mikea/ghidra-scripts

Ghidra Decompilation Scripts

Standalone Python scripts for decompiling binaries using Ghidra via pyghidra.

Setup

  1. Install Ghidra (version 12.0 or later) from https://github.com/NationalSecurityAgency/ghidra/releases

  2. Set environment variable (optional but recommended):

    export GHIDRA_INSTALL_DIR=/path/to/ghidra

  3. Install uv (if not already installed):

    curl -LsSf https://astral.sh/uv/install.sh | sh

Usage

The script uses uv's inline script dependencies, so no separate installation is needed!

Decompile a binary

Basic usage:

    ./decompile.py <binary_path> <output_file> [function_filter]

Arguments:

  • binary_path - Path to the binary file to decompile
  • output_file - Path to the output C file
  • function_filter - (Optional) Only decompile functions containing this substring in their name or labels

Examples:

Decompile all functions:

    ./decompile.py /bin/ls decompiled_ls.c

Decompile only functions matching "coroPow2":

    ./decompile.py ./async-bench output.c coroPow2

Decompile only benchmark functions (starting with "bm_"):

    ./decompile.py ./async-bench output.c "bm_"

This will:

  • Automatically install dependencies on first run (pyghidra)
  • Analyze the binary with Ghidra
  • Decompile matching functions (or all if no filter)
  • Write the decompiled C code with detailed metadata to the output file

Function Information Included

Each decompiled function includes:

  • Function name and demangled name (for C++)
  • Additional entry point labels
  • Entry point address
  • Function signature and calling convention
  • Parameter and local variable counts
  • Function type flags (Thunk, External, Inline)
  • Cross-references (XREF) showing where the function is called from

Notes

  • Dependencies are automatically managed by uv using inline script metadata
  • First run may take longer as uv installs dependencies and Ghidra analyzes the binary
  • Set GHIDRA_INSTALL_DIR environment variable if pyghidra can't find your Ghidra installation
  • Requires Python 3.9 or later
