A professional-grade multi-architecture disassembler and decompiler written entirely in Rust. No external disassembler libraries - every instruction decoder, binary parser, and analysis pass is implemented from scratch.
| Feature | IDA Pro | Ghidra | Binary Ninja | hexray |
|---|---|---|---|---|
| Formats | ||||
| ELF / Mach-O / PE | ✅ | ✅ | ✅ | ✅ |
| DWARF Debug Info | ✅ | ✅ | ✅ | ✅ |
| Architectures | ||||
| x86_64 (incl. AVX-512) | ✅ | ✅ | ✅ | ✅ |
| ARM64 (incl. SVE/SVE2) | ✅ | ✅ | ✅ | ✅ |
| RISC-V (RV32/64 + extensions) | ✅ | ✅ | ✅ | ✅ |
| Analysis | ||||
| CFG / Call Graph | ✅ | ✅ | ✅ | ✅ |
| SSA-based Decompiler | ✅ | ✅ | ✅ | ✅ |
| Type Inference | ✅ | ✅ | ✅ | ✅ |
| Data Flow Queries | ✅ | ✅ | ✅ | ✅ |
| Function Signatures | ✅ | ✅ | ✅ | ✅ |
| Static Emulation | ✅ | ✅ | ✅ | ✅ |
| Interactive Sessions | ✅ | ✅ | ✅ | ✅ |
| Unique to hexray | ||||
| 100% Rust | ❌ | ❌ | ❌ | ✅ |
| No Dependencies* | ❌ | ❌ | ❌ | ✅ |
| Single Binary CLI | ❌ | ❌ | ❌ | ✅ |
| Open Source | ❌ | ✅ | ❌ | ✅ |
*No capstone, no LLVM, no external disassemblers - pure Rust from the ground up.
Every component is hand-written in Rust for full transparency and hackability:
- Instruction decoders: x86_64 (1500+ opcodes), ARM64 (NEON, SVE, crypto), RISC-V (RV32/64IMAC)
- Binary parsers: ELF, Mach-O (including fat/universal), PE/COFF
- Debug info: Full DWARF4 parser with line numbers and variable names
- Analysis: CFG, SSA, data flow, type inference, decompilation
- Full VEX prefix decoding (SSE, AVX, AVX2, FMA)
- EVEX/AVX-512 with masking and broadcast
- BMI1/BMI2 bit manipulation (PDEP, PEXT, etc.)
- AES-NI and SHA extensions
- NEON SIMD (128-bit vectors)
- SVE/SVE2 scalable vectors (Z0-Z31, P0-P15)
- Crypto extensions (AES, SHA, SM4)
- Atomics (LDXR/STXR, CAS, LDADD, SWP)
- SSA-based intermediate representation
- Control flow structuring (if/else, while, do-while, for, switch)
- Short-circuit boolean optimization (
a && b,a || b) - Compound assignment detection (
x += 1) - Array and struct field access recovery
- Constant propagation and dead code elimination
- Data flow queries: Trace values forward/backward through code
- Function signatures: FLIRT-like pattern matching for library identification
- Type libraries: C type definitions for POSIX, Linux, macOS
- Static emulation: Resolve indirect jumps and virtual calls
- Cross-references: Code and data xref database
- Persistent REPL: SQLite-backed sessions with command history
- Annotations: Rename functions/variables, add comments, bookmarks
- Session management: Detach and resume sessions later
- Binary verification: SHA256 hash ensures session matches binary
git clone https://github.com/zoratu/hexray.git
cd hexray
cargo build --release
# Binary at target/release/hexray# Show binary info
hexray ./binary info
# List functions
hexray ./binary symbols --functions
# Disassemble a function
hexray ./binary -s main
# Decompile to pseudo-code
hexray ./binary decompile main
# Show control flow graph
hexray ./binary cfg main
# Cross-references
hexray ./binary xrefs 0x401000
# Detected strings
hexray ./binary strings
# Compare two binaries (incremental analysis)
hexray diff original.bin patched.bin --json
# Interactive session (persistent annotations)
hexray session new ./binary --output project.hrp
hexray session resume project.hrpvoid process_input(char *input)
{
int len = strlen(input);
if (len > 0 && input[0] != '#') {
for (int i = 0; i < len; i++) {
buffer[i] = input[i] ^ 0x42;
}
send_data(buffer, len);
}
}0x00401000 push rbp
0x00401001 mov rbp, rsp
0x00401004 sub rsp, 0x20
0x00401008 mov qword ptr [rbp-0x8], rdi
0x0040100c mov rax, qword ptr [rbp-0x8]
0x00401010 mov rdi, rax
0x00401013 call strlen
| Architecture | Disassembly | Decompilation | Extensions |
|---|---|---|---|
| x86_64 | ✅ | ✅ | SSE, AVX, AVX-512, BMI, AES-NI, SHA |
| ARM64 | ✅ | ✅ | NEON, SVE/SVE2, Crypto, Atomics |
| RISC-V 64 | ✅ | ✅ | M, A, C extensions |
| RISC-V 32 | ✅ | ✅ | M, A, C extensions |
| Format | Parsing | Symbols | Debug Info |
|---|---|---|---|
| ELF | ✅ | ✅ | DWARF |
| Mach-O | ✅ | ✅ | DWARF |
| Fat/Universal | ✅ | ✅ | DWARF |
| PE/COFF | ✅ | ✅ | - |
hexray/
├── crates/
│ ├── hexray/ # CLI application
│ ├── hexray-core/ # Core types (Instruction, CFG, etc.)
│ ├── hexray-formats/ # ELF, Mach-O, PE parsers + DWARF
│ ├── hexray-disasm/ # Instruction decoders
│ ├── hexray-analysis/ # CFG, SSA, decompiler, data flow
│ ├── hexray-demangle/ # C++/Rust symbol demangling
│ ├── hexray-signatures/ # Function signature matching
│ ├── hexray-types/ # C type libraries
│ └── hexray-emulate/ # Static emulation engine
├── fuzz/ # Fuzz testing targets
└── docs/ # Architecture documentation
- Architecture Overview - Crate structure and data flow
- Decompiler Guide - Decompilation pipeline details
- Supported Instructions - Complete instruction reference
- Testing Infrastructure - Ground truth benchmarks, test fixtures, fuzzing
- Performance and Determinism - Parallelism knobs and stable benchmark workflow
- Performance Tuning Guide - Fast/medium/full tier usage and benchmark stability
- Module Dependency Diagrams - Crate and analysis-layer dependency maps
- Tutorials - Getting started, API usage, incremental workflow, and extension guide
- API Examples - Analysis cache, incremental analysis, C++/EH/devirtualization examples
- Architecture Decision Records - Decision log for CI/process and architecture choices
- Development Roadmap - Feature status and plans
# Run tests (1300+ tests across all crates)
cargo test --workspace
# Tiered local CI (hook-aligned)
scripts/ci-local --tier fast
scripts/ci-local --tier medium
scripts/ci-local --tier full
scripts/ci-local --tier full --perf # optional deterministic perf gate
# Fast decompiler control-flow quality smoke (fixture-backed)
scripts/quality-smoke
# Run with debug output
RUST_LOG=debug cargo run -- ./binary decompile main
# Run benchmarks
cargo bench --workspace
# Benchmark regression testing
./scripts/bench-regression.sh baseline # Save baseline
./scripts/bench-regression.sh compare # Compare to baseline
# Fuzz testing (decoders, parsers, and decompiler)
cd fuzz && cargo +nightly fuzz run x86_64_decoder
cd fuzz && cargo +nightly fuzz run decompiler
# Run all fuzzers via Docker
cd fuzz && ./run-fuzzers.sh --hours 2The decompiler includes a benchmark suite with 20+ test patterns validated against expected output:
# Run decompiler regression tests
cargo test --package hexray --test decompiler_regression
# Multi-language test fixtures available in tests/fixtures/
# C, C++, Rust, D, Go, Swift patterns for cross-compiler validationFor reliable performance comparisons, run benchmarks locally on consistent hardware:
# Save baseline (e.g., before changes)
cargo bench --workspace -- --save-baseline main
# Make changes, then compare
cargo bench --workspace -- --save-baseline pr
# Compare results (install with: cargo install critcmp)
critcmp main pr
# Deterministic benchmark workflow helper
scripts/bench-deterministic --main-label main --change-label pr --jobs 8 --test-threads 1See /Volumes/OWC 1M2/Users/isaiah/src/hexray/docs/PERFORMANCE.md for deterministic benchmark and parallelism guidance.
- Reverse Engineering: Analyze malware, understand proprietary software
- Security Research: Vulnerability discovery, exploit development
- CTF Competitions: Quick binary analysis with scriptable CLI
- Education: Learn how disassemblers and decompilers work
- Tooling Integration: JSON output for programmatic analysis
GNU GPLv3
Built to deeply understand binary analysis from first principles:
- Instruction set architectures and encoding formats
- Binary file formats and linking
- Control flow analysis and decompilation theory
- Data flow analysis and type recovery