Getting errors trying to decompile with IDA Pro 6.6

[b0-ones]

Edit: The solution provided works for Ghidra. Still having Problems getting IDA Pro to run.

Hi, I cant get the Extension to decompile any file. With both ghidra and IDA Pro I get different errors while trying to decompile calc.exe for example. Both Programs work on their own if I try to decompile the binary. Tried both 32 and 64 bit versions of IDA Pro.

Ghidra:

IDA Pro:

Can you help me with what the errors mean?

If I work from within ghidra/IDA Gui I can sucessfully produce .c-files. Would be cool to do this right inside VS Code. Any advice?

Thank you!

Additional Info:

Ghidra: 9.1.2 PUBLIC IDA Pro: 6.6 Java: AdoptOpenJDK - jdk-11.0.3.7-hotspot

[tintinweb]

Hey @b0-ones,

Can you move ghidra to a path that does not contain a space like "Program Files" for a second and try again? I kind of suspect node's subprocess module doesn't like that.

Please let me know if that fixes the problem. I'll check out if there are any known issues with node and spaces in path's in the meantime.

[b0-ones]

Hello, that worked for Ghidra putting it in a Folder without spaces :)

How can I do that with IDA? Reinstall again in a different Location?

Edit: Putting IDA under C:\temp\IDA_6.6 didnt work for me with the same error.

Can you give me a commandline for idaw.exe which I could test if things working on that side?

Sth. like a commandline which would decompile my 64bit calc.exe under the location C:\temp\IDA_6.6\test\calc.exe to calc.cpp? Or do you know what else I could do?

[tintinweb]

That node subprocess module is a mess when it comes to spaces in the path or args..

• Ghidra
  • ❌ win64 - space in path to ghidra; space in target filename
  • ✔️ win64 - space in path to ghidra; no space in target filename
  • ✔️ win64 - no space in path to ghidra; no space in target filename
  • ✔️ win64 - no space in path to ghidra; space in target filename
  • ✔️ macos - space in path to ghidra; space in target filename
  • ✔️ macos - space in path to ghidra; no space in target filename
  • ✔️ macos - no space in path to ghidra; no space in target filename
  • ✔️ macos - no space in path to ghidra; space in target filename
• Ida Pro
  • ❌ win64 - space in path to ida; space in target filename
  • ❌ win64 - space in path to ida; no space in target filename
  • ✔️ win64 - no space in path to ida; no space in target filename
  • ✔️ win64 - no space in path to ida; space in target filename

looking into a generic solution to fix this nodejs mess...

//Note: you should be able to workaround this by making "idaw" "analyzeHeadless" available in PATH and configure "idaw" and "analyzeHeadless" as the commands (restart vscode if you just added both files to path). and make sure there is no space in the target file.

[b0-ones]

That command worked without an error and produced a calc.cpp file:

..\idaw64.exe -A -Ohexx64:-new:calc.cpp:ALL "calc.exe"

But somehow I cant get it working with VS Code and this path:

C:\temp\IDA_6.6\test\calc.exe

and the binary in C:\temp\IDA_6.6\idaw.exe / idaw64.exe

I made "idaw" available in PATH and restartet vscode but still get this error:

[tintinweb]

the error code 1 is actually what is returned by idaw. I therefore guess that it is not compatible with the script I am using (tested under 6.8). I can however add a fallback for this version.

any chance you can provide the usage of idaw for your version? (basically this: https://www.hex-rays.com/products/ida/support/idadoc/417.shtml)

[b0-ones]

it seems idaw64.exe -? (Version 6.6) produces the (nearly?) same output as:

https://www.hex-rays.com/products/ida/support/idadoc/417.shtml

Edit: Maybe its a Problem with my python installation:

[tintinweb]

@b0-ones

yeah, looks like the decompiler python script does not seem to be compatible with your version. Added a couple of fixes and an experimental ida6.6 mode. Would you be able to test that?

[tintinweb]

@b0-ones, here's a debug package that

• fixes the "spaces in path" problem
• fixes mixed line-endings when decompiling with ghidra on windows
• disables readonly on the decompiled sources
• adds a new default decompiler that should work with your version (it currently prints the cmdline as a warning box for you to verify). Let me know if that works.

the debug package is too large to be pasted here, therefore, please download https://wsi.li/LSXRVm2umBWHlV -> unzip -> check md5 (below) -> rename .png to .vsix -> code --install-extension vscode-decompiler-0.0.5-0.0.6-debug-ida.vsix

• try out the extension with ghidra in "Progam Files" or any folder that contains spaces
• try out the idea 6.6 legacy hexx plugin mode. Note: that I cannot test this mode as I don't have idea 6.6

MD5 (vscode-decompiler-0.0.5-0.0.6-debug-ida.vsix.png) = ba2b1933e609d242b50a9548a29a3a5a

[b0-ones]

I installed that .vsix, but I dont get the third option (legacy). Its also not in the package.json of that .vsix.

Maybe you gave me the wrong version?

Edit: checked the MD5 - its the same: BA2B1933E609D242B50A9548A29A3A5A

Edit: With this .vsix installed, Ghidra can run out of a path with spaces - that works.

Edit: I still get the same error with IDA. I just added the third option in the package.json and then I am able to pick it, but the error stays the same.

Edit: Still get this, if i try to decompile with: "vscode-decompiler.tool.idaPro.path": "C:\temp\IDA_6.6\idaw64.exe"

(it currently prints the cmdline as a warning box for you to verify)

I somehow am unable to find that output, only get the error window

[tintinweb]

oh, if the warning msg doesn't pop up you're def. at an older version. let's try once again @b0-ones :)

repackaged -> https://wsi.li/m1GxTFPbFQII81 MD5 (vscode-decompiler-0.0.5-debug-test.vsix) = 5684e26e9c532d93e74ccc2cbd516f86

[b0-ones]

Now thats better. I can see the debug information. I think there is a little error. There is no "-" infront of the "O".

But if I try this command in console it doesnt produce a cpp-file (I created the AppData-Folder): idaw64.exe -A -B -M Ohexx64:-new:C:\Users\Username\AppData\Local\Temp\tmp-6708-nhWuA0sjeb61\calc.exe.cpp:ALL "c:\temp\IDA_6.6\test\calc.exe"

If I do it manually and omit the "-B" and the "-M" and add "-" infront of "O" it still does not work.

What works is, if I dont give idaw64.exe the path to save the file, but instead let it save to the folder I am running the command in e.g. I am in folder "C:\temp" and do that command, I get the cpp-file in that folder (C:\temp\calc.exe.cpp):

idaw64.exe -A -Ohexx64:-new:calc.exe.cpp:ALL "c:\temp\IDA_6.6\test\calc.exe"

So maybe we need to pass the path to save the cpp-file somehow differently, so that it takes the path argument? But I didnt get it working till now to give that path-argument. I cant see the error of idaw64, the window closes so fast, I dont know how to pause it and see what it complains about...

Edit: With the "-M" flag it still works:

idaw64.exe -A -M -Ohexx64:-new:calc.exe.cpp:ALL "c:\temp\IDA_6.6\test\calc.exe"

If I add the "-B" flag no more cpp-file is created...

Edit: I found nothing about passing a path to the hexx64 plugin, only this site: http://www.hexacorn.com/blog/2019/0/page/32/ Maybe its only possible to create the new file in the path where it is running?

[tintinweb]

give it a shot @b0-ones (uninstall the prevs. debug version first):

• Note: This method does not support IDA being in a path that contains spaces 🤷, no non-hacky way around that.

https://wsi.li/9PRfM1Rw1oTetK MD5 (vscode-decompiler-0.0.6.vsix) = b9946a2dda65f30225ed1790c7e2ee87

for reference, the changeset is in https://github.com/tintinweb/vscode-decompiler/pull/10

//PS. seems to work with ida 6.8 as well but is less reliable, produces db files in the target binary location (which is undesirable), may hang if db files are locked, ...

[tintinweb]

fixed & released. v0.0.6

[b0-ones]

fixed & released. v0.0.6

thank you :)