Ghidra | NSA Ghidra | Reverse Engineering library
kandi X-RAY | Ghidra Summary
kandi X-RAY | Ghidra Summary
This is source code derived from Java code found in XXX-src.zip files shiped with Ghidra. I collect modification which community post in the issues to actual Ghidra, and just ship them here. Also I provide some simple fixes for silly issues when I able to make it. Azure DevOps project now have built JAR files, and they should be usable with Ghidra. You could modify your Ghidra installation, by replacing JAR files in the original Ghidra installation. Just click on Azure badge and download JAR from Artifacts button. Structure of the project is similar to what of Ghidra.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- the special parser
- Matches a key as id
- Moves forward from the last state in the state set .
- Matches a variable node .
- 11
- Returns the next pcode for the instruction .
- Performs the given relocation .
- reference all tokens
- Create the filters .
- Simplify a pcode operation .
Ghidra Key Features
Ghidra Examples and Code Snippets
Community Discussions
Trending Discussions on Ghidra
QUESTION
I am trying to decompile nodejs bytecode using ghidra, and there is this specific plugin which decompiles the the nodejs bytecode. How can I install that plugin using ghidra headless method?
And another question I have is, after analysing the nodejs bytecode it generated a .rep folder, which I am not sure what to do about now, as I thought it will be giving me the source code after analysis.
Thanks in advance :)
...ANSWER
Answered 2022-Mar-23 at 09:37Installing a plugin in Ghidra via GUI is just an unzip with extra checks. Headless install is described in the doc at https://ghidra-sre.org/InstallationGuide.html#GhidraExtensionNotes
To install an extension in these cases, simply extract the desired Ghidra extension archive file(s) to the /Ghidra/Extensions directory. For example, on Linux or macOS:
- Set current directory to the Ghidra installed-extensions directory:
cd /Ghidra/Extensions- Extract desired extension archive file(s) to the current directory:
unzip /path/to/.zip- The extension(s) will be installed the next time Ghidra is started.
How to dump the source code will depend on the plugin you are using, without a link it's hard to tell. I guess it just allows disassembling NodeJS bytecode, so you have to use the regular Ghidra APIs or scripts to dump disassembly?
QUESTION
ANSWER
Answered 2022-Feb-13 at 17:33You can only do rename in a fully defined function. The grey background means that Ghidra didn't properly create a function at this point. You can see this also in a disassembly where you only have a label at this location. If you think this is a function you can type F and define a function. It should enable all the edit options.
QUESTION
So I am working on a challenge problem to find a vulnerability in a C program binary that allows a command to be executed by the program (using the effective UID in Linux).
I am really struggling to find how to do this with this particular program.
The disassembly of the function in question (main function):
...ANSWER
Answered 2022-Feb-02 at 10:16In regular C code, execlp("tidy","tidy","-asxml",0); is incorrect as execlp() expects a null pointer argument to mark the end of the argument list.
0 is a null pointer when used in a pointer context, which this is not. Yet on architectures where pointers have the same size and passing convention as int, such as 32-bit linux, passing 0 or passing NULL generate the same code, so sloppiness does not get punished.
In 64-bit mode, it would be incorrect to do so but you might get lucky with the x86_64 ABI and a 64-bit 0 value will be passed in this case.
In your own code, avoid such pitfalls and use NULL or (char *)0 as the last argument for execlp(). But on this listing, Ghidra produces code that generates the same assembly code, and in 32-bit mode, passing 0 or (char *)0 produce the same code, so no problem here.
In your context, execlp("tidy","tidy","-asxml",0); shows another problem: it will look for an executable program with the name tidy in the current PATH and run this program as tidy with a command line argument -asxml. Since it changed the effective uid and gid, this is a problem if the program is setuid root because you can create a program named tidy in a directory appearing in the PATH variable before the system directories and this program will be run with the modified rights.
Another potential problem is the program does not check for failure of the system calls setreuid() and setregid(). Although these calls are unlikely to fail for the arguments passed, as documented in the manual pages, it is a grave security error to omit checking for a failure return from setreuid(). In case of failure, the real and effective uid (or gid) is not changed and the process may fork and exec with root privileges.
QUESTION
So I am working on a "find the password" type binary disassembly problem and cannot quite figure it out.
The assembly is as follows:
function checkpw
...ANSWER
Answered 2022-Jan-24 at 01:44This:
QUESTION
I have a case where some function allocates/uses a 404 bytes temporary structure on the stack for its internal calculations (the function is self-contained and shuffles data around within that data structure). Conceptually the respective structure seems to consist of some 32-bit counters followed by an int[15] and a byte[80] array, and then an area that might or might not actually be used. Some of the generated data in the tables seems to represent offsets that are again used by the function to navigate within the temporary structure.
Unfortunately Ghidra's decompiler makes a total mess while trying to make sense of the function: In particular it creates separate "local_.." int-vars (and then uses a pointer to that var) for what should correctly be a pointer into the function's original data-structure (e.g. pointing into one of the arrays).
...ANSWER
Answered 2022-Jan-14 at 17:33I think I found something.. In the "Listing" view the used local-variable layout is shown as a comment under the function's header. It seems that by right clicking on a respective local-var line in that comment, "set data type" can be applied to a respective local variable. Ah, and then there is what I've been looking for under "Function/"Edit stack frame" :-)
QUESTION
I am trying to reverse engineer some decomiled code which originally had been written in C/C++, i.e. I suspect that the below FPU related code sequence is probably derived from some simple C-code "double" handling that justs looks more complicated in the generated assembly code. Leading up to this point, some floating point multiplications had been performed with the result in ST0 (corresponding to d1). I've read the docs on what the underlying FPU operations technically do, still the intention of the respective code sequence still isn't obvious to me.
...ANSWER
Answered 2022-Jan-10 at 08:37Seems it is some variation of a pow(x,y) implementation (see How can I write a power function myself? ). Ghidra just made a total mess of it in the decompiled code view.
Tracing the results in the debugger the performed functionality is indeed:
pow((float10)DOUBLE_00430088, (float10)param_1[0x58])
QUESTION
I'm kind of new to Ghidra Disassembler so kindly bear with me .
I was trying to install Ghidra to analyse an executable. After opening the executable in Ghidra it loads everything fine except Decompiler. Decompiler window displays
Decompiler: Unable to initialize the DecompilerInterface: Could not find decompiler executable" this error message. Also it shows "os/mac_x86_64/decompile does not exist
I downloaded it from here. I also have JDK installed in my mac. What should i do so as to make Decompiler work?
As the error says there is no decompiler inside "os/mac_x86_64". Not sure on what i should do.
...ANSWER
Answered 2022-Jan-09 at 14:46Issue happened because I removed the decompile file while installing ghidra for the first coz gatekeeper in my Mac prompted me to remove it as it was from github. Solution to this issue is to allow it in the Security & Privacy . Thank you @Robert for ur inputs and ur time. U saved me ton of time.
Clicking "Allow Anyways" without removing decompile fixed the issue for me.
QUESTION
I'm working on a crackme , and having a bit of trouble making sense of the flag I'm supposed to retrieve. I have disassembled the binary using radare2 and ghidra , ghidra gives me back the following pseudo-code:
...ANSWER
Answered 2021-Dec-24 at 01:09You can tweak the Ghidra reverse result by edit variable type. Based on scanf const string %32s your local_38 should be char [32].
Before the first if, there are some char swap.
And the first if statment give you a long constrain of flag
At this point, you can confirm part of flag is FARADAY{d0ubl3_@nd_f1o@t, then is ther main part of this challenge.
It print x, y, z based on the flag, but you'll quickly find x and y is constrain by the if, so you only need to solve z to get the flag, so you think you need to bruteforce all double value limit by printable ascii.
But there are a limitaion in if statment says byte0 of this double must be _ and a math constrain there, simple math tell dVar2 - 4088116.817143337 <= 1.192092895507813e-07 and it comes dVar2 is very close 4088116.817143337
And byte 3 and byte 7 in this double will swap
By reverse result: dVar2 = y*y*x*x/z, solve this equation you can say z must near 407.2786840401004 and packed to little endian is `be}uty@. Based on double internal structure format, MSB will affect exponent, so you can make sure last byte is @ and it shows byte0 and byte3 is fixed now by constrain and flag common format with {} pair.
So finally, you only need to bureforce 5 bytes of printable ascii to resolve this challenge.
QUESTION
I disassembled a jni .so file(the native part of an android application) and I decompiled one of its function in ghidra.
I saw a DAT_* in a part of decompiled code and when I double clicked on that ghidra show me only question marks.
What should I do for finding the data in the DAT_*
( '*' Means any chars )
...ANSWER
Answered 2021-Nov-09 at 09:15I think what you are referring to are the questions mark like in this screenshot:
This just means that the datatype of the data at this address is not yet defined in any way. For example, if you specify the data at this address to be of the type QWORD it will state dq and look like this:
if it is a string it will contain ds and look like this
QUESTION
I've picked out a short and "self-contained" function from the Ghidra decompiler. Can Ghidra itself compile the function again so I can try to run it for a couple different values, or would I need to compile it myself with e.g. gcc?
Attaching the function for context:
...ANSWER
Answered 2021-Oct-22 at 03:08You can, but you'll have to change some of the types to be standard C, or just add typedefs like so:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
Install Ghidra
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
