Simple assembly code involving syscalls does not get decompiled correctly

[mbalous]

Code

BITS 32
global _start

section .text
_start:
    	mov eax, 5 ; sys_open
    	mov ebx, fileName
	mov ecx, 66 ; creation flags: O_RDWR | O_CREAT
	mov edx, 292 ; file mode: S_IRUSR | S_IRGRP | S_IROTH
	int 0x80 ; syscall, eax now contains file descriptor

	mov ebx, eax
	mov eax, 4 ; sys_write
	mov ecx, payload
	mov edx, payloadSize
	int 0x80

	mov eax, 1
	int 0x80
fileName:
    	db  "/tmp/myfile",0
payload:
	db "malicious payload here", 0ah, 0
payloadSize: equ $-payload

Build and run

nasm -f elf test.asm && ld -m elf_i386 test.o && ./a.out

Retdec output

//
// This file was generated by the Retargetable Decompiler
// Website: https://retdec.com
// Copyright (c) 2017 Retargetable Decompiler <[email protected]>
//

#include <stdint.h>

// ------------------- Function Prototypes --------------------

int32_t _start(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, uint32_t a6, int32_t a7, int32_t a8);
int32_t unknown_80480c4(void);
int32_t unknown_80480fe(void);
int32_t unknown_8048100(void);
int32_t unknown_8048116(void);
int32_t unknown_8048117(void);

// ------------------------ Functions -------------------------

// Address range: 0x8048060 - 0x80480b3
int32_t _start(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, uint32_t a6, int32_t a7, int32_t a8) {
    // 0x8048060
    unknown_8048100();
    unknown_80480c4();
    unknown_80480fe();
    unknown_8048116();
    char * v1 = (char *)(a7 + 101); // 0x80480ad_0
    *v1 = (char)((int32_t)*v1 & a6 / 256);
    int32_t v2 = unknown_8048117(); // 0x80480b0
    return (int32_t)*(char *)v2 | v2;
}

// --------------------- Meta-Information ---------------------

// Detected compiler/packer: elfcrypt (1.0)
// Detected functions: 1
// Decompiler release: v2.2.1 (2016-09-07)
// Decompilation date: 2017-12-14 10:28:45

I'm not experienced in low level programming, but it seems like, that the C code does not reflect what is going on...

Maybe it is confused by storing data in .text section?

[PeterMatula]

Thank you for your report. After we finish work related to open-sourcing, we will focus on improving the decompilation quality. I will definitely look into this pretty soon.

[mbalous]

Dissasembly
https://onlinedisassembler.com/odaweb/KwLtjJes/0

[mendax47]

Yah... Same Here.. Wrong Output....
2nd image Upper Part RetDec Lower Part HexRay

Using Windows 7 32 bit

https://imgur.com/a/To4eI

[MerovingianByte]

When retdec does manage to decompile though, I find it better than hex-ray's.

[PeterMatula]

Output from the current master:

// Address range: 0x8049000 - 0x8049030
int32_t _start(void) {
    int32_t fd = open("/tmp/myfile", 66); // 0x8049014
    write(fd, (int32_t *)"malicious payload here\n", 24);
    exit(fd);
    return 1;
}

Regression tests added in avast/retdec-regression-tests@69a2f3f.