Ghidra scripts

Started by names_are_hard, April 07, 2019, 03:17:37 AM



names_are_hard

Ghidra is a free tool similar to IDA Pro.  https://ghidra-sre.org/
You can extend it with scripts, in Java or Python.  I thought we could make some useful ones and collect them here.  I'm going to assume everyone wanting to run scripts has already got Ghidra working and loaded the rom dumps and extra memory regions (eg, parts of the rom that get copied to different locations at runtime).

Here's my first useful script, StubNamer.py - you give it a stubs.S file and it names and disassembles the stubs in your listing:
https://drive.google.com/open?id=17QJSAd-72z_Kp_GgoS6Qn1HdOsQVc832
In Linux, copy to /home/<your_user>/ghidra_scripts/, then it will be visible under Magiclantern when you open "Display Script Manager" (white triangle in green circle icon in button bar).

Limitations:
- it doesn't define a function at the address, because not all stub addresses are at function starts so I didn't want to force this.  Often Ghidra will work out it's a function due to xrefs etc, but sometimes it doesn't.  Could be made better by inspecting the disassembly, detecting common function starts, only then defining a function?
- the NSTUB address extraction only handles the simplest case.  If it's a computed address, it will fail (and report this in Ghidra console so you can manually define it)

calle2010

Thank you for this!

Have you seen the latest change to stub.h from A1ex?
https://bitbucket.org/calle2010/magic-lantern/src/6aff5f72ba485652bfd902de0fb1b6fe3480ff0d/include/stub.h?at=digic6-dumper

No guesswork required to know whether it is a data pointer or a function and Thumb or ARM. Also the Thumb bit is handled correctly which removes a source of error.

Would be nice if we could have this in contrib/ghidra or similar.
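Added example, not names_are_hard's StubNamer.py or anything from the ML repository: a stand-alone parser for the stubs.S lines described in the two posts above. It handles the classic NSTUB form (Thumb inferred from bit 0 of the address) and the typed macros from the newer stub.h, strips the Thumb bit before labelling, and reports computed addresses instead of evaluating them, which is the "simplest case only" limitation mentioned earlier. THUMB_FN is named in the thread; ARM_FN and DATA_PTR are assumed macro names, and the sample input is constructed. Only Jython 2.7 compatible syntax is used so it can be dropped into a Ghidra script; the Ghidra API calls (createLabel, setting the TMode register) are left out so it runs anywhere.

```python
import re

# Stub macros recognised. NSTUB and THUMB_FN appear in the thread;
# ARM_FN and DATA_PTR are assumed names for the other two typed cases.
MACRO_KIND = {
    "NSTUB": "unknown",     # classic form: Thumb state only encoded in bit 0
    "THUMB_FN": "thumb_fn",
    "ARM_FN": "arm_fn",
    "DATA_PTR": "data",
}

STUB_RE = re.compile(
    r"^\s*(NSTUB|THUMB_FN|ARM_FN|DATA_PTR)\s*\(\s*([^,]+?)\s*,\s*(\w+)\s*\)")
ADDR_RE = re.compile(r"^0x[0-9a-fA-F]+$")   # the only "simple" address form

def parse_stub_line(line):
    """Return (name, address, kind, is_thumb) for one stubs.S line, or None
    for lines that are not stub definitions (comments, #defines, blanks).
    Computed addresses such as 'ROMBASEADDR + 0x40' raise ValueError so the
    caller can report them for manual definition instead of guessing."""
    m = STUB_RE.match(line)
    if not m:
        return None
    macro, addr_text, name = m.groups()
    if not ADDR_RE.match(addr_text):
        raise ValueError("computed address for %s: %r" % (name, addr_text))
    addr = int(addr_text, 16)
    kind = MACRO_KIND[macro]
    if kind == "thumb_fn":
        is_thumb = True
    elif kind in ("arm_fn", "data"):
        is_thumb = False
    else:
        is_thumb = bool(addr & 1)   # legacy NSTUB: odd address means Thumb
    if is_thumb:
        addr &= ~1   # drop the Thumb bit so the label lands on the real address
    return (name, addr, kind, is_thumb)

def parse_stubs(text):
    """Parse a whole stubs.S; returns (entries, problems) where problems are
    human-readable strings to print in the Ghidra console."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_stub_line(line)
        except ValueError as e:
            problems.append("line %d: %s" % (lineno, e))
            continue
        if entry:
            entries.append(entry)
    return entries, problems
```

Feed each returned address to createLabel (and, for Thumb entries, set the TMode context register before disassembling) and print the problems list so computed stubs can be defined by hand.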

names_are_hard

I was aware he'd made those changes, but they're not in the code I'm working from, so, didn't bother.  Easy to add, but see "cstart" in stubs: this is listed as THUMB_FN, but it's not a function.  Perhaps it should be named THUMB_CODE?  I guessed the thumb bit wouldn't cause problems for disassembly, since Ghidra knows that ARM functions must be even-aligned - have you seen problems?

EDIT: I take it back, cstart is a function.  Pretty sure I've seen some names that aren't, ones that point into the middle of functions at useful places.

reyalp

FWIW, I wrote some ghidra scripts for CHDK that may have useful bits for ML development too.

set_tmode_reg_at from http://subversion.assembla.com/svn/chdk/trunk/tools/ghidra_scripts/chdklib/analyzeutil.py can be used to set the arm/thumb state on an address before disassembling.

http://subversion.assembla.com/svn/chdk/trunk/tools/ghidra_scripts/CleanThumb2BookmarkErrors.py iterates over Ghidra generated error bookmarks and attempts to fix some common issues I noticed working with thumb2 firmware.

I also wrote some notes on using the version tracking tool, which I've found very useful for porting: https://chdk.setepontos.com/index.php?topic=13718.msg142082#msg142082

names_are_hard

@reyalp - these look really nice, thank you!  Much more sophisticated than my hack scripts.