airbus-cert / yagi Goto Github PK

View Code? Open in Web Editor NEW

467.0 22.0 37.0 37.4 MB

Yet Another Ghidra Integration for IDA

License: Apache License 2.0

CMake 9.88% C++ 90.12%

reverse-engineering disassembler decompiler ida-plugin ghidra

yagi's Introduction

Yagi

Yet Another Ghidra Integration for IDA

Overview

Yagi intends to include the wonderful Ghidra decompiler into both IDA pro and IDA Free.

📦 You can download installers for Windows and Linux versions here, then press F3 and enjoy! 📦

Here is the list of architectures that Yagi can decompile at the moment:

Arch Names	Yagi
x86	✔️
x86_64	✔️
arm	✔️
aarch64(armv8)	✔️
powerpc	✔️
mips	✔️
sparc	✔️
avr8	✔️
6502	✔️
z80	✔️
eBPF	🐝✔️🐝
cp1600	❌
cr16	❌
dalvik	❌
jvm	❌
tricore	❌
riscv	❌
System Z	❌
xCore	❌
68000	❌

It's easy to add one if it's supported by Ghidra. Just open an issue, and we will do our best!

It allows you to edit the following items:

Global Symbol like function prototype, global variable, etc.
Local stack variables name and type
Local registry variables name and type

Key	Interact
Decompile	🖱️ Place cursor on function ⌨️ F3
Edit Type	⌨️ Y
Clear Type	⌨️ C
Edit Name	⌨️ N
Cross References	⌨️ X
Navigate	🖱️ Double Click on keyword

💾 Changes are save into IDA database 💾

Build

As Yagi is built using git submodules to handle Ghidra dependencies, you will first need to do a recursive clone:

git clone https://github.com/airbus-cert/Yagi --recursive

For Windows

Install Dependencies

As Ghidra uses bison and flex to parse the sleigh grammar, we need first to install build dependencies from here

You also need the IDA SDK associated with your version of IDA.

Cmake

Yagi's build system is based on cmake; you can find an MSI package here.

You need at least a Visual Studio compiler with C++ toolchain.

Production

To generate a Wix installer, you need to install WiX before.

Then, let the cmake magic happen:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ..\Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DCPACK_PACKAGE_INSTALL_DIRECTORY="IDA Pro 7.6"
cmake --build . --target package --config release

A new yagi-1.0.0-win64.msi will be generated. It will contain all the necessary dependencies to install the plugin.

Development

To create a dev environment you need to generate the Visual Studio solution:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ..\Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DBUILD_TESTS=ON

PATH_TO_IDA_SDK_ROOT_FOLDER represents the root path of the decompressed archive provided by Hex-Rays.

To launch unit tests, just use ctest installed with cmake:

cd tests
ctest -VV

For Linux

Install Dependencies

As Ghidra uses bison and flex to parse the sleigh grammar and Yagi is built using Cmake and C++, you will need the following:

apt install cmake c++ git flex bison yacc

Production

To generate an installer script:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ../Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER]
cmake --build . --target package --config release

This will produce a yagi-1.0.0-Linux.sh script. Then you just have to launch it:

./yagi-1.0.0-Linux.sh --prefix=[PATH_TO_IDA_INSTALL_FOLDER]
y
n

Enjoy!

Development

To generate a dev environment you need to generate the Makefile:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ../Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DBUILD_TESTS=ON -DCMAKE_BUILD_TYPE=Debug
make

To launch unit tests, just use ctest installed with cmake:

cd tests
ctest -VV

TODO

Handle enum types
Add rules to handle end function computation on AARCH64
Change constant type (key H, R)

Credits and references

Thanks Ghidra development team to open sources this master piece of software.

Thanks Hex-Ray teams to built a very extensible software.

yagi's People

Contributors

Stargazers

Watchers

yagi's Issues

8051 support

Hi!

Would be dope to have 8051 decompiler support. If you need me to provide example binaries, or anything, I'd be happy to help.

Thanks!

IDA free 8.2 build error - "needed by 'bin/yagi64.so'"

Hello!
After running the command "- cmake --build . --target package --config release" I get the error:
[ 87%] Building CXX object yagi/CMakeFiles/yagi64.dir/src/yagirule.cc.o
make[2]: *** No rule to make target '/home/vladimir/idafree-8.2/IdaSdk/idasdk_pro82/lib/x64_linux_gcc_64/libida64.so', needed by 'bin/yagi64.so'. Stop.
make[1]: *** [CMakeFiles/Makefile2:896: yagi/CMakeFiles/yagi64.dir/all] Error 2
make: *** [Makefile:156: all] Error 2
sdk -> www.upload.ee/files/14932885/_thesame82.tar.gz.html

CMakeOutput.log

Would you please add support for 16-bit x86 decompilation?

Since Ghidra supports it.
This would really help me out :)

[Yagi] ERROR : No sleigh specification for PowerPC:BE:16:default

This happens when Yagi is attempted to be used with a xex file from Xbox 360:

[Yagi] INFO :  load compiler with sleigh id : PowerPC:BE:16:default
[Yagi] ERROR :  No sleigh specification for PowerPC:BE:16:default

The file is loaded into IDA using this loader: https://github.com/emoose/idaxex

Would appreciate a fix since PowerPC is declared to be supported, so it's probably something simple, thanks in advance

EDIT:

Full output:

WARNING: Python 3 is not configured (Python3TargetDLL value is not set). Please run idapyswitch to select a Python 3 install.

  bytes   pages size description
--------- ----- ---- --------------------------------------------
112492544 13732 8192 allocating memory for b-tree...
103317504 12612 8192 allocating memory for virtual array...
   262144    32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
216072192            total memory allocated

Loading processor module C:\Program Files\IDA Pro 7.6\procs\ppc64.dll for PPC...Initializing processor module PPC...OK
Loading type libraries...
Autoanalysis subsystem has been initialized.
Database for file 'output.xex' has been loaded.
[Yagi] INFO :  load compiler with sleigh id : PowerPC:BE:16:default
[Yagi] ERROR :  No sleigh specification for PowerPC:BE:16:default
---------------------------------------------------------------------------------------------
Python 3.10.1 (tags/v3.10.1:2cd268a, Dec  6 2021, 19:10:37) [MSC v.1929 64 bit (AMD64)] 
IDAPython 64-bit v7.4.0 final (serial 0) (c) The IDAPython Team <[email protected]>
---------------------------------------------------------------------------------------------

IDA version: v7.6

Additional info from IDA View:

.rdata:82000600 Imports from xam.xex v2.0.21256.0 (minimum v2.0.16537.0)
.rdata:82000600
.rdata:82000600
.rdata:82000600 # Processor       : PPC
.rdata:82000600 # Target assembler: GNU Assembler
.rdata:82000600 # Byte sex        : Big endian
.rdata:82000600 # SIMD Instructions: VMX128
.rdata:82000600 # Processor Profile: Server
.rdata:82000600 # ABI              : sysv-hard_float
.rdata:82000600
.rdata:82000600 #include "ppc-asm.h"
.rdata:82000600 .set r1, 1; .set r2, 2
.rdata:82000600 .set lt, 0; .set gt, 1; .set eq, 2; .set so, 3

[Linux] Renaming variables makes Yagi window move

Starting from this:

After renaming a local variable, Yagi windows "jumps" out of the tabs:

Mac Builds

Hey!

Congrats on the awesome plugin and the hex-rays plugin contest entry!

It'd be awesome if we could get some prebuilt mac builds/mac support, assuming the plugin would support that :-)

plugin for x64dbg?

hi there, thanks for the nice job!
is there any possible to support Yagi for x64dbg? it's useful.
although x64dbg embedded a decompiler Snowman, however it's totally not working :(

Incorrect judgment of program architecture

ida_idp.info.is_32bit()
Out[14]: True

ida_idp.info.is_64bit()
Out[15]: True

For 64-bit programs, ida's two judgments both return true, so Yagi will judge the 64-bit program as 32-bit, which does not meet expectations。

auto mode = yagi::Compiler::Mode::M24;
if (inf_is_64bit())
{
    mode = yagi::Compiler::Mode::M64;
}
if (inf_is_16bit())
{
    mode = yagi::Compiler::Mode::M16;
}
if (inf_is_32bit_exactly())
{
    mode = yagi::Compiler::Mode::M32;
}

On Linux, Yagi fails to load processor definitions if the `Ghidra` folder is a symbolic link

With release 1.3.0, on Linux 64 bit, Yagi outputs [Yagi] ERROR : No sleigh specification for sparc:BE:32:default when the path ~/.idapro/plugins/Ghidra is a symbolic link to the real folder.

Things work correctly when Ghidra is copied to ~/.iidapro/plugins. This is confirmed by the following traces obtained with strace -f -e file ida file.idb:

Not working:

$ grep Ghidra test
193726 stat("/home/raph/.idapro/plugins/Ghidra", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
193726 stat("/home/raph/bin/ida76/plugins/Ghidra", 0x7ffd6fe45150) = -1 ENOENT (Aucun fichier ou dossier de ce type)

Working:

193522 stat("/home/raph/.idapro/plugins/Ghidra", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
193522 stat("/home/raph/bin/ida76/plugins/Ghidra", 0x7ffe7fcb41c0) = -1 ENOENT (Aucun fichier ou dossier de ce type)
193522 openat(AT_FDCWD, "/home/raph/.idapro/plugins/Ghidra/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
193522 openat(AT_FDCWD, "/home/raph/.idapro/plugins/Ghidra/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
193522 openat(AT_FDCWD, "/home/raph/.idapro/plugins/Ghidra/Processors/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16

one question related to the development of the ida plugin

In my plugin, I want to do something imediately after the completion of IDA initialization analysis.
So I found a function which named hook_to_notification_point, but it won't work.
Is there any other ways?

IDA Pro 7.3 Support

Hello there,
Thank you for this awesome plugin. I have tried this plugin on Linux IDA Pro 7.3 and got the error below:

dlopen(/<path>/idapro-7.3/plugins/yagi.so): /<path>/idapro-7.3/plugins/yagi.so: undefined symbol: get_struc_name
/<path>/idapro-7.3/plugins/yagi.so: can't load file

I hope you will add support to IDA Pro 7.3. Thank you very much

Yagi not supported for IDA interactive debugging

Hi there,

IDA allow users to analyze between static & debugging. however, Yagi use F7 as hotkey, it will let users cannot do single-step in dynamic mode. besides, Yagi is not stable and easy to crash in dynamic mode :(

avr8 decompiler

I saw you guys mentioned it might not be that hard to add another decompiler. Ghidra does have support for AVR8 (in particular I'm interested in the Xmega stuff). Is this somewhere in your pipeline? Thanks!

Crashes "ida.exe"

Tried running Yagi for IDA 7.6. 64 bit runs fine, but the 32bit target "ida.exe" will crash almost instantly, and without any sort of dialog/warning box.

Consider wrapping your IDA "run" in an a C or C++ exception handler.
It's what I do, great for development. With a msg() in the handler it will tell me my plugin crashed instead of crashing IDA (most of the time anyhow, could cause IDA to crash outside of our plugin space et al).

airbus-cert / yagi Goto Github PK

yagi's Introduction

Yagi

Overview

Build

For Windows

Install Dependencies

Cmake

Production

Development

For Linux

Install Dependencies

Production

Development

TODO

Credits and references

yagi's People

Contributors

Stargazers

Watchers

Forkers

yagi's Issues

Recommend Projects

Recommend Topics

Recommend Org

Jobs