kandi background

ghidra | Ghidra is a software reverse engineering framework | Reverse Engineering library

by NationalSecurityAgency Java Version: Ghidra_10.1.2_build License: Apache-2.0

by NationalSecurityAgency Java Version: Ghidra_10.1.2_build License: Apache-2.0

Download this library from

kandi X-RAY | ghidra Summary

ghidra is a Java library typically used in Telecommunications, Media, Advertising, Marketing, Utilities, Reverse Engineering applications. ghidra has build file available, it has a Permissive License and it has high support. However ghidra has 5491 bugs and it has 3 vulnerabilities. You can download it from GitHub.

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python. In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems. If you are a U.S. citizen interested in projects like this, to develop Ghidra and other cybersecurity tools for NSA to help protect our nation and its allies, consider applying for a career with us.

Support

Support

Quality

Quality

Security

Security

License

License

Reuse

Reuse

kandi-support Support

ghidra has a highly active ecosystem.
It has 32169 star(s) with 4212 fork(s). There are 944 watchers for this library.
There were 5 major release(s) in the last 12 months.
There are 1143 open issues and 1928 have been closed. On average issues are closed in 117 days. There are 177 open pull requests and 0 closed requests.
It has a negative sentiment in the developer community.
The latest version of ghidra is Ghidra_10.1.2_build

ghidra Support

Best in #Reverse Engineering

Average in #Reverse Engineering

ghidra Support

Best in #Reverse Engineering

Average in #Reverse Engineering

quality kandi Quality

ghidra has 5491 bugs (85 blocker, 28 critical, 1830 major, 3548 minor) and 61806 code smells.

ghidra Quality

Best in #Reverse Engineering

Average in #Reverse Engineering

ghidra Quality

Best in #Reverse Engineering

Average in #Reverse Engineering

security Security

ghidra has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
ghidra code analysis shows 3 unresolved vulnerabilities (0 blocker, 3 critical, 0 major, 0 minor).
There are 379 security hotspots that need review.

ghidra Security

Best in #Reverse Engineering

Average in #Reverse Engineering

ghidra Security

Best in #Reverse Engineering

Average in #Reverse Engineering

license License

ghidra is licensed under the Apache-2.0 License. This license is Permissive.
Permissive licenses have the least restrictions, and you can use them in most projects.

ghidra License

Best in #Reverse Engineering

Average in #Reverse Engineering

ghidra License

Best in #Reverse Engineering

Average in #Reverse Engineering

build Reuse

ghidra releases are available to install and integrate.
Build file is available. You can build the component from source.
Installation instructions, examples and code snippets are available.

ghidra Reuse

Best in #Reverse Engineering

Average in #Reverse Engineering

ghidra Reuse

Best in #Reverse Engineering

Average in #Reverse Engineering

Top functions reviewed by kandi - BETA

kandi has reviewed ghidra and discovered the below as its top functions. This is intended to give you an instant insight into ghidra implemented functionality, and help decide if they suit your requirements.

Gets the primitive ms type .
ProcessType Method .
Returns the next pcode for the given instruction .
Perform the given relocation .
Returns an AppSymbolApplier for the given iterator
Parses a record .
Create the filters .
Simplify a Vcode operation .
Gets type applier .
Processes a data type and converts it to a data type .

ghidra Key Features

Ghidra is a software reverse engineering (SRE) framework

ghidra Examples and Code Snippets

See all related Code Snippets

Build

Copy

Download

$ unzip ghidra-master
$ cd ghidra-master

Advanced Development

Copy

Download

$ gradle prepdev eclipse buildNatives

How can I determine this string value based on the C disassembly?

Copy

Download

(*(short *)(in_RCX + 5) != 0x5e73)

    001011d0 8a 48 05        MOV        CL,byte ptr [RAX + 0x5]
    001011d3 8a 68 06        MOV        CH,byte ptr [RAX + 0x6]
    001011d6 66 81 f1        XOR        CX,0x4c47
             47 4c
    001011db 66 81 f9        CMP        CX,0x1234
             34 12
    001011e0 75 05           JNZ        LAB_001011e7

-----------------------

(*(short *)(in_RCX + 5) != 0x5e73)

    001011d0 8a 48 05        MOV        CL,byte ptr [RAX + 0x5]
    001011d3 8a 68 06        MOV        CH,byte ptr [RAX + 0x6]
    001011d6 66 81 f1        XOR        CX,0x4c47
             47 4c
    001011db 66 81 f9        CMP        CX,0x1234
             34 12
    001011e0 75 05           JNZ        LAB_001011e7

what's this decompiled f2xm1/fscale sequence meant to do?

Copy

Download

x=2.5000000000000000e+000 exp(x)=1.2182493960703475e+001 lib=1.2182493960703473e+001

#include <stdio.h>
#include <math.h>

int main (void)
{
    double r, x = 2.5; 

    __asm fld qword ptr[x]; // x
    __asm fldl2e;           // log2(e)=1.442695040888963, x
    __asm fmulp st(1), st;  // x*log2(e)
    __asm fld st(0);        // x*log2(e), x*log2(e)
    __asm frndint;          // rint(x*log2(e)), x*log2(e)
    __asm fxch st(1);       // x*log2(e), rint(x*log2(e))
    __asm fsub st, st(1);   // frac(x*log2(e)), rint(x*log2(e))
    __asm f2xm1;            // 2^frac(x*log2(e))-1, rint(x*log2(e))
    __asm fld1;             // 1, 2^frac(x*log2(e))-1, rint(x*log2(e))
    __asm faddp st(1),st;   // 2^frac(x*log2(e)), rint(x*log2(e))
    __asm fscale;           // exp(x)=2^frac(x*log2(e))*2^rint(x*log2(e)), rint(x*log2(e)
    __asm fstp qword ptr[r];// rint(x*log2(e)
    __asm fstp st(0);       // <empty>
    
    printf ("x=%23.16e exp(x)=%23.16e lib=%23.16e\n", x, r, exp(x));
    return 0;
}

-----------------------

x=2.5000000000000000e+000 exp(x)=1.2182493960703475e+001 lib=1.2182493960703473e+001

#include <stdio.h>
#include <math.h>

int main (void)
{
    double r, x = 2.5; 

    __asm fld qword ptr[x]; // x
    __asm fldl2e;           // log2(e)=1.442695040888963, x
    __asm fmulp st(1), st;  // x*log2(e)
    __asm fld st(0);        // x*log2(e), x*log2(e)
    __asm frndint;          // rint(x*log2(e)), x*log2(e)
    __asm fxch st(1);       // x*log2(e), rint(x*log2(e))
    __asm fsub st, st(1);   // frac(x*log2(e)), rint(x*log2(e))
    __asm f2xm1;            // 2^frac(x*log2(e))-1, rint(x*log2(e))
    __asm fld1;             // 1, 2^frac(x*log2(e))-1, rint(x*log2(e))
    __asm faddp st(1),st;   // 2^frac(x*log2(e)), rint(x*log2(e))
    __asm fscale;           // exp(x)=2^frac(x*log2(e))*2^rint(x*log2(e)), rint(x*log2(e)
    __asm fstp qword ptr[r];// rint(x*log2(e)
    __asm fstp st(0);       // <empty>
    
    printf ("x=%23.16e exp(x)=%23.16e lib=%23.16e\n", x, r, exp(x));
    return 0;
}

How to reverse strings that have been obfuscated using floats and double?

Copy

Download

import string, struct
from itertools import product

possible = string.ascii_lowercase + string.punctuation + string.digits

for nxt in product(possible, repeat=5):
    n = ''.join(nxt).encode()
    s = b'_' + n[:2] + b'}' + n[2:] + b'@'
    rtn = struct.unpack("<d", s)[0]
    rtn = 1665002837.488342 / rtn
    if abs(rtn - 4088116.817143337) <= 0.0000001192092895507812:
        print(s)

Can Ghidra re-compile and run a short function?

Copy

Download

#include <stdint.h>

typedef uint8_t undefined8;
typedef long long int longlong;
typedef unsigned long long int ulonglong;
typedef unsigned int uint;

undefined8 FUN_140041010(char *param_1,longlong param_2,uint param_3)
{
  char *pcVar1;
  uint uVar2;
  ulonglong uVar3;
  
  uVar3 = 0;
  if (param_3 != 0) {
    pcVar1 = param_1;
    do {
      if (pcVar1[param_2 - (longlong)param_1] == '\0') {
        if ((uint)uVar3 < param_3) {
          param_1[uVar3] = '\0';
          return 0;
        }
        break;
      }
      *pcVar1 = pcVar1[param_2 - (longlong)param_1];
      uVar2 = (uint)uVar3 + 1;
      uVar3 = (ulonglong)uVar2;
      pcVar1 = pcVar1 + 1;
    } while (uVar2 < param_3);
  }
  param_1[param_3 - 1] = '\0';
  return 0;
}

int main(int argc, char const* argv[])
{
  char* mystr = "hello";
  printf("%hhu\n", FUN_140041010(mystr, /* not sure about this arg */ 0, strlen(mystr));
  return 0;
}

-----------------------

#include <stdint.h>

typedef uint8_t undefined8;
typedef long long int longlong;
typedef unsigned long long int ulonglong;
typedef unsigned int uint;

undefined8 FUN_140041010(char *param_1,longlong param_2,uint param_3)
{
  char *pcVar1;
  uint uVar2;
  ulonglong uVar3;
  
  uVar3 = 0;
  if (param_3 != 0) {
    pcVar1 = param_1;
    do {
      if (pcVar1[param_2 - (longlong)param_1] == '\0') {
        if ((uint)uVar3 < param_3) {
          param_1[uVar3] = '\0';
          return 0;
        }
        break;
      }
      *pcVar1 = pcVar1[param_2 - (longlong)param_1];
      uVar2 = (uint)uVar3 + 1;
      uVar3 = (ulonglong)uVar2;
      pcVar1 = pcVar1 + 1;
    } while (uVar2 < param_3);
  }
  param_1[param_3 - 1] = '\0';
  return 0;
}

int main(int argc, char const* argv[])
{
  char* mystr = "hello";
  printf("%hhu\n", FUN_140041010(mystr, /* not sure about this arg */ 0, strlen(mystr));
  return 0;
}

Is Ghidra misinterpreting a function call?

Copy

Download

CALL dword ptr [EBX*0x4 + 0x402ac0]

extern void do_thing_zero(void);
extern void do_thing_one(void);
extern void do_thing_two(void);
extern void do_thing_three(void);

typedef void (*do_thing_ptr)(void);
const do_thing_ptr do_thing_table[4] = {
  do_thing_zero, do_thing_one, do_thing_two, do_thing_three
};

// ...

void do_thing_n(unsigned int n)
{
   if (n >= 4) abort();
   do_thing_table[n]();
}

-----------------------

CALL dword ptr [EBX*0x4 + 0x402ac0]

extern void do_thing_zero(void);
extern void do_thing_one(void);
extern void do_thing_two(void);
extern void do_thing_three(void);

typedef void (*do_thing_ptr)(void);
const do_thing_ptr do_thing_table[4] = {
  do_thing_zero, do_thing_one, do_thing_two, do_thing_three
};

// ...

void do_thing_n(unsigned int n)
{
   if (n >= 4) abort();
   do_thing_table[n]();
}

Undefined behavior when calling FD_ISSET

Copy

Download

FD_ZERO(&readfds);
if (sock1 >= FD_SETSIZE) {
    error("too many file descriptors!");
    abort(); }
FD_SET(sock1, &readfds);
max_fd = sock1;

if ( some_condition ) {
    if (sock2 >= FD_SETSIZE) {
        error("too many file descriptors!");
        abort(); }
    FD_SET(sock2, &readfds);
    if ( sock2 > max_fd ) {
        max_fd = sock2;
    }
}

Binary clock_nanosleep "bypass"

Copy

Download

#include <time.h>

int clock_nanosleep(clockid_t clockid, int flags,
                    const struct timespec *request,
                    struct timespec *remain) {
    return 0;
}

> gcc inject.c -shared -fPIC -o inject.so

> LD_PRELOAD=$PWD/inject.so ./program

-----------------------

#include <time.h>

int clock_nanosleep(clockid_t clockid, int flags,
                    const struct timespec *request,
                    struct timespec *remain) {
    return 0;
}

> gcc inject.c -shared -fPIC -o inject.so

> LD_PRELOAD=$PWD/inject.so ./program

-----------------------

#include <time.h>

int clock_nanosleep(clockid_t clockid, int flags,
                    const struct timespec *request,
                    struct timespec *remain) {
    return 0;
}

> gcc inject.c -shared -fPIC -o inject.so

> LD_PRELOAD=$PWD/inject.so ./program

Read uchar value from hooked method using Frida

Copy

Download

int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);

Why is this binary vulnerable to buffer overflow?

Copy

Download

(gdb) disassemble main
Dump of assembler code for function main:
   0x0000000000001189 <+0>:     endbr64 
   0x000000000000118d <+4>:     push   %rbp
   0x000000000000118e <+5>:     mov    %rsp,%rbp
   0x0000000000001191 <+8>:     sub    $0x30,%rsp
   0x0000000000001195 <+12>:    lea    0xe68(%rip),%rdi        # 0x2004
   0x000000000000119c <+19>:    mov    $0x0,%eax
   0x00000000000011a1 <+24>:    callq  0x1080 <printf@plt>
   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax
   0x00000000000011aa <+33>:    mov    %rax,%rdi
   0x00000000000011ad <+36>:    mov    $0x0,%eax
   0x00000000000011b2 <+41>:    callq  0x1090 <gets@plt>
   0x00000000000011b7 <+46>:    movabs $0x4141414141414141,%rax
   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011c5 <+60>:    je     0x11ef <main+102>
   0x00000000000011c7 <+62>:    movabs $0x1122334455667788,%rax
   0x00000000000011d1 <+72>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011d5 <+76>:    jne    0x11e3 <main+90>
   0x00000000000011d7 <+78>:    lea    0xe34(%rip),%rdi        # 0x2012
   0x00000000000011de <+85>:    callq  0x1070 <puts@plt>
   0x00000000000011e3 <+90>:    lea    0xe33(%rip),%rdi        # 0x201d
   0x00000000000011ea <+97>:    callq  0x1070 <puts@plt>
   0x00000000000011ef <+102>:   mov    $0x0,%eax
   0x00000000000011f4 <+107>:   leaveq
   0x00000000000011f5 <+108>:   retq

   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax

   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)

$ python3 -c "print ('A' * 40 +'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  c2 88 77 66 55 44 33 22  |AAAAAAAA..wfUD3"|
00000030  11 0a                                             |..|
00000032

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  88 77 66 55 44 33 22 11  |AAAAAAAA.wfUD3".|
00000030

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|./a.out 
Give it a tryThat's won
Let's continue

-----------------------

(gdb) disassemble main
Dump of assembler code for function main:
   0x0000000000001189 <+0>:     endbr64 
   0x000000000000118d <+4>:     push   %rbp
   0x000000000000118e <+5>:     mov    %rsp,%rbp
   0x0000000000001191 <+8>:     sub    $0x30,%rsp
   0x0000000000001195 <+12>:    lea    0xe68(%rip),%rdi        # 0x2004
   0x000000000000119c <+19>:    mov    $0x0,%eax
   0x00000000000011a1 <+24>:    callq  0x1080 <printf@plt>
   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax
   0x00000000000011aa <+33>:    mov    %rax,%rdi
   0x00000000000011ad <+36>:    mov    $0x0,%eax
   0x00000000000011b2 <+41>:    callq  0x1090 <gets@plt>
   0x00000000000011b7 <+46>:    movabs $0x4141414141414141,%rax
   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011c5 <+60>:    je     0x11ef <main+102>
   0x00000000000011c7 <+62>:    movabs $0x1122334455667788,%rax
   0x00000000000011d1 <+72>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011d5 <+76>:    jne    0x11e3 <main+90>
   0x00000000000011d7 <+78>:    lea    0xe34(%rip),%rdi        # 0x2012
   0x00000000000011de <+85>:    callq  0x1070 <puts@plt>
   0x00000000000011e3 <+90>:    lea    0xe33(%rip),%rdi        # 0x201d
   0x00000000000011ea <+97>:    callq  0x1070 <puts@plt>
   0x00000000000011ef <+102>:   mov    $0x0,%eax
   0x00000000000011f4 <+107>:   leaveq
   0x00000000000011f5 <+108>:   retq

   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax

   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)

$ python3 -c "print ('A' * 40 +'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  c2 88 77 66 55 44 33 22  |AAAAAAAA..wfUD3"|
00000030  11 0a                                             |..|
00000032

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  88 77 66 55 44 33 22 11  |AAAAAAAA.wfUD3".|
00000030

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|./a.out 
Give it a tryThat's won
Let's continue

-----------------------

(gdb) disassemble main
Dump of assembler code for function main:
   0x0000000000001189 <+0>:     endbr64 
   0x000000000000118d <+4>:     push   %rbp
   0x000000000000118e <+5>:     mov    %rsp,%rbp
   0x0000000000001191 <+8>:     sub    $0x30,%rsp
   0x0000000000001195 <+12>:    lea    0xe68(%rip),%rdi        # 0x2004
   0x000000000000119c <+19>:    mov    $0x0,%eax
   0x00000000000011a1 <+24>:    callq  0x1080 <printf@plt>
   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax
   0x00000000000011aa <+33>:    mov    %rax,%rdi
   0x00000000000011ad <+36>:    mov    $0x0,%eax
   0x00000000000011b2 <+41>:    callq  0x1090 <gets@plt>
   0x00000000000011b7 <+46>:    movabs $0x4141414141414141,%rax
   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011c5 <+60>:    je     0x11ef <main+102>
   0x00000000000011c7 <+62>:    movabs $0x1122334455667788,%rax
   0x00000000000011d1 <+72>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011d5 <+76>:    jne    0x11e3 <main+90>
   0x00000000000011d7 <+78>:    lea    0xe34(%rip),%rdi        # 0x2012
   0x00000000000011de <+85>:    callq  0x1070 <puts@plt>
   0x00000000000011e3 <+90>:    lea    0xe33(%rip),%rdi        # 0x201d
   0x00000000000011ea <+97>:    callq  0x1070 <puts@plt>
   0x00000000000011ef <+102>:   mov    $0x0,%eax
   0x00000000000011f4 <+107>:   leaveq
   0x00000000000011f5 <+108>:   retq

   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax

   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)

$ python3 -c "print ('A' * 40 +'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  c2 88 77 66 55 44 33 22  |AAAAAAAA..wfUD3"|
00000030  11 0a                                             |..|
00000032

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  88 77 66 55 44 33 22 11  |AAAAAAAA.wfUD3".|
00000030

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|./a.out 
Give it a tryThat's won
Let's continue

-----------------------

(gdb) disassemble main
Dump of assembler code for function main:
   0x0000000000001189 <+0>:     endbr64 
   0x000000000000118d <+4>:     push   %rbp
   0x000000000000118e <+5>:     mov    %rsp,%rbp
   0x0000000000001191 <+8>:     sub    $0x30,%rsp
   0x0000000000001195 <+12>:    lea    0xe68(%rip),%rdi        # 0x2004
   0x000000000000119c <+19>:    mov    $0x0,%eax
   0x00000000000011a1 <+24>:    callq  0x1080 <printf@plt>
   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax
   0x00000000000011aa <+33>:    mov    %rax,%rdi
   0x00000000000011ad <+36>:    mov    $0x0,%eax
   0x00000000000011b2 <+41>:    callq  0x1090 <gets@plt>
   0x00000000000011b7 <+46>:    movabs $0x4141414141414141,%rax
   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011c5 <+60>:    je     0x11ef <main+102>
   0x00000000000011c7 <+62>:    movabs $0x1122334455667788,%rax
   0x00000000000011d1 <+72>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011d5 <+76>:    jne    0x11e3 <main+90>
   0x00000000000011d7 <+78>:    lea    0xe34(%rip),%rdi        # 0x2012
   0x00000000000011de <+85>:    callq  0x1070 <puts@plt>
   0x00000000000011e3 <+90>:    lea    0xe33(%rip),%rdi        # 0x201d
   0x00000000000011ea <+97>:    callq  0x1070 <puts@plt>
   0x00000000000011ef <+102>:   mov    $0x0,%eax
   0x00000000000011f4 <+107>:   leaveq
   0x00000000000011f5 <+108>:   retq

   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax

   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)

$ python3 -c "print ('A' * 40 +'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  c2 88 77 66 55 44 33 22  |AAAAAAAA..wfUD3"|
00000030  11 0a                                             |..|
00000032

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  88 77 66 55 44 33 22 11  |AAAAAAAA.wfUD3".|
00000030

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|./a.out 
Give it a tryThat's won
Let's continue

-----------------------

(gdb) disassemble main
Dump of assembler code for function main:
   0x0000000000001189 <+0>:     endbr64 
   0x000000000000118d <+4>:     push   %rbp
   0x000000000000118e <+5>:     mov    %rsp,%rbp
   0x0000000000001191 <+8>:     sub    $0x30,%rsp
   0x0000000000001195 <+12>:    lea    0xe68(%rip),%rdi        # 0x2004
   0x000000000000119c <+19>:    mov    $0x0,%eax
   0x00000000000011a1 <+24>:    callq  0x1080 <printf@plt>
   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax
   0x00000000000011aa <+33>:    mov    %rax,%rdi
   0x00000000000011ad <+36>:    mov    $0x0,%eax
   0x00000000000011b2 <+41>:    callq  0x1090 <gets@plt>
   0x00000000000011b7 <+46>:    movabs $0x4141414141414141,%rax
   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011c5 <+60>:    je     0x11ef <main+102>
   0x00000000000011c7 <+62>:    movabs $0x1122334455667788,%rax
   0x00000000000011d1 <+72>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011d5 <+76>:    jne    0x11e3 <main+90>
   0x00000000000011d7 <+78>:    lea    0xe34(%rip),%rdi        # 0x2012
   0x00000000000011de <+85>:    callq  0x1070 <puts@plt>
   0x00000000000011e3 <+90>:    lea    0xe33(%rip),%rdi        # 0x201d
   0x00000000000011ea <+97>:    callq  0x1070 <puts@plt>
   0x00000000000011ef <+102>:   mov    $0x0,%eax
   0x00000000000011f4 <+107>:   leaveq
   0x00000000000011f5 <+108>:   retq

   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax

   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)

$ python3 -c "print ('A' * 40 +'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  c2 88 77 66 55 44 33 22  |AAAAAAAA..wfUD3"|
00000030  11 0a                                             |..|
00000032

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  88 77 66 55 44 33 22 11  |AAAAAAAA.wfUD3".|
00000030

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|./a.out 
Give it a tryThat's won
Let's continue

-----------------------

(gdb) disassemble main
Dump of assembler code for function main:
   0x0000000000001189 <+0>:     endbr64 
   0x000000000000118d <+4>:     push   %rbp
   0x000000000000118e <+5>:     mov    %rsp,%rbp
   0x0000000000001191 <+8>:     sub    $0x30,%rsp
   0x0000000000001195 <+12>:    lea    0xe68(%rip),%rdi        # 0x2004
   0x000000000000119c <+19>:    mov    $0x0,%eax
   0x00000000000011a1 <+24>:    callq  0x1080 <printf@plt>
   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax
   0x00000000000011aa <+33>:    mov    %rax,%rdi
   0x00000000000011ad <+36>:    mov    $0x0,%eax
   0x00000000000011b2 <+41>:    callq  0x1090 <gets@plt>
   0x00000000000011b7 <+46>:    movabs $0x4141414141414141,%rax
   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011c5 <+60>:    je     0x11ef <main+102>
   0x00000000000011c7 <+62>:    movabs $0x1122334455667788,%rax
   0x00000000000011d1 <+72>:    cmp    %rax,-0x8(%rbp)
   0x00000000000011d5 <+76>:    jne    0x11e3 <main+90>
   0x00000000000011d7 <+78>:    lea    0xe34(%rip),%rdi        # 0x2012
   0x00000000000011de <+85>:    callq  0x1070 <puts@plt>
   0x00000000000011e3 <+90>:    lea    0xe33(%rip),%rdi        # 0x201d
   0x00000000000011ea <+97>:    callq  0x1070 <puts@plt>
   0x00000000000011ef <+102>:   mov    $0x0,%eax
   0x00000000000011f4 <+107>:   leaveq
   0x00000000000011f5 <+108>:   retq

   0x00000000000011a6 <+29>:    lea    -0x30(%rbp),%rax

   0x00000000000011c1 <+56>:    cmp    %rax,-0x8(%rbp)

$ python3 -c "print ('A' * 40 +'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  c2 88 77 66 55 44 33 22  |AAAAAAAA..wfUD3"|
00000030  11 0a                                             |..|
00000032

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|hd -v
00000000  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  88 77 66 55 44 33 22 11  |AAAAAAAA.wfUD3".|
00000030

$ python3 -c "import sys; sys.stdout.buffer.write(b'A' * 40 + b'\x88\x77\x66\x55\x44\x33\x22\x11')"|./a.out 
Give it a tryThat's won
Let's continue

what does this ghidra-generated pseudo c-code generate?

Copy

Download

#include <stdio.h>
#include <stdlib.h>


int main(int argc, char **argv) 
{
    char character = 'A'; // 65 in dec
    char bang = '!'; // 33 in dec


    printf("'A' in dec: %d\n", (int)character);
    printf("'!' in dec: %d\n", (int)bang);


    
    // now the modulo operator works the same in chars
    character = 'a';
    char new_value = (char)character%64;
    printf("a %% 64 : char_value: %c, int_value: %d\n", new_value, (int)new_value);
    
    // you got to remember that chars are just a coded 8bit value
    
    char at_symbol = '@'; // 64 in dec

    // now the modulo operator works the same in chars
    character = 'a';
    new_value = (char)character%at_symbol;
    printf("a %% @ : char_value: %c, int_value: %d\n", new_value, (int)new_value);


    // it works the same with every other operator 
    

    
    int value1 = 300; //this is your random value

    char hex_value = 0x5E; //94 in dec or ^ in char

    new_value = (char)(value1%hex_value); //300 % 94 = 18;

    new_value += bang; //18 + 33 = 51 in dec or the number 3 symbol in char;

    printf("dec_val: %d, char encoding: %c\n", (int)new_value, new_value);


}

-----------------------

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

long GLOBAL_COUNTER = 0;

typedef char undefined;

void * array_constructor(int size);

int main(int argc, char **argv) 
{

    char* random_string = (char*)array_constructor(0x14);
    printf("%s", random_string);
    free(random_string);
}


void * array_constructor(int size)
{
    int random_value;
    //time_t cur_time;
    void *array;
    int counter;

    //cur_time = time(NULL);
    GLOBAL_COUNTER = GLOBAL_COUNTER + 1;
    srand(0);//srand(GLOBAL_COUNTER + (int)cur_time * param_1);
    array = malloc((long)(size + 1));//returns a void array of param_1 + 1 elements 
    if (array == NULL) 
      exit(1);
    
    counter = 0;
    while (counter < size) {
    random_value = rand();
    int char_value = (char)(random_value % 0x5e) + '!';//Range of possible values 33-127
    // This is due to the fact that random value can have any value given the seed
    // but its truncated to a modulo 0x5e so its new range is 0 - 0x5e(94 in dec) 
    // and you add the bang symbol at the end so 0 + 33 = 33 and 94 + 33 = 127 

    *(char *)((long)counter + (long)array) = char_value;    
    // this statement is the same as
    // array[counter] = char_value
    counter++;
    }
    *(undefined *)((long)array + (long)size) = 0; //it puts the \0 at the end of the string
    return array;
}

See all related Code Snippets

Community Discussions

Trending Discussions on ghidra

Ghidra headless analyzer
Ghidra decompile windows is greyed backgound
Is there a command execution vulnerability in this C program?
How can I determine this string value based on the C disassembly?
how to make Ghidra use a function's complete/original stackframe for decompiled code
what's this decompiled f2xm1/fscale sequence meant to do?
Decompiler not working in Ghidra Disassembler
How to reverse strings that have been obfuscated using floats and double?
Question marks in ghidra DAT_*
Can Ghidra re-compile and run a short function?

Trending Discussions on ghidra

QUESTION

Ghidra headless analyzer

Asked 2022-Mar-23 at 09:37

I am trying to decompile nodejs bytecode using ghidra, and there is this specific plugin which decompiles the the nodejs bytecode. How can I install that plugin using ghidra headless method?

And another question I have is, after analysing the nodejs bytecode it generated a .rep folder, which I am not sure what to do about now, as I thought it will be giving me the source code after analysis.

Thanks in advance :)

ANSWER

Answered 2022-Mar-23 at 09:37

Installing a plugin in Ghidra via GUI is just an unzip with extra checks. Headless install is described in the doc at https://ghidra-sre.org/InstallationGuide.html#GhidraExtensionNotes

To install an extension in these cases, simply extract the desired Ghidra extension archive file(s) to the /Ghidra/Extensions directory. For example, on Linux or macOS:

Set current directory to the Ghidra installed-extensions directory: cd <GhidraInstallDir>/Ghidra/Extensions

Extract desired extension archive file(s) to the current directory: unzip /path/to/<extension>.zip

The extension(s) will be installed the next time Ghidra is started.

How to dump the source code will depend on the plugin you are using, without a link it's hard to tell. I guess it just allows disassembling NodeJS bytecode, so you have to use the regular Ghidra APIs or scripts to dump disassembly?

Source https://stackoverflow.com/questions/71567810

QUESTION

Is there a command execution vulnerability in this C program?

Asked 2022-Feb-02 at 10:16

So I am working on a challenge problem to find a vulnerability in a C program binary that allows a command to be executed by the program (using the effective UID in Linux).

I am really struggling to find how to do this with this particular program.

The disassembly of the function in question (main function):


 **************************************************************
 *                                                            *
 *  FUNCTION                                                  *
 **************************************************************
 int __cdecl main(int argc, char * * argv)
     int               EAX:4          <RETURN>
     int               Stack[0x4]:4   argc
     char * *          Stack[0x8]:4   argv                            XREF[2]:     000109b0(R), 
                                                                                   000109dd(R)  
     undefined4        Stack[-0x8]:4  local_8                         XREF[1]:     00010bcb(R)  
     int               Stack[-0xc]:4  in                              XREF[5]:     000109f0(W), 
                                                                                   000109f3(R), 
                                                                                   00010ad4(R), 
                                                                                   00010b27(R), 
                                                                                   00010b59(R)  
     int               Stack[-0x10]:4 fd                              XREF[6]:     00010a1f(W), 
                                                                                   00010a22(R), 
                                                                                   00010aa5(R), 
                                                                                   00010ab2(R), 
                                                                                   00010ac9(R), 
                                                                                   00010b4e(R)  
     pid_t             Stack[-0x14]:4 pid                             XREF[4]:     00010a6b(W), 
                                                                                   00010a6e(R), 
                                                                                   00010a8b(R), 
                                                                                   00010b6a(R)  
     int[2]            Stack[-0x1c]:8 pipefd                          XREF[3,3]:   00010a3f(*), 
                                                                                   00010a95(R), 
                                                                                   00010b42(R), 
                                                                                   00010abd(R), 
                                                                                   00010b0f(R), 
                                                                                   00010b36(R)  
     char              Stack[-0x1d]:1 c                               XREF[2]:     00010b14(*), 
                                                                                   00010b23(*)  
     int               Stack[-0x24]:4 status                          XREF[2]:     00010b66(*), 
                                                                                   00010b75(R)  
                     main                                    XREF[5]:     Entry Point(*), 
                                                                          _start:00010866(*), 00010d30, 
                                                                                  00010da0(*), 00011f34(*)  
0001097d 55              PUSH       EBP
0001097e 89 e5           MOV        EBP,ESP
00010980 53              PUSH       EBX
00010981 83 ec 1c        SUB        ESP,0x1c
00010984 e8 87 16        CALL       <EXTERNAL>::geteuid                              __uid_t geteuid(void)
         00 00
00010989 89 c3           MOV        EBX,EAX
0001098b e8 80 16        CALL       <EXTERNAL>::geteuid                              __uid_t geteuid(void)
         00 00
00010990 53              PUSH       EBX
00010991 50              PUSH       EAX
00010992 e8 9d 16        CALL       <EXTERNAL>::setreuid                             int setreuid(__uid_t __ruid, __u
         00 00
00010997 83 c4 08        ADD        ESP,0x8
0001099a e8 75 16        CALL       <EXTERNAL>::getegid                              __gid_t getegid(void)
         00 00
0001099f 89 c3           MOV        EBX,EAX
000109a1 e8 6e 16        CALL       <EXTERNAL>::getegid                              __gid_t getegid(void)
         00 00
000109a6 53              PUSH       EBX
000109a7 50              PUSH       EAX
000109a8 e8 9b 16        CALL       <EXTERNAL>::setregid                             int setregid(__gid_t __rgid, __g
         00 00
000109ad 83 c4 08        ADD        ESP,0x8
000109b0 8b 45 0c        MOV        EAX,dword ptr [EBP + argv]
000109b3 83 c0 04        ADD        EAX,0x4
000109b6 8b 00           MOV        EAX,dword ptr [EAX]
000109b8 85 c0           TEST       EAX,EAX
000109ba 75 21           JNZ        LAB_000109dd
000109bc a1 98 1f        MOV        EAX,[stderr]
         01 00
000109c1 50              PUSH       EAX
000109c2 6a 22           PUSH       0x22
000109c4 6a 01           PUSH       0x1
000109c6 68 50 0c        PUSH       s_Please_specify_the_file_to_verif_00010c50      = "Please specify the file to ve
         01 00
000109cb e8 50 16        CALL       <EXTERNAL>::fwrite                               size_t fwrite(void * __ptr, size
         00 00
000109d0 83 c4 10        ADD        ESP,0x10
000109d3 b8 01 00        MOV        EAX,0x1
         00 00
000109d8 e9 ee 01        JMP        LAB_00010bcb
         00 00
                     LAB_000109dd                                    XREF[1]:     000109ba(j)  
000109dd 8b 45 0c        MOV        EAX,dword ptr [EBP + argv]
000109e0 83 c0 04        ADD        EAX,0x4
000109e3 8b 00           MOV        EAX,dword ptr [EAX]
000109e5 6a 00           PUSH       0x0
000109e7 50              PUSH       EAX
000109e8 e8 43 16        CALL       <EXTERNAL>::open                                 int open(char * __file, int __of
         00 00
000109ed 83 c4 08        ADD        ESP,0x8
000109f0 89 45 f8        MOV        dword ptr [EBP + in],EAX
000109f3 83 7d f8 00     CMP        dword ptr [EBP + in],0x0
000109f7 79 17           JNS        LAB_00010a10
000109f9 68 73 0c        PUSH       DAT_00010c73                                     = 6Fh    o
         01 00
000109fe e8 19 16        CALL       <EXTERNAL>::perror                               void perror(char * __s)
         00 00
00010a03 83 c4 04        ADD        ESP,0x4
00010a06 b8 02 00        MOV        EAX,0x2
         00 00
00010a0b e9 bb 01        JMP        LAB_00010bcb
         00 00
                     LAB_00010a10                                    XREF[1]:     000109f7(j)  
00010a10 6a 02           PUSH       0x2
00010a12 68 78 0c        PUSH       s_/dev/null_00010c78                             = "/dev/null"
         01 00
00010a17 e8 14 16        CALL       <EXTERNAL>::open                                 int open(char * __file, int __of
         00 00
00010a1c 83 c4 08        ADD        ESP,0x8
00010a1f 89 45 f4        MOV        dword ptr [EBP + fd],EAX
00010a22 83 7d f4 00     CMP        dword ptr [EBP + fd],0x0
00010a26 79 17           JNS        LAB_00010a3f
00010a28 68 73 0c        PUSH       DAT_00010c73                                     = 6Fh    o
         01 00
00010a2d e8 ea 15        CALL       <EXTERNAL>::perror                               void perror(char * __s)
         00 00
00010a32 83 c4 04        ADD        ESP,0x4
00010a35 b8 05 00        MOV        EAX,0x5
         00 00
00010a3a e9 8c 01        JMP        LAB_00010bcb
         00 00
                     LAB_00010a3f                                    XREF[1]:     00010a26(j)  
00010a3f 8d 45 e8        LEA        EAX=>pipefd,[EBP + -0x18]
00010a42 50              PUSH       EAX
00010a43 e8 f8 15        CALL       <EXTERNAL>::pipe                                 int pipe(int * __pipedes)
         00 00
00010a48 83 c4 04        ADD        ESP,0x4
00010a4b 85 c0           TEST       EAX,EAX
00010a4d 79 17           JNS        LAB_00010a66
00010a4f 68 82 0c        PUSH       DAT_00010c82                                     = 70h    p
         01 00
00010a54 e8 c3 15        CALL       <EXTERNAL>::perror                               void perror(char * __s)
         00 00
00010a59 83 c4 04        ADD        ESP,0x4
00010a5c b8 03 00        MOV        EAX,0x3
         00 00
00010a61 e9 65 01        JMP        LAB_00010bcb
         00 00
                     LAB_00010a66                                    XREF[1]:     00010a4d(j)  
00010a66 e8 d9 15        CALL       <EXTERNAL>::fork                                 __pid_t fork(void)
         00 00
00010a6b 89 45 f0        MOV        dword ptr [EBP + pid],EAX
00010a6e 83 7d f0 00     CMP        dword ptr [EBP + pid],0x0
00010a72 79 17           JNS        LAB_00010a8b
00010a74 68 87 0c        PUSH       DAT_00010c87                                     = 66h    f
         01 00
00010a79 e8 9e 15        CALL       <EXTERNAL>::perror                               void perror(char * __s)
         00 00
00010a7e 83 c4 04        ADD        ESP,0x4
00010a81 b8 04 00        MOV        EAX,0x4
         00 00
00010a86 e9 40 01        JMP        LAB_00010bcb
         00 00
                     LAB_00010a8b                                    XREF[1]:     00010a72(j)  
00010a8b 83 7d f0 00     CMP        dword ptr [EBP + pid],0x0
00010a8f 0f 85 8c        JNZ        LAB_00010b21
         00 00 00
00010a95 8b 45 e8        MOV        EAX,dword ptr [EBP + pipefd[0]]
00010a98 6a 00           PUSH       0x0
00010a9a 50              PUSH       EAX
00010a9b e8 60 15        CALL       <EXTERNAL>::dup2                                 int dup2(int __fd, int __fd2)
         00 00
00010aa0 83 c4 08        ADD        ESP,0x8
00010aa3 6a 01           PUSH       0x1
00010aa5 ff 75 f4        PUSH       dword ptr [EBP + fd]
00010aa8 e8 53 15        CALL       <EXTERNAL>::dup2                                 int dup2(int __fd, int __fd2)
         00 00
00010aad 83 c4 08        ADD        ESP,0x8
00010ab0 6a 02           PUSH       0x2
00010ab2 ff 75 f4        PUSH       dword ptr [EBP + fd]
00010ab5 e8 46 15        CALL       <EXTERNAL>::dup2                                 int dup2(int __fd, int __fd2)
         00 00
00010aba 83 c4 08        ADD        ESP,0x8
00010abd 8b 45 ec        MOV        EAX,dword ptr [EBP + pipefd[1]]
00010ac0 50              PUSH       EAX
00010ac1 e8 8a 15        CALL       <EXTERNAL>::close                                int close(int __fd)
         00 00
00010ac6 83 c4 04        ADD        ESP,0x4
00010ac9 ff 75 f4        PUSH       dword ptr [EBP + fd]
00010acc e8 7f 15        CALL       <EXTERNAL>::close                                int close(int __fd)
         00 00
00010ad1 83 c4 04        ADD        ESP,0x4
00010ad4 ff 75 f8        PUSH       dword ptr [EBP + in]
00010ad7 e8 74 15        CALL       <EXTERNAL>::close                                int close(int __fd)
         00 00
00010adc 83 c4 04        ADD        ESP,0x4
00010adf 6a 00           PUSH       0x0
00010ae1 68 8c 0c        PUSH       s_-asxml_00010c8c                                = "-asxml"
         01 00
00010ae6 68 93 0c        PUSH       DAT_00010c93                                     = 74h    t
         01 00
00010aeb 68 93 0c        PUSH       DAT_00010c93                                     = 74h    t
         01 00
00010af0 e8 17 15        CALL       <EXTERNAL>::execlp                               int execlp(char * __file, char *
         00 00
00010af5 83 c4 10        ADD        ESP,0x10
00010af8 68 98 0c        PUSH       s_execlp_00010c98                                = "execlp"
         01 00
00010afd e8 1a 15        CALL       <EXTERNAL>::perror                               void perror(char * __s)
         00 00
00010b02 83 c4 04        ADD        ESP,0x4
00010b05 b8 05 00        MOV        EAX,0x5
         00 00
00010b0a e9 bc 00        JMP        LAB_00010bcb
         00 00
                     LAB_00010b0f                                    XREF[1]:     00010b34(j)  
00010b0f 8b 45 ec        MOV        EAX,dword ptr [EBP + pipefd[1]]
00010b12 6a 01           PUSH       0x1
00010b14 8d 55 e7        LEA        EDX=>c,[EBP + -0x19]
00010b17 52              PUSH       EDX
00010b18 50              PUSH       EAX
00010b19 e8 1e 15        CALL       <EXTERNAL>::write                                ssize_t write(int __fd, void * _
         00 00
00010b1e 83 c4 0c        ADD        ESP,0xc
                     LAB_00010b21                                    XREF[1]:     00010a8f(j)  
00010b21 6a 01           PUSH       0x1
00010b23 8d 45 e7        LEA        EAX=>c,[EBP + -0x19]
00010b26 50              PUSH       EAX
00010b27 ff 75 f8        PUSH       dword ptr [EBP + in]
00010b2a e8 d5 14        CALL       <EXTERNAL>::read                                 ssize_t read(int __fd, void * __
         00 00
00010b2f 83 c4 0c        ADD        ESP,0xc
00010b32 85 c0           TEST       EAX,EAX
00010b34 75 d9           JNZ        LAB_00010b0f
00010b36 8b 45 ec        MOV        EAX,dword ptr [EBP + pipefd[1]]
00010b39 50              PUSH       EAX
00010b3a e8 11 15        CALL       <EXTERNAL>::close                                int close(int __fd)
         00 00
00010b3f 83 c4 04        ADD        ESP,0x4
00010b42 8b 45 e8        MOV        EAX,dword ptr [EBP + pipefd[0]]
00010b45 50              PUSH       EAX
00010b46 e8 05 15        CALL       <EXTERNAL>::close                                int close(int __fd)
         00 00
00010b4b 83 c4 04        ADD        ESP,0x4
00010b4e ff 75 f4        PUSH       dword ptr [EBP + fd]
00010b51 e8 fa 14        CALL       <EXTERNAL>::close                                int close(int __fd)
         00 00
00010b56 83 c4 04        ADD        ESP,0x4
00010b59 ff 75 f8        PUSH       dword ptr [EBP + in]
00010b5c e8 ef 14        CALL       <EXTERNAL>::close                                int close(int __fd)
         00 00
00010b61 83 c4 04        ADD        ESP,0x4
00010b64 6a 00           PUSH       0x0
00010b66 8d 45 e0        LEA        EAX=>status,[EBP + -0x20]
00010b69 50              PUSH       EAX
00010b6a ff 75 f0        PUSH       dword ptr [EBP + pid]
00010b6d e8 b2 14        CALL       <EXTERNAL>::waitpid                              __pid_t waitpid(__pid_t __pid, i
         00 00
00010b72 83 c4 0c        ADD        ESP,0xc
00010b75 8b 45 e0        MOV        EAX,dword ptr [EBP + status]
00010b78 c1 f8 08        SAR        EAX,0x8
00010b7b 0f b6 c0        MOVZX      EAX,AL
00010b7e 83 f8 01        CMP        EAX,0x1
00010b81 74 18           JZ         LAB_00010b9b
00010b83 83 f8 02        CMP        EAX,0x2
00010b86 74 22           JZ         LAB_00010baa
00010b88 85 c0           TEST       EAX,EAX
00010b8a 75 2d           JNZ        LAB_00010bb9
00010b8c 68 9f 0c        PUSH       DAT_00010c9f                                     = 4Fh    O
         01 00
00010b91 e8 92 14        CALL       <EXTERNAL>::puts                                 int puts(char * __s)
         00 00
00010b96 83 c4 04        ADD        ESP,0x4
00010b99 eb 2b           JMP        LAB_00010bc6
                     LAB_00010b9b                                    XREF[1]:     00010b81(j)  
00010b9b 68 a4 0c        PUSH       s_Your_file_is_not_completely_comp_00010ca4      = "Your file is not completely c
         01 00
00010ba0 e8 83 14        CALL       <EXTERNAL>::puts                                 int puts(char * __s)
         00 00
00010ba5 83 c4 04        ADD        ESP,0x4
00010ba8 eb 1c           JMP        LAB_00010bc6
                     LAB_00010baa                                    XREF[1]:     00010b86(j)  
00010baa 68 ca 0c        PUSH       s_Your_file_contains_errors_00010cca             = "Your file contains errors"
         01 00
00010baf e8 74 14        CALL       <EXTERNAL>::puts                                 int puts(char * __s)
         00 00
00010bb4 83 c4 04        ADD        ESP,0x4
00010bb7 eb 0d           JMP        LAB_00010bc6
                     LAB_00010bb9                                    XREF[1]:     00010b8a(j)  
00010bb9 68 e4 0c        PUSH       s_I_can't_tell_if_your_file_is_XHT_00010ce4      = "I can't tell if your file is 
         01 00
00010bbe e8 65 14        CALL       <EXTERNAL>::puts                                 int puts(char * __s)
         00 00
00010bc3 83 c4 04        ADD        ESP,0x4
                     LAB_00010bc6                                    XREF[3]:     00010b99(j), 00010ba8(j), 
                                                                                  00010bb7(j)  
00010bc6 b8 00 00        MOV        EAX,0x0
         00 00
                     LAB_00010bcb                                    XREF[6]:     000109d8(j), 00010a0b(j), 
                                                                                  00010a3a(j), 00010a61(j), 
                                                                                  00010a86(j), 00010b0a(j)  
00010bcb 8b 5d fc        MOV        EBX,dword ptr [EBP + local_8]
00010bce c9              LEAVE
00010bcf c3              RET

According to Ghidra, this decompiles to:

int main(int argc,char **argv)

{
  __uid_t __euid;
  __uid_t __ruid;
  __gid_t __egid;
  __gid_t __rgid;
  int iVar1;
  int __fd;
  int iVar2;
  __pid_t __pid;
  ssize_t sVar3;
  uint uVar4;
  int status;
  char c;
  int pipefd [2];
  pid_t pid;
  int fd;
  int in;
  
  __euid = geteuid();
  __ruid = geteuid();
  setreuid(__ruid,__euid);
  __egid = getegid();
  __rgid = getegid();
  setregid(__rgid,__egid);
  if (argv[1] == (char *)0x0) {
    fwrite("Please specify the file to verify\n",1,0x22,stderr);
    iVar1 = 1;
  }
  else {
    iVar1 = open(argv[1],0);
    if (iVar1 < 0) {
      perror("open");
      iVar1 = 2;
    }
    else {
      __fd = open("/dev/null",2);
      if (__fd < 0) {
        perror("open");
        iVar1 = 5;
      }
      else {
        iVar2 = pipe(pipefd);
        if (iVar2 < 0) {
          perror("pipe");
          iVar1 = 3;
        }
        else {
          __pid = fork();
          if (__pid < 0) {
            perror("fork");
            iVar1 = 4;
          }
          else if (__pid == 0) {
            dup2(pipefd[0],0);
            dup2(__fd,1);
            dup2(__fd,2);
            close(pipefd[1]);
            close(__fd);
            close(iVar1);
            execlp("tidy","tidy","-asxml",0);
            perror("execlp");
            iVar1 = 5;
          }
          else {
            while( true ) {
              sVar3 = read(iVar1,&c,1);
              if (sVar3 == 0) break;
              write(pipefd[1],&c,1);
            }
            close(pipefd[1]);
            close(pipefd[0]);
            close(__fd);
            close(iVar1);
            waitpid(__pid,&status,0);
            uVar4 = status >> 8 & 0xff;
            if (uVar4 == 1) {
              puts("Your file is not completely compliant");
            }
            else if (uVar4 == 2) {
              puts("Your file contains errors");
            }
            else if (uVar4 == 0) {
              puts("OK!");
            }
            else {
              puts("I can\'t tell if your file is XHTML-compliant");
            }
            iVar1 = 0;
          }
        }
      }
    }
  }
  return iVar1;
}

It appears it is (to summarize) opening the file passed as the first argument using open in read only mode. If successful, it is forking and using the child process to execute tidy to validate the file is valid XHTML.

Nothing about it stands out to me as an obvious vulnerability that I can use here. I've looked into vulnerabilities for the tidy command, but wasn't really able to find anything useful for this.

Any help would be much appreciated!

ANSWER

Answered 2022-Feb-02 at 10:16

In regular C code, execlp("tidy","tidy","-asxml",0); is incorrect as execlp() expects a null pointer argument to mark the end of the argument list.

0 is a null pointer when used in a pointer context, which this is not. Yet on architectures where pointers have the same size and passing convention as int, such as 32-bit linux, passing 0 or passing NULL generate the same code, so sloppiness does not get punished.

In 64-bit mode, it would be incorrect to do so but you might get lucky with the x86_64 ABI and a 64-bit 0 value will be passed in this case.

In your own code, avoid such pitfalls and use NULL or (char *)0 as the last argument for execlp(). But on this listing, Ghidra produces code that generates the same assembly code, and in 32-bit mode, passing 0 or (char *)0 produce the same code, so no problem here.

In your context, execlp("tidy","tidy","-asxml",0); shows another problem: it will look for an executable program with the name tidy in the current PATH and run this program as tidy with a command line argument -asxml. Since it changed the effective uid and gid, this is a problem if the program is setuid root because you can create a program named tidy in a directory appearing in the PATH variable before the system directories and this program will be run with the modified rights.

Another potential problem is the program does not check for failure of the system calls setreuid() and setregid(). Although these calls are unlikely to fail for the arguments passed, as documented in the manual pages, it is a grave security error to omit checking for a failure return from setreuid(). In case of failure, the real and effective uid (or gid) is not changed and the process may fork and exec with root privileges.

Source https://stackoverflow.com/questions/70941855

QUESTION

How can I determine this string value based on the C disassembly?

Asked 2022-Jan-24 at 01:47

So I am working on a "find the password" type binary disassembly problem and cannot quite figure it out.

The assembly is as follows:

function checkpw

                         **************************************************************
                         *                                                            *
                         *  FUNCTION                                                  *
                         **************************************************************
                         undefined8 __stdcall checkpw(void)
         undefined8        RAX:8          <RETURN>
                         checkpw                                         XREF[2]:     Entry Point(*), main:001012a1(c)  
    00101179 48 89 c8        MOV        RAX,RCX
    0010117c 48 31 c1        XOR        RCX,RAX
    0010117f 8a 08           MOV        CL,byte ptr [RAX]
    00101181 80 f1 52        XOR        CL,0x52
    00101184 80 f9 11        CMP        CL,0x11
    00101187 75 5e           JNZ        LAB_001011e7
    00101189 8a 48 07        MOV        CL,byte ptr [RAX + 0x7]
    0010118c 80 e9 16        SUB        CL,0x16
    0010118f 80 f9 0d        CMP        CL,0xd
    00101192 75 53           JNZ        LAB_001011e7
    00101194 8a 48 01        MOV        CL,byte ptr [RAX + 0x1]
    00101197 48 31 d2        XOR        RDX,RDX
    0010119a fe c2           INC        DL
    0010119c 48 d1 e2        SHL        RDX,1
    0010119f 40 8a 3c 10     MOV        DIL,byte ptr [RAX + RDX*0x1]
    001011a3 40 30 cf        XOR        DIL,CL
    001011a6 40 80 ff 40     CMP        DIL,0x40
    001011aa 75 3b           JNZ        LAB_001011e7
    001011ac 80 c1 63        ADD        CL,0x63
    001011af 80 f9 d6        CMP        CL,0xd6
    001011b2 75 33           JNZ        LAB_001011e7
    001011b4 8a 4c 10 01     MOV        CL,byte ptr [RAX + RDX*0x1 + 0x1]
    001011b8 80 f9 23        CMP        CL,0x23
    001011bb 7e 2a           JLE        LAB_001011e7
    001011bd 80 c1 5b        ADD        CL,0x5b
    001011c0 70 25           JO         LAB_001011e7
    001011c2 48 8d 0c 50     LEA        RCX,[RAX + RDX*0x2]
    001011c6 8a 09           MOV        CL,byte ptr [RCX]
    001011c8 80 f1 f3        XOR        CL,0xf3
    001011cb 80 f9 c7        CMP        CL,0xc7
    001011ce 75 17           JNZ        LAB_001011e7
    001011d0 8a 48 05        MOV        CL,byte ptr [RAX + 0x5]
    001011d3 8a 68 06        MOV        CH,byte ptr [RAX + 0x6]
    001011d6 66 81 f1        XOR        CX,0x4c47
             47 4c
    001011db 66 81 f9        CMP        CX,0x1234
             34 12
    001011e0 75 05           JNZ        LAB_001011e7
    001011e2 48 31 c0        XOR        RAX,RAX
    001011e5 eb 05           JMP        LAB_001011ec
                         LAB_001011e7                                    XREF[8]:     00101187(j), 00101192(j), 
                                                                                      001011aa(j), 001011b2(j), 
                                                                                      001011bb(j), 001011c0(j), 
                                                                                      001011ce(j), 001011e0(j)  
    001011e7 b8 01 00        MOV        EAX,0x1
             00 00
                         LAB_001011ec                                    XREF[1]:     001011e5(j)  
    001011ec c3              RET

According to Ghidra, the decompiled function is:

undefined8 checkpw(void)

{
  undefined8 uVar1;
  char *in_RCX;
  
  if (((((*in_RCX != 'C') || (in_RCX[7] != '#')) || ((byte)(in_RCX[2] ^ in_RCX[1]) != 0x40)) ||
      ((in_RCX[1] != 0x73 || (in_RCX[3] < '$')))) ||
     ((SCARRY1(in_RCX[3],'[') || ((in_RCX[4] != '4' || (*(short *)(in_RCX + 5) != 0x5e73)))))) {
    uVar1 = 1;
  }
  else {
    uVar1 = 0;
  }
  return uVar1;
}

It decompiles main function as :

void main(int param_1,long param_2)

{
  long lVar1;
  size_t sVar2;
  undefined8 uVar3;
  
  lVar1 = ptrace(PTRACE_TRACEME,0,1,0);
  if (lVar1 < 0) {
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  if (param_1 != 2) {
                    /* WARNING: Subroutine does not return */
    exit(2);
  }
  sVar2 = strlen(*(char **)(param_2 + 8));
  if (sVar2 != 8) {
                    /* WARNING: Subroutine does not return */
    exit(3);
  }
  uVar3 = checkpw();
  if ((int)uVar3 != 0) {
    puts("Invalid Password!");
                    /* WARNING: Subroutine does not return */
    exit(4);
  }
  puts("Correct Password!");
                    /* WARNING: Subroutine does not return */
  exit(0);
}

At this point, I can tell the password must be 8 characters.

Also based on the checkpw decompilation, I believe the following is true (assuming variable passwd is a character array containing a valid password):

passwd[0] = 'C'
passwd[1] = 's'
passwd[2] = '3'
passwd[3] = '$'
passwd[4] = '4'
passwd[7] = '#'

Though I'm not entirely confident on a few of them, I really have am having trouble with those in position 5 and 6.

The decompiled function doesn't seem to reference the seventh character so I'm assuming it can be anything, but not sure what this means as it relates to this problem:

(*(short *)(in_RCX + 5) != 0x5e73)

ANSWER

Answered 2022-Jan-24 at 01:44

This:

(*(short *)(in_RCX + 5) != 0x5e73)

Is comparing two characters at once. This statement is calculating in_RCX + 5 and then casting it to short * i.e. a pointer to a 16bit signed integer (the register used in the function body is actually RAX despite the name of this variable in the decompiled code). It is then dereferencing said pointer to get two bytes at once, and it compares them to 0x5e73. Of course, this is just decompiled code, so it doesn't mean that the program is actually doing a 16-bit MOV (indeed it is doing two 8-bit MOVs), it is only the C version of what the decompiler thinks is going on.

You can see this a lot more clearly in the disassembly:

    001011d0 8a 48 05        MOV        CL,byte ptr [RAX + 0x5]
    001011d3 8a 68 06        MOV        CH,byte ptr [RAX + 0x6]
    001011d6 66 81 f1        XOR        CX,0x4c47
             47 4c
    001011db 66 81 f9        CMP        CX,0x1234
             34 12
    001011e0 75 05           JNZ        LAB_001011e7

The check in the disassembly is done with XOR + CMP + JNZ, so Ghidra already xored 0x4c47 and 0x1234 together for you, which is 0x5e73. This means that in order for the check to pass, passwd[5] must be 0x73 ('s') and passwd[6] must be 0x5e ('^').

Source https://stackoverflow.com/questions/70828047

QUESTION

how to make Ghidra use a function's complete/original stackframe for decompiled code

Asked 2022-Jan-14 at 17:33

I have a case where some function allocates/uses a 404 bytes temporary structure on the stack for its internal calculations (the function is self-contained and shuffles data around within that data structure). Conceptually the respective structure seems to consist of some 32-bit counters followed by an int[15] and a byte[80] array, and then an area that might or might not actually be used. Some of the generated data in the tables seems to represent offsets that are again used by the function to navigate within the temporary structure.

Unfortunately Ghidra's decompiler makes a total mess while trying to make sense of the function: In particular it creates separate "local_.." int-vars (and then uses a pointer to that var) for what should correctly be a pointer into the function's original data-structure (e.g. pointing into one of the arrays).

    undefined4 local_17f;
...
    dest= &local_17f;
    for (i = 0xf; i != 0; i = i + -1) {
      *dest = 0;
      dest = dest + 1;
    }

Ghidra does not seem to understand that an array based data access is actually being used at that point. Ghirda's decompiler then also generates a local auStack316[316] variable which unfortunately seems to cover only a part of the respective local data structure used by the original ASM code (at least Ghidra actually did notice that a temporary memory buffer is used). As a result the decompiled code basically uses two overlapping (and broken) shadow data structures that should correctly just be the same block of memory.

Is there some way to make Ghidra's decompiler use the complete 404 bytes block allocated by the function as an auStack404 thus bypassing Ghidra's flawed interpretation logic and actually preserve the original functionality of the ASM code?

ANSWER

Answered 2022-Jan-14 at 17:33

I think I found something.. In the "Listing" view the used local-variable layout is shown as a comment under the function's header. It seems that by right clicking on a respective local-var line in that comment, "set data type" can be applied to a respective local variable. Ah, and then there is what I've been looking for under "Function/"Edit stack frame" :-)

Source https://stackoverflow.com/questions/70697145

QUESTION

what's this decompiled f2xm1/fscale sequence meant to do?

Asked 2022-Jan-10 at 08:37

I am trying to reverse engineer some decomiled code which originally had been written in C/C++, i.e. I suspect that the below FPU related code sequence is probably derived from some simple C-code "double" handling that justs looks more complicated in the generated assembly code. Leading up to this point, some floating point multiplications had been performed with the result in ST0 (corresponding to d1). I've read the docs on what the underlying FPU operations technically do, still the intention of the respective code sequence still isn't obvious to me.

  d1 = (float10)1.442695040888963 *(float10)0.6931471805599453 * (float10)DOUBLE_00430088 * (float10)param_1[0x58];
  d2 = ROUND(d1);
  d1 = (float10)f2xm1(d1 - d2);
  d1 = (float10)fscale((float10)1 + d1,d2);

what is the intended change performed to the original d1 result, i.e. what would the C code have done with the original d1 "double"?

PS: below the actual x86 code (just in case Ghidra misinterpreted something while decompiling):

                     * Push ST(i) onto the FPU register stack, i.e.               *
                     * duplicate ST0                                              *
                     **************************************************************
0040aeef d9 c0           FLD        ST0
                     **************************************************************
                     * Rounds the source value in the ST(0) register              *
                     * to the nearest integral value, depending on                *
                     * the current rounding mode (lets suppose some               *
                     * "floor" mode was used?)                                    *
                     **************************************************************
0040aef1 d9 fc           FRNDINT
                     **************************************************************
                     * Exchange the contents of ST(0) and ST(1).                  *
                     **************************************************************
0040aef3 d9 c9           FXCH
                     **************************************************************
                     * get fractional part?                                       *
                     **************************************************************
0040aef5 d8 e1           FSUB       d2[0],d1[0]
                     **************************************************************
                     * Computes the exponential value of 2 to the power           *
                     * of the source operand minus 1.                             *
                     **************************************************************
0040aef7 d9 f0           F2XM1
                     **************************************************************
                     * Push +1.0 onto the FPU register stack.                     *
                     **************************************************************
0040aef9 d9 e8           FLD1
                     **************************************************************
                     * Add ST(0) to ST(1), store result in ST(1),                 *
                     * and pop the register stack.                                *
                     **************************************************************
0040aefb de c1           FADDP
                     **************************************************************
                     * Scale ST(0) by ST(1).  This instruction provides           *
                     * rapid multiplication or division by integral               *
                     * powers of 2.                                               *
                     **************************************************************
0040aefd d9 fd           FSCALE
                     **************************************************************
                     * The FSTP instruction copies the value in the ST(0)         *
                     * register to the destination operand and then pops          *
                     * the register stack.                                        *
                     **************************************************************
0040aeff dd d9           FSTP       d1[0]

ANSWER

Answered 2022-Jan-10 at 08:37

Seems it is some variation of a pow(x,y) implementation (see How can I write a power function myself? ). Ghidra just made a total mess of it in the decompiled code view.

Tracing the results in the debugger the performed functionality is indeed:

pow((float10)DOUBLE_00430088, (float10)param_1[0x58])

Source https://stackoverflow.com/questions/70641943

QUESTION

How to reverse strings that have been obfuscated using floats and double?

Asked 2021-Dec-24 at 01:09

I'm working on a crackme , and having a bit of trouble making sense of the flag I'm supposed to retrieve. I have disassembled the binary using radare2 and ghidra , ghidra gives me back the following pseudo-code:


undefined8 main(void)

{
  long in_FS_OFFSET;
  double dVar1;
  double dVar2;
  int local_38;
  int local_34;
  int local_30;
  int iStack44;
  int local_28;
  undefined2 uStack36;
  ushort uStack34;
  char local_20;
  undefined2 uStack31;
  uint uStack29;
  byte bStack25;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  __printf_chk(1,"Insert flag: ");
  __isoc99_scanf(&DAT_00102012,&local_38);
  uStack34 = uStack34 << 8 | uStack34 >> 8;
  uStack29 = uStack29 & 0xffffff00 | (uint)bStack25;
  bStack25 = (undefined)uStack29;
  if ((((local_38 == 0x41524146) && (local_34 == 0x7b594144)) && (local_30 == 0x62753064)) &&
     (((iStack44 == 0x405f336c && (local_20 == '_')) &&
      ((local_28 == 0x665f646e && (CONCAT22(uStack34,uStack36) == 0x40746f31)))))) {
    dVar1 = (double)CONCAT26(uStack34,CONCAT24(uStack36,0x665f646e));
    dVar2 = (double)CONCAT17((undefined)uStack29,CONCAT43(uStack29,CONCAT21(uStack31,0x5f)));
    __printf_chk(0x405f336c62753064,1,&DAT_00102017);
    __printf_chk(dVar1,1,"y: %.30lf\n");
    __printf_chk(dVar2,1,"z: %.30lf\n");
    dVar1 = dVar1 * 124.8034902710365;
    dVar2 = (dVar1 * dVar1) / dVar2;
    round_double(dVar2,0x1e);
    __printf_chk(1,"%.30lf\n");
    dVar1 = (double)round_double(dVar2,0x1e);
    if (1.192092895507812e-07 <= (double)((ulong)(dVar1 - 4088116.817143337) & 0x7fffffffffffffff))
    {
      puts("Try Again");
    }
    else {
      puts("Well done!");
    }
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

It is easy to see that there's a part of the flag in plain-sight , but the other part is a bit more interesting :

if (1.192092895507812e-07 <= (double)((ulong)(dVar1 - 4088116.817143337) & 0x7fffffffffffffff))

From what I understand , I have to generate the missing part of the flag depending on this condition . The problem is that I absolutely have no idea how to do this .

I can assume this missing part is 8 bytes of size , according to this line :

dVar2=(double)CONCAT17((undefined)uStack29,CONCAT43(uStack29,CONCAT21(uStack31,0x5f)));`

Considering flags are usually ascii , with some special characters , let's say , each byte will have values from 0x21 to 0x7E , that's almost 8^100 combinations , which will clearly take too much time to compute.

Do you guys have an idea on how I should proceed to solve this ?

Edit : Here is the link to the binary : https://filebin.net/dpfr1nocyry3sijk

ANSWER

Answered 2021-Dec-24 at 01:09

You can tweak the Ghidra reverse result by edit variable type. Based on scanf const string %32s your local_38 should be char [32].

Before the first if, there are some char swap.

And the first if statment give you a long constrain of flag

At this point, you can confirm part of flag is FARADAY{d0ubl3_@nd_f1o@t, then is ther main part of this challenge.

It print x, y, z based on the flag, but you'll quickly find x and y is constrain by the if, so you only need to solve z to get the flag, so you think you need to bruteforce all double value limit by printable ascii.

But there are a limitaion in if statment says byte0 of this double must be _ and a math constrain there, simple math tell dVar2 - 4088116.817143337 <= 1.192092895507813e-07 and it comes dVar2 is very close 4088116.817143337 And byte 3 and byte 7 in this double will swap

By reverse result: dVar2 = y*y*x*x/z, solve this equation you can say z must near 407.2786840401004 and packed to little endian is `be}uty@. Based on double internal structure format, MSB will affect exponent, so you can make sure last byte is @ and it shows byte0 and byte3 is fixed now by constrain and flag common format with {} pair.

So finally, you only need to bureforce 5 bytes of printable ascii to resolve this challenge.

import string, struct
from itertools import product

possible = string.ascii_lowercase + string.punctuation + string.digits

for nxt in product(possible, repeat=5):
    n = ''.join(nxt).encode()
    s = b'_' + n[:2] + b'}' + n[2:] + b'@'
    rtn = struct.unpack("<d", s)[0]
    rtn = 1665002837.488342 / rtn
    if abs(rtn - 4088116.817143337) <= 0.0000001192092895507812:
        print(s)

And bingo the flag is FARADAY{d0ubl3_@nd_f1o@t_be@uty}

Source https://stackoverflow.com/questions/70402074

QUESTION

Can Ghidra re-compile and run a short function?

Asked 2021-Oct-23 at 09:19

I've picked out a short and "self-contained" function from the Ghidra decompiler. Can Ghidra itself compile the function again so I can try to run it for a couple different values, or would I need to compile it myself with e.g. gcc?

Attaching the function for context:

undefined8 FUN_140041010(char *param_1,longlong param_2,uint param_3)

{
  char *pcVar1;
  uint uVar2;
  ulonglong uVar3;
  
  uVar3 = 0;
  if (param_3 != 0) {
    pcVar1 = param_1;
    do {
      if (pcVar1[param_2 - (longlong)param_1] == '\0') {
        if ((uint)uVar3 < param_3) {
          param_1[uVar3] = '\0';
          return 0;
        }
        break;
      }
      *pcVar1 = pcVar1[param_2 - (longlong)param_1];
      uVar2 = (uint)uVar3 + 1;
      uVar3 = (ulonglong)uVar2;
      pcVar1 = pcVar1 + 1;
    } while (uVar2 < param_3);
  }
  param_1[param_3 - 1] = '\0';
  return 0;
}

ANSWER

Answered 2021-Oct-22 at 03:08

You can, but you'll have to change some of the types to be standard C, or just add typedefs like so:

#include <stdint.h>

typedef uint8_t undefined8;
typedef long long int longlong;
typedef unsigned long long int ulonglong;
typedef unsigned int uint;

undefined8 FUN_140041010(char *param_1,longlong param_2,uint param_3)
{
  char *pcVar1;
  uint uVar2;
  ulonglong uVar3;
  
  uVar3 = 0;
  if (param_3 != 0) {
    pcVar1 = param_1;
    do {
      if (pcVar1[param_2 - (longlong)param_1] == '\0') {
        if ((uint)uVar3 < param_3) {
          param_1[uVar3] = '\0';
          return 0;
        }
        break;
      }
      *pcVar1 = pcVar1[param_2 - (longlong)param_1];
      uVar2 = (uint)uVar3 + 1;
      uVar3 = (ulonglong)uVar2;
      pcVar1 = pcVar1 + 1;
    } while (uVar2 < param_3);
  }
  param_1[param_3 - 1] = '\0';
  return 0;
}

Then you can call it like any function:

int main(int argc, char const* argv[])
{
  char* mystr = "hello";
  printf("%hhu\n", FUN_140041010(mystr, /* not sure about this arg */ 0, strlen(mystr));
  return 0;
}

Source https://stackoverflow.com/questions/69669889

Community Discussions, Code Snippets contain sources that include Stack Exchange Network

Vulnerabilities

No vulnerabilities reported

Install ghidra

To install an official pre-built multi-platform Ghidra release:. For additional information and troubleshooting tips about installing and running a Ghidra release, please refer to docs/InstallationGuide.html which can be found in your extracted Ghidra release directory.
Install JDK 11 64-bit
Download a Ghidra release file
Extract the Ghidra release file
Launch Ghidra: ./ghidraRun (or ghidraRun.bat for Windows)
To create the latest development build for your platform from this source repository:. NOTE: Instead of downloading the compressed source, you may instead want to clone the GitHub repository: git clone https://github.com/NationalSecurityAgency/ghidra.git. The compressed development build will be located at build/dist/. For more detailed information on building Ghidra, please read the Developer Guide.
JDK 11 64-bit
Gradle 6.8+ or 7.x
make, gcc, and g++ (Linux/macOS-only)
Microsoft Visual Studio (Windows-only)

Support

If you would like to contribute bug fixes, improvements, and new features back to Ghidra, please take a look at our Contributor Guide to see how you can participate in this open source project.

DOWNLOAD this Library from

Reuse Trending Solutions

14 best Python Telegram Bot

21 best C# Game Development

Build AI Fake News Detector

Build Text Summarizer in Python

Getting Started with Web3

24 best Python Blockchain

26 best Python Face Recognition

Build Ludo Game in Python

Build Location Based AR App

Build AI Study Assistant Bot

Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from
over 430 million Knowledge Items

Find more libraries

Reuse Solution Kits and Libraries Curated by Popular Use Cases

Save this library and start creating your kit

Explore Related Topics

Telecommunications and Media

Advertising and Marketing

Reverse Engineering

Share this Page

Reuse Utilities Kits

Build Text Summarizer in Python

Build AI Study Assistant Bot

Tetris Game

Open Source Intelligence

Ai Hulks App Kit

See all related Kits

Consider Popular Reverse Engineering Libraries

x64dbg

by x64dbg

ImHex

by WerWolv

cutter

by rizinorg

Reverse-Engineering

by mytechnotalent

qira

by geohot

See all Reverse Engineering Libraries

Try Top Libraries by NationalSecurityAgency

SIMP

by NationalSecurityAgency Ruby

lemongraph

by NationalSecurityAgency Python

datawave

by NationalSecurityAgency Java

timely

by NationalSecurityAgency CSS

DCP

by NationalSecurityAgency C

See all Libraries by this author

Compare Reverse Engineering Libraries with Highest Support

x64dbg

by x64dbg

cutter

by rizinorg

lighthouse

by gaasedelen

ImHex

by WerWolv

miasm

by cea-sec

See all Reverse Engineering Libraries

Compare Reverse Engineering Libraries with Highest Quality

ghidra-xbox-extensions

by JayFoxRox

brut.apktool

by brutall

block-lldb-script

by ddeville

cantordust

by Battelle

SpecialSource

by md-5

See all Reverse Engineering Libraries

Compare Reverse Engineering Libraries with Highest Security

ghidra-xbox-extensions

by JayFoxRox

brut.apktool

by brutall

cantordust

by Battelle

BinDiffHelper

by ubfx

SpecialSource

by md-5

See all Reverse Engineering Libraries

Compare Reverse Engineering Libraries with Permissive License

cantordust

by Battelle

binch

by tunz

grap

by QuoSecGmbH

qc_modem_tools

by bkerler

UEFI_RETool

by yeggor

See all Reverse Engineering Libraries

Compare Reverse Engineering Libraries with Highest Reuse

DumpReport

by xquintana

zstack-constants

by zigbeer

FAROS

by mnavaki

prxtool

by pspdev

hacks

by t184256

See all Reverse Engineering Libraries

Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from
over 430 million Knowledge Items

Find more libraries

Reuse Solution Kits and Libraries Curated by Popular Use Cases

Save this library and start creating your kit

© 2022 Open Weaver Inc.

© 2022 Open Weaver Inc.