using Bin2Wrong, please let us know!
This material is based upon work supported by the National Science Foundation under Grant No. 2419798: CICI: TCR: Practical, Systematic Fuzz Testing for Securing Scientific Software.