Author Topic: Ghidra scripts

names_are_hard

Ghidra scripts
« on: April 07, 2019, 03:17:37 AM »
Ghidra is a free tool similar to IDA Pro.  https://ghidra-sre.org/
You can extend it with scripts, in Java or Python.  I thought we could make some useful ones and collect them here.  I'm going to assume everyone wanting to run scripts has already got Ghidra working and loaded the rom dumps and extra memory regions (e.g. parts of the rom that get copied to different locations at runtime).

Here's my first useful script, StubNamer.py - you give it a stubs.S file and it names and disassembles the stubs in your listing:
https://drive.google.com/open?id=17QJSAd-72z_Kp_GgoS6Qn1HdOsQVc832
In Linux, copy to /home/<your_user>/ghidra_scripts/, then it will be visible under Magiclantern when you open "Display Script Manager" (white triangle in green circle icon in button bar).

Limitations:
 - it doesn't define a function at the address, because not all stub addresses are at function starts so I didn't want to force this.  Often Ghidra will work out it's a function due to xrefs etc, but sometimes it doesn't.  Could be made better by inspecting the disassembly, detecting common function starts, only then defining a function?
 - the NSTUB address extraction only handles the simplest case.  If it's a computed address, it will fail (and report this in Ghidra console so you can manually define it)

calle2010

Re: Ghidra scripts
« Reply #1 on: April 07, 2019, 09:24:23 AM »
Thank you for this!

Have you seen the latest change to stub.h from A1ex?
https://bitbucket.org/calle2010/magic-lantern/src/6aff5f72ba485652bfd902de0fb1b6fe3480ff0d/include/stub.h?at=digic6-dumper

No guesswork required to know whether it is a data pointer or a function and Thumb or ARM. Also the Thumb bit is handled correctly which removes a source of error.

Would be nice if we could have this in contrib/ghidra or similar.

names_are_hard

Re: Ghidra scripts
« Reply #2 on: April 07, 2019, 09:51:23 AM »
I was aware he'd made those changes, but they're not in the code I'm working from, so I didn't bother.  Easy to add, but see "cstart" in stubs: this is listed as THUMB_FN, but it's not a function.  Perhaps it should be named THUMB_CODE?  I guessed the thumb bit wouldn't cause problems for disassembly, since Ghidra knows that ARM functions must be even-aligned - have you seen problems?

EDIT: I take it back, cstart is a function.  Pretty sure I've seen some names that aren't, ones that point into the middle of functions at useful places.
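As an added illustration of the two points raised in this thread (the simple-case-only NSTUB address extraction in the first post, and the Thumb-bit handling that the newer stub.h macros make explicit), here is a small stand-alone parser for a stubs.S file. It is not StubNamer.py or any Magic Lantern code; the sample stubs.S text is constructed, the macro names ARM32_FN and DATA_PTR are assumed to match the linked stub.h, and the Ghidra flat-API calls that would consume the result (createLabel, disassemble) are left out so it runs outside Ghidra.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, not a real stubs.S from the project.
SAMPLE_STUBS_S = """\
/* task functions */
NSTUB(0xFF0E8F30,  task_create)
NSTUB(0xFF0E8F30 - RAM_OFFSET, msleep)   /* computed address: needs manual handling */
THUMB_FN(0xE0040001, cstart)             /* Thumb bit set in the low bit */
ARM32_FN(0xE0010000, some_arm_routine)   /* ARM32_FN/DATA_PTR names are assumed */
DATA_PTR(0x00012345, gui_main_struct)
"""

# One macro invocation per line: MACRO(<address expression>, <name>)
STUB_RE = re.compile(
    r'^\s*(NSTUB|THUMB_FN|ARM32_FN|DATA_PTR)\s*\(\s*([^,]+?)\s*,\s*(\w+)\s*\)')


@dataclass
class Stub:
    name: str
    address: Optional[int]  # None when the address expression could not be resolved
    kind: str               # "thumb", "arm", "data", or "unknown" for a plain NSTUB
    raw: str                # address text as written, for the console report


def parse_stubs(text: str) -> List[Stub]:
    """Extract (name, address, kind) from stubs.S; only a single hex literal is resolved."""
    stubs = []
    for line in text.splitlines():
        m = STUB_RE.match(line)
        if not m:
            continue
        macro, addr_text, name = m.groups()
        try:
            addr = int(addr_text, 16)       # simplest case: one hex literal
        except ValueError:
            addr = None                     # computed expression: report it, don't guess
        kind = {"THUMB_FN": "thumb", "ARM32_FN": "arm", "DATA_PTR": "data"}.get(macro, "unknown")
        if addr is not None and macro == "THUMB_FN":
            addr &= ~1                      # strip the Thumb bit so the label lands on the instruction
        stubs.append(Stub(name, addr, kind, addr_text))
    return stubs


def unresolved(stubs: List[Stub]) -> List[str]:
    """Names whose address must be defined by hand (what the script would print to the console)."""
    return [s.name for s in stubs if s.address is None]
```

In a Ghidra Python script the resolved entries would be passed to the flat API to create the label and, for the "thumb" and "arm" kinds, to set the TMode register context before disassembling at that address.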