PDF Reference Opcodes Or reGisters. Like IDA's FRIEND/AMIE or Ghidra's "Processor Manual..." right-click menu.
This is a glorified PDF search for tokens that show up in tables of contents.
Select a token like an instruction or a register, and "Plugins" -> "DROOG" -> "Search Reference Headings..." will show pages from PDFs available for the current architecture. Click an image to open the PDF at that page in your browser.
For unfamiliar architectures, bind the search to a hotkey. There's also a command to peek at table of contents headings in the status bar for quickly reviewing mnemonics.
If you're dealing with raw coprocessor operand values or unnamed MMIO offsets, you'll need to:
- Dig up the right PDFs for your SoC or peripheral. Rip relevant tables into a Python
dict
. - Bulk-name relevant values or instructions with a script. (You can use comments as a single "token".)
Instead of hardcoding documentation, local reference manuals are indexed with MuPDF (hence AGPLv3 licensing) and opened directly. Install via whatever pip install pymupdf
looks like in your BN Python env.
You can dump your PDF collection in droog/manuals/{arch}/*.pdf
, or include them anywhere in your plugin's directory structure if it's installed to the same plugin folder as DROOG and predictably named. Endianness and 32/64-bit indicators on arch
are stripped off with a regex, so aarch64
is in manuals/aarch/*.pdf
and x86_64
lives in manuals/x86/*.pdf
. It's weird but simplifies dealing with MIPS/ARMv7/etc.
If you're reversing ancient fauna based on scans with beautiful typesetting but terrible OCR and no table of contents, you can edit in your own ToC with MuPDF's Document.set_toc(). Check the *.idx
files in the Ghidra repo in case American taxpayers already indexed one for you!