bsdphk
commented
6 years ago 100% agreement on the "hard to produce" and "not readable" of LLVM IL, but that's not really the fish I care about.
I will however also note, that for arcane old computers, which is my real target, the assembly code can be far worse.
For instance like this from a 42-bit GIER computer (http://ddhf.dk/wiki/GIER)
a10:pp_
1_
7,grna12
pmpc13,tln7
ck−10,grc5
tln12,grc11
tln20,grc4
pmp19c13,tln7The main reason I want LLVM is so that I don't need to write (for instance) a "function-recognizer" for every single architecture, but can write one single one which recognizes all sequences of code which match the abstract pattern we think of as functions. (save return addres, do stuff, jump to saved return address)
The secondary reason is that as you go back in time, you find many "two-level" programs, one part of the program implements an interpreter in assembly, the rest of the program is byte-code for this interpreter. (CHIP8 is an example of this), and I would like to be able to disassemble both levels at the same time (but I don't expect to automatically infer the interpreted language, you will have to type in a disassembler for that as well.)
Finally, I want to be able to deal with really weird shared binaries, where you have multiple heterogenous instruction-streams mingled.
One example, although relatively trivial, is the CBM 1541 floppy drive which has two CPUs running out of the same EPROM, but there are worse things about, semi-autonomous math-processors, I/O processors, vector display engines etc.
As you notice I don't produce actual LLVM IL, but the intent is that it can be converted into "real" LLVM IL automatically.
The reason I don't go straight for LLVM IL, is that it is a high priority that it should be easy to add a new (old!) architecture, by reading through the technical manual for the CPU, and then be able to get machine-assistance to understand and curate the program. (I'm coming at this from a data-archaeology angle as you can hear)
(I'm quite proud of the "just type in the tables from the manual" disassembler, so far that is probably the most important thing of all this.)
Now that I've gotten some experience with producing the IL from instructions, there are some patterns I spot which can and will be automated.
For instance rotates and shifts through carry bits are annoying, and it should be possible to just write "pyreveng.shift.left(1, i1 %C, i8 %AH, i8 %AL, i1 0)" and get that expanded to "real IL" automatically.
Another sore point is decimal arithmetic, I havn't really started poking at that yet.
I have not entirely made up my mind about register aliasing (%BC vs %B and %C) which crops up in every single flag register in every single processor, but I have some ideas. Again, I want it to be easy to express intent when you type in the instruction set, and then have code do the tedious work of splitting/collapsing registers.
I did consider producing C code, but while it is more readable to humans, it is a nightmare to analyse with programs, so I decided to push one level in between and use LLVM IL, hoping that some or all the analysis tools people write for that can be exploited, including, hopefully, something which emits C from the LLVM IL.
The problem with all attempts to "level up" the language, is that you have to recognize the toplevel structure, in particular the functions, otherwise you just end up with a nightmare main() full of gotos.
As long as the code you work on is the output of a compiler for a "structured programming language", PASCAL, C, etc, that is very simple, but once you get further back in time you run into things like "Wheelgol", "Jensens Device" (look it up!) and handwritten and highly optimized assembler code.
So all in all, I'm pretty comfortable with my choice of LLVM IL for now, but if my hopes of leveraging LLVM IL tools do not pan out, I will probably ditch it again.
pfalcon
I know it never works like that, but one can only try, right?
So, I went running "git pull" thru my reverse engineering projects dump, and noticed that among many projects dead yours is still running "strong". As you guessed, I have the same problem, even more: I now have 3 times more commits and a bunch more code for program analysis. There're differences too:
So, my project, https://github.com/pfalcon/ScratchABlock, explicitly rejects LLVM IR as something not really human readable. Nor it's trivial to produce LLVM IR, unless of course you mean to convert your registers to memory variables and load/store them. That's definitely doable, though probably not the dumbest of all the dumb text-processing, but then LLVM indeed will take care of converting your code to SSA form. Otherwise that needs to be done by you, and SSA conversion isn't exactly trivial.
What can be more human readable than C? That's the idea behind ScratchABlock's IL. It's more or less described in https://github.com/pfalcon/ScratchABlock/blob/master/docs/PseudoC-spec.md . Examples of decompilation can be found in https://github.com/pfalcon/ScratchABlock/tree/master/tests/decomp .
https://github.com/pfalcon/ScratchABlock/tree/master/tests/decomp/sub_5fac in particular was contributed by a guy who wrote PowerPC -> PseudoC converter. (The rest of example (growing) come from my Xtensa work).
Well, I'd be really interested to hear from someone trying it for "HP nanoprocessor" and other CPUs I never heard of. Feel free to give it a thought ;-).
Happy New Year!