The ReOxide project

The National Security Agency developed Ghidra to analyze a wide range of compiled code, spanning different architectures and operating systems. When they released it as an open source project, security researchers could, for the first time, work with high-quality decompiled code without having to rely on expensive commercial tools. They also kept extensibility in mind when designing Ghidra, making it possible to change many parts through their Java and Python API. Unfortunately, this does not include the decompiler, which they distribute as a separate program written in C++.

ReOxide tries to solve this. In the beginning, we wanted to improve the experience when decompiling Rust binaries. We quickly found ourselves writing algorithms that the Ghidra decompiler should already have, but from the Java side we do not see the intermediate results. Adding our own transforms with Java would also mean parsing the abstract syntax tree (AST) or C code, transforming it and generating C code again. Instead, we can write our transforms as part of the decompiler directly, but then we cannot easily distribute them as a script or extension.

ReOxide wraps the Ghidra decompiler to do exactly that. It replaces the decompiler binary with its own version. This version hooks into the creation of the decompilation pipeline and allows changing it at runtime. Whenever Ghidra spawns a new decompiler process, it connects to the ReOxide pipeline manager and retrieves the list of currently loaded rules and actions. You can write new rules and actions as a C++ plugin that you can distribute as a shared library. The project has the following main goals:

  • Make it easier to hack on the Ghidra decompiler
  • Allow dynamically selecting the best rules for a binary

Ghidra has brought immense value to open source reverse engineering. By making people more familiar with the Ghidra decompiler internals, we hope to keep Ghidra competitive against commercial solutions offering similar features, for example Binary Ninja's intermediate representation rewriting.