llil_transpiler
transpile llil to c++ for execution and testing
LLIL Transpiler
Convert LLIL to compileable and executable C++.
GOALS:
- test lifting: accurate LLIL should compute like native code
- provide LLIL semantics - runtime.cpp contains a C/C++ implementation for many LLIL operations
QUICK START: `make -f Makefile_x86_x64` then `./main`
EXAMPLE: transpiled A64
How does it work?
The LLIL gets mapped to C/C++ code:
| LLIL | C/C++ |
|---|---|
| LLIL_IF | if |
| LLIL_GOTO | goto, with labels generated at every block |
| LLIL_CALL | function call |
| LLIL_JUMP_TO | switch |
| LLIL_REG | REG16(), REG32(), REG64(), etc. |
| LLIL_ADD | ADD16(), ADD32(), ADD64(), etc. |
| LLIL_XXX | XXX() |
See ildump2cpp.py for the mapper, and runtime.cpp for the C/C++ implementation of the LLIL operations.
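To make the mapping concrete, here is an added illustration (not code from this project's runtime.cpp or ildump2cpp.py) of what a hand-transpiled routine looks like: a constructed register file, small sized helpers standing in for the REG32()/ADD32() family, one basic block per label with `goto` between them, and a native reference implementation so the lifted code can be checked against what the real machine would compute. The names `VmRegs`, `REG32`, `SET_REG32`, `ADD32`, `CMP_SLT32` and the register set are assumptions for this example only.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed register file for a generic 32-bit machine (assumption for this example).
struct VmRegs {
    uint32_t r0 = 0, r1 = 0, r2 = 0, r3 = 0;
};

// LLIL_REG / LLIL_SET_REG map to accessors on the register file.
#define REG32(vm, r)        ((vm).r)
#define SET_REG32(vm, r, v) ((vm).r = (v))

// LLIL arithmetic maps to sized helpers; unsigned wraparound matches hardware behaviour.
static inline uint32_t ADD32(uint32_t a, uint32_t b) { return a + b; }
static inline uint32_t SUB32(uint32_t a, uint32_t b) { return a - b; }
// LLIL_CMP_SLT: signed less-than on 32-bit operands.
static inline bool CMP_SLT32(uint32_t a, uint32_t b) {
    return static_cast<int32_t>(a) < static_cast<int32_t>(b);
}

// Hand-transpiled sum of 1..n (argument in r0, result in r1). LLIL-style pseudo:
//   0: r1 = 0
//   1: r2 = 1
//   2: if (r0 s< r2) goto 6 else goto 3
//   3: r1 = r1 + r2
//   4: r2 = r2 + 1
//   5: goto 2
//   6: return r1
// Every LLIL basic block becomes a label; LLIL_IF becomes if/goto; LLIL_GOTO becomes goto.
uint32_t sum_to_n_transpiled(VmRegs &vm) {
block_0:
    SET_REG32(vm, r1, 0);
    SET_REG32(vm, r2, 1);
block_2:
    if (CMP_SLT32(REG32(vm, r0), REG32(vm, r2))) goto block_6; else goto block_3;
block_3:
    SET_REG32(vm, r1, ADD32(REG32(vm, r1), REG32(vm, r2)));
    SET_REG32(vm, r2, ADD32(REG32(vm, r2), 1));
    goto block_2;
block_6:
    return REG32(vm, r1);
}

// Native reference: an accurate lift must compute exactly what this computes.
uint32_t sum_to_n_native(int32_t n) {
    uint32_t s = 0;
    for (int32_t i = 1; i <= n; ++i) s += static_cast<uint32_t>(i);
    return s;
}

// Differential check: run the transpiled routine and the native one on the same input.
bool lifting_matches(int32_t n) {
    VmRegs vm;
    vm.r0 = static_cast<uint32_t>(n);
    return sum_to_n_transpiled(vm) == sum_to_n_native(n);
}

int main() {
    const int32_t inputs[] = {0, 1, 10, 100, -5};
    for (int32_t n : inputs)
        std::printf("n=%d lifted-matches-native=%s\n", n, lifting_matches(n) ? "yes" : "no");
    return 0;
}
```

The differential check is the whole point of the "test lifting" goal: if the LLIL for a routine is wrong (a mis-sized operand, a signed compare lifted as unsigned), the transpiled C++ diverges from the native result on some input, and a test harness like `lifting_matches()` catches it without running the original binary.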
Workflow
- compile tests.cpp into tests.o with the architecture you want to lift
- extract the LLIL into tests_il.cpp using ildump2cpp.py
- compile tests_il.cpp with runtime.cpp and main.cpp to main
- run `./main`

Using make: `make x64` or `make arm`, then `./main`
How can I test my own architecture?
- atop runtime.h, add an `#ifdef ARCH_XXX` block and inside it define your arch's register types, etc.
- in main.cpp, add an `#ifdef ARCH_XXX` block and inside it define `vm_init_stack()`, `vm_set_arg0()`, etc.
- create a Makefile, being sure to pass `-DARCH_XXX`
- run `./main`
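An added sketch of the per-architecture hooks those steps ask for (example code, not this project's runtime.h or main.cpp): two constructed architectures, `ARCH_DEMO32` and `ARCH_DEMO64`, selected by the `-D` flag, each with its own register width, register names and first-argument register. The hook signatures `vm_init_stack(Vm&, size_t)` and `vm_set_arg0(Vm&, reg_t)` are assumptions; the project's real ones may differ. The fallback `#define ARCH_DEMO32` exists only so the example builds stand-alone without a Makefile.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// A real build passes -DARCH_XXX from the Makefile; default to one constructed arch
// here so the example compiles on its own.
#if !defined(ARCH_DEMO32) && !defined(ARCH_DEMO64)
#define ARCH_DEMO32
#endif

#ifdef ARCH_DEMO32
// Constructed 32-bit arch: integer args in r0, downward-growing stack.
using reg_t = uint32_t;
struct VmRegs { reg_t r0 = 0, r1 = 0, sp = 0; };
static constexpr const char *ARCH_NAME = "demo32";
#endif

#ifdef ARCH_DEMO64
// Constructed 64-bit arch: integer args in x0, downward-growing stack.
using reg_t = uint64_t;
struct VmRegs { reg_t x0 = 0, x1 = 0, sp = 0; };
static constexpr const char *ARCH_NAME = "demo64";
#endif

struct Vm {
    VmRegs regs;
    std::vector<uint8_t> stack;   // guest stack memory, addressed 0..size()
};

// Give the VM a zeroed stack and point sp at its top (both demo archs grow downward).
void vm_init_stack(Vm &vm, size_t bytes) {
    vm.stack.assign(bytes, 0);
    vm.regs.sp = static_cast<reg_t>(bytes);
}

// Place the first integer argument where this arch's calling convention expects it.
void vm_set_arg0(Vm &vm, reg_t value) {
#ifdef ARCH_DEMO32
    vm.regs.r0 = value;
#else
    vm.regs.x0 = value;
#endif
}

// Read the first-argument register back (used by the harness to confirm the hook).
reg_t vm_get_arg0(const Vm &vm) {
#ifdef ARCH_DEMO32
    return vm.regs.r0;
#else
    return vm.regs.x0;
#endif
}

// Width of a register on the selected arch, in bits.
unsigned vm_reg_bits() { return static_cast<unsigned>(sizeof(reg_t) * 8); }

const char *vm_arch_name() { return ARCH_NAME; }
```

Compiling the same source with `-DARCH_DEMO32` or `-DARCH_DEMO64` swaps the register file and argument register without touching the transpiled tests_il.cpp, which is what lets one set of lifted code be driven by an arch-specific main.cpp.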
What else?
You could compile a routine in one architecture, transpile its LLIL to C++, then compile the result to a new architecture.
You could do the above many times, even with the same architecture, increasing code size and obfuscation.