Recon 2024

Path of from raw bytes to CodeQL on decompiled code
06-28, 13:00–14:00 (US/Eastern), Grand Salon

This is a hands-on talk about what you can do with the decompiler, a FLOSS decompiler based on LLVM and QEMU.

We will guide the audience step-by-step through how to go from the raw bytes of a file (think, a firmware) to decompiled C code.

Then we'll dig into the intermediate representation, based on LLVM IR, and show what tools can be used on it (e.g., KLEE for symbolic execution).

Finally, we'll show how you can use standard tools such as CodeQL and clang-static-analyzer to find bugs in the decompiled C code emitted by, which is always syntactically valid.

Everything that will be shown will be 100% reproducible by the audience in real-time using

Talk outline:

  • From zero to decompiled C code (interactive demo on terminal)
    • Create a 7-byte-long raw binary
    • How to load it into
    • How to produce disassembly
    • Adding prototypes to functions
    • How to produce decompiled code
  • Why you won't need to do any of the above: importing from ELF, DWARF, PE/COFF, PDB, Mach-O, and .idb.
  • Code analysis
    • Describe our internal IR, hint at analysis tools (e.g., KLEE)
    • Find bugs on a simple binary using CodeQL
    • Find bugs on a simple binary using clang-static-analyzer
  • Status: what you can expect to work
  • Final recap: goals and future directions

One day while playing a CTF I thought "hey, this decompiler could be done better".

I like C++, LLVM, binaries, Free Software and privacy.

During my dark academia years I presented at USENIX, DEF CON and several other compilers/computer security conferences.

I'm the co-founder of Labs, the company developing the decompiler.
My activities include overseeing the overall design and maintaining the first half of the decompilation pipeline.