You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is the obfuscated code I work with. After marking some fields as constants, Ghidra almost overcomes it:
(ignore the GS_OFFSET, it's a result of me doing random changes, it has no relevance to the decompilation
The issue is:
decompiler understands where the jump goes, but since it technically goes outside of the function (as defined in listing), it marks it as an external call
disassembler is too limited to understand where the jump goes, so it needs manual fixing
While in reality, this JMP is just pointless obfuscation that goes to the next function instruction.
Now, there are a plenty of manual ways to fix it:
I can set fallthrough override of ADD R10, RBX to 1406304ad
I can add a COMPUTED_JUMP reference to 1406304ad, and set flow override of JMP R10
Equivalently, I can add a COMPUTED_JUMP reference to 1406304ad, and run SwitchOverride.java
I can patch JMP R10 to JMP [constant] or NOP it in this particular case
With exception of SwitchOverride that does it automatically, I will also have to use the script console to execute CreateFunctionCmd.fixupFunctionBody, in order to let Ghidra know that this new fragment of code belongs to the original function (out of curiosity, is there a way to do this from the UI? "Clear flow and repair" doesn't help.).
Finally, there's no obvious non-hacky way to automate it:
SymbolicPropagator is not powerful enough to recover R10 value at this place (may be related to this issue, but I suspect it will always be less powerful than the decompiler)
As far as I can see, high pcode doesn't have this constant readily available:
I can probably implement my own symbolic propagator based on high pcode (I sort of already did already once), but it feels wrong - Ghidra already knows the answer.
Technically I can get this constant from DecompilationResult.getCCodeMarkup() - that's why I specified a non-hacky solution :)
Is there something I'm missing? What is the best way to proceed? I'm OK with scripting my way out of this, but I want to reuse ghidra features as much as possible.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
This is the obfuscated code I work with. After marking some fields as constants, Ghidra almost overcomes it:
(ignore the GS_OFFSET, it's a result of me doing random changes, it has no relevance to the decompilation
The issue is:
While in reality, this JMP is just pointless obfuscation that goes to the next function instruction.
Now, there are a plenty of manual ways to fix it:
JMP [constant]or NOP it in this particular caseWith exception of SwitchOverride that does it automatically, I will also have to use the script console to execute
CreateFunctionCmd.fixupFunctionBody, in order to let Ghidra know that this new fragment of code belongs to the original function (out of curiosity, is there a way to do this from the UI? "Clear flow and repair" doesn't help.).Finally, there's no obvious non-hacky way to automate it:
Is there something I'm missing? What is the best way to proceed? I'm OK with scripting my way out of this, but I want to reuse ghidra features as much as possible.
Beta Was this translation helpful? Give feedback.
All reactions