Hex-Rays Blog: IDA Pro Tutorials & Reverse Engineering Tips

IDA Pro, Meet CyberChef

Written by Willi Ballenthin | Mar 30, 2026

ida-cyberchef is a new open source plugin that embeds CyberChef's data transformation engine directly into IDA Pro, with a Qt interface that sits alongside your disassembly as a side panel. Data flows top to bottom through three panels for input, recipe, and output.

Install it now:

hcli plugin install ida-cyberchef

That's it. CyberChef runs inside IDA.

CyberChef ↔ IDA, x100

When reverse engineering, perhaps you’ve used CyberChef, GCHQ's "Cyber Swiss Army Knife". This standalone, offline web page provides hundreds of data transformation operations that you can drag into a recipe, feed in some data, and watch the output update in real time. Personally, I like that I don’t have to install any software, that sensitive data isn’t sent to any remote server, and that the interface encourages experimentation.

For example, when I suspect data is XOR-encoded, I can try keys and immediately see if the output looks like plaintext. Or if I hit AES-encrypted data and can't remember whether it's CBC or CTR, I just try both.

However, during reverse engineering, I'm often bouncing data between IDA and CyberChef. I find an encrypted region in a binary, copy the bytes out, load them into CyberChef in a browser tab, figure out the right transformation, then copy the result back into IDA. It's tedious and easy to make a silly mistake. 

CyberChef, Embedded in IDA

So we built a plugin that eliminates the round-trip.

ida-cyberchef is an open source plugin that embeds CyberChef's data transformation engine directly into IDA Pro, with a Qt interface that sits alongside your disassembly as a side panel. Data flows top to bottom through three panels for input, recipe, and output. Here’s what the interface looks like:


Interface Overview

The plugin works with data directly from your IDB. It can follow your cursor, transforming and previewing a slice of data from that address. As you move through the disassembly, it reads bytes at the current position and applies the recipe in real time. This is useful for validating a hypothesis. Say you've recovered an XOR key and want to see how it decodes a region of data: you can scroll around and apply the transformation and preview how it would look.

You can also operate on the mouse’s selection or specify an explicit range by hand. Of course, you can always paste or type data directly, just like the CyberChef web interface, with a format selector for string, hex, or base64 interpretations. Finally, you can select a region and “Send to CyberChef”, which is pretty handy:


To construct your recipe, a search bar with fuzzy matching helps you find the operation you want, against the ~440 supported operations. For malware analysis, the heavy hitters are probably variants of XOR, including brute forcing the key, byte-wise operations like shift and invert, AES and RC4 encryption, and a collection of hashing algorithms. But the full CyberChef catalog is available, including protobuf decoding, to/from charcode, and even CitrixCTX1 Decode. As you hover over a candidate, the plugin shows documentation about how to use the operation:



Of course, you can chain multiple operations into a recipe, and results update as you tweak parameters. The same interactive experimentation you're used to from the web interface works here, except your data never leaves IDA. 
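The workflow described above (try XOR keys, check whether the output looks like plaintext, then chain the operations into a recipe) can be sketched in plain Python. This is an added example, not code from ida-cyberchef or CyberChef, and it calls neither the plugin nor IDA: the helper names (xor, run_recipe, brute_force_xor, read_range), the fake image, and the sample string are all constructed for illustration.

```python
import base64

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR over the whole buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def run_recipe(data: bytes, recipe) -> bytes:
    """Apply each operation in order: input -> recipe -> output."""
    for op in recipe:
        data = op(data)
    return data

def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII (0x20-0x7e)."""
    return bool(data) and all(0x20 <= b <= 0x7E for b in data)

def brute_force_xor(data: bytes, crib: bytes = b""):
    """Try all 256 single-byte keys; keep printable outputs containing the crib."""
    hits = []
    for k in range(256):
        out = xor(data, bytes([k]))
        if is_printable(out) and crib in out:
            hits.append((k, out))
    return hits

# Constructed sample (not from any real binary): a fake image whose bytes at
# BLOB_EA hold Base64(XOR(plaintext, 0x5A)), surrounded by padding.
PLAINTEXT = b"http://c2.example.invalid/gate.php"
BLOB = base64.b64encode(xor(PLAINTEXT, b"\x5a"))
IMAGE_BASE, BLOB_EA = 0x401000, 0x401010
IMAGE = b"\xcc" * 0x10 + BLOB + b"\x00" * 8

def read_range(ea: int, size: int) -> bytes:
    """Hypothetical stand-in for reading database bytes at an address."""
    off = ea - IMAGE_BASE
    return IMAGE[off:off + size]

if __name__ == "__main__":
    raw = run_recipe(read_range(BLOB_EA, len(BLOB)), [base64.b64decode])
    print("printable-only candidates:", len(brute_force_xor(raw)))
    for key, out in brute_force_xor(raw, crib=b"http"):
        print(f"key=0x{key:02x} -> {out.decode()}")
        # Once the key is known, the full recipe is From Base64 then XOR.
        recipe = [base64.b64decode, lambda d, k=key: xor(d, bytes([k]))]
        assert run_recipe(read_range(BLOB_EA, len(BLOB)), recipe) == out
```

A printable-only filter leaves several candidate keys, because neighbouring keys also yield ASCII; adding a known-plaintext crib narrows the result to one.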

Output Destinations

Once you've figured out the right transformation, there are several destinations for the output:


The simplest options are copying to clipboard or saving to a file. When copying, you choose the format (hex dump, hex string, C-style array, raw bytes, or plain string), which is convenient for pasting into reports or other tools.

Two options are specific to IDA:

1) You can attach the decoded data as a comment at the source address. I use this when I want to annotate encrypted strings without modifying the database. The comment serves as a reminder of what the data decodes to, visible in the IDB:



2) You can attach the decoded data as a comment at the source address. I use this when I want to annotate encrypted strings or configurations without modifying the database. The comment serves as a reminder of what the data decodes to, visible in the IDB: 

Under the Hood

To build ida-cyberchef, we didn’t port 440 operations from JavaScript into Python or C++. Instead, the plugin runs the actual CyberChef JavaScript code inside a V8 interpreter (via cloudflare/STPyV8) embedded in IDA. While it's a little convoluted, we’re really happy with the integration, since it's a small amount of code and lets us rely on (and contribute back to!) the CyberChef community.

One way we know it works well: we run CyberChef's entire upstream test suite against our embedded engine, and the 1,481 test cases pass. The few operations we can't support are due to browser-specific dependencies (Yara scanning, for example, requires linking against the Yara library in a way that doesn't translate to an embedded engine).

Furthermore, we generated an additional 980 test cases to fully exercise the supported operations. This process uncovered several bugs in CyberChef itself that hadn't been reported. We filed ten issues and submitted patches upstream, so these fixes benefit the entire CyberChef community.

Incidentally, the CyberChef engine is now accessible as a Python library. You can pass in data and recipe definitions as Python data structures and get results back programmatically. I’m not sure what you all will do with this, but I’m looking forward to hearing about it!

Anyways, try ida-cyberchef today! You can install it with a single command, via HCLI:

hcli plugin install ida-cyberchef

The UI will continue to evolve based on feedback. If something doesn't work the way you'd expect, let us know: https://github.com/HexRaysSA/ida-cyberchef