C code output

[jakejasey]

My questions is: how can we start to think about ways to convert binaries into c source code from binary ninja?

[jakejasey]

There was also mention of converting HLIL ast to LLVM ast

[psifertex]

Go ahead and edit your question to be the original problem you wanted to solve and i'll post my separate answers here. :-)

[psifertex]

There's a couple of ways you could do this. First, here's a small snippet I wrote to save the HLIL for a function to a file:
https://gist.github.com/psifertex/6fbc7532f536775194edd26290892ef7#file-save_decompilation-py

You can even use the Snippet Manager to bind the snippet to a hotkey.

Of course, when we talked in slack you mentioned your goal was to grep for particular patterns in the results, so I want to take a moment and mention the True Binary Ninja Way:

Instead of operating directly on strings or even disassembly, we recommend writing plugins to run over the IL. They'll be faster, they'll automatically be cross-architecture, and there's all sorts of powerful APIs that you don't have access to if you're just searching text.

So for example, the first step is to get a list of all the symbols you care about like:

syms = list(filter(lambda sym: "Unin" in sym.name, bv.get_symbols()))

Next, you can find the addresses of all of those functions:

targets = set(map(lambda sym: sym.address, syms))

Next, we'll find all the functions that call those addresses. Note that we're going to find functions, and not specific addresses because of the step after this one. We're going to be looking through the IL for each function to find the call to our desired target. Because the MediumLevelIL isn't necessarily available (memory usage for lots of IL functions can get very large very fast), there's no way to globally query all IL-based references from a specific instruction to a specific destination. Ok, so now we're going to get that list of functions:

calling_funcs = set()
for target in targets:
	for xref in bv.get_code_refs(target):
		calling_funcs.add(xref.function)

Finally, we're going to iterate over the IL for that function as I suggested above and look for an IL CALL to the destination we care about. That's the point where things could get interesting. We could check if the argument to memcpy for example allowed unsigned values, or whether the destination was a stack variable. This is where the power of the API becomes apparent:

for caller in calling_funcs:
	mlil = caller.medium_level_il
	for insn in mlil.instructions:
		if insn.operation == MediumLevelILOperation.MLIL_CALL:
			if insn.dest.value in targets:
				#We found an MLIL call to the function we care about

In fact, much of the code above I took from an example we teach during our training class on using the API to do bug-finding and automate other reverse engineering tasks.

[plafosse]

I created an issue for this #1650