For years, Rust binaries made reversing a nightmare. Modern decompilers only support C, lacking meaningful types, constructs, and language-specific functions. Led by @34r7hm4n, we're releasing our S&P work Oxidizer, the first deep Rust decompiler, built on angr!
Interested? ๐งต๐
You can get access to it now! It's available directly on angr main, and can be accessed through the command line:
`pip install angr && angr decompile FakeCrypt-stripped --functions 0x455300 --rust`
The Rust-specific decompiler code is also open source:
https://github.com/sefcom/oxidizer
But, this work is more than just a tool, and it is fundamentally different from Rust plugins for decompilers that you have experience with in Ghidra, IDA, or even Binary Ninja's Rust-like output.
We measure that in our corresponding IEEE S&P 2026 paper:
https://www.zionbasque.com/files/papers/oxidizer_sp26.pdf
So what makes it different? To decompile a new language, you need to go deep into the decompiler. Simply transforming C into Rust after the decompilation process is incredibly lossy and guessy!
You lose information needed to make decisions on Rust types and control flow!
When does this happen? Uses of specific control flow constructs (`?`), inlining, calling convention changes, and even Rust struct-type recovery (which is also guessy!)
All of this, and more, can be found in our paper!
@mahaloz the chemistry dude in me says "No! Not oxidizer! It's reducer!!!"
Steel mill = use carbon to reduce iron oxide (rust) to iron
Oxidization = bind oxygen to a molecule
Reduction = remove oxygen from a molecule
@mahaloz Adding some alt text to the two images: a comparison of rust code. Both images show the source of a Rust binary, decompiled. The first is the result of Oxidizer (angr), the second one is the result of IDA pro.
Oxidizer (angr) can reconstruct struct types, in IDA pro it's all just __int64.
(Disclaimer: not too much into Rust yet, but found this pretty cool so I tried my best adding alt text)
brk, a.k.a. @evanrichter
mahaloz
*sigh*Ber nard
Lea Rosema