The unexpected effectiveness of one-shot decompilation with Claude

Snowboard Kids 2 was a great N64 game. It was one of a number of racing titles inspired by Mario Kart, but the snowboarding added a bit of a different feel. The battle items were clever, and the stages were really well made given the technical limitations they faced. As a kid with two brothers, we played a lot of competitive multiplayer.

I also remember a few things in the singleplayer being very difficult. The number of times I had to fight/race Dameian in his giant robot running down the mountainside... It's carved into my brain like that footrace against Wizpig in DKR or the Donkey Kong arcade game for the Rareware coin in DK64.

The battle items in Snowboard Kids were clever and memorable. The parachute missile that would launch racers up in the air and then deploy the parachute so they slowly float back down was such a frustrating item to be hit with. The pans that would hit all opponents was iconic and it was hilarious that you could somehow doge it with invisibility. Even the basic rock dropped on the course was somehow memorable.

Great game. It's heartwarming to know that others still remember it and care about it.

We've been using LLMs for security research (finding vulnerabilities in ML frameworks) and the pattern is similar - it's surprisingly good at the systematic parts (pattern recognition, code flow analysis) when you give it specific constraints and clear success criteria.

The interesting part: the model consistently underestimates its own speed. We built a complete bug bounty submission pipeline - target research, vulnerability scanning, POC development - in hours when it estimated days. The '10 attempts' heuristic resonates - there's definitely a point where iteration stops being productive.

For decompilation specifically, the 1M context window helps enormously. We can feed entire codebases and ask 'trace this user input to potential sinks' which would be tedious manually. Not perfect, but genuinely useful when combined with human validation.

The key seems to be: narrow scope + clear validation criteria + iterative refinement. Same as this decompilation work.

I'd like to see this given a bit more structure, honestly. What occurs to me is constraining the grammar for LLM inference to ensure valid C89 (or close-to, as much can be checked without compilation), then perhaps experimentally switching to a permuter once/if a certain threshold is reached for accuracy of the decompiled function.

Eventually some or many of these attempts would, of course, fail, and require programmer intervention, but I suspect we might be surprised how far it could go.

In decompilation "matching" means you found a function block in the machine code, wrote some C, then confirmed that the C produces the exact same binary machine code once it is compiled.

They had access to the same C compiler used by Nintendo in 1999? And the register allocation on a MIPS CPU is repeatable enough to get an exact match? That's impressive.

Why not follow decompilation like ghidra does, rather than guess, compile, compare? It seems more sensible to actually decompile.

helpful

Agree with this. I'm a software engineer that has mostly not had to manage memory for most of my career.

I asked Opus how hard it would be to port the script extender for Baldurs Gate 3 from Windows to the native Linux Build. It outlined that it would be very difficult for someone without reverse engineering experience, and correctly pointed out they are using different compilers, so it's not a simple mapping exercise. It's recommendation was not to try unless I was a Ghrida master and had lots of time in my hands.

Are they not performing well because they are trained to be more generic, or is the task too complex? It seems like a cheap problem to fine-tune.

"one-shot" usually just means, one example and its correct answer was provided in the prompt.

See also, "zero-shot" / "few-shot" etc.

I definitely didn't expect one-shot to mean "let it run itself in an indefinite loop"

One shot just means one prompt. What Claude decides to do during that prompt is up to it.

Meh, the main idea of one-shot is that you prompted it once and got a good impl when it decided it was done. As opposed to having to workshop yourself with additional prompts to fix things.

It doesn't do it in one-shot on the GPU either. It feeds outputs back into inputs over and over. By the time you see tokens as an end-user, the clanker has already made a bunch of iterations.

I'd enjoy watching. A new category of eSports.

It would be "source available", if anything, not "open source".

> An open-source license is a type of license for computer software and other products that allows the source code, blueprint or design to be used, modified or shared (with or without modification) under defined terms and conditions.

https://en.wikipedia.org/wiki/Open_source

Companies have been really abusing what open source means- claiming something is "open source" cause they share the code and then having a license that says you can't use any part of it in any way.

Similarly if you ever use that software or depending on where you downloaded it from, you might have agreed not to decompile or read the source code. Using that code is a gamble.

I wonder when you're never going to run expensive software on your own CPU.

It'll either all be in the cloud, so you never run the code...

Or it'll be on a chip, in a hermetically sealed usb drive, that you plug in to your computer.

If progress continues, someday it'll be possible to generate the source code for any binary and make a native port to any other platform. Some companies might be upset, but it'll be a huge boon for game and software preservation.

That's definitely a possible future abstraction and one are about the future of technology I'm excited about.

First we get to tackle all of the small ideas and side projects we haven't had time to prioritize.

Then, we start taking ownership of all of the software systems that we interact with on a daily basis; hacking in modifications and reverse engineering protocols to suit our needs.

Finally our own interaction with software becomes entirely boutique: operating systems, firmware, user interfaces that we have directed ourselves to suit our individual tastes.

That runs into copyright issues. As someone who does a reasonable amount of decompilation, I wouldn’t ever use an LLM. It falls too close to mechanical transformation territory which is not protected, fair use.

Obviously others aren’t concerned or don’t live in jurisdictions where that would be an issue.

When the decompilation like that is trivial, so is recreation without decompilation. It implies the LLM know exactly how thins work.

Surely then people start using LLMs to obfuscate compiled source to the point that another LLM can’t deobfuscate it. I imagine it’s always easier to make something messy than clean. Something like a rule of thermodynamics or something :)

Though, that’s only for actively developer software. I can imagine a great future where all retro games are now source available.

This day will arrive.

And it will be great for retro game preservation.

Having more integrated tools and tutorials on this would be awesome.

Yes, I believe it will. What I predict will happen is that most commercial software will be hosted and provided through "trusted" platforms with limited access, making reverse engineering impossible.

Would some sparks fly when easy decompile of MSOffice and Photoshop are available, I wonder.

This deserves a discussion

One thing I don't annoying in really old sources is that sometimes you can't go function by function, because the code will occasionally just use a random register to pass results. Passing the whole file works better at that point.

This sounds interesting! Do you have some good introduction to N64 decompiliation? Would you recommend using Claude right from the start or rather try to get to know the ins and outs of N64 decomp?

This is super cool! I would be curious to see how Gemini 3 fares… I've found it to be even more effective than Opus 4.5 at technical analysis (in another domain).

Thanks, this is very cool! I've started to dip my toes into this and it's good to see it has potential.

What game are you working on?

The article is a useful resource for setting up automated flows, and Claude is great at assembly. Codex less so, Gemini is also good at assembly. Gemini will happily hand roll x86_64 bytecode. Codex appears optimized for more "mainstream" dev tasks, and excels at that. If only Gemini had a great agent...

I've been using Claude for months with Ghidra. It is simply amazing.

Makes sense because LLMs are quite good at translating between natural languages.

Anyway, we're reaching the point where documentation can be generated by LLMs and this is great news for developers.

If it is so good at it where are all those decompilation projects?

Im a encryption noob. Less than a noob. But something I've been wondering about is how can homomorphic computing be opaque/unencryptable?

If you are able to monitor what happens to encrypted data being processed by an LLM, could you not match that with the same patterns created by unencrypted data?

Real simple example, let's say I have a program that sums numbers. One sends the data to an LLM or w/e unencrypted, the other encrypted.

Wouldn't the same part of the LLM/compute machine "light up" so to speak?

I can also make a port of Prince of Persia, and faster than a LLM:

https://github.com/NagyD/SDLPoP

That's impressive. Did you convert POP from 6502 to C?

It wouldn't fit most of the current LLM cloud providers narrative about privacy and copyright either, so, not sure they would be as cooperative with a prosecutor as they are today with lawmakers and right holders.

Have you ever tried to get a game developer to open source a game? And a Japanese one at that?

Even if they were willing to (they're not) and if they still have the code (they don't), it will contain proprietary code from Nintendo and you'll never get your hands on that (legally)