JEB Decompiler for S7 PLC

The "Siemens S7 PLC Decompiler" extension for JEB allows reverse engineers and security auditors to analyze Industrial Control Systems code.

At a glance.

Coupled with the power of JEB 2.3, our S7 PLC decompiler provides the following unmatched features:

  • Parse and explore opaque Siemens S7 PLC binary blobs.
  • Disassemble MC7 programs.
  • Decompile to C source code.
  • Perform static analysis of PLC code.

Step7 PLC Code Decompilation Diagram

Features.

Perform precise and robust decompilation of Siemens MC7 code.

Siemens PLC programs can be written in low-level STL (Statement List), mid-level SCL (Structured Control Language), or in higher-level LAD (Ladder Logic) diagrams. Regardless of the input source type, the PLC program is compiled to MC7 machine code (an even lower-level representation of STL) and packed into an opaque binary blob that contains the block data elements, metadata description, and machine code. That block is then uploaded to an S7 PLC.

Our decompiler can parse such blocks:

  • The metadata (e.g., timestamps, authoring information, etc.) is extracted;
  • The block data structures are parsed;
  • Most importantly, the MC7 machine code is disassembled and decompiled to pseudo C code.

That last step is crucial when it comes to analyzing unknown and/or large PLC code, for example for black-box auditing or research purposes. Instead of navigating thousands of obscure, undocumented lines of MC7 or STL code, the reverse engineer can now navigate and massage C code.

Step7 PLC Code Decompilation in JEB

Annotate and refactor your analysis.

A crucial requirement to make the analysis of unknown code as easy as possible is to provide a flexible output.

JEB allows the user to:

  • Comment the disassembled code and the decompiled pseudo C code;
  • Rename variables and routines, since they are anonymous after a decompilation phase;
  • Navigate cross-references of code and data.

Leverage the JEB API to automate reverse engineering tasks.

Using Java or Python, users can write their own scripts and plugins to automate some tasks of the reverse engineering process. For example, the analyst may want to look for specific code patterns; they may want to rename methods or find relationships between areas of code automatically.

Our API also allows power users to perform advanced static analysis on the code, for example to track register and data usage, which can be used to determine unwanted code conditions or potential bugs.

Team.

The S7 Decompiler is developed by Nicolas Falliere and his team.

Back in 2010-2011, Falliere spent countless hours reversing the Stuxnet malware. He fully analyzed the malicious code that infected Step-7 400 PLCs to thwart Iranian centrifuges, and was the first to publish a detailed description of the attack sequence.