Aarch64 decompilation

deps/capstone/CMakeLists.txt

@@ -21,11 +21,11 @@ ExternalProject_Add(capstone-project
 		-DCAPSTONE_X86_ATT_DISABLE=OFF
 		# Enabled architectures.
 		-DCAPSTONE_ARM_SUPPORT=ON
+		-DCAPSTONE_ARM64_SUPPORT=ON
 		-DCAPSTONE_MIPS_SUPPORT=ON
 		-DCAPSTONE_PPC_SUPPORT=ON
 		-DCAPSTONE_X86_SUPPORT=ON
 		# Disabled architectures.
-		-DCAPSTONE_ARM64_SUPPORT=OFF
 		-DCAPSTONE_M68K_SUPPORT=OFF
 		-DCAPSTONE_SPARC_SUPPORT=OFF
 		-DCAPSTONE_SYSZ_SUPPORT=OFF

include/retdec/bin2llvmir/optimizations/decoder/decoder.h

@@ -207,6 +207,15 @@ class Decoder : public llvm::ModulePass
 		void patternsPseudoCall_arm(llvm::CallInst*& call, AsmInstruction& pAi);
 		cs_mode determineMode_arm(cs_insn* insn, utils::Address& target);
 
+	// ARM64 specific.
+	//
+	private:
+		std::size_t decodeJumpTargetDryRun_arm64(
+				const JumpTarget& jt,
+				ByteData bytes,
+				bool strict = false);
+		void patternsPseudoCall_arm64(llvm::CallInst*& call, AsmInstruction& pAi);
+
 	// MIPS specific.
 	//
 	private:

include/retdec/bin2llvmir/optimizations/syscalls/syscalls.h

@@ -46,6 +46,10 @@ class SyscallFixer : public llvm::ModulePass
 		bool runArm_linux_32();
 		bool runArm_linux_32(AsmInstruction ai);
 
+		bool runArm64();
+		bool runArm64_linux_64();
+		bool runArm64_linux_64(AsmInstruction ai);
+
 		bool runMips();
 		bool runMips_linux();
 		bool runMips_linux(AsmInstruction ai);

include/retdec/capstone2llvmir/arm64/arm64.h

@@ -0,0 +1,35 @@
+/**
+ * @file include/retdec/capstone2llvmir/arm64/arm64.h
+ * @brief ARM64 specialization of translator's abstract public interface.
+ * @copyright (c) 2017 Avast Software, licensed under the MIT license
+ */
+
+#ifndef RETDEC_CAPSTONE2LLVMIR_ARM64_ARM64_H
+#define RETDEC_CAPSTONE2LLVMIR_ARM64_ARM64_H
+
+#include "retdec/capstone2llvmir/arm64/arm64_defs.h"
+#include "retdec/capstone2llvmir/capstone2llvmir.h"
+
+namespace retdec {
+namespace capstone2llvmir {
+
+/**
+ * ARM64 specialization of translator's abstract public interface.
+ */
+class Capstone2LlvmIrTranslatorArm64 : virtual public Capstone2LlvmIrTranslator
+{
+	public:
+		virtual ~Capstone2LlvmIrTranslatorArm64() {};
+
+	public:
+		/**
+		 * @return Capstone register that is parent to the specified Capstone
+		 * register @p r. Register can be its own parent.
+		 */
+		virtual uint32_t getParentRegister(uint32_t r) const = 0;
+};
+
+} // namespace capstone2llvmir
+} // namespace retdec
+
+#endif /* RETDEC_CAPSTONE2LLVMIR_ARM64_ARM64_H */

include/retdec/capstone2llvmir/arm64/arm64_defs.h

@@ -0,0 +1,21 @@
+/**
+ * @file include/retdec/capstone2llvmir/arm64/arm64_defs.h
+ * @brief Additional (on top of Capstone) definitions for ARM64 translator.
+ * @copyright (c) 2017 Avast Software, licensed under the MIT license
+ */
+
+#ifndef RETDEC_CAPSTONE2LLVMIR_ARM64_ARM64_DEFS_H
+#define RETDEC_CAPSTONE2LLVMIR_ARM64_ARM64_DEFS_H
+
+#include <capstone/arm64.h>
+
+enum arm64_reg_cpsr_flags
+{
+	ARM64_REG_CPSR_N = ARM64_REG_ENDING + 1,
+	ARM64_REG_CPSR_Z,
+	ARM64_REG_CPSR_C,
+	ARM64_REG_CPSR_V,
+	ARM64_REG_PC,
+};
+
+#endif /* RETDEC_CAPSTONE2LLVMIR_ARM64_ARM64_DEFS_H */

include/retdec/capstone2llvmir/capstone2llvmir.h

@@ -23,6 +23,7 @@
 
 // These are additions to capstone - include them all here.
 #include "retdec/capstone2llvmir/arm/arm_defs.h"
+#include "retdec/capstone2llvmir/arm64/arm64_defs.h"
 #include "retdec/capstone2llvmir/mips/mips_defs.h"
 #include "retdec/capstone2llvmir/powerpc/powerpc_defs.h"
 #include "retdec/capstone2llvmir/x86/x86_defs.h"

include/retdec/config/architecture.h

@@ -29,9 +29,10 @@ class Architecture
 		bool isPic32() const;
 		bool isMipsOrPic32() const;
 		bool isArm() const;
+		bool isArm32() const;
 		bool isArm64() const;
 		bool isThumb() const;
-		bool isArmOrThumb() const;
+		bool isArm32OrThumb() const;
 		bool isX86() const;
 		bool isX86_16() const;
 		bool isX86_32() const;
@@ -51,6 +52,8 @@ class Architecture
 		void setIsPic32();
 		void setIsArm();
 		void setIsThumb();
+		void setIsArm32();
+		void setIsArm64();
 		void setIsX86();
 		void setIsPpc();
 		void setIsEndianLittle();
@@ -84,7 +87,6 @@ class Architecture
 			MIPS,
 			PIC32,
 			ARM,
-			THUMB,
 			X86,
 			PPC,
 		};
@@ -97,6 +99,7 @@ class Architecture
 	private:
 		std::string _name;
 		unsigned _bitSize = 32;
+		bool _thumbFlag = false;
 		eEndian _endian = E_UNKNOWN;
 		eArch _arch = eArch::UNKNOWN;
 };

scripts/retdec-decompiler.py

@@ -38,8 +38,8 @@ def parse_args(args):
     parser.add_argument('-a', '--arch',
                         dest='arch',
                         metavar='ARCH',
-                        choices=['mips', 'pic32', 'arm', 'thumb', 'powerpc', 'x86', 'x86-64'],
-                        help='Specify target architecture [mips|pic32|arm|thumb|powerpc|x86|x86-64].'
+                        choices=['mips', 'pic32', 'arm', 'thumb', 'arm64', 'powerpc', 'x86', 'x86-64'],
+                        help='Specify target architecture [mips|pic32|arm|thumb|arm64|powerpc|x86|x86-64].'
                              ' Required if it cannot be autodetected from the input (e.g. raw mode, Intel HEX).')
 
     parser.add_argument('-e', '--endian',
@@ -882,7 +882,10 @@ def decompile(self):
                 arch_full = arch_full.lower()
 
                 # Strip comments in parentheses and all trailing whitespace
-                self.arch = arch_full.split(' ')[0]
+                if 'aarch64' in arch_full:
+                    self.arch = 'arm64'
+                else:
+                    self.arch = arch_full.split(' ')[0]
 
             # Get object file format.
             self.format, _, _ = CmdRunner.run_cmd([config.CONFIGTOOL, self.config_file, '--read', '--format'], buffer_output=True)
@@ -905,7 +908,7 @@ def decompile(self):
 
             ords_dir = ''
             # Check whether the correct target architecture was specified.
-            if self.arch in ['arm', 'thumb']:
+            if self.arch in ['arm', 'thumb', 'arm64']:
                 ords_dir = config.ARM_ORDS_DIR
             elif self.arch in ['x86', 'x86-64']:
                 ords_dir = config.X86_ORDS_DIR
@@ -917,7 +920,7 @@ def decompile(self):
 
                 self._cleanup()
                 utils.print_error('Unsupported target architecture \'%s\'. Supported architectures: '
-                                  'Intel x86, Intel x86-64, ARM, ARM + Thumb, MIPS, PIC32, PowerPC.' % self.arch)
+                                  'Intel x86, Intel x86-64, ARM, ARM + Thumb, ARM64, MIPS, PIC32, PowerPC.' % self.arch)
                 return 1
 
             # Check file class (e.g. 'ELF32', 'ELF64'). At present, we can only decompile 32-bit files.

src/bin2llvmir/CMakeLists.txt

@@ -16,6 +16,7 @@ set(BIN2LLVMIR_SOURCES
 	optimizations/cond_branch_opt/cond_branch_opt.cpp
 	optimizations/constants/constants.cpp
 	optimizations/decoder/arm.cpp
+	optimizations/decoder/arm64.cpp
 	optimizations/decoder/bbs.cpp
 	optimizations/decoder/decoder_ranges.cpp
 	optimizations/decoder/decoder_init.cpp
@@ -65,6 +66,7 @@ set(BIN2LLVMIR_SOURCES
 	optimizations/stack_pointer_ops/stack_pointer_ops.cpp
 	optimizations/value_protect/value_protect.cpp
 	optimizations/syscalls/arm.cpp
+	optimizations/syscalls/arm64.cpp
 	optimizations/syscalls/mips.cpp
 	optimizations/syscalls/syscalls.cpp
 	optimizations/syscalls/x86.cpp

src/bin2llvmir/optimizations/decoder/arm64.cpp

@@ -0,0 +1,111 @@
+/**
+* @file src/bin2llvmir/optimizations/decoder/arm64.cpp
+* @brief Decoding methods specific to ARM64 architecture.
+* @copyright (c) 2017 Avast Software, licensed under the MIT license
+*/
+
+#include "retdec/bin2llvmir/optimizations/decoder/decoder.h"
+#include "retdec/bin2llvmir/utils/capstone.h"
+#include "retdec/utils/string.h"
+
+using namespace retdec::utils;
+using namespace retdec::capstone2llvmir;
+using namespace llvm;
+
+namespace retdec {
+namespace bin2llvmir {
+
+bool insnWrittesPcArm64(csh& ce, cs_insn* insn)
+{
+	// Aarch64 reference manual states:
+	// Software cannot write directly to the PC. It can only
+	// be updated on a branch, exception entry or exception return.
+
+	// Set of instructions that can modify PC
+	const std::set<unsigned int> branch_instructions = {
+		ARM64_INS_B,
+		ARM64_INS_CBNZ,
+		ARM64_INS_CBZ,
+		ARM64_INS_TBNZ,
+		ARM64_INS_TBZ,
+		ARM64_INS_BL,
+		ARM64_INS_BLR,
+		ARM64_INS_BR,
+		ARM64_INS_RET,
+		ARM64_INS_ERET,
+	};
+
+	return (branch_instructions.count(insn->id) != 0);
+}
+
+bool looksLikeArm64FunctionStart(cs_insn* insn)
+{
+	// Create stack frame 'stp x29, x30, [sp, -48]!'
+	return insn->id == ARM64_INS_STP;
+}
+
+std::size_t Decoder::decodeJumpTargetDryRun_arm64(
+		const JumpTarget& jt,
+		ByteData bytes,
+		bool strict)
+{
+
+	if (strict)
+	{
+		return true;
+	}
+
+	static csh ce = _c2l->getCapstoneEngine();
+
+	uint64_t addr = jt.getAddress();
+	std::size_t nops = 0;
+	bool first = true;
+	// bytes.first  -> Code
+	// bytes.second -> Code size
+	// addr         -> Address of first instruction
+	while (cs_disasm_iter(ce, &bytes.first, &bytes.second, &addr, _dryCsInsn))
+	{
+
+		if (strict && first && !looksLikeArm64FunctionStart(_dryCsInsn))
+		{
+			return true;
+		}
+
+		if (jt.getType() == JumpTarget::eType::LEFTOVER
+				&& (first || nops > 0)
+				&& _abi->isNopInstruction(_dryCsInsn))
+		{
+			nops += _dryCsInsn->size;
+		}
+		else if (jt.getType() == JumpTarget::eType::LEFTOVER
+				&& nops > 0)
+		{
+			return nops;
+		}
+
+		if (_c2l->isControlFlowInstruction(*_dryCsInsn)
+				|| insnWrittesPcArm64(ce, _dryCsInsn))
+		{
+			return false;
+		}
+
+		first = false;
+	}
+
+	if (nops > 0)
+	{
+		return nops;
+	}
+
+	// There is a BB right after, that is not a function start.
+	//
+	if (getBasicBlockAtAddress(addr) && getFunctionAtAddress(addr) == nullptr)
+	{
+		return false;
+	}
+
+	return true;
+}
+
+} // namespace bin2llvmir
+} // namespace retdec

src/bin2llvmir/optimizations/decoder/decoder.cpp

@@ -376,10 +376,14 @@ std::size_t Decoder::decodeJumpTargetDryRun(
 	{
 		return decodeJumpTargetDryRun_x86(jt, bytes, strict);
 	}
-	else if (_config->getConfig().architecture.isArmOrThumb())
+	else if (_config->getConfig().architecture.isArm32OrThumb())
 	{
 		return decodeJumpTargetDryRun_arm(jt, bytes, strict);
 	}
+	else if (_config->getConfig().architecture.isArm64())
+	{
+		return decodeJumpTargetDryRun_arm64(jt, bytes, strict);
+	}
 	else if (_config->getConfig().architecture.isMipsOrPic32())
 	{
 		return decodeJumpTargetDryRun_mips(jt, bytes, strict);
@@ -400,7 +404,7 @@ std::size_t Decoder::decodeJumpTargetDryRun(
 
 cs_mode Decoder::determineMode(cs_insn* insn, utils::Address& target)
 {
-	if (_config->getConfig().architecture.isArmOrThumb())
+	if (_config->getConfig().architecture.isArm32OrThumb())
 	{
 		return determineMode_arm(insn, target);
 	}
@@ -472,7 +476,7 @@ bool Decoder::getJumpTargetsFromInstruction(
 	CallInst*& pCall = tr.branchCall;
 	auto nextAddr = addr + tr.size;
 
-	if (_config->getConfig().architecture.isArmOrThumb())
+	if (_config->getConfig().architecture.isArm32OrThumb())
 	{
 		AsmInstruction ai(tr.llvmInsn);
 		patternsPseudoCall_arm(pCall, ai);
@@ -1554,7 +1558,7 @@ void Decoder::finalizePseudoCalls()
 			// TODO: what about other possible LR stores? e.g. see
 			// patternsPseudoCall_arm().
 			//
-			if (_config->getConfig().architecture.isArmOrThumb()
+			if (_config->getConfig().architecture.isArm32OrThumb()
 					&& icf)
 			if (auto* st = dyn_cast<StoreInst>(i))
 			{

src/bin2llvmir/optimizations/decoder/decoder_init.cpp

@@ -61,12 +61,17 @@ void Decoder::initTranslator()
 			case 32: basicMode = CS_MODE_32; break;
 		}
 	}
-	else if (a.isArmOrThumb()
+	else if (a.isArm32OrThumb()
 			&& a.getBitSize() == 32)
 	{
 		arch = CS_ARCH_ARM;
 		basicMode = CS_MODE_ARM; // We start with ARM mode even for THUMB.
 	}
+	else if (a.isArm64())
+	{
+		arch = CS_ARCH_ARM64;
+		basicMode = CS_MODE_ARM;
+	}
 	else
 	{
 		throw std::runtime_error("Unsupported architecture.");
@@ -188,7 +193,8 @@ void Decoder::initRanges()
 
 	auto& arch = _config->getConfig().architecture;
 	unsigned a = 0;
-	a = arch.isArmOrThumb() ? 2 : a;
+	a = arch.isArm32OrThumb() ? 2 : a;
+	a = arch.isArm64() ? 4 : a;
 	a = arch.isMipsOrPic32() ? 4 : a;
 	a = arch.isPpc() ? 4 : a;
 	_ranges.setArchitectureInstructionAlignment(a);

src/bin2llvmir/optimizations/decoder/ir_modifications.cpp

@@ -165,10 +165,14 @@ llvm::GlobalVariable* Decoder::getCallReturnObject()
 	{
 		return _abi->getRegister(PPC_REG_R3);
 	}
-	else if (_config->getConfig().architecture.isArmOrThumb())
+	else if (_config->getConfig().architecture.isArm32OrThumb())
 	{
 		return _abi->getRegister(ARM_REG_R0);
 	}
+	else if (_config->getConfig().architecture.isArm64())
+	{
+		return _config->getLlvmRegister("r0");
+	}
 
 	assert(false);
 	return nullptr;