Let's be honest, there is no reason to remember how to decompile stuff with the various tools available. Wouldn't it be nice to just decompile the $h*! out of things right off the fingertips in Visual Studio Code? Well, here we go:
This extension decompiles ...
Binary executables for various platforms
as supported by Ghidra: Windows PE, Linux ELF, iOS, etc.
Just right-click → Decompile on a supported executable and wait for the magic to happen.
The decompilation result is added to a temporary sub-workspace. You can right-click → Download files to your local file-system right from the sub-workspace.
Have phun 🙌
Tour
macOS
Windows (Ghidra vs. IDAPro)
Ethereum Smart Contract
Save the EVM byte-code in a file with extension .evm, then right-click → Decompile.
Setup
Requirements: General
Requires Java (11+) to be installed system-wide. Just install the latest JRE/JDK for your OS (e.g. OpenJDK, Oracle JDK).
Other tools are bundled with the extension. Just make sure Java is available in your PATH.
Requirements: Binary executables (Ghidra / IDA Pro)
Requires a working installation of Ghidra (← Download) to decompile executables
either available in PATH (as when you install it with brew cask install ghidra on macOS, or set it up manually)
otherwise please specify the path to the executable <ghidra>/support/analyzeHeadless in code → preferences → settings: vscode-decompiler.tool.ghidra.path and make sure that the analyzeHeadless script runs without errors (and is not prompting for the JDK Home 🤓). Here's a sample Ghidra config for Windows:
(Experimental; Windows only) Optionally, a licensed version of IDA Pro with decompiler support.
specify the path to the idaw executable in code → preferences → settings: vscode-decompiler.tool.idaPro.path, e.g. c:\IDA68\idaw.exe.
set preference to idaPro (experimental Windows Only) in code → preferences → settings: vscode-decompiler.default.decompiler.selected.
We'll automatically try to run both the 32-bit and 64-bit idaw on the target application (preferring whichever executable you configured).
If you're running IDA Pro 6.6 or older and the normal IDA decompilation mode does not work, you can try setting the preference to idaPro legacy hexx-plugin (experimental Windows Only) in code → preferences → settings: vscode-decompiler.default.decompiler.selected. Note: Use this method only if the normal IDA Pro mode doesn't work. Caveat: idaw*.exe must not be in a path that contains spaces, ask @microsoft why 😉.
Requirements: Python
Python decompilation requires pip3 install uncompyle6 (see settings)
specify the uncompyle6 script location in code → preferences → settings: vscode-decompiler.tool.uncompyle.path or set to uncompyle6 if it is available in PATH
Requirements: Smart Contracts (EVM byte-code)
The pseudocode generator panoramix/eveem requires a working installation of python3.8 or newer.
specify the python3.8 path in code → preferences → settings: vscode-decompiler.tool.python38.path (e.g. /usr/local/opt/python@3.8/bin/python3.8 (macos/homebrew))
Verify that you've downloaded Ghidra from the original website and verify the checksums. Note: you're running an NSA tool on your computer, just saying.
Open <ghidra-install-folder>/Ghidra/Features/Decompiler/os/osx64 in Finder, Ctrl+click on decompile → open (you only need to do this one time).
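The Java (11+) requirement and the checksum advice above can be checked in one pass before pointing the extension at Ghidra. The script below is an added example, not part of the extension; its function names are hypothetical, and the archive path and published SHA-256 are values you supply yourself from the Ghidra download page.

```shell
#!/bin/sh
# Added example: pre-flight checks for the external tools the extension calls.

# Print the major Java version found in a `java -version` banner.
# Handles the legacy "1.8.0_281" scheme (major 8) and the modern "11.0.2" / "17" scheme.
java_major() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$ver" ] || return 1
  case "$ver" in
    1.*) ver=${ver#1.} ;;
  esac
  major=${ver%%[!0-9]*}
  [ -n "$major" ] || return 1
  printf '%s\n' "$major"
}

# Print the SHA-256 of a file using whichever tool the OS ships.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1   # macOS
  fi
}

# Succeed only if the file's digest equals the published one (case-insensitive).
verify_sha256() {
  [ -f "$1" ] || return 2
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "${#want}" -eq 64 ] || return 2   # reject empty or truncated digests
  [ "$(sha256_of "$1")" = "$want" ]
}

# Usage: preflight <ghidra-archive> <published-sha256> [path to analyzeHeadless]
preflight() {
  major=$(java_major "$(java -version 2>&1)") || { echo "java not found in PATH"; return 1; }
  [ "$major" -ge 11 ] || { echo "Java $major found, 11+ required"; return 1; }
  verify_sha256 "$1" "$2" || { echo "checksum mismatch or unreadable: $1"; return 1; }
  tool=${3:-analyzeHeadless}
  command -v "$tool" >/dev/null 2>&1 || { echo "analyzeHeadless not found: $tool"; return 1; }
  echo "ok: Java $major, archive verified, $tool present"
}

# Run the checks only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Pass the third argument when analyzeHeadless is not in PATH, using the same path you set in vscode-decompiler.tool.ghidra.path.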
Credits
This extension wouldn't be possible without the smarties that are developing the following reverse-engineering tools: