2

Looking around for IR's used for reverse engineering, I find quite a few interesting ones. Assuming that I have a function that I'm trying to reverse engineer, I'm considering the following approach.

Lift the assembly to an IR, run an optimisation pass on it and convert it back into assembly. How hard would it be to implement something like this? Are there any IRs that you'd recommend. I'm guessing that being able to lift the assembly code into an LLVM IR would be pretty useful and one could run the LLVM optimisation passes on it.

Do you have any suggestions on this?

perror
  • 19,083
  • 29
  • 87
  • 150

2 Answers2

4

mcsema ('MC-Semantics') translates x86 to LLVM IR so that all the LLVM IR tools can be applied for analysis. It came up in the related topic Recompiling/optimizing redundant code to make analysis easier, which also has pointers to further work/papers.

Community
  • 1
DarthGizka
  • 2,010
  • 1
  • 13
  • 30
2

You can try the Miasm framework which is written in python and has all the capabilities you require. Other than this you have metasm, written in pure ruby with no dependencies. These frameworks implement their own IR which is different from LLVM.

The book Practical Reverse Engineering has tutorials on the usage of the frameworks.

0xec
  • 6,090
  • 3
  • 23
  • 33
  • I had come across the Miasm framework earlier; from what I see, it provides a means to lift assembly to IR and perform symbolic execution -- but not do optimisation passes on it? Just to be clear. Thanks! –  Jan 27 '15 at 08:17
  • It really depends on what you call optimization. Miasm can remove some obfuscation at the assembly level. Is that what you mean by optimization? – user2823000 Jan 27 '15 at 13:47
  • @Dillinur Hi, thanks for commenting. I mainly meant dead code elimination and being able to reduce the number of instructions required to perform a particular operation. I'm also curious if miasm/metasm can work with instruction traces(as opposed to binaries). –  May 07 '15 at 18:02