JP application 2026-046620 (claims 11 / 14d — legacy-language coverage including native binary reverse direction)

SlimeASM-rev — Linux ELF x86_64 binary → ASM + C reverse transpiler

Recover NASM and C sources from a tag-less native ELF, bit-exact.

Convert source-lost / vendor-lost Linux x86_64 native binaries from banking, defense and embedded systems back into both NASM intel source and C source, bit-exact. The emitted NASM is re-assembled with nasm + ld; the emitted C is compiled with gcc -O0 -nostdlib -static; both produce real native ELFs that, when run, reproduce the original binary's stdout byte-for-byte — the strictest round-trip axis we know how to write.

Phase A: ELF64 minimal parser + x86_64 instruction decoder (integer hot-loop subset, ~14 patterns) + NASM intel emitter + straight-line C emitter
Phase B entry: CFG recovery (Cooper-Harvey-Kennedy iterative dominator + Aho/Sethi natural loop body) + structured C (do { ... } while (R[1] != 0); + if/else diamond)
Phase B (b): function-boundary recovery (prologue/epilogue + call/ret + self-recursion). Each function emits as its own C function, call → C call, ret → return;
Phase B (d): inter-procedural Slot IR — function = Slot node, call graph lifted as first-class IR edges, deterministic JSON round-trip; self-recursion expressed naturally
S9 bench: Linux ELF 8 axes 200/200 + Windows PE32+ 8 axes 152/152 = 352/352 PASS combined (2026-05-19), ELF 25 samples (NASM 8 + gcc -O0 -nostdlib -static 17) + PE 19 samples (msvcrt + kernel32 unified) including recursive fact(4) = 24, 2D matrix nested loops, struct field offsets, SIB-byte indexing, and the first libc-linked PE binary (msvcrt!puts) — both ASM and C round-trips green on both OSes
Phase D — Windows PE32+ x86_64 support: PECOFF v8.3 parser + DLL import resolution (IAT slot → function name) + Win64 ABI (rcx/rdx/r8/r9 + shadow space [rsp+0x20]) + WinAPI recipe table. The same 8-axis round-trip audit that proved out on Linux ELF now applies to Microsoft legacy .exe / .dll

A reverse transpiler for “source-lost native binaries” in Linux x86_64 banking and defense systems, built on deterministic translation + 8-axis round-trip auto-regression + audit chain.
SlimeNENC family's first reverse-direction product, paired with the existing forward family (COBOL / HLASM / MASM / MUMPS / PL/I / RPG / FORTRAN / Natural).

Reverse PoC / Request Materials →

Key measurements (2026-05-19)

352 / 352

combined (Linux ELF + Windows PE32+) × all 8 S9 axes
= ALL AXES PASS (44 samples)

200 / 200

Linux ELF 25 samples × all 8 axes
= NASM-hand 8 + gcc -O0 17

152 / 152

Windows PE32+ 19 samples × all 8 axes
= msvcrt + kernel32 unified, recursion + libc-linked included

2 OS × 2 paths

native binary regeneration
Linux (NASM/ld + GCC) + Windows (NASM/mingw + GCC), all real-machine verified

function = Slot node

inter-procedural Slot IR
unified ELF/PE schema, call graph as first-class edge, self-recursion native

~37 opcodes

x86_64 instruction coverage
SIB / movzx / movsx / cdqe / movsxd / shl-shr-sar / and-or — shared Linux/Windows

Market context — where source-lost native binaries live

Banks (Linux x86_64)	During modernization projects, native ELF / .so libraries with no source and no surviving maintenance vendor. Heirloom / Astadia focus on mainframe HLASM and do not target Linux native binaries.
Defense / aerospace	Closed binaries (embedded Linux ELF / instrumentation daemons) frozen for 10-30 years. The originating vendor cannot supply source, but a C-source recovery with audit chain is required.
Embedded / medical devices	FDA / PMDA / IEC 62304 obligate "complete software description". Binary-only components must be lifted to C as auditor-reproducible documentation.
Legacy documentation	"Working but untouchable" daemons must be lifted to C so static analysis, SBOM and CVE auditing can apply.
Competitive landscape	Ghidra (NSA OSS) / IDA Pro / Hex-Rays / RetDec already exist. SlimeASM-rev differentiates on three axes: (1) determinism + 8-axis round-trip auto-regression proves "lossless" via the bench harness; (2) single unified IR (Slot IR) across Linux ELF and Windows PE32+ enables cross-OS audit pipelines; (3) decompile output compiles directly with gcc/mingw and runs with stdout matching the original — Hex-Rays produces static C but does not guarantee build + run round-trip.

S9 bench — all 8 axes: Linux ELF 200/200 + Windows PE32+ 152/152 = 352/352 PASS

The same S9 bench harness validates Linux ELF and Windows PE32+ at bit-level. The x86_64 instruction decoder built in Phase B (~37 opcodes) is shared across both OSes; only the container layer (PE32+ parser, DLL import resolution, Win64 ABI) differs.

Linux ELF — 25 samples breakdown

Axis 1a dialect-detect	Tokenizer recognises ELF magic + ELFCLASS64 + EM_X86_64 (e_machine = 0x3E). 25/25 PASS.
Axis 1b opcode-recover	All 1,397 .text instructions across 25 samples (NASM 177 + gcc 1,220) decoded — `db 0xNN` fallback count = 0. 25/25 PASS.
Axis 2 mutation-detect	1-bit flip in .text, 5 trials × 25 samples = 125 trials, 125/125 detected. Disasm output must differ — invariant.
Axis 3 determinism	NASM emit twice, byte-equal across all 25 samples. 25/25 PASS.
Axis 4 ASM round-trip	emit NASM → nasm + ld → run → original stdout match. The strictest axis: two real native binaries (original + ours) executed and compared. 25/25 PASS, including recursive fact(4) = 24, 2D matrix nested loops, struct field offsets and SIB-byte array indexing.
Axis 5 C round-trip	emit C → gcc -O0 -nostdlib -static → run → original stdout match. Straight-line PC dispatch + byte-addressable STACK[] modelling call/ret/push/pop is bit-faithful. 25/25 PASS.
Axis 6 structured-C round-trip	CFG-recovered structured C (do-while + if/else + per-function + call → C call + ret → return;) → gcc → run → match. 25/25 PASS (nested loops included).
Axis 7 Slot IR round-trip	SlotImage → JSON → SlotImage → structural equality + JSON byte-equal double check. Function = Slot node and the call graph are preserved completely. 25/25 PASS.

Windows PE32+ — 19 samples breakdown (same 8 axes, bit-level)

Axis 1a PE dialect-detect	DOS magic "MZ" + PE signature "PE\0\0" + COFF Machine=`0x8664` (IMAGE_FILE_MACHINE_AMD64) + Optional Header Magic=`0x20B` (PE32+) + Subsystem=`3` (CONSOLE) validated at bit-level. 19/19 PASS.
Axis 1b opcode-recover	Every instruction within .text (VirtualSize-limited live region) decoded — `db 0xNN` fallback count = 0. 19/19 PASS.
Axis 2 mutation-detect	1-bit flip in .text, 5 trials × 19 samples = 95 trials, 95/95 detected.
Axis 3 determinism	Same .exe disassembled twice → byte-equal across all 19 samples. 19/19 PASS.
Axis 4 ASM round-trip	emit NASM → nasm -fwin64 → mingw-link (-lmsvcrt -lkernel32) → real .exe → WSL2 binfmt execute → stdout matches original. IAT references are emitted as `extern __imp_FUNC` so the linker regenerates the PE import table. 19/19 PASS.
Axis 5 C round-trip	emit C → mingw-gcc -nostdlib -e _start → real .exe → stdout matches original. The IAT-indirect call `mov reg, qword [rip+iat]; call reg` is collapsed by a peephole into a synthetic `call_iat <FUNC>` and expanded to a direct kernel32 / msvcrt call with Win64 ABI arguments pulled from rcx/rdx/r8/r9 / `[rsp+0x20]`. 19/19 PASS.
Axis 6 structured-C round-trip	CFG-recovered structured C (do-while + if/else + per-function) → mingw → run → match. 19/19 PASS, including recursive fact(4) = 24.
Axis 7 Slot IR round-trip	The PE32+ binary is lifted into the same Slot IR schema used for ELF. SlotFunctions, call graph edges and structural equality all round-trip. 19/19 PASS, with 06_call_simple (2fn/1call) / 07_two_funcs (3fn/2call) / 08_recursion (2fn/2call, self-loop) reconstructing call graphs identical to their Linux counterparts.

PE32+ specific layer (Phase D)

PECOFF v8.3 parserDOS header (64B, magic MZ + e_lfanew @ 0x3C) → PE signature (4B) → COFF header (20B, Machine=0x8664 required) → Optional Header (PE32+ 240B, Magic=0x20B required) → Section Table parsed at bit-level. VirtualSize bounds the live .text region.
DLL import resolutionDataDirectory[1] Import Table walked: _IMAGE_IMPORT_DESCRIPTOR array + INT/IAT thunk array (8B, ordinal flag = bit 63) + Hint/Name table. Each IAT slot VA resolves to DLL!function. e.g. 0x140003070 → msvcrt.dll!puts.
IAT-call peepholeThe two-instruction pair mov reg, qword [rip+iat]; call reg that gcc -O0 + MinGW emits is folded into a single synthetic call_iat <FUNC> and lowered to a direct C call via Win64 ABI.
Win64 ABI recipeArgument slots: rcx (R[1]) / rdx (R[2]) / r8 (R[8]) / r9 (R[9]) / 5th at mem_r(R[4]+0x20, 8). String arguments (LPCSTR) are reconstructed by reading the virtual VA byte-by-byte via mem_r into a local buffer before passing to the real kernel.
WinAPI recipe table (extensible)Current 5 functions — kernel32: GetStdHandle / WriteFile / ExitProcess / lstrlenA, msvcrt: puts. Adding a new API is a 3-step procedure (PROLOGUE dllimport declaration + recipe table entry + link command -l<dll>); the decoder, CFG and Slot IR layers stay untouched.
trailing thunk trimThe jmp qword [rip+iat] thunk table at the .text tail is excluded from the SlotImage (no spurious functions). The linker regenerates a fresh thunk table at re-link time.

Sample inventory (44 binaries total) — Linux ELF 25 + Windows PE32+ 19

Beyond the 8 hand-written NASM samples (research PoC), 17 real-world C sources built with gcc -O0 -nostdlib -static for Linux and 19 PE32+ .exe built with x86_64-w64-mingw32-gcc -nostdlib -e _start for Windows are now bench-locked at every axis. Coverage includes array indexing (SIB byte), signed/unsigned extension (movsx / movzx / movsxd / cdq / cdqe), bit operations (shl / shr / sar / and / or), nested loops, 2D arrays, struct field offsets, recursion and the first libc-linked PE binaries (msvcrt!puts, kernel32!lstrlenA). SSE2-4 (XMM floating point) is next.

NASM-source 8 (research PoC, hand-written integer hot-loop subset)

01 hello	Syscall write of `"Hello, ELF!\n"`. Smallest ELF: 1 BB / 8 instructions.
02 arith	17 + 25 = 42 printed as 2 ASCII digits. Exercises idiv, add al, mov [rip+disp], etc.
03 loop	`loop sum_loop` for 1+2+3+4+5 = 15. CFG has a back edge; structured C recovers as `do { ... } while (R[1] != 0);`.
04 branch	`cmp + jge` diamond. Structured C recovers as `if (cond) { ... } else { ... }` meeting at a common join BB.
05 compute	`imul rax, rbx` for 6 × 7 = 42.
06 call_simple	`_start → do_print`. Prologue (push rbp; mov rbp, rsp) + epilogue (pop rbp; ret) recognised as function boundary and split into independent C functions.
07 two_funcs	3 functions (`_start → add_two + print_dec`). Two inter-procedural call graph edges.
08 recursion	factorial(4) = 24 via self-recursion. Call graph carries a self-loop edge (`fact → fact`); push rbx / pop rbx caller-saved spill is preserved bit-faithfully via STK[].

gcc -O0 -nostdlib -static 17 (production target, real-world C sources)

01 hello (gcc)	Freestanding C printing `"Hello, gcc -O0!\n"`. 35 instructions; byte-addressable `STACK[65536]` + entry_pc fix make `call sys3` + `call sys_exit` bit-faithful.
02 arith (gcc)	17 + 25 = 42. True signed-division path via `cqo` + `idiv`, memory-destination arithmetic such as `add [rbp-disp], rax`. 69 instructions.
03 loop (gcc)	For-loop computing 1+2+3+4+5 = 15. Loop header uses `cmp [rbp-disp], imm` + `jle rel8`; counter update is `add [rbp-disp], 1`. 71 instructions.
04 branch (gcc)	`if (x >= 5)` branch. Full function epilogue including `mov QWORD PTR [rbp-disp], imm` and `leave`. 46 instructions.
05 compute (gcc)	6 × 7 = 42 with 2-op `imul`; multiple syscall calls. 68 instructions.
06 call_simple (gcc)	_start calls `static void do_print(void)` then sys_exit. Three-function boundary recovery (sys3 / sys_exit / do_print). 41 instructions.
07 two_funcs (gcc)	Helpers `add_two() + print_dec()`. Call graph has 5 function nodes; inter-procedural argument passing via rdi is bit-faithful. 84 instructions.
08 recursion (gcc)	C-written `fact(4) = 24` recursion. Self-loop edge detected in the call graph, matching the hand-written NASM version. 85 instructions.
09 array_sum (gcc)	`arr[5] = {3,5,7,9,11}` sum → `SUM=35`. SIB byte `mov rax, [rax*8+0x402000]` for indexed array access. 72 instructions.
10 strlen (gcc)	Hand-written strlen on `"Hello, World!\n"` → `LEN=14`. movzx eax, BYTE PTR [rax] (zero-extend) + test al, al driven null-terminator loop. 81 instructions.
11 signed_array (gcc)	Signed-char array `{-3, 5, -8, 12, 4}` sum → `SUM=10`. movsx rax, al (sign-extend) and signed arithmetic. 74 instructions.
12 int_index (gcc)	`int i` array loop + 3-digit print → `SUM=150`. cdqe (eax→rax sign-extend) + 32-bit op variants emitted by gcc -O0 for `int` locals (`mov DWORD PTR` / `cmp DWORD PTR` / ...). 89 instructions.
13 bitshift (gcc)	`32 << 3 = 256, >> 1 = 128` → `VAL=128`. shl / shr / sar (REX.W C1 /N imm8, D1 /N 1-bit). 86 instructions.
14 bitmask (gcc)	`0xFF12 & 0xFF = 18` → `RES=18`. and r/m64, imm8 (REX.W 83 /4 sign-ext imm8) bit-masking. 65 instructions.
15 stride (gcc)	Stride access `arr[i3]` sum → `STR=35`. i3 lowering** (gcc -O0 expands as `mov rax,i; add rax,rax; add rax,i`) combined with SIB indexed load. 72 instructions.
16 matrix (gcc)	3×4 matrix sum via nested loop → `MAT=78`. 2D array + nested CFG. `lea rdx, [rax*4+0x0]` (SIB-form lea) computes the row offset. 85 instructions.
17 struct (gcc)	Array-of-struct `pts[3] = {{10,20},{30,40},{50,60}}` field sum → `PT=210`. SIB + displacement for field offsets (`pts[i].x` / `pts[i].y`). 107 instructions.

Windows PE32+ 19 samples (mingw-gcc -O0 -nostdlib -e _start)

C sources functionally equivalent to the Linux ELF 17 plus two libc-linked specifics, built with x86_64-w64-mingw32-gcc into PE32+ .exe and bench-tested under the same 8 axes. The IAT-indirect call (mov rax, qword [rip+iat]; call rax) is folded by a peephole into call_iat <FUNC> and lowered to direct kernel32 / msvcrt calls via the Win64 ABI. stdout verified by direct execution under WSL2 binfmt.

01 hello (PE)	GetStdHandle + WriteFile + ExitProcess → `Hello, PE!`. Minimal IAT of 3 functions via Win64 ABI.
02 arith (PE)	17+25 = 42 written as 2 ASCII digits via WriteFile → `SUM=42`. `cqo + idiv rsi` for true signed division.
03 loop (PE)	For-loop computing 1+2+3+4+5 = 15 → `SUM=15`. `cmp DWORD PTR + jle` loop body + WriteFile.
04 branch (PE)	`if (x >= 5)` branch with x=7 → `big`. Both arms WriteFile a distinct string and converge on a common join.
05 compute (PE)	6 × 7 = 42 → `PROD=42`. 2-op `imul rax, rbx` + idiv.
06 call_simple (PE)	`_start → do_print(handle)`. Win64 rcx passing + nested WriteFile.
07 two_funcs (PE)	`add_two() + print_dec(handle, val)`. SlotImage carries 3 function nodes and 2 inter-procedural edges.
08 recursion (PE)	factorial(4) = 24 via self-recursion → `FACT=24`. Call graph carries a `fact → fact` self-loop; callee-saved state preserved via Win64 shadow space at `[rsp+0x20]`.
09 array_sum (PE)	`arr[5] = {3,5,7,9,11}` sum → `SUM=35`. SIB byte `mov rax, [rax*8+0x140002000]` for indexed access.
10 strlen (PE)	Hand-written strlen on `"Hello, World!\n"` → `LEN=14`. movzx eax, BYTE PTR [rax] + test al, al null-terminator loop.
11 signed_array (PE)	Signed-char array `{-3, 5, -8, 12, 4}` sum → `SUM=10`. movsx rax, al + signed arithmetic.
12 int_index (PE)	`int i` array loop + 3-digit print → `SUM=150`. cdqe + 32-bit op variants + dual divmod (100 / 10).
13 bitshift (PE)	`32 << 3 = 256, >> 1 = 128` → `VAL=128`. shl/sar r32 (32-bit op variants included).
14 bitmask (PE)	`0xFF12 & 0xFF = 18` → `RES=18`. and r/m64, imm8 bit-masking.
15 stride (PE)	Stride access `arr[i3]` sum → `STR=35`. `add + add` expansion for i3 + SIB load.
16 matrix (PE)	3×4 matrix nested-loop sum → `MAT=78`. 2D array + nested CFG; `lea rdx, [rax*4+0x0]` (SIB-form lea) for row offset.
17 struct (PE)	Array-of-struct `pts[3] = {{10,20},{30,40},{50,60}}` field sum → `PT=210`. SIB + displacement field offsets.
18 msvcrt_puts (PE)	First libc-linked sample. `msvcrt!puts("Hello, msvcrt!")` + `kernel32!ExitProcess` → `Hello, msvcrt!`. Demonstrates the design's scalability to DLL imports beyond kernel32.
19 lstrlenA (PE)	`kernel32!lstrlenA("Hello, libc!")` measures length 12, then `msvcrt!puts` prints as two digits → `LEN=12`. Two DLLs (kernel32 + msvcrt) imported from a single binary.

Translation example 1 — loop recovered as structured do-while (sample 03)

The original NASM uses loop sum_loop to compute 1+2+3+4+5. The CFG carries a back edge; SlimeASM-rev recognises a natural loop body of one BB whose terminator is a `loop` instruction, and recovers structured C as do { ... } while (R[1] != 0); — no goto:

; Original NASM (sample 03, loop region)
        xor     rax, rax
        mov     rcx, 5
sum_loop:
        add     rax, rcx
        loop    sum_loop            ; dec rcx; jnz sum_loop

// SlimeASM-rev recovered C (structured)
R[0] = R[0] ^ R[0];                  // xor rax, rax
R[1] = 0x5;                          // mov rcx, 5
do {
    R[0] = R[0] + R[1];              // add rax, rcx
    /* e2 fb  loop sum_loop (terminator absorbed) */
    R[1] = R[1] - 1;
} while (R[1] != 0);

Cooper-Harvey-Kennedy iterative dominator detects the back edge; Aho/Sethi natural-loop body analysis collapses the self-loop to a single BB; the structured emitter then renders the whole loop as do-while.

Translation example 2 — branch recovered as structured if/else (sample 04)

The original NASM uses cmp + jge; both arms reconverge at a common join BB. SlimeASM-rev recognises cond BB + 2 succs reconverging at a single join and recovers structured C as if (cond) { ... } else { ... }:

; Original NASM (sample 04, branch region)
        mov     rax, 7
        cmp     rax, 5
        jge     is_big
        ; small branch
        ... write "small\n" ...
        jmp     done
is_big:
        ... write "big\n" ...
done:
        ... exit ...

// SlimeASM-rev recovered C (structured, both arms join)
R[0] = 0x7;                          // mov rax, 7
{ int64_t _diff = (int64_t)R[0] - (int64_t)5;
  ZF = (_diff == 0); SF = (_diff < 0); }
OF = 0;
/* 7d 1a  jge is_big (terminator absorbed) */
if (SF == OF) {                      // jge condition
    /* big arm */
    ... write "big\n" ...
} else {
    /* small arm */
    ... write "small\n" ...
}
/* done: common join BB → exit */

The diamond is detected via intra-function dominator + post-dominator agreement; the unconditional jmp at the end of the taken arm is absorbed by the structured form, leaving plain C if/else with no goto.

Translation example 3 — per-function + self-recursion showcase (sample 08)

factorial(4) = 24 via self-recursion, 6 BBs in one function. The CFG is neither a clean loop nor a join-converging diamond (each branch arm terminates with its own ret), so the structured C still carries goto BB_xxxx; labels. We include it as a showcase of function-boundary recovery + call → C call + ret → return; + caller-saved spill (push rbx / pop rbx) preserved bit-faithfully via STK[] + self-recursion:

; Original NASM (sample 08, fact function)
fact:
        push    rbp
        mov     rbp, rsp
        cmp     rbx, 1
        jg      recurse
        mov     rax, 1               ; base: 1! = 1
        pop     rbp
        ret
recurse:
        push    rbx                  ; spill rbx across recursive call
        sub     rbx, 1
        call    fact                 ; rax := (rbx-1)!
        pop     rbx                  ; restore rbx
        imul    rax, rbx             ; rax := rbx * (rbx-1)!
        pop     rbp
        ret

// SlimeASM-rev recovered C (per-function, self-recursion, caller-saved spill)
static void func_401060(void) {           // fact()
  BB_401060:;
    STK[--RSP_IDX] = R[5];               // push rbp
    R[5] = R[4];                         // mov rbp, rsp
    /* cmp rbx, 1 */
    if (ZF == 0 && SF == OF) goto BB_401071;  // jg recurse
  BB_40106a:;
    R[0] = 1;                            // mov rax, 1
    R[5] = STK[RSP_IDX++];               // pop rbp
    return;                              // ret → C return
  BB_401071:;
    STK[--RSP_IDX] = R[3];               // push rbx
    R[3] -= 1;                           // sub rbx, 1
    func_401060();                       // call fact → C function call (self-recursion)
    R[3] = STK[RSP_IDX++];               // pop rbx
    R[0] = R[0] * R[3];                  // imul rax, rbx
    R[5] = STK[RSP_IDX++];               // pop rbp
    return;
}

Compiling this with gcc -O0 -nostdlib -static and running yields the same stdout (FACT=24) as the original ELF — Axis 6 structured-C round-trip PASS. The remaining goto labels (cond BB + each arm an independent ret) will be eliminated by the multi-BB loop / tail-duplication extensions in later Phase B work.

Function = Slot node, call graph as first-class IR (Phase B (d))

The same SlimeNENC-family Slot IR (Core64 + Ext32 fixed-bit, claim 11) applied in reverse: each function becomes a SlotFunction node, and call edges are first-class IR (a list of callee names per function). Self-recursion is naturally a self-loop edge:

sample	functions	call edges
01-05 (linear)	1	0
06 call_simple	2	1 (`_start → func_40100f`)
07 two_funcs	3	2 (`_start → func_401014`, `_start → func_401027`)
08 recursion	2	2 (`_start → func_401060`, `func_401060 → func_401060`)

The full SlotImage encodes/decodes via deterministic JSON (Axis 7 round-trip), so call graphs and function structure can flow into external toolchains (audit DBs, SBOM, static analysis) without information loss.

Audit fitness (finance / defense / medical-device)

Bit-exactSame ELF input → same sha256 NASM/C output. CFG / function boundaries / instruction stream all fully deterministic.
Native ELF round-tripEmitted NASM re-assembled via nasm + ld; emitted C compiled via gcc -nostdlib; two real native ELFs executed and stdout compared with the original. Not simulation — real-machine verification.
Mutation detection1-bit flip in .text always changes disasm. Linux 25 × 5 = 125/125 + Windows 19 × 5 = 95/95 detected — tampering is immediately visible.
DeterminismSame ELF disassembled + emitted twice → byte-equal per sample. Stable across parallel and GPU execution.
Slot IR auditFunction = Slot node + call graph persisted as deterministic JSON. Joins SBOM / audit DB pipelines as a structured artifact.
Build-time LLMLLM only at decoder-rule construction time. Runtime is deterministic rule-based — aligned with bank / defense audit requirements.

Supported instructions (Linux/Windows shared, integer + memory subset, ~37 patterns)

Data movement	`mov reg/mem, imm/reg` (B8+r / 89 /r / 8B /r / C7 /0 / 88 /r, both 64-bit and 32-bit) / `mov r32, imm32` (B8+r, no REX.W) / `movzx r32/64, r/m8` (0F B6 /r, zero-extend) / `movsx r32/64, r/m8` (0F BE /r, sign-extend) / `lea r64, m` (8D /r, SIB / [reg+disp] / [rip+disp] all forms) / `nop` (90) / `leave` (C9)
Arithmetic	`add r/m, r` (01 /r, reg + mem-dst, 64/32-bit) / `add r/m, imm8` (83 /0, reg + mem-dst, 64/32-bit) / `add rax, imm32` (REX.W 05 imm32) / `sub r/m, r` (29 /r, 64/32-bit) / `sub r/m, imm8` (83 /5) / `imul r, r/m` (REX.W 0F AF, reg + mem-src) + 32-bit (no REX.W) / 1-op `imul r/m64` (REX.W F7 /5, signed 128-bit product in RDX:RAX) / `idiv r/m` (F7 /7, 64/32-bit) / `cqo` (REX.W 99, sign-extend rax→rdx:rax) / `cdqe` (REX.W 98, sign-extend eax→rax) / `cdq` (99 no REX.W, sign-extend eax→edx:eax) / `movsxd r64, r/m32` (REX.W 63 /r, 32→64 sign-extend)
Logic	`and / or / xor r/m64, r64` (21 /r, 09 /r, 31 /r, reg + mem-dst) / `and r/m, imm8` (83 /4), `or r/m, imm8` (83 /1); `xor reg, reg` idiom recognised as zero-init
Bit shifts	`shl / shr / sar r/m, imm8` (C1 /4/5/7 imm8, 64/32-bit) / `shl / shr / sar r/m, 1` (D1 /N, 64/32-bit)
Compare / test	`cmp r/m64, r64` (39 /r, 64/32-bit) / `cmp r/m, imm8` (83 /7, reg + mem-dst) / `test r/m8, r8` (84 /r) / `test r/m32/64, r32/64` (85 /r)
Branch	`Jcc rel8` (70-7F: je/jne/jge/jg/jl/jle/jb/jae/jbe/ja/js/jns/...) / `Jcc rel32` (0F 80-8F) / `jmp rel8/32` (EB/E9) / `loop rel8` (E2)
Call / stack	`call rel32` (E8) / `ret` (C3) / `push/pop r64` (50-5F) / `push imm` (6A/68)
System	Linux: `syscall` (0F 05) — sys_write (rax=1) / sys_exit (rax=60) recognised by heuristic. Windows: IAT-indirect call (`mov rax, qword [rip+iat]; call rax`) folded by peephole into `call_iat <FUNC>`, then lowered to a direct WinAPI call via Win64 ABI (rcx/rdx/r8/r9 + [rsp+0x20]).
Control flow (indirect)	`call r/m64` (FF /2 reg + mem) / `jmp r/m64` (FF /4 reg + mem) / `inc / dec / push r/m64` (FF /0/1/6) / `leave` (C9) / multi-byte NOP (0F 1F /0)
Memory operands	`[reg]` / `[reg+disp8]` / `[reg+disp32]` / `[rip+disp32]` / *`[base+indexscale+disp]`** (SIB byte, scale=1/2/4/8, REX.X index extension) — full coverage of `[rbp-disp]` local-variable access, `[rax*8+disp]` array indexing, and Win64 shadow space `[rsp+0x20]`.

Next-phase additions: printf / malloc / PLT/GOT dynamic linking, SSE2 / SSE4 (XMM + floating-point), 3-op imul r64, r/m64, imm32 (0x69 /r, common at -O2 and above), movabs r64, imm64 (REX.W B8+r imm64, 64-bit absolute). Combined Linux ELF 25 × 8 = 200/200 + Windows PE32+ 19 × 8 = 152/152 = 352/352 PASS (2026-05-19) is the foundation for the ongoing expansion.

License model

Charged	WASM/WASI converter tool (developer side)
Not charged	The produced NASM / C sources (customer asset, perpetual deployment)
Method	Ed25519 144B signed license + 3-hop air-gap activation (finance / defense audit ready)
Parallelization (PSDP)	Not included. See the independent PSDP SKU under SlimeNENC.

Related materials

Technical overviewSlimeNENC Technical Overview (reverse-direction ASM/C chapter being prepared)
Patent applicationJP application 2026-046620 v15b, claims 11 / 14d, target legacy-language dialect handling for COBOL / MUMPS / PL/I / RPG / assembler / native binary reverse direction.
Sister product (forward pair)SlimeASM (HLASM + Win x64 MASM forward) — together they cover both directions of the native-code surface.
Sister products (Slot IR shared)SlimeCOBOL / SlimePL/I / SlimeRPG / SlimeMUMPS share the Slot IR (Core64 + Ext32 fixed-bit).
BenchmarksS9 bench harness (8 axes), Linux asm_rev_to/s9_bench/bench.py + Windows pe_rev_to/s9_bench/bench.py auto-regress 44 samples × 8 axes = 352/352 combined (Linux 25 + Windows 19, ~37 opcodes, Slot IR unified schema).

Reverse PoC / Request Materials Back to SlimeNENC family SlimeASM (forward pair) SlimeCOBOL