path: root/source/blog/yaxpeax.md
blob: b1af77d9c9357c5be7c5d961a1ef4b5b22859a48 (plain)
# yaxpeax

a few things i talk about and hack on refer to _The Yaxpeax Project_. or, just "yaxpeax". [yaxpeax-arch](https://git.iximeow.net/yaxpeax-arch/about/) talks about "shared traits ... from the yaxpeax project". it's worth saying explicitly what the thing is or isn't.

my thesis is that most programs are not inherently more difficult to work with (e.g. read, write, modify) as machine code than as the source code they were compiled from. where machine code seems dense, this is a consequence of decades of neglect and missing tooling. aspirationally, "yaxpeax" is what i think could support high-quality tooling for that category of problem.

realistically, "yaxpeax" is a [pile of disassemblers](https://git.iximeow.net/yaxpeax-arch/about/#implementations) and their partial integration into a [library for control-flow and data-flow analysis](https://github.com/iximeow/yaxpeax-core).

even this, it seems, is enough to have a twinkle of promise!!

* [Довер´яй, но провер´яй: SFI safety for native-compiled Wasm](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_5B-3_24078_paper.pdf) was a paper accompanying [VeriWasm](https://github.com/PLSysSec/veriwasm), a tool to verify the isolation properties of native-compiled WebAssembly modules by analyzing produced machine code as a black box. this requires both disassembling the native-compiled code and reasoning about the relationships of values - addresses and otherwise. [yaxpeax-core provided enough control flow analysis they could (mostly) directly use it](https://github.com/PLSysSec/veriwasm/blob/b70e92b/src/ir/x64.rs#L1029-L1044).

... though that's the best and only example of code analysis being as useful as i'd hope, so far. this is why "yaxpeax" as a project is fuzzy, and i primarily talk about it as a pile of disassemblers; those are neatly-scoped with a simple enough interface, and *are* reusable.

* [for disassembly](https://github.com/mstange/linux-perf-data/blob/0bf074f/examples/jitdumpdump.rs#L82-L206) in an example of annotating perf data
* [for disassembly](https://github.com/rust-minidump/rust-minidump/blob/019c848/minidump-processor/src/op_analysis.rs#L137-L445) in analyzing minidump crash files' code for hints of crash causes
<!-- this case of vendoring yaxpeax-x86 * [for disassembly](https://github.com/WINSDK/bite/blob/be1344b03c67e24bcb0f5fb9fde8592c46b87c19/decoder-x86_64/src/lib.rs#L1-L8) in a binary viewer/debugging tool?? -->
* [for disassembly](https://github.com/novafacing/tsffs/blob/10697a078ab5510127bd7c067760e2f8cb593675/tsffs_module/src/processor/mod.rs#L743-L751) in part of a coverage-guided fuzzer

and in some uses of my own - of course i find nails for my hammer:

* [yaxpeax-dis](https://github.com/iximeow/yaxpeax-dis), as a "please try to disassemble this" tool, including all\* yaxpeax-supporting disassemblers
  \* "all" meaning best effort :)
* [dis.yaxpeax.net](https://dis.yaxpeax.net), same as the above, but as a website
* [yaxpeax-eval](https://github.com/iximeow/yaxpeax-eval), for disassembly and debug viewing of executed machine code
* [yaxpeax-demo](https://github.com/iximeow/yaxdemo/blob/no-gods-no-/src/main.rs), a one-off example of disassembly and code analysis with `yaxpeax-core`.
* [zvm](https://github.com/iximeow/zvm), for disassembly of jitted JVM bytecode

but where i really hope to find yaxpeax one day is in analysis tasks like constructing an SSA-style representation of machine code, for example...

![register numbering](yaxpeax/register_numbering.png)\  

in turn letting me (or you!!!) get value analyses,

![range inference](yaxpeax/range_inference.png)\  
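to make those two pictures concrete without the images, here is a small added example (mine for this post, not yaxpeax-core's code): SSA-style register numbering over a constructed, already-disassembled x86-64-like instruction list, followed by interval-style range inference on the resulting values. the instruction tuples and the handful of modelled opcodes are assumptions for the demo.

```python
from typing import Dict, List, Tuple, Union

Operand = Union[str, int]
Insn = Tuple[str, str, List[Operand]]   # (mnemonic, dest reg, source operands)
U64_MAX = (1 << 64) - 1
FULL = (0, U64_MAX)                      # "no information" for a 64-bit register

# constructed sample (not real disassembler output): roughly what a compiler
# emits for `index = ((x & 0xff) + 4) * 4` with x arriving in rdi
SAMPLE: List[Insn] = [
    ("mov", "rax", ["rdi"]),
    ("and", "rax", ["rax", 0xff]),
    ("add", "rax", ["rax", 4]),
    ("mov", "rcx", ["rax"]),
    ("shl", "rcx", ["rcx", 2]),
]

def ssa_rename(insns: List[Insn]) -> List[Insn]:
    """give every definition a fresh version (rax_0, rax_1, ...) and point each
    use at the version that reaches it; a use before any def gets _0 (an input)."""
    version: Dict[str, int] = {}
    out: List[Insn] = []
    for mnem, dest, srcs in insns:
        # resolve uses first: the instruction reads the old version of `dest`
        uses = [s if isinstance(s, int) else f"{s}_{version.setdefault(s, 0)}" for s in srcs]
        version[dest] = version[dest] + 1 if dest in version else 0
        out.append((mnem, f"{dest}_{version[dest]}", uses))
    return out

def infer_ranges(ssa: List[Insn]) -> Dict[str, Tuple[int, int]]:
    """interval analysis over straight-line SSA: each value gets a (lo, hi) pair."""
    rng: Dict[str, Tuple[int, int]] = {}
    def val(op: Operand) -> Tuple[int, int]:
        return (op, op) if isinstance(op, int) else rng.setdefault(op, FULL)
    for mnem, dest, srcs in ssa:
        lo, hi = val(srcs[0])
        imm = srcs[1] if len(srcs) > 1 and isinstance(srcs[1], int) else None
        if mnem == "mov":
            r = (lo, hi)
        elif mnem == "and" and imm is not None:
            r = (0, min(hi, imm))            # masking bounds the value by the mask
        elif mnem == "add" and imm is not None:
            r = (lo + imm, hi + imm)
        elif mnem == "shl" and imm is not None:
            r = (lo << imm, hi << imm)
        else:
            r = FULL                         # unmodelled op: give up, but soundly
        rng[dest] = r if r[1] <= U64_MAX else FULL   # wrap-around: no information
    return rng
```

on the sample, `rax_1` comes out as (0, 255) and the final `rcx_1` as (16, 1036), which is the kind of bound a checker like VeriWasm needs before it can call an indexed access safe.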

anyway, between Then and Now... Ghidra has become an entire *thing*. Binary Ninja still exists and continues improving. maybe yaxpeax ends up just a pile of neat disassemblers and toy demos in my (ha ha) spare time.