I finished decompiling Snowboard Kids 2 and wrote a small blog post about it.

Disclosure: this is my own research/writeup.

I reported this ZTE H-series router DoS in 2024; it is now public as CVE-2026-34473.

The writeup focuses on the root cause rather than just the symptom. The issue is not simply “large POST body kills the UI.” Firmware analysis maps the behavior to CGILua request-body parsing: attacker-controlled application/x-www-form-urlencoded POST data reaches body handling before login enforcement matters.

The article includes validation footage, affected-model context, disclosure timeline, decompiled parser evidence, and reconstructed public-safe code-path notes.

Interested in feedback on the root-cause framing from people who review embedded web stacks or router firmware.

open for collabs too.

I wanted a disassembler that's a single executable, loads instantly, runs everywhere. So I wrote one from scratch.

It's called Hyperion it's made in C++, No runtime dependencies. No installer.

What it actually does: It has a real decompiler, It produces readable pseudo-C for x86/x64 and ARM64.

Formats & architectures:

Format	Architectures
PE (exe, dll, sys)	x86, x64
ELF (so, o, executables)	x86, x64, ARM, ARM64, MIPS, PPC
Mach-O (dylib, fat/universal)	x64, ARM64
.NET (managed assemblies)	CIL/IL bytecode

Scripting:

Embedded Lua 5.4. Drop .lua plugins in a folder. Full API, rename, comment, patch bytes, create functions, navigate, query xrefs. Register custom menu items and hotkeys from scripts.

The numbers:

	Hyperion	IDA Pro	Ghidra
Download size	<3 MB	~120 MB	~500 MB
Runtime deps	None	Python, Qt	JVM
Price	Free (MIT)	$1,800/yr	Free
Startup time	<1s	~3s	~15s
Binary	Single exe	Installer	Installer

Platforms: Windows, Linux, macOS (Intel + Apple Silicon).

This will stay open source and free. MIT licensed.

Repo: https://github.com/Sidenai/hyperion-disassembler

Ghidra 12.1 Change History (May 2026)

New Features

• Byte Viewer. Added support for other-than-ASCII character encodings in the ByteViewer. (GP-5689)
• Data Types. Added ability to merge non-conflicting structures, unions, or enums. (GP-5808, Issue #2461)
• Debugger:Agents. Enabled synchronization between x64dbg and Ghidra. (GP-5972)
• Debugger:Time. Added a margin bar and new BreakpointTimelinePlugin that displays breakpoint hits across the whole execution of a trace. (GP-5895)
• DWARF. Added support for querying debuginfod servers for files. (GP-5924, Issue #8407)
• ELF. Added markup for .gnu.build.attributes in ELF binaries. (GP-5929)
• GUI. Updated the Data Type Manager provider to remember the program archive's selected data type when switching between program tabs. (GP-2370)
• GUI. Added a Hide Filter action for Tables and Trees. This action can be bound to the Escape key to close the filter. (GP-6336, Issue #8771)
• GUI. Updated the Find References action to appear in tables that have addresses. (GP-6365, Issue #8899)
• Importer:Trace. Added a loader for Tenet trace files. (GP-6382)
• Processors. Added the Hexagon Language module with modified instruction syntax. Modified syntax was used to better fit Ghidra's mnemonic/operand Listing API. This processor also introduces the first use of Ghidra's Sleigh crossbuild feature which is used for weaving pcode for parallel processor architectures such as the Hexagon. (GP-6621, Issue #1595)
• Scripting. Added AddVfunctionCallRefScript, which, if the cursor is on a vftable->function token in the Decompiler, will create a CALL reference to the associated function in the Listing, if it can be determined. (GP-6693)
• Search. Added the ability to scan using the results from one progam rebased on another. (GP-6260)

Improvements

• Analysis. More Swift type metadata has been marked up. (GP-6281)
• Analysis. Improved Golang analyzer to handle some obfuscation techniques. (GP-6291, Issue #8804)
• Analysis. Improved Objective-C analysis with such things as providing msgSend support. (GP-6327, Issue #5938)
• Basic Infrastructure. Environment variables can now be set in launch.properties using ENVVARS= or ENVVARS_[PLATFORM]=. (GP-6193)
• Basic Infrastructure. Ghidra's maximum heap size can now be set via external environment variables. See each of the various launch shell scripts for usage information. (GP-6213)
• Basic Infrastructure. Ghidra's Java options (system properties) can now be set via external environment variables. See each of the various launch shell scripts for usage information. (GP-6350, Issue #4960, #8885, #8942)
• Basic Infrastructure. Upgraded JDOM to 2.0.6.1. (GP-6370)
• Basic Infrastructure. Fixed an issue that occurred when expanding environment variables that contained regular expression characters in launch.properties. (GP-6704, Issue #9061)
• Build. Ghidra can now be built on Windows on ARM (requires Gradle 9.2 or later). (GP-6126)
• Data Types. Change was made which consistently allows duplicate component/field naming within Structure/Union datatypes. When editing a name within the GUI, the user will be warned and must confirm use of a duplicate name. (GP-3564, Issue #5249)
• Data Types. A datatype which gets removed will no longer attempt to update itself as a result of dependency changes. This may reduce the number of superfluous listener callbacks and events that occur during the removal process. (GP-5882)
• Debugger. Added parameter for custom arguments to gdb/lldb. (GP-6112, Issue #8565)
• Debugger. Better available lists are provided for gdb/lldb. (GP-6273, Issue #8711)
• Debugger. Added remote option for x64dbg. (GP-6401, Issue #8929)
• Debugger. Added the ability to launch lldb/gdb from Windows via ssh targeting Windows on the remote machine. (GP-6423)
• Debugger:Emulator. Provided GUI additions to expose Emulator Taint. (GP-6129)
• Debugger:Emulator. Created Save state for Emulator, as the choice of Emulator was not being saved. (GP-6163)
• Debugger:LLDB. Created new launcher for android attach. (GP-6174, Issue #6386, #8225)
• Debugger:LLDB. Rerunning the target in lldb is now allowed. (GP-6422, Issue #8945)
• Debugger:LLDB. Added the ability to attach to available process for lldb. (GP-6474)
• Debugger:Time. Provided better color management for Time overviews. (GP-6440)
• Decompiler. The Decompiler now displays structure bitfields in expressions. (GP-2493, Issue #647)
• Decompiler. Extended Abstract Interpretation logic to high pcode. (GP-5921)
• Decompiler. The display format for integer case labels can now be set for individual switch statements from the Decompiler window. (GP-5922, Issue #4438, #8196, #8726)
• Decompiler. Added a Decompiler action to toggle the Disable printing of type casts option. (GP-6199, Issue #7452)
• Decompiler. Added setter methods to the DecompilerOptions class. These can be used by script writers to control the Decompiler's behavior. (GP-6266, Issue #8812)
• Demangler. Created Output options for Microsoft Demangler that control output of anonymous namespace encoding and control the emitting of tags for user-defined types when found as template or function arguments. (GP-4901)
• Demangler. Updated the Rust Demangler to use code ported from the official Rust-based Demangler. (GP-6108, Issue #8609)
• Demangler. Updated the Gnu Demangler v2.24 to support the static modifier for functions. (GP-6394)
• Emulator. Introduced a default LOCK userop definition for x86, and a default ExclusiveMonitorPass for ARM, as well as for other userops and processors. (GP-4241, Issue #6089,
• Emulator:JIT. Optimized handling of multi-precision integers; i.e., varnodes of size greater than 8 bytes. (GP-5980)
• Function Compare. Fixed the Function Comparison provider so that it saves changes made to the Listing View fields. The provider will now also remember the last view tab selected. (GP-6016)
• GUI. Added a Data Type Manager action to search for enums by value. (GP-1914)
• GUI. Added popup menu items Close Other, Close Tabs to the Right, and Close Tabs to the Left to docking window tabs. (GP-4961)
• GUI. Added namespace chooser to Add/Edit Label Dialog. (GP-5806, Issue #8263)
• GUI. Changed the Log Viewer to a window instead of a dialog so that it can be maximized. (GP-6044)
• GUI. Added a Find All button in the Find Dialog used in many component providers. (GP-6076)
• GUI. Updated the Listing Snapshots to include the Flow Arrows, Margin Markers, and Overview Markers. (GP-6085, Issue #8601)
• GUI. Added an action to the Symbol Tree to allow users to toggle outgoing navigation events. (GP-6101, Issue #8618)
• GUI. Added a generic Mem Source table column to assist in filtering compatible tables based on the source from where the memory addresses originated. (GP-6147, Issue #8548)
• GUI. Added a modify() method to the Annotation class so clients can perform their own annotation transformations. (GP-6451, Issue #8928)
• Importer. The ElfLoader can now recognize Swift and golang binaries. (GP-3960, Issue #8795)
• Importer. The NeLoader can now load binaries that used Phar Lap’s 286/DOS-Extender. (GP-6537, Issue #1905, #2493)
• Importer:PE. The PE loader now sets up thunk functions for export forwarders. (GP-5900)
• Importer:PE. The PE Dynamic Value Relocation Table (DVRT) is now parsed and marked up. (GP-6502)
• Jython. Jython support is now delivered as a Ghidra Extension, which means an extra step is required to install it. If Jython is required, the user should simply go to File -> Install Extensions in the Ghidra Front End GUI and check Jython. The user must restart Ghidra to complete the enablement of Jython. (GP-6754)
• Languages. More Swift type metadata has been parsed and marked up. (GP-6137, Issue #8607)
• Listing. Added a feature to allow function bodies to be closed in the Listing. (GP-5987)
• Listing. Changed offcut string references to use the existing non-default label at the string beginning instead of the default name created from the string's offcut location. If no label is defined, the default offcut string naming scheme is used (s_[substring] instead of [label name]+offset). (GP-6345, Issue #8882)
• Multi-User. Improved Ghidra Server serialization filters and added serialization filters to client-side Ghidra applications. We may have missed something in our testing so let us know if you encounter an InvalidClassException. The log will identify a class which fails to pass the filter rules. (GP-6719)
• Processors. Corrected behavior of ARM thumb branchWritePC macro. (GP-6333, Issue #8585)
• Processors. Added maximumInstructionLength language property in support of inst_next2 use. (GP-6613, Issue #8941)
• Processors. Corrected operand order for MIPS162e movn and movz instructions. (GP-6766)
• Project. Expanded on the set of allowed special characters for a local Ghidra project path name to include the following: '.', '-', '=', '@', ' ', '_', '(', ')', '[', ']', and '~'. (GP-6681)
• PyGhidra. PyGhidra will now, by default, restore sys.modules to its prior state after a PyGhidra script is run (or the interactive interpreter is reset) so the next time a script is run, it freshly loads all of its imported modules again. This default behavior can be disabled by setting the pyghidra.sys.modules.restore.disable Java system property to true, which can be done in the support/launch.properties file. (GP-6288)
• Scripting. Made some improvements to the RecoverClassesFromRTTIScript for GCC programs. (GP-6670)
• Search. Fixed an issue where some matches were not found when doing a regular expression search using the regex lookbehind clause. (GP-6070)
• Search. Updated MemoryBytePatternSearcher to correctly handle mapped blocks. (GP-6308)
• Sleigh. Fixed the Sleigh goto statement to accept 64-bit literals. Added range-checking for literals in Sleigh compiler. This fixes an Emulator issue where edits to the pc register were truncated to 32 bits. (GP-6328, Issue #8875)
• Symbol Table. In the Symbol Table's Symbol References table, the user can now select multiple refs in the refs table to delete more than one reference at a time. There is also a new action in the Symbol Table popup action to allow the user to delete all references to a symbol, found under References -> Delete All. Finally, there is a new Make Selection action in the popup menu of the References Table to select, in the Listing, all references to a symbol. (GP-6430)
• Testing. Upgraded jacoco to 0.8.14. (GP-6504)
• Version Tracking. Improved Version Tracking so that when applying thiscall function signatures, the source's class structure is copied to the destination program, if appropriate, given the chosen apply options. (GP-5709, Issue #8127)
• Version Tracking. Updated Version Tracking to allow replacing of existing function label namespaces. (GP-5996)

Bugs

• Analysis. Added support for Windows DLLs generated by Golang. (GP-6325)
• Analysis. Corrected AutoAnalysisManager.removeCancelledListenter() to call removeCancelledListener() instead of incorrectly calling addCancelledListener(). This addresses a potential memory leak within Ghidra. (GP-6789)
• BSim. Improved string sanitization in PostgresFunctionDatabase.java. (GP-6722)
• BSim. Escaped values used to create BSim filters. (GP-6736)
• Build. Gradle 9 no longer fails when passed the --parallel command line argument. (GP-6385, Issue #8621, #8622)
• Byte Viewer. Fixed a bug in the Byte Viewer where the last byte in the program could not be selected in some views. (GP-6178)
• Byte Viewer. Changed the Byte Viewer to give a visual clue (foreground color is gray) when a multi-byte value spans adjacent memory blocks. (GP-6184)
• Byte Viewer. Fixed a minor alignment issue in Byte Viewer when a column could not populate the first line of a memory block. (GP-6204)
• Byte Viewer. Updated the Byte Viewer's configure options dialog to handle programs with no minimum address. (GP-6227, Issue #8762, #8763)
• Data Types. The Data Type Tree's Associate with Archive action is now only available for selected Program datatypes. A normal copy or datatype drag-n-drop may still be used between all datatype archives. (GP-6362)
• Data Types. Corrected Structure Editor Unpackage Component action which was misplacing components. (GP-6574, Issue #9041)
• Data Types. Corrected Structure insertAtOffset behavior when inserting at an offset which precedes a zero-length component. (GP-6576)
• Data Types. Corrected upgrade failure which can occur for Project Data Type Archives. (GP-6649)
• Data Types. Fixed CreateUEFIGDTArchivesScript, which parses UEFI header files for extracting data types. (GP-6690)
• Debugger. Fixed bug in the tree logic encountered when searching for an appropriate Trace Object. (GP-6173, Issue #8702)
• Debugger. Fixed a hang in the Debugger UI when closing a session under certain conditions. (GP-6299)
• Debugger. Provided a fix to allow register queries for non-active threads. (GP-6375, Issue #8903)
• Debugger. Fixed an error where breakpoints were ineffective for x64dbg. (GP-6468, Issue #8989)
• Debugger. Fixed bugs in x64dbg write methods. (GP-6482, Issue #9003)
• Debugger:Agents. Provided better end-of-life story for the x64dbg agent. (GP-6148)
• Debugger:Agents. Changed Debugger defaults to listen on localhost rather than all interfaces. (GP-6716)
• Debugger:Breakpoints. Fixed a ClosedException in the logical breakpoint service. (GP-6572, Issue #8904)
• Debugger:dbgeng.dll. Handlers should not force break. They now return DEBUG_STATUS_NO_CHANGE. (GP-6190, Issue #8738)
• Debugger:dbgeng.dll. Added python handlers for dbgeng. (GP-6374)
• Debugger:Emulator. Fixed an issue where AUX emulators, e.g., the Taint Emulator, did not recognize the emu_* userops in injections. (GP-6018)
• Debugger:Emulator. Better default behavior for Z3 plugin is provided, especially upon removal. (GP-6312)
• Decompiler. Updated the Decompiler's Set Equate action to not prompt users twice. (GP-6205, Issue #8736)
• Decompiler. Fixed a bug in the Decompiler when analyzing expressions of the form val & bitmask >> const != 0. (GP-6318, Issue #8717, #8718)
• Decompiler. Fixed infinite loop triggered during multistage jump table analysis. (GP-6610, Issue #8968)
• Decompiler. Updated the Decompiler to not re-decompile when creating a snapshot of the current function. (GP-6629)
• Demangler. Updated the legacy GnuDemangler v2.24 to handle qualifiers being used along with the F character. (GP-6363)
• Emulator. Fixed crash issue that occurred if a script, userop, or similar ever called state.getVar() with size of 0. (GP-6654)
• Emulator:JIT. Fixed several bugs discovered when converting EmuX86GccDeobfuscateHookExampleScript. (GP-6397)
• Emulator:JIT. Fixed a bug in multi-precision-integer-addition code generation. (GP-6457)
• Function. Corrected possible exception within Function Editor when applying simple parameter renames made within table. (GP-6746)
• GUI. Fixed table header not painting edges on the Windows theme. (GP-6053, Issue #8564)
• GUI. Fixed a keyboard focus issue related to modal dialogs. (GP-6069, Issue #8571)
• GUI. Updated the Choose Data Type action to use the actual data type at the current location instead of the base data type. (GP-6192, Issue #8734)
• GUI. Updated Program Tabs to better show the current active program. (GP-6323)
• GUI. Fixed stack trace in Symbol Tree when converting a Namespace to a Class. (GP-6326, Issue #8869)
• GUI. Improved the appearance of the Script Quick Launch dialog. (GP-6335, Issue #8759)
• GUI. Fixed key bindings that use the Alt key so that the right Alt key works in addition to the left Alt key. This is now an option that can be disabled for users that prefer to keep the right Alt key independent of the left Alt key. (GP-6450, Issue #8205, #8969)
• GUI. Fixed Add/Edit Label behavior on symbol names that contain the "::" namespace separator. (GP-6488)
• GUI. Fixed a bug in the Listing open-union display that caused a NullPointerException. (GP-6536)
• GUI. Corrected behavior of Function Call Tree when traversing thunk functions. (GP-6653)
• GUI. Fixed Data Type Manager filter bugs. (GP-6749)
• GUI. Fixed Save As dialog not allowing users to select a folder. (GP-6756)
• Listing. Fixed a bug where files were not marked as having unsaved changes in the Listing tabs after performing Analyze All Open action. (GP-5953)
• Logging. Fixed a bug that prevented GhidraScript output from being directed to either the default or user-specified script.log file. (GP-6532)
• Memory. Corrected various issues related to improper use of Addresses from one program in another program's AddressMap. (GP-6150)
• Multi-User. Corrected potential security concern with Ghidra Server PKI Authentication. If using PKI Authentication mode (-a2) for the server install, the user should upgrade the server.
• See reported Ghidra GitHub Pull Request #9109 for more details. (GP-6678, Issue #9109)
• Multi-User. Added Ghidra Server -ipAlt option to address self-signed certificate issues affecting docker container deployments where a formal certificate was not used (see server.conf and svrREADME.md). (GP-6811)
• Processors. Fixed ARM ldrsh.w and ldrsb.w instruction semantics. (GP-4651, Issue #6564)
• Processors. Reworded Tricore processor description. (GP-5243, Issue #7170)
• Processors. Corrected AVR32 ICALL instruction behavior when rd0 is the LR register. (GP-5306, Issue #5718)
• Processors. Corrected the signed offset parameter of PowerPC LQ instruction. (GP-5508, Issue
• Processors. Fixed disassembly for ARM Neon vmvn and vmov immediate instructions. (GP-5849, Issue #8319)
• Processors. Added support for CIP-51 microprocessor variant of the 8051 language. (GP-6000, Issue #8130)
• Processors. Added several missing ARM v8m instructions. (GP-6145, Issue #8652)
• Processors. Corrected PIC-18 disassembly for certain addressing modes when the destination operand is a banked register. (GP-6591, Issue #9051)
• Processors. Corrected disassembly error with ARM Neon vmov.i32 instruction. (GP-6750)
• Project. Eliminated the maximum 60-character length naming restriction imposed on various Ghidra elements, including: project name, repository name, project archive filename, and Ghidra tool config names. Efforts have been made to allow for the use of foreign-language-naming of these elements. Support for Ghidra projects stored on a Windows UNC shared drive has also been added. (GP-6402, Issue #8731)
• Search. Fixed Context-column-sorting in the Find References results table. (GP-6421, Issue #8943)
• Version Tracking. Fixed a Version Tracking oversight that would not correctly replace return types or parameter types when the Replace If Undefined option was set and the datatype to replace was an undefined pointer. (GP-5722)

Notable API Changes

• API. (GP-6039) Revised ProgramUtilities.parseAddress(Program, String) to handle the parsing of external addresses (e.g., EXTERNAL:000000100). Support for memory block style addresses has been eliminated for this method (e.g., <blockName>:<offsetWithinAddressSpace>). Memory block style addresses should not be used.
• Basic Infrastructure. (GP-6370) GenericXMLOutputter is now instantiated with a static getInstance() method rather than a constructor.
• Byte Viewer. (GP-5689) ByteViewer's DataFormatModel.replaceValue() has been moved to the new MutableDataFormatModel interface, and DataFormatModel.isEditable() has been removed.
• DataFormatModel.validateBytesPerLine() has been replaced with validateByteViewerConfigOptions(). DataFormatModel.setByteViewerConfigOptions() has been added and (get/set)GroupSize() has been removed.
• Data Types. (GP-3564) Eliminated throwing DuplicateNameException from DataTypeComponent.setFieldName. Added Composite.findComponent(String name) and Composite.findComponents(String name) API methods.
• Debugger:dbgeng.dll. (GP-6190) dbgeng handlers return DEBUG_STATUS_NO_CHANGE.
• Debugger:Emulator. (GP-6129) PcodeOp was added to many Emulator methods.
• Debugger:Emulator. (GP-6131) Managers in the Trace API now permit operating directly on register overlay spaces, where applicable.
• Debugger:Emulator. (GP-6159) Removed PcodeUseropDefinition.execute(PcodeExecutor, PcodeUseropLibrary, Varnode, List) in favor of one taking PcodeOp as well.
• Emulator. (GP-4241) Converted each now-deprecated XxxEmulateInstructionStateModifer to a XxxPcodeUseropLibraryFactory.
• Emulator. (GP-6158) AnnotatedPcodeUseropLibrary now allows static methods to be marked @PcodeUserop. Both interpretation and JIT emulators can invoke them.
• Emulator. (GP-6234) Deprecated EmulatorHelper and related.
• GUI. (GP-6451) Added a modify() method to the Annotation class so clients can perform their own annotation transformations.
• Project. (GP-6402) Overhauled GhidraURL utility class which now uses URI to generate URLs to ensure that proper encoding and decoding is performed. Added GhidaURL.resolve method which simplifies creating a new Ghidra URL derived from another Ghidra URL to the same project or repository.
• Search. (GP-6261) Various classes related to searching memory for byte patterns have been changed to use generics to make them generally more useful.
• Search. (GP-6309) SequenceSearchState is renamed to BulkPatternSearcher and its API has changed. Also, it and related classes have been changed to use generics and support different kinds of patterns.