LLM4Decompile: Decompiling Binary Code with LLM
Model performance & training
- Smaller 6B model reportedly outperforms a 33B one; commenters attribute this to undertraining of large models and sensitivity to data quality, LR schedules, etc.
- The decompiler model is fine-tuned from DeepSeek-Coder; from-scratch training is seen as infeasible given only ~4B tokens vs trillions for general LLMs.
- Rough hardware needs discussed: ~2GB VRAM for 1B params, ~14GB for 7B, ~80GB for 33B.
Comparison with GPT‑4 and other LLMs
- GPT‑4 does surprisingly well at decompilation despite no task‑specific training.
- It produces syntactically valid (recompilable) C more often than the specialized model but is worse on semantic correctness (re‑executability).
- People also report using GPT‑4/3.5 for deobfuscating JavaScript and beautifying code, with partial but not complete success.
Relation to traditional decompilers & reverse engineering
- Several note that modern native-code decompilers (IDA, Ghidra, Binja, rev.ng, etc.) are strong baselines and should be part of benchmarks, using prior metrics like gotos, cyclomatic complexity, and graph-edit distance.
- Some practitioners argue decompilation of complex binaries, especially hand‑written assembly or heavily optimized code, likely can’t be fully automatic; tools mainly amplify expert effort.
- Others point out compiler diversity, non‑determinism, and lack of bijection between binaries and source code as hard limits; exact round‑tripping is often impossible.
Evaluation, correctness, and “hallucinations”
- Project currently measures:
- Re‑compilability: does the generated C compile?
- Re‑executability: does the recompiled binary pass test cases?
- Re‑executability rates are low (≈10–15%), even when recompilability is much higher, underscoring semantic gaps.
- Debate over whether round‑tripping or identical binaries is a realistic metric; many stress test quality and fuzzing as more practical checks.
- Some propose formal verification: LLM outputs code plus a proof; a non‑LLM verifier checks equivalence. Others question feasibility and undecidability limits.
Use cases, scope, and future directions
- Suggested uses: aiding reverse engineering, security analysis, malware and obfuscated JS analysis, toolchain detection, lifting to intermediate representations (e.g., RzIL), and author attribution experiments.
- Many see LLMs as “copilots” layered on top of existing disassemblers/IRs rather than standalone decompilers.
- Dataset generation from open-source C (and possibly synthetic code) is seen as a key advantage of this research direction.