[ π π© π₯ ]
Decompiler!
Let's be honest, there is no reason to remember how to decompile stuff with the various tools available. Wouldn't it be nice to just decompile the $h*! out of things right off the fingertips in Visual Studio Code? Well, here we go:
This extension decompiles ...
- Binary executables for various platforms
- as supported by Ghidra; Windows PE, Linux ELF, IOS, etc..
- or IDAPro (Experimental, Windows Only for now)
- Java Jar archives and compiled Classes
- Android APK's
- Python
.pyc
and .pyo
- Ethereum/EVM based Smart Contracts
Just right-click β Decompile
on a supported executable and wait for the magic to happen.
The decompilation result is added to a temporary sub-workspace. You can right-click β Download
files to your local file-system right from the sub-workspace.
Have phun π
Tour
macOS
Windows (Ghidra vs. IDAPro)
Ethereum Smart Contract
Save the EVM
byte-code in a file with extension .evm
, then right-click β Decompile
.
Setup
Requirements: General
* Requires Java (11+) to be installed system-wide. Just install the latest JRE/JDK for your OS (e.g. OpenJDK, Oracle JDK).
* Other tools are bundled with the extension. Just make sure Java is available in your `PATH`.
Requirements: Binary executables (Ghidra / IDA Pro)
* Requires a working installation of [Ghidra](https://ghidra-sre.org/) (β Download) to decompile executables
* either available in `PATH` (like when you install it with `brew cask install ghidra` on os-x; or set-up manually)
* otherwise please specify the path to the executable `/support/analyzeHeadless` in `code β preferences β settings: vscode-decompiler.tool.ghidra.path` and make sure that the `analyzeHeadless` script runs without errors (and is not prompting for the JDK Home π€). Here's a sample Ghidra config for Windows:
![ghidraconf](https://user-images.githubusercontent.com/2865694/81807509-7dc76b00-951e-11ea-99d7-359bd624cce5.png)
* (Experimental; Windows Only) Optional a licensed version of [IDA Pro](https://www.hex-rays.com/products/decompiler/) with decompiler support.
* specify the path to the `idaw` executable in `code β preferences β settings: vscode-decompiler.tool.idaPro.path`, e.g. `c:\IDA68\idaw.exe`.
* set preference to `idaPro (experimental Windows Only)` in `code β preferences β settings: vscode-decompiler.default.decompiler.selected`.
* we'll automatically try to run 32 and 64bits `idaw` on the target application (preference on what executable is configured by you)
* If you're running `<= IDA Pro 6.6` and the normal IDA decompilation mode does not work you can try the set preference to `idaPro legacy hexx-plugin (experimental Windows Only)` in `code β preferences β settings: vscode-decompiler.default.decompiler.selected`. Note: Use this method only if the normal IDA Pro mode doesnt work. Caveat: `idaw*.exe` must not be in a path that contains spaces, ask @microsoft why π.
* You're using Ghidra? Great! Now please follow the [Ghidra installation guide](https://ghidra-sre.org/InstallationGuide.html#JavaNotes) (JAVA setup in particular). Make sure both `ghidraRun` and `support/analyzeHeadless` run without errors.
Requirements: Python
* Python decompilation requires `pip3 install uncompyle6` (see settings)
* specify the `uncompyle6` script location in `code β preferences β settings: vscode-decompiler.tool.uncompyle.path` or set to `uncompyle6` if it is available in `PATH`
Requirements: Smart Contracts (EVM byte-code)
* The pseudocode generator [panoramix](https://github.com/eveem-org/panoramix)/[eveem](https://www.eveem.org/) requires a working installation of `python3.8` or newer.
* specify the `python3.8` path in `code β preferences β settings: vscode-decompiler.tool.python38.path` (e.g. `/usr/local/opt/python@3.8/bin/python3.8` (macos/homebrew))
* make sure `pip` for `python3.8` is installed
* install `panoramix` dependencies: `$ /usr/local/opt/python@3.8/bin/python3.8 -m pip install coloredlogs requests web3 timeout_decorator `
* Note: Panoramix is run in local mode. EVM byte-code is **not** sent to eveem.org.
* It will attempt to download a function signature database on first load.
* It will cache files to `/.panoramix`.
* No Windows support :/ ([see this issue](https://github.com/eveem-org/panoramix/issues/19)).
Setting tool preferences
`code β preferences β settings:`
* Set default decompiler preference to `ghidra` (default) or `idaPro (experimental Windows Only)` (requires a licensed version of IDAPro + Decompiler)
* `vscode-decompiler.default.decompiler.selected`
* Set preference for java decompilation to JADX or JD-CLI (default)
* `vscode-decompiler.java.decompiler.selected`
* Set preference for android apk decompilation to dex2jar + jd-cli (slow) or JADx (default)
* `vscode-decompiler.apk.decompiler.selected"`
Troubleshooting & FAQ
(macOs) "macOs cannot verify the developer of 'decompiler' ...
- Follow the fix outline in https://support.apple.com/en-za/guide/mac-help/mh40616/mac.
- Verify that you've downloaded ghidra from the original website, verify checksums. Note: you're running an NSA tool on your computer, just saying.
- Open the
<ghidra-install-folder>/Ghidra/Features/Decompiler/os/osx64
in finder, Ctrl+mouseClick on decompile
β open
and confirm that you trust the application (you only need to do this one time).
(General) This thing failed with: {"code":1,"type":"single"}. What does this mean?
- Your tool (Ghidra/Ida/...) is not set up correctly and therefore execution failed. The path may be wrong, the tool may fail due ti an incorrect java configuration or the java version is incompatible. There are many ways this error can be provoked and it's in 99% of cases a misconfiguration of the tool or the environment it requires (e.g. java env vars, version, etc)
- code: is the tools exit code. we are expecting success (0) but a tool may return non-zero to indicate an error. Check the tools output to troubleshoot. code=1 means the tool retunred exitcode 1, indicating an error conditon.
- type: is how ths tool got executed. single or multi command. ignore this.
(Ghidra) Failed to run decompiliation command. Check your configuration. {"code":1,"type":"single"}
- make sure you're using a supported java version (e.g. win: jdk 14 is working, jdk 16 seems to be incompatible)
- make sure environment vars are set up correctly (ghida setup doc google: setting env vars)
JAVA_HOME
pointing to your jdk installation folder
PATH
including an en try pointing to $JAVA_HOME/bin
(win: %JAVA_HOME\bin
)
- make sure
ghidraRun
and support/analyzeHeadless
run without errors (you may have to follow the analyzeheadless documentation to provide meaningful parameters for this test)
- check out the ghidra application log in (windows)
c:\users\<yourname>\.ghidra\<.ghidraversion>\application.log
Note: always restart vscode after changing env vars for changes to take effect.
Credits
This extension wouldn't be possible without the smarties that are developing the following reverse-engineering tools:
Release Notes
see CHANGELOG