Hasty Briefs beta

Breaking decompilers with single-function, and no-main() C codebases

15 hours ago
  • #C programming
  • #reverse engineering
  • #decompiler
  • The author proposes, tongue in cheek, a way to break reverse engineers' decompilers: collapse an entire C codebase into a single function, `main()`, and replace every function call with a recursive call to `main()`, so the only call stack the program ever has is `main() -> main() -> main() -> ...`.
  • A Python script named `c-fucker` automates the conversion of basic single-file C codebases into this single-function form. The author demonstrates it on a simple `printdatetime` program and on a tiny HTTP server (~450 LoC); the converted HTTP server crashes Ghidra's decompiler.
  • The article also explores a C codebase with an empty `main()`, where the real work is done in a function declared with `__attribute__ ((constructor))` (a GCC/Clang extension: the C runtime calls such functions, via the ELF `.init_array` section, before `main()` is ever entered). An analyst who starts reading at `main()` therefore finds nothing, because execution never passes through it. The logic is not gone, though: the constructor is still an ordinary function in the binary, and a decompiler shows it to anyone who follows the entries in `.init_array` rather than `main()`.
  • The author acknowledges the limitations of using Python for this transformation and suggests that an LLVM extension would be more suitable, though they lack the expertise to implement it.
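The following hand-converted program is an added example illustrating the two tricks summarized above (the single self-recursive function and the constructor with an empty `main()`); it is not the article's code nor output of the author's `c-fucker` script. The names `before_main`, `program`, `run_before_main` and `g_result_from_constructor`, the `@`-prefixed `argv[0]` tag that marks an internal "call", and the compile command below are all assumptions made here. In the article the single function is `main()` itself; it is named `program` here so that it can be called and checked from outside, and `main()` is left empty as in the constructor variant. `__attribute__((constructor))` requires GCC or Clang.

```c
/* Added example (not the article's code): both tricks in one program. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- before: an ordinary program with two helpers ---------------------- */
static int square(int x) { return x * x; }

static int fib(int n) { return n < 2 ? n : fib(n - 1) + fib(n - 2); }

/* The original entry point, renamed so it can sit beside the converted one. */
int before_main(int argc, char **argv)
{
    int n = argc > 1 ? atoi(argv[1]) : 10;
    return square(fib(n)) % 256;
}

/* --- after: one self-recursive function -------------------------------- */
/* Keeps main()'s signature.  Every former call becomes a recursive call whose
 * synthetic argv[0] starts with '@' and names the original callee; arguments
 * travel as decimal strings and results come back as the int return value.
 * The only call stack is therefore program -> program -> program -> ...
 * (In the article this function IS main(); 'program' is an assumed name.)
 * Caveat: a real argv[0] starting with '@' would be misread as a tag.       */
int program(int argc, char **argv)
{
    char arg0[16], arg1[16];
    char *call[3] = { 0, 0, 0 };

    if (argc >= 2 && argv[0][0] == '@') {           /* internal "call" */
        const char *callee = argv[0] + 1;
        if (strcmp(callee, "square") == 0) {
            int x = atoi(argv[1]);
            return x * x;
        }
        if (strcmp(callee, "fib") == 0) {
            int n = atoi(argv[1]);
            if (n < 2)
                return n;
            snprintf(arg0, sizeof arg0, "%d", n - 1);
            call[0] = "@fib"; call[1] = arg0;
            int a = program(2, call);                /* was fib(n - 1) */
            snprintf(arg1, sizeof arg1, "%d", n - 2);
            call[1] = arg1;
            int b = program(2, call);                /* was fib(n - 2) */
            return a + b;
        }
        return -1;                                   /* unknown callee */
    }

    /* Real entry: argv[0] is the program path, not an '@' tag. */
    int n = argc > 1 ? atoi(argv[1]) : 10;
    snprintf(arg0, sizeof arg0, "%d", n);
    call[0] = "@fib"; call[1] = arg0;
    int f = program(2, call);                        /* was fib(n) */
    snprintf(arg1, sizeof arg1, "%d", f);
    call[0] = "@square"; call[1] = arg1;
    return program(2, call) % 256;                   /* was square(fib(n)) % 256 */
}

/* --- the constructor trick: the work is done before main() is called --- */
int g_result_from_constructor = -1;   /* written before main() runs */

__attribute__((constructor))
static void run_before_main(void)
{
    /* Constructed input, equivalent to running "./prog 10" (assumption). */
    char *argv[] = { "prog", "10", NULL };
    g_result_from_constructor = program(2, argv);
}

/* Nothing here for an analyst who starts reading at main(). */
int main(void)
{
    return 0;
}
```

Build with `cc -O0 -o prog prog.c` and run `./prog 10; echo $?`: the exit status is 0 because `main()` does nothing, yet `g_result_from_constructor` has already been set to 209 (fib(10) = 55, 55² = 3025, 3025 mod 256 = 209) by the time `main()` is reached. To locate the hidden logic, list the constructor's address with `objdump -s -j .init_array prog` (or `readelf -S prog` to find the section) and decompile that function rather than `main()`.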