Fission is a high-performance, Rust-native reverse-engineering and decompilation framework designed for precision binary analysis at scale.
Fission represents a fundamental rearchitecture of decompilation workflows, placing Rust at the core of:
- Instruction Semantics: Precision lift via Sleigh, with semantics-preserving IR normalization
- Canonical Intermediate Representation: NIR/HIR layers ensuring deterministic, auditable transformations
- Control-Flow Recovery: Graph-based structuring with algorithmic soundness, not heuristics
- Pseudocode Rendering: Type-aware, context-sensitive output generation
Fission pursues independent decompilation excellence with Ghidra available as a benchmarking and validation reference.
- Correctness-first: Unsafe decompilation (even with high precision) fails closed to fallback modes
- Deterministic: All output feeds reproducible snapshots, metrics, and CI validation
- Auditable: Every transformation step is tracked, logged, and verifiable
- Modular: Each layer (lift β IR β structure β render) owns its contract independently
License: AGPL-3.0-or-later. Contributions welcome under the CLA in CLA.md.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Pseudocode Rendering β
β (Type-aware formatting, symbol resolution) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Structured IR (NIR/HIR Layers) β
β (Control-flow recovery, loop/region detection) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Canonical IR (P-Code Normalization & Semantics) β
β (SSA form, value numbering, dataflow analysis) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Instruction Semantics & Lifting (Sleigh-based) β
β (Precise CFG skeleton, lift contracts) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
| Component | Role | Ownership |
|---|---|---|
| fission-sleigh | Instruction decode, lift semantics, CFG skeleton | Sleigh layer |
| fission-pcode | Canonical IR, NIR/HIR, structuring, pseudocode printer | IR/Structure layers |
| fission-static | Static facts, native helpers, analysis services | Analysis layer |
| fission-decompiler-core | Orchestration, routing, postprocess pipeline | Workflow layer |
| fission-loader | Binary format parsing, symbols, sections, strings | Binary layer |
| fission-signatures | Function signatures, type signatures, identifier data | Data layer |
| fission-automation | Quality lanes, regression testing, telemetry reporting | Quality layer |
| fission-cli | Command-line interface, REPL, batch processing | Product layer |
| fission-tauri | Desktop GUI, interactive analysis, visualization | Product layer |
Fission maintains comprehensive, role-based documentation:
docs/architecture/ARCHITECTURE.mdβ Detailed system design and invariantsAGENTS.mdβ Contributor workflows and conventionsbenchmark/full_benchmark/README.mdβ Canonical decompilation benchmark workflow
- Wiki Home β Tutorials, guides, FAQ
- Getting Started β Installation and first steps
- User Guides β Workflow documentation
docs/EVALUATION.mdβ External headless evaluation path for CLI-first usersdocs/CLI.mdβ Detailedfission_clireference and operator workflow guide
docs/changelog/Legacy/CHANGELOG.mdβ Historical release log
| Path | Status | Coverage | Notes |
|---|---|---|---|
| NIR (Rust-native) | Primary | PE x64, ARM64 | Canonical Rust architecture path |
- PE (Windows x86, x64, ARM64) β Full support
- ELF (Linux x86, x64, ARM, ARM64) β Core support
- Mach-O (macOS x64, ARM64) β Experimental
Solid & Production-Ready:
- β CLI interface with REPL and batch modes
- β Rust-native decompilation pipeline
- β Quality assurance and regression testing
- β Automated benchmarking against Ghidra
- β Deterministic, reproducible output
In Active Development:
- π Large function readability and precision
- π Advanced data abstraction and memory modeling
- π Rich type inference and name recovery
- π Desktop UI polish and end-user experience
- π Additional architecture targets (MIPS, PPC, etc.)
Technology Notes: PE x64 has the strongest direct NIR coverage. Other architectures and formats exist as development targets and should not be treated as equivalent production-quality claims.
| Crate | Responsibility | Key Artifacts |
|---|---|---|
crates/fission-sleigh |
Instruction decode, semantics lift, CFG skeleton | Sleigh bindings, lift contracts |
crates/fission-pcode |
Canonical IR, NIR/HIR layers, structuring, printing | P-Code IR, graph reduction, pseudocode output |
crates/fission-static |
Static fact generation, prepare helpers, analysis | Dominance, SCC, value analysis |
crates/fission-decompiler-core |
Orchestration, routing, postprocess pipeline | End-to-end workflow |
| Crate | Responsibility |
|---|---|
crates/fission-loader |
Binary loading, symbol extraction, section parsing |
crates/fission-signatures |
Function/type signatures, identifier resolution |
crates/fission-analysis |
Auxiliary analysis utilities |
crates/fission-disasm |
Disassembly layer |
crates/fission-core |
Core data structures |
crates/fission-dynamic |
Dynamic analysis capabilities |
| Crate | Purpose |
|---|---|
crates/fission-cli |
Command-line interface with REPL |
crates/fission-tauri |
Cross-platform desktop GUI |
crates/fission-automation |
Quality lanes, test automation, CI/CD integration |
- Rust 1.85+ (install)
- Cargo (bundled with Rust)
- C++ compiler (for some dependencies)
git clone https://github.com/sjkim1127/Fission.git
cd Fission
cargo build -p fission-cli --releaseThe compiled binary is available at: target/release/fission_cli
# Display binary information
./target/release/fission_cli info <binary>
# Decompile a single function at address
./target/release/fission_cli decomp <binary> --addr <address>
# List discovered functions
./target/release/fission_cli list <binary> --json
# Batch decompilation with limits
./target/release/fission_cli decomp <binary> --all --limit 100
# Operator-facing inventory
./target/release/fission_cli inventory function-facts <binary> --jsonLegacy flat invocations still work for one transition period, but canonical usage is now subcommand-based.
For the full command model, subcommand ownership, operator inventory workflows,
JSON guidance, and legacy compatibility rules, see
docs/CLI.md.
If you are evaluating Fission externally and want the shortest CLI-first path,
use docs/EVALUATION.md. That guide is opinionated,
Windows x64-first, and includes checked-in sample binaries plus example output
payloads.
Library-level use is possible at the Rust crate level, but the CLI is the current primary documented product surface.
If you want comparative evaluation rather than a first manual CLI pass, use the
canonical benchmark workflow in
benchmark/full_benchmark/README.md.
Execute the main quality lane for regression testing:
cargo run -p fission-automation -- nir-check --lane nir# Release build (optimized)
cargo build --release
# Desktop GUI
cargo build -p fission-tauri --release
# Full test suite
cargo test --all- Decompilation Pipeline: Full Rust-native NIR/HIR path with deterministic output
- Command-Line Interface: Feature-rich REPL with batch processing modes
- Quality Assurance: Integrated regression testing and automated benchmarking
- Binary Support: PE x64 (primary), ELF x64/ARM64, Mach-O (experimental)
- Telemetry: Built-in metrics, statistics, and CI/CD reporting
| Area | Target | Timeline |
|---|---|---|
| Large Function Handling | >10K instruction functions | Q2 2026 |
| Data Abstraction | Field/type-aware modeling | Q2 2026 |
| Name Recovery | Symbol and identifier inference | Q3 2026 |
| UI/UX Polish | Desktop workflow optimization | Q3 2026 |
| Additional Targets | MIPS, PPC, additional architectures | Q4 2026 |
- Large functions (>10K instructions) may produce simplified output
- Advanced data abstraction patterns in progress
- Limited cross-architecture coverage (PE x64 is primary target)
- Desktop UI is functional but undergoing refinement
For comparative quality analysis:
python3 benchmark/full_benchmark/full_decomp_benchmark.py \
<binary> \
--fission-bin target/release/fission_cli \
--ghidra-dir vendor/ghidra/ghidra_11.4.2_PUBLIC \
--output-dir benchmark/artifacts/full_benchmark/<run-name> \
--limit 50Canonical benchmark config and artifacts now live under:
benchmark/config/benchmark_corpus/benchmark/artifacts/full_benchmark/benchmark/artifacts/automation/
Use benchmark_compact_summary.json for first-pass machine review and the
verbose JSON/Markdown artifacts for deep debugging.
Automated quality metrics are stored in:
benchmark/artifacts/automation/ # Fast-lane test results
benchmark/artifacts/full_benchmark/ # Detailed benchmark runs
For detailed system design, read docs/architecture/ARCHITECTURE.md
The Fission desktop GUI provides an integrated analysis environment:
Main Workspace
Decompilation View
Features:
- Interactive function browser with call graphs
- Real-time decompilation with syntax highlighting
- Symbol resolution and type inference
- Batch analysis and report generation
- Cross-reference navigation
Fission welcomes contributions from the reverse-engineering and decompilation communities.
- Review
CONTRIBUTING.mdfor guidelines - Sign the Contributor License Agreement (
CLA.md) - Check
AGENTS.mdfor code organization and conventions - Open an issue to discuss your proposed changes
- Instruction Semantics: Accuracy improvements for Sleigh lifts
- IR Transformations: New optimizations and normalization passes
- Structuring Algorithms: Control-flow recovery improvements
- Binary Format Support: Additional architectures and formats
- Testing & Benchmarking: Quality metrics and regression detection
- Documentation: Tutorials, guides, and architectural documentation
- Issues & Discussions: GitHub Issues
- Discord Community: Join our server
- Social Media: LinkedIn
Fission is architected for project-level software restoration β not just decompilation.
β
High-precision decompilation for PE x64
β
Deterministic, auditable analysis pipelines
β
Measurable quality metrics and benchmarking
π Expanded architecture support
π Advanced data abstraction and memory modeling
π Integrated static/dynamic analysis workflows
π Semantic-aware type recovery
π― Project-level program comprehension
π― Cross-function fact accumulation
π― AI-assisted analysis on verified artifacts
π― Protocol-facing and behavioral analysis integration
π― Commercial-grade analysis platform
Rather than building a thin UI over existing decompilers, Fission pursues independent decompilation excellence with:
- Algorithmic Soundness: Graph-based, mathematically rigorous transformations
- Auditability: Every decision is verifiable and reproducible
- Modularity: Clean separation of concerns across layers
- Quality Focus: Metrics and regression detection as first-class citizens
- Long-term Maintenance: Sustainable, understandable codebase
SPDX-License-Identifier: AGPL-3.0-or-later
License: GNU Affero General Public License v3.0 or later
See LICENSE for full text
If you use Fission in academic work, please cite:
@software{fission2024,
title={Fission: A Rust-Native Decompilation Framework},
author={Kim, Sung Joo},
year={2024},
url={https://github.com/sjkim1127/Fission}
}Fission builds upon decades of decompilation research and engineering. Special acknowledgment to:
- Ghidra β Reference architecture, semantic lifting, benchmarking
- RetDec β Decompilation techniques and IR design
- Radare2 β Analysis ecosystem and tooling inspiration
- LLVM β Compiler infrastructure and optimization patterns
- The reverse-engineering research community
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}