The next generation of binary reverse engineering. Slice through protection, recover semantics, and reclaim your code. Zero bloat. Zero vendor lock-in. Maximum signal.
EUVA is not just a hex editor and decompiler β it's a comprehensive Static Analysis Environment designed for the modern reverse engineer. Born from the need for high-performance, scriptable, and intelligent binary analysis, EUVA combines traditional graph-theory algorithms with cutting-edge AI-assisted semantic recovery.
Important
EUVA is designed with a "Local First" philosophy. Every advanced feature, including the AI agent, is entirely optional and can be configured to run through local providers like Ollama.
This program is under active development. Experimental builds may contain bugs or lead to unexpected behavior. Use with caution.
This software is provided "as is", without warranty of any kind. EUVA is a high-precision instrument designed for educational purposes and security research. The author is not responsible for any system instability, data loss, or legal consequences resulting from the misuse of this tool.
By using EUVA, you acknowledge that you are solely responsible for your actions, you understand the risks of modifying binary files and process memory, and you will respect the laws and regulations of your jurisdiction.
Experience binary data at its most primal level with a hardware-accelerated rendering engine. EUVA bypasses the standard WPF rendering pipeline to provide maximum performance.
- Hardware Acceleration: Built on a custom
WriteableBitmapengine that performs manual pixel-array manipulation before a single-step blit to video memory. - Zero-Latency Scrolling: Scales effortlessly to multi-gigabyte binaries via Memory-Mapped Files (MMF), ensuring raw data is never loaded fully into the heap.
- PE Semantic Tree: Automatically decomposes raw bytes into a navigable hierarchy, mapping specific fields to virtual addresses for instant lookup.
- DSL-language: An language for replacing bytes and writing scripts for automatic changes
- YARA-X Integration: Industrial-grade signature matching with windowed processing (16MB chunks) and deduplicated rule-name referencing for minimal RAM impact.
- Live Script Watcher: Real-time patching via
.euvscripts with a specialized cooldown mechanism to prevent file-lock conflicts during development. - GlyphCache Subsystem: Pre-rasterizes UI symbols into high-speed memory buffers, eliminating font-rendering overhead during rapid navigation.
- Byte Minimap: A high-level visual overview of the binary's internal structure with Entropy Analysis for identifying encrypted or compressed regions.
- Dirty Tracking: Optimized for security researchers with lock-free snapshot isolation for real-time change visualization.
Buttery smooth scrolling and instant data lookup at native DPI.
The heart of EUVA. A multi-stage, industrial-grade pipeline that elevates raw machine code into human-readable C/C++ logic.
- Instruction Lifting: Normalizes complex hardware ISAs into a clean, hardware-agnostic Intermediate Representation (IR).
-
Static Single Assignment (SSA): Implements precise data-flow traversal using versioned variables and Phi (
$\phi$ ) node unification. - Advanced Optimization Passes: Includes Copy Propagation, Dead Store Elimination (DSE), and recursive AST folding for zero-entropy pseudocode.
-
Structure Discovery: Sophisticated domination analysis to recover idiomatic
if/else,while, andforloop patterns. - Constraint-Based Type Inference: A bidirectional propagation engine that reconstructs complex structs and pointers from memory-access footprints.
- Glass Engine C# Scripting: Total programmatic control over the decompilation pipeline via runtime-compiled C# scripts for handling obfuscation.
High-performance logical listing for precise low-level analysis.
- Zero-Allocation Pipeline: Leverages the Iced library with custom memory reuse to eliminate Garbage Collector pressure during million-instruction scrolls.
- Token-Based Rendering: Manual character-by-character blitting into a backbuffer with themed color mapping for every instruction component.
- Synchronization Heuristics: Advanced entry-point detection algorithms to find meaningful code boundaries in arbitrary byte streams.
- Dry-Decoding Engine: Fast instruction counting and skipping without full text translation for ultra-responsive navigation.
EUVA is built to be "omnivorous" to new analysis methods.
- Plugin-Based Detectors: A scalable architecture for detecting packers and protectors (Themida, WinLicense, UPX) via distributed priority-based plugins.
- Multi-Factor Confidence: Scoring system that combines entropy analysis, section name anomalies, and signature matches for high-accuracy detection.
- Asynchronous Management: Non-blocking detector execution to keep the UI perfectly responsive during massive file scans.
Bridge the gap between Logic and Semantics. Our experimental AI layer helps you identify variable names and function roles that are traditionally lost in compilation.
Note
Your Choice, Your Control: The AI Agent is a "Bring Your Own Key" system. It supports Cloud LLMs (OpenAI, Claude, Groq) and Local LLMs (Ollama, LocalAI). Privacy is paramount.
| π΄ Before AI (Raw Decompilation) | π’ After AI (Semantic Refactor) |
|---|---|
v3 = (uint64_t)(v1 + 8); |
current_ptr /* AI */ = (uint64_t)(v1 + 8); |
v4 = v2->field_FFFFFFFFFFFFFFFF; |
i /* AI */ = v2->field_FFFFFFFFFFFFFFFF; |
v3->field_2 = (*v3 & 7); |
current_ptr /* AI */->field_2 = (*current_ptr /* AI */ & 7); |
v3->field_1 = (v4 >> 4); |
current_ptr /* AI */->field_1 = (i /* AI */ >> 4); |
rax = (uint8_t)(v4 & 15); |
rax = (uint8_t)(i /* AI */ & 15); |
*v3 = rax; |
*current_ptr /* AI */ = rax; |
... |
... |
- Memory-Mapped File engine that scales to arbitrarily large binaries with zero heap pressure
- WriteableBitmap renderer that bypasses the WPF render pipeline entirely pixel-perfect output at native DPI
- GlyphCache subsystem that rasterizes each character once and blits it via direct memory copy thereafter
- Dirty Tracking system with lock-free snapshot reads for zero-latency change visualization
- Transactional Undo system both step-by-step (
Ctrl+Z) and full-session rollback (Ctrl+Shift+Z) - structured PE decomposition layer that turns raw bytes into a navigable semantic tree
- DSL-language A standalone language for replacing bytes in a hex editor with Python-like syntax.
- scriptable patching DSL (
.euvformat) with live file-watch execution - plugin-extensible detector pipeline for packer/protector identification
- fully themeable rendering layer with persistent theme state across sessions
- Addition of the Yara-X rules engine which allows for matching against thousands of pre-built rules for binary file analysis.
- Byte minimap Allows you to instantly scan the hex grid of a binary file, simplifying research and instantly identifying where packed code or similar may be located.
- Disassembler An iced-based disassembler will help in analyzing binary files and will present the binary file as readable logic.
- Decompiler Decompile x64, x86 binaries and get pseudocode in C/C++ format
- Scripting Decompiler A C# scripting layer that allows you to write custom decompiler scripts and custom decompilation methods.
- AI Agents Decompiler Bring your own API key Cloud or Local via Ollama to instantly restore human-readable variable names and code semantics without UI freezes.
- AI-Explain Now AI can roughly explain decompiled code to you, giving you answers as high-quality as possible. (Experimental feat)
Before building, make sure you have the following installed:
| Requirement | Version | Link |
|---|---|---|
| .NET SDK | 8.0+ | download |
| Windows OS | 10 / 11 | Required (WPF) |
Note
EUVA is a Windows-only application built on WPF. Linux/macOS are not currently supported.
# 1. Clone the repository
git clone https://github.com/pumpkin-bit/EUVA.git
cd EUVA/EUVA.UI
# 2. Restore dependencies
dotnet restore
# 3. Build in Release mode
dotnet build -c Release
# 4. Run (optional, or launch the compiled binary directly)
dotnet run -c Release- Open a binary file via File β Open or drag-and-drop onto the window
- You can change bytes in a hex editor using an internal DSL language.
- Press
Ctrl+Dto open the Disassembler,Ctrl+Efor the Decompiler - (Optional) Configure your AI provider in AI Settings in the decompiler window to enable semantic refactoring
Warning
When using the Glass Engine (C# scripting), ensure the Scripts/ folder contains valid .cs implementations to avoid pipeline startup latency.
Dive deeper into the theory and mechanics:
- π Memory-Mapped-File
- π WriteableBitmap Render
- π GlyphCache
- π Dirty-Tracking-System
- π Transactional-Undo-system
- π Structured-PE-decomposition-layer
- π DSL-language
- π scriptable-patching-DSL
- π plugin-extensible-detector-pipeline
- π fully-themeable-rendering-layer
- π Addition-of-the-Yara-X-rules-engine
- π Byte-minimap
- π Disassembler
- π Decompiler
- π Scripting-Decompiler
- π AI-Agents-Decompiler
| Command | Shortcut | Description |
|---|---|---|
NavInspector |
Alt+1 |
Switch to Inspector tab |
NavSearch |
Alt+2 |
Switch to Search tab |
NavDetections |
Alt+3 |
Switch to Detections tab |
NavProperties |
Alt+4 |
Switch to Properties tab |
CopyHex |
Ctrl+C |
Copy selection as hex string |
CopyCArray |
Ctrl+Shift+C |
Copy selection as C byte array |
CopyPlainText |
Ctrl+Alt+C |
Copy selection as Plain text |
Undo |
Ctrl+Z |
Undo last byte write |
FullUndo |
Ctrl+Shift+Z |
Revert entire last script run |
View byte |
F3 |
View the latest bytes changes |
View Yara Matches |
Shift+F3 |
View matches found by Yara |
View Disassembler |
Ctrl+D |
View Disassembler |
View Decompiler |
Ctrl+E |
View Decompiler, use F5 to switch between graphics mode and text mode |
Highlight code |
Ctrl+A |
Selecting code in text form in a decompiler |
You can reassign hotkeys by loading (via the settings in the program menu) and editing the .htk file.
Q: Why use EUVA's built-in AI instead of an AI plugin for IDA Pro or Ghidra?
A: In legacy tools, AI is often a "bolt-on" script that freezes the UI while it processes raw text and waits for a response. EUVA is a native, JIT application where AI is a first-class citizen. Our Zero-Allocation pipeline and direct AST-level semantic injection mean renames happen in milliseconds without a single interface stutter.
Q: Can I safely reverse malware or sensitive code without leaking it to cloud servers?
A: Absolutely. EUVA follows a Local First philosophy. You can configure it to use Ollama or any local OpenAI-compatible provider. Your code stays on your machine, and your privacy is preserved.
Q: LLMs often hallucinate. How do I know the AI didn't invent logic or break my decompiler output?
A: EUVA and the LLM work in a "Trust but Verify" loop. The AI is only allowed to propose renames for existing variables detected by our AST engine. Every change is clearly marked with /* AI */ comments, and you can instantly roll back any function to its raw state using the Reject AI button.
Q: Can I force the AI to use specific naming conventions (e.g., Linux Kernel style or custom crypto terminology)?
A: Yes. The AI Settings window allows you to customize the System Prompt. You can define exactly how the AI should perceive the code and which naming standards it should prioritize.
Q: Why switch to EUVA when giants like IDA Pro, Ghidra, or ImHex have existed for decades?
A: EUVA doesn't carry of legacy code.
- IDA/Ghidra: Monolithic environments where modern features like LLM integration feel sluggish due to complex Python/Java bridges.
- ImHex: An incredible hex editor and pattern parser, but not a full-scale reverse engineering environment with a specialized decompiler pipeline.
- EUVA: Specifically engineered for the era of AI and high-performance data-flow analysis. It delivers industrial-grade power with the agility of a modern C# native app.
- Imhex for the UI/UX inspiration.
- AsmResolver for parsing binary files
- Iced for disassembling and decompiling
- YARA-x for integration with thousands of signatures
- Roslyn for the script engine in the decompiler
- Microsoft.Msagl construction of graphs of decompiled code
- Catppuccin for interface theme
We welcome the street-smart netrunners and corporate-grad researchers alike.
We welcome street-smart netrunners and corporate-grad researchers alike.
- Read first: Please read our CODE_OF_CONDUCT before participating.
- Found a bug? Open an Issue with a detailed description and, if possible, a sample binary.
- Want to code? Check out the CONTRIBUTING guide for build instructions and PR templates.
PRs Welcome: Found a bug or optimized a pipeline stage? Submit a PR! π
I will also be grateful for the stars - the stars are the future of the project β.
EUVA is free software released under the GNU General Public License v3.0.
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2026 pumpkin-bit (falker) & EUVA Contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
---
EngineUnpacker Visual Analyzer (EUVA)
Professional PE Static Analysis Tool
Educational tool for reverse engineering research.
Use responsibly and in accordance with applicable laws.
EUVA β built for researchers who read hex for fun.
Built with β€οΈ for the Reverse Engineering Community | Β© 2026 EUVA Project