The unexpected effectiveness of one-shot decompilation with Claude(blog.chrislewis.au)
124 points by knackers 8 days ago | 63 comments
simonw 3 hours ago | parent | next [-]

For anyone else who was initially confused by this, useful context is that Snowboard Kids 2 is an N64 game.

I also wasn't familiar with this terminology:

> You hand it a function; it tries to match it, and you move on.

In decompilation "matching" means you found a function block in the machine code, wrote some C, then confirmed that the C produces the exact same binary machine code once it is compiled.

The author's previous post explains this all in a bunch more detail: https://blog.chrislewis.au/using-coding-agents-to-decompile-...

elitan 2 hours ago | parent [-]

helpful

saagarjha 4 hours ago | parent | prev | next [-]

It's worth noting here that the author came up with a handful of good heuristics to guide Claude and a very specific goal, and the LLM did a good job given those constraints. Most seasoned reverse engineers I know have found similar wins with those in place.

What LLMs are (still?) not good at is one-shot reverse engineering for understanding by a non-expert. If that's your goal, don't blindly use an LLM. People already know that you getting an LLM to write prose or code is bad, but it's worth remembering that doing this for decompilation is even harder :)

zdware 2 hours ago | parent | next [-]

Agree with this. I'm a software engineer that has mostly not had to manage memory for most of my career.

I asked Opus how hard it would be to port the script extender for Baldur's Gate 3 from Windows to the native Linux build. It outlined that it would be very difficult for someone without reverse engineering experience, and correctly pointed out they are using different compilers, so it's not a simple mapping exercise. Its recommendation was not to try unless I was a Ghidra master and had lots of time on my hands.

dimitri-vs 2 hours ago | parent [-]

FWIW most LLMs are pretty terrible at estimating complexity. If you've used Claude Code for any length of time you might be familiar with its plan "timelines" which always span many days but for medium size projects get implemented in about an hour.

I've had CC build semi-complex Tauri, PyQT6, Rust and SvelteKit apps for me without me having ever touched that language. Is the code quality good? Probably not. But all those apps were local-only tools or had less than 10 users so it doesn't matter.

zdware 2 hours ago | parent [-]

That's fair, I've had similar experiences working in other stacks with it. And with some niche stacks, it seems to struggle more. Definitely agree the more narrow the context/problem statement, higher chance of success.

For this project, it described its reasoning well, and knowing my own skillset, and surface level info on how one would start this, it had many good points that made the project not realistic for me.

ph4evers 4 hours ago | parent | prev [-]

Are they not performing well because they are trained to be more generic, or is the task too complex? It seems like a cheap problem to fine-tune.

pixl97 4 hours ago | parent [-]

Sounds like a more agentic pipeline task. Decompile, assess, explain.

rlili 5 hours ago | parent | prev | next [-]

Makes me wonder if decompilation could eventually become so trivial that everything would become de-facto open source.

jasonjmcghee 3 hours ago | parent | next [-]

It would be "source available", if anything, not "open source".

> An open-source license is a type of license for computer software and other products that allows the source code, blueprint or design to be used, modified or shared (with or without modification) under defined terms and conditions.

https://en.wikipedia.org/wiki/Open_source

Companies have been really abusing what open source means, claiming something is "open source" because they share the code and then having a license that says you can't use any part of it in any way.

Similarly if you ever use that software or depending on where you downloaded it from, you might have agreed not to decompile or read the source code. Using that code is a gamble.

mkatx 10 minutes ago | parent | next [-]

So instead of reverse engineering.. an llm/agent/whatever could simply produce custom apps for everyone, simply implementing the features an individual might want. A more viable path?

DrNosferatu 2 hours ago | parent | prev | next [-]

But, for example, isn't Cannonball (SEGA Outrun source port) open source?

https://github.com/djyt/cannonball

jasonjmcghee an hour ago | parent [-]

No it is not. There is no license in that repository.

Relevant: https://github.com/orgs/community/discussions/82431

> When you make a creative work (which includes code), the work is under exclusive copyright by default. Unless you include a license that specifies otherwise, nobody else can copy, distribute, or modify your work without being at risk of take-downs, shake-downs, or litigation. Once the work has other contributors (each a copyright holder), “nobody” starts including you.

https://choosealicense.com/no-permission/

sa1 3 hours ago | parent | prev | next [-]

But clean room reverse engineered code can have its own license, no?

vunderba 27 minutes ago | parent | next [-]

In fact, the story of how Atari tried to circumvent the lockout chip on the original NES is a good example of this.

They had gotten surprisingly close to a complete decompilation, but then they tried to request a copy of the source code from the copyright office citing that they needed it as a result of ongoing unrelated litigation with Nintendo.

Later on this killed them in court.

simonw 3 hours ago | parent | prev [-]

Yeah, I think it can. I'm reminded of the thing in the 80s when Compaq reverse engineered and reimplemented the IBM BIOS by having one team decompile it and write a spec which they handed to a separate team who built a new implementation based on the spec.

I expect that for games the more important piece will be the art assets - like how the Quake game engine was open source but you still needed to buy a copy of the game in order to use the textures.

yieldcrv an hour ago | parent | prev [-]

Open source never meant free to begin with and was never software specific, that’s a colloquialism and I’d love to say “language evolves” in favor of the software community’s use but open source is used in other still similar contexts, specifically legal and public policy ones

FOSS specifically means/meant free and open source software, the free and software words are there for a reason

so we don’t need another distinction like “source available” that people need to understand to convey an already shared concept

yes, companies abuse their community’s interest in something by blending open source legal term as a marketing term

jasonjmcghee an hour ago | parent [-]

Whether or not something is "free" is a separate matter and subject to how the software is licensed. If there is no license it is, by definition "source available", not open source. "source available" is not some new distinction I'm making up.

See my other comment: https://news.ycombinator.com/item?id=46175760

VikingCoder 4 hours ago | parent | prev | next [-]

I wonder when you're never going to run expensive software on your own CPU.

It'll either all be in the cloud, so you never run the code...

Or it'll be on a chip, in a hermetically sealed usb drive, that you plug in to your computer.

tcdent 3 hours ago | parent | prev | next [-]

That's definitely a possible future abstraction and one area of the future of technology I'm excited about.

First we get to tackle all of the small ideas and side projects we haven't had time to prioritize.

Then, we start taking ownership of all of the software systems that we interact with on a daily basis; hacking in modifications and reverse engineering protocols to suit our needs.

Finally our own interaction with software becomes entirely boutique: operating systems, firmware, user interfaces that we have directed ourselves to suit our individual tastes.

DrNosferatu 3 hours ago | parent | prev | next [-]

This day will arrive.

And it will be great for retro game preservation.

Having more integrated tools and tutorials on this would be awesome.

js8 4 hours ago | parent | prev | next [-]

Yes, I believe it will. What I predict will happen is that most commercial software will be hosted and provided through "trusted" platforms with limited access, making reverse engineering impossible.

Aeolun 3 hours ago | parent | prev | next [-]

When decompilation like that is trivial, so is recreation without decompilation. It implies the LLM knows exactly how things work.

Xmd5a 5 hours ago | parent | prev [-]

This deserves a discussion

ronsor 5 hours ago | parent | next [-]

I've used LLMs to help with decompilation since the original release of GPT-4. They're excellent at recognizing the purpose of functions and refactoring IDA or Ghidra pseudo-C into readable code.

galangalalgol 5 hours ago | parent | next [-]

How does it do on things that were originally written in assembly?

saagarjha 4 hours ago | parent [-]

This is typically easier because the code was written for humans already.

euroderf 4 hours ago | parent | prev [-]

Someone please try this on an original (early 1980s) IBM-PC BIOS.

mh- 28 minutes ago | parent [-]

Got a bin?

stevemk14ebr 4 hours ago | parent | prev [-]

We're very far away from this.

heavyset_go an hour ago | parent | prev | next [-]

Am I just wrong in thinking doing decompilation of copyrighted code via the cloud is a bad idea?

Like, if it ever leaks, or you were planning on releasing it, literally every step you took in your crime is uploaded to the cloud ready to send you to prison.

It's what's stopped me from using hosted LLMs for DMCA-legal RE. All it takes is for a prosecutor/attorney to spin a narrative based on uploaded evidence and your ass is in court.

Juliate 39 minutes ago | parent [-]

It wouldn't fit most of the current LLM cloud providers narrative about privacy and copyright either, so, not sure they would be as cooperative with a prosecutor as they are today with lawmakers and right holders.

t_mann 3 hours ago | parent | prev | next [-]

> The ‘give up after ten attempts’ threshold aims to prevent Claude from wasting tokens when further progress is unlikely. It was only partially successful, as Claude would still sometimes make dozens of attempts.

Not what I would have expected from a 'one-shot'. Maybe self-supervised would be a more suitable term?
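The "matching" check simonw describes earlier in the thread (compile the candidate C, confirm the bytes equal the original) and the "give up after ten attempts" cap quoted above, written out as an added example; this is not code from the blog post or from the Snowboard Kids 2 project. The loop drives an injected proposer that stands in for Claude and an injected build step, so it runs offline with a scripted proposer and a hex "compiler"; the `mips-linux-gnu-gcc`/`objcopy` names and flags in `build_with_cc` are assumptions, not the project's actual toolchain settings.

```python
"""Match loop for one function: propose C, build it, compare bytes, retry.

Added example, not the blog post's own tooling. The proposer that stands in
for Claude and the build step are injected callables; the compiler name and
flags in build_with_cc are assumptions, not the project's settings.
"""
import os
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Attempt:
    number: int
    matched: bool
    score: float               # fraction of byte positions that agree
    first_diff: Optional[int]  # offset of first mismatch, None if identical


def compare_bytes(target: bytes, candidate: bytes) -> tuple[float, Optional[int]]:
    """Position-wise comparison; a length difference counts as mismatched bytes."""
    n = max(len(target), len(candidate))
    if n == 0:
        return 1.0, None
    same, first = 0, None
    for i in range(n):
        a = target[i] if i < len(target) else None
        b = candidate[i] if i < len(candidate) else None
        if a == b:
            same += 1
        elif first is None:
            first = i
    return same / n, first


def build_with_cc(src: str, cc: str = "mips-linux-gnu-gcc",
                  flags: tuple = ("-O2", "-c"),
                  objcopy: str = "mips-linux-gnu-objcopy") -> bytes:
    """Compile one C file and extract the raw .text bytes. Toolchain names and
    flags are assumptions; a real matching project pins its own compiler."""
    with tempfile.TemporaryDirectory() as d:
        c_path, o_path, bin_path = (os.path.join(d, f) for f in ("f.c", "f.o", "f.bin"))
        with open(c_path, "w") as fh:
            fh.write(src)
        subprocess.run([cc, *flags, c_path, "-o", o_path], check=True, capture_output=True)
        subprocess.run([objcopy, "-O", "binary", "-j", ".text", o_path, bin_path],
                       check=True, capture_output=True)
        with open(bin_path, "rb") as fh:
            return fh.read()


def match_loop(target: bytes,
               propose: Callable[[Optional[str]], str],
               build: Callable[[str], bytes],
               max_attempts: int = 10) -> tuple[bool, list[Attempt]]:
    """Drive the agent until the build matches byte-for-byte or the cap is hit.

    propose(feedback) returns candidate C source (feedback is None on the first
    try); build(src) returns the function's machine code. The cap is what keeps
    an agent from burning tokens on a function it is not going to match.
    """
    history: list[Attempt] = []
    feedback: Optional[str] = None
    for n in range(1, max_attempts + 1):
        src = propose(feedback)
        try:
            code = build(src)
        except Exception as exc:  # compile error: feed it back, still count the attempt
            history.append(Attempt(n, False, 0.0, None))
            feedback = f"build failed: {exc}"
            continue
        score, first = compare_bytes(target, code)
        history.append(Attempt(n, score == 1.0, score, first))
        if score == 1.0:
            return True, history
        feedback = f"{score:.0%} of bytes match; first difference at offset {first}"
    return False, history


def scripted_proposer(candidates: list[str]) -> Callable[[Optional[str]], str]:
    """Stand-in for the LLM: returns the scripted candidates in order, then repeats the last."""
    state = {"i": 0}

    def propose(feedback: Optional[str]) -> str:
        i = min(state["i"], len(candidates) - 1)
        state["i"] += 1
        return candidates[i]
    return propose


def hex_build(src: str) -> bytes:
    """Offline stand-in for the compiler: the 'source' is already hex machine code."""
    return bytes.fromhex(src)


if __name__ == "__main__":
    # Constructed target: MIPS `addiu $sp,$sp,-24` (0x27bdffe8), big-endian as on N64.
    target = bytes.fromhex("27bdffe8")
    ok, hist = match_loop(target, scripted_proposer(["27bdffe0", "27bdffe8"]), hex_build)
    for a in hist:
        print(a)
    print("matched" if ok else "gave up")
```

Swap `hex_build` for `build_with_cc` (with the compiler your project actually matches against) and `scripted_proposer` for a call into the agent, and the feedback string is what the agent sees on its next turn; the first-mismatch offset is the piece a human would reach for first when deciding whether the function is close or hopeless.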

wavemode 2 hours ago | parent | next [-]

"one-shot" usually just means, one example and its correct answer was provided in the prompt.

See also, "zero-shot" / "few-shot" etc.

simonw 25 minutes ago | parent [-]

I've seen one-shot used to mean two different things in LLMs:

1. Getting an LLM to do something based on a single example

2. Getting an LLM to achieve a goal from a single prompt with no follow-ups

I think both are equally valid.

hombre_fatal an hour ago | parent | prev [-]

Meh, the main idea of one-shot is that you prompted it once and got a good impl when it decided it was done. As opposed to having to workshop yourself with additional prompts to fix things.

It doesn't do it in one-shot on the GPU either. It feeds outputs back into inputs over and over. By the time you see tokens as an end-user, the clanker has already made a bunch of iterations.

ACCount37 6 hours ago | parent | prev | next [-]

If you aren't using LLMs for your reverse engineering tasks, you're missing out, big time. Claude kicks ass.

It's good at cleaning up decompiled code, at figuring out what functions do, at uncovering weird assembly tricks and more.

keepamovin 4 hours ago | parent | next [-]

The article is a useful resource for setting up automated flows, and Claude is great at assembly. Codex less so, Gemini is also good at assembly. Gemini will happily hand roll x86_64 bytecode. Codex appears optimized for more "mainstream" dev tasks, and excels at that. If only Gemini had a great agent...

skerit 4 hours ago | parent | prev | next [-]

I've been using Claude for months with Ghidra. It is simply amazing.

amelius 6 hours ago | parent | prev [-]

Makes sense because LLMs are quite good at translating between natural languages.

Anyway, we're reaching the point where documentation can be generated by LLMs and this is great news for developers.

saagarjha 4 hours ago | parent | next [-]

Documentation is one place where humans should have input. If an LLM can generate documentation, why would I want you to generate it when I can do so myself (probably with a better, newer model)?

simonw 3 hours ago | parent | next [-]

I definitely want documentation that a project expert has reviewed. I've found LLMs are fantastic at writing documentation about how something works, but they have a nasty tendency to take guesses at WHY - you'll get occasional sentences like "This improves the efficiency of the system".

I don't want invented rationales for changes, I want to know the actual reason a developer decided that the code should work that way.

ACCount37 3 hours ago | parent | prev | next [-]

That's great if those humans are around to have that input.

Not so much when you have a lot of code from 6 years ago, built around an obscure SDK, and you have to figure out how it works, and the documentation is both incredibly sparse and in Chinese.

amelius 2 hours ago | parent | prev [-]

Because it takes time and effort to write documentation.

If people __can__ actually read undocumented code with the help of LLMs, why do you need human-written documentation really?

james_marks 5 hours ago | parent | prev | next [-]

I stumbled across a fun trick this week. After making some API changes, I had CC “write a note to the FE team with the changes”.

I then pasted this to another CC instance running the FE app, and it made the counter part.

Yes, I could have CC running against both repos and sometimes do, but I often run separate instances when tasks are complex.

monsieurbanana 5 hours ago | parent | prev [-]

Maybe documentation meant for other llms to ingest. Their documentation is like their code, it might work, but I don't want to have to be the one to read it.

Although of course if you don't vibe document but instead just use them as a tool, with significant human input, then yes go ahead.

dunham 4 hours ago | parent [-]

Although with code it's implementing functions that don't exist yet and with documentation, it's describing functions that don't exist yet.

viraptor 38 minutes ago | parent | prev | next [-]

Yeah, it works great for porting as well. I tried it on the assembler sources of Prince of Persia for Apple ii and went from nothing to basics being playable (with a few bugs but still) on modern Mac with SDL graphics within a day.

knackers 8 days ago | parent | prev | next [-]

I've been experimenting with running Claude in headless mode + a continuous loop to decompile N64 functions and the results have been pretty incredible. (This is despite already using Claude in my decompilation workflow).

I hope that others find this similarly useful.

viraptor 43 minutes ago | parent | next [-]

One thing I find annoying in really old sources is that sometimes you can't go function by function, because the code will occasionally just use a random register to pass results. Passing the whole file works better at that point.

plastic-enjoyer 5 hours ago | parent | prev | next [-]

This sounds interesting! Do you have some good introduction to N64 decompilation? Would you recommend using Claude right from the start or rather try to get to know the ins and outs of N64 decomp?

garrettjoecox 6 hours ago | parent | prev | next [-]

What game are you working on?

wk_end 6 hours ago | parent [-]

Last sentence of the first paragraph says it’s Snowboard Kids 2.

rat9988 5 hours ago | parent [-]

In his defense, it is missing a "Tell HN"

dpkirchner 5 hours ago | parent [-]

And it isn't always obvious when the commenter is the submitter (no [S] tag like you see on other sites).

garrettjoecox 4 hours ago | parent [-]

whoops, I did indeed miss that this was OP

turnsout 5 hours ago | parent | prev [-]

This is super cool! I would be curious to see how Gemini 3 fares… I've found it to be even more effective than Opus 4.5 at technical analysis (in another domain).

sehugg an hour ago | parent | prev | next [-]

I ran Node with --print-opt-code and had Opus look at Turbofan's output. It was able to add comments to the JIT'ed code and give suggestions on how to improve the JavaScript for better optimization.

benmccann 2 hours ago | parent | prev | next [-]

I used Gemini to compare the minimized output of the Rollup vs Rolldown JavaScript bundlers to find locations where the latter was not yet at the same degree of optimization. It was astoundingly good and I'm not sure how I would have been able to accomplish the task without an LLM as an available tool.

butz 4 hours ago | parent | prev | next [-]

Are there any similar specialized decompilation LLM models available to be used locally?

DrNosferatu 3 hours ago | parent | prev | next [-]

More than an overview, a step by step tutorial on this would be awesome!

VikingCoder 4 hours ago | parent | prev | next [-]

I've been waiting for decompilation to show up in this space.

jamesbelchamber 5 hours ago | parent | prev [-]

This is a refreshingly practical demonstration of an LLM adding value. More of this please.