-
My questions is: how can we start to think about ways to convert binaries into c source code from binary ninja? |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments
-
There was also mention of converting HLIL ast to LLVM ast |
Beta Was this translation helpful? Give feedback.
-
Go ahead and edit your question to be the original problem you wanted to solve and i'll post my separate answers here. :-) |
Beta Was this translation helpful? Give feedback.
-
There's a couple of ways you could do this. First, here's a small snippet I wrote to save the HLIL for a function to a file: You can even use the Snippet Manager to bind the snippet to a hotkey. Of course, when we talked in slack you mentioned your goal was to grep for particular patterns in the results, so I want to take a moment and mention the True Binary Ninja Way: Instead of operating directly on strings or even disassembly, we recommend writing plugins to run over the IL. They'll be faster, they'll automatically be cross-architecture, and there's all sorts of powerful APIs that you don't have access to if you're just searching text. So for example, the first step is to get a list of all the symbols you care about like: syms = list(filter(lambda sym: "Unin" in sym.name, bv.get_symbols())) Next, you can find the addresses of all of those functions: targets = set(map(lambda sym: sym.address, syms)) Next, we'll find all the functions that call those addresses. Note that we're going to find functions, and not specific addresses because of the step after this one. We're going to be looking through the IL for each function to find the call to our desired target. Because the MediumLevelIL isn't necessarily available (memory usage for lots of IL functions can get very large very fast), there's no way to globally query all IL-based references from a specific instruction to a specific destination. Ok, so now we're going to get that list of functions: calling_funcs = set()
for target in targets:
for xref in bv.get_code_refs(target):
calling_funcs.add(xref.function) Finally, we're going to iterate over the IL for that function as I suggested above and look for an IL CALL to the destination we care about. That's the point where things could get interesting. We could check if the argument to memcpy for example allowed unsigned values, or whether the destination was a stack variable. This is where the power of the API becomes apparent:
In fact, much of the code above I took from an example we teach during our training class on using the API to do bug-finding and automate other reverse engineering tasks. |
Beta Was this translation helpful? Give feedback.
-
I created an issue for this #1650 |
Beta Was this translation helpful? Give feedback.
There's a couple of ways you could do this. First, here's a small snippet I wrote to save the HLIL for a function to a file:
https://gist.github.com/psifertex/6fbc7532f536775194edd26290892ef7#file-save_decompilation-py
You can even use the Snippet Manager to bind the snippet to a hotkey.
Of course, when we talked in slack you mentioned your goal was to grep for particular patterns in the results, so I want to take a moment and mention the True Binary Ninja Way:
Instead of operating directly on strings or even disassembly, we recommend writing plugins to run over the IL. They'll be faster, they'll automatically be cross-architecture, and there's all sorts of powerful APIs that you don't ha…