Ghidra reverse engineering tool - General Discussion and Assistance - CHDK Forum  

Ghidra reverse engineering tool


reyalp
Ghidra reverse engineering tool
« on: 06 / March / 2019, 00:49:02 »
The NSA has open-sourced  a reverse engineering tool https://www.ghidra-sre.org/

Use at your own risk, they pinky swear there's no back door :haha

It looks quite capable and supports a bunch of processors, including ARM of course, though sadly appears not to include Xtensa.

I was able to load a digic 6 dump with minimal fuss.
Don't forget what the H stands for.

Ghidra disassembler
« Reply #1 on: 10 / March / 2019, 15:00:08 »
Wondering if anyone is familiar with Ghidra, a recently open-sourced disassembly tool, that might complement some of the other tools we use?


reyalp
Re: Ghidra disassembler
« Reply #2 on: 10 / March / 2019, 17:12:56 »
Quote
Wondering if anyone is familiar with Ghidra, a recently open-sourced disassembly tool, that might complement some of the other tools we use?
Merged topics.

I tried it briefly on windows. It's straightforward to set up and looks quite good. Java based UI is ugly as sin. Analyzing a full firmware takes a long time.

Some scripts / extensions would probably be helpful, for example to name functions based on funcs_by_*.csv. I haven't explored this aspect, but it's supposed to be quite extensible. see below

Install / setup:
* Download and unzip file from https://www.ghidra-sre.org/
* Download and unzip current JDK https://jdk.java.net/11/
* Run ghidraRun.bat -  it will prompt for JDK location if needed

Loading a dump
* New project, not shared (shared could be interesting...)
* Pick a directory. It will use significant disk space (e.g. ~500 MB after initial analysis)
* With the project selected, choose file, import file, select primary.bin. I'm using sx710 here
* Format - raw binary
* Language ARM v7 32 bit little endian default
* Options - Block name ROM, Base address = ROMBASEADDR (0xfc000000), File offset 0
* Double click on PRIMARY.BIN to open in default tool (code browser)
* It will prompt you to analyze. I clicked NO because I want to add additional copied code first.
* File -> Add to Program. PRIMARY.BIN again
* Options - Name RAMCODE, values from stubs entry: Base 0x010e1000, offset 0xd4742c (copied from adr - base), length 158672 (dec!)
* File -> Add to Program. PRIMARY.BIN again
* Options - Name BTCMCODE, values from stubs entry: Base 0xbfe10800, offset 0xd6dffc (copied from adr - base), length 27674 (dec, rounded up)
* File -> Add to Program. PRIMARY.BIN again
* Options - Name RAMDATA, values from stubs entry: Base 0x8000, offset 0xd1e5d4 (copied from adr - base), length 167512 (dec) (not sure this is useful, just trying now)
* Tools - Window, memory map, uncheck X on RAMDATA
* Save
* Analysis - auto-analyze. I left the options at default, but just disassembling rather than decompiling might be a better initial choice.
* Go get a $beverage (like IDA, you can do stuff while it's analyzing, and it seems to prioritize what you have in view)



One particularly interesting, potentially CHDK relevant thing in the docs is the "version tracking" section:

Quote
Version Tracking refers to the process used by reverse engineers to identify matching code or data between different software binaries. One common use case is to version track two different versions of the same binary. Alternatively, version tracking techniques can be used to check for the presence of a particular piece of code within a given binary of interest.

edit:
Screenshot
« Last Edit: 10 / March / 2019, 18:39:11 by reyalp »
Don't forget what the H stands for.


reyalp
Re: Ghidra reverse engineering tool
« Reply #3 on: 10 / March / 2019, 18:16:03 »
Here's a ghidra python script to import funcs_by_address.csv.

To add:
Download somewhere.
Window -> Script manager.
Script directories (right click or bullet list icon)
Either copy the script into one of the defined directories, or add wherever you want to keep your scripts
Script should be recognized. You can use the refresh button if you add more scripts
Right click, run. Select the funcs_by_address.csv for your port
After it finishes, the functions from the CSV will be named in Ghidra

Note this is very basic, and my python and Ghidra knowledge is very limited...

edit:
Oops, first version didn't handle the thumb bit in the csv correctly. This one should. There's a commented line that will remove the bad ones if you already ran the old version

edit:
Some other useful things for scripting:
Window -> Python gives you an interactive Python interpreter where you can use the script API.
Help->Ghidra API help gives you an API reference (though for Java)
« Last Edit: 10 / March / 2019, 20:06:25 by reyalp »
Don't forget what the H stands for.
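reyalp's script is a forum attachment and is not reproduced on this page. What follows is an added example, not reyalp's script and not CHDK project code, of a Ghidra Python (Jython 2.7) script that does the job the post describes: it parses funcs_by_address.csv, clears the thumb bit that the edit above refers to, marks those entries as Thumb through the TMode context register, and then names (or creates) the functions. Assumptions not taken from the page: each CSV row is "address,name" (the reverse order is also accepted), the address is hex with or without a 0x prefix, Thumb entry points have bit 0 set, and the Ghidra calls used (askFile, toAddr, getFunctionAt, createFunction, Function.setName, ProgramContext.setValue) are the standard FlatProgramAPI/program API ones. The sample rows in the block are constructed for illustration, not taken from a real port. The CSV parsing is plain Python, so that part runs and can be checked outside Ghidra; the Ghidra calls only run when the script is started from the Script Manager.

```python
# Added example (not reyalp's attached script, not CHDK project code): a Ghidra
# Python (Jython 2.7) script that names functions from CHDK's
# funcs_by_address.csv.  Put it in a script directory (Window -> Script
# Manager) and run it with the loaded PRIMARY.BIN open.
#
# Assumptions (not taken from the original page):
#  - each row is "address,name" (or "name,address"); the address is hex, with
#    or without a 0x prefix; blank lines and lines starting with '#' are skipped
#  - for Thumb functions bit 0 of the address is set (the "thumb bit"); it is
#    cleared here and used to set the TMode context register on the entry point
import csv
import re

# 0x-prefixed hex, or a bare 8-digit 32-bit address.  Shorter bare hex strings
# are not accepted so that names such as "add" are not mistaken for addresses.
ADDR_RE = re.compile(r'^(?:0x[0-9a-fA-F]+|[0-9a-fA-F]{8})$')


def parse_funcs_csv(lines):
    """Return [(address, is_thumb, name), ...] with the thumb bit cleared."""
    entries = []
    for row in csv.reader(lines):
        row = [c.strip() for c in row]
        if len(row) < 2 or row[0].startswith('#'):
            continue
        if ADDR_RE.match(row[0]):
            addr_s, name = row[0], row[1]
        elif ADDR_RE.match(row[1]):
            name, addr_s = row[0], row[1]
        else:
            continue  # header line or junk
        addr = int(addr_s, 16)
        entries.append((addr & ~1, bool(addr & 1), name))
    return entries


# Constructed sample rows (addresses invented, not from a real port) so the
# parser can be exercised outside Ghidra.
SAMPLE_ROWS = [
    "0xfc0d8c01,ExecuteEventProcedure",   # odd address: Thumb entry point
    "0xfc33d480,GetDrive_TotalClusters",  # even address: ARM entry point
    "# comment line",
    "",
]


def run_in_ghidra():
    # Only valid under Ghidra: askFile, currentProgram, toAddr, getFunctionAt,
    # createFunction and println come from the GhidraScript globals.
    from ghidra.program.model.symbol import SourceType
    from java.math import BigInteger
    path = askFile("Select funcs_by_address.csv", "Import").getAbsolutePath()
    with open(path) as f:
        entries = parse_funcs_csv(f)
    ctx = currentProgram.getProgramContext()
    tmode = ctx.getRegister("TMode")  # ARM only; None for other languages
    named = 0
    for addr_int, is_thumb, name in entries:
        addr = toAddr(addr_int)
        if is_thumb and tmode is not None:
            try:
                # tell the disassembler this entry point is Thumb code
                ctx.setValue(tmode, addr, addr, BigInteger.ONE)
            except Exception as e:  # e.g. already disassembled there
                println("TMode not set at %s: %s" % (addr, e))
        fn = getFunctionAt(addr)
        if fn is None:
            fn = createFunction(addr, name)  # disassembles and defines it
        if fn is None:
            println("no function could be created at %s for %s" % (addr, name))
            continue
        if fn.getName() != name:
            try:
                fn.setName(name, SourceType.USER_DEFINED)
            except Exception as e:  # e.g. DuplicateNameException
                println("could not rename %s to %s: %s" % (addr, name, e))
                continue
        named += 1
    println("named %d of %d functions" % (named, len(entries)))


if 'currentProgram' in globals():
    run_in_ghidra()
```

Because the parser clears bit 0 before calling toAddr, a second run over the same CSV finds the functions already present and only renames where the name differs; entries whose address is not code (or where Ghidra refuses to create a function) are reported rather than silently skipped.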


srsa_4c
Re: Ghidra reverse engineering tool
« Reply #4 on: 11 / March / 2019, 14:55:20 »
Quote
Here's a ghidra python script to import funcs_by_address.csv.
Thanks for making that script.

Some pros/cons I found while using ghidra:
+ The decompiler is very useful
+ Function boundaries are recognized
- Could not find a way to customize the label prefix
- If I define a variable that consists of 2 registers, the disassembly becomes bogus (those registers are no longer displayed separately)
- LDR shows the constant's location even though I rarely care about it (the value is displayed on the same line but too far off)

... but the overall impression is positive.
