@BenLubar
Last active April 22, 2020 19:15
I wish Ghidra could understand these constructs (or, alternatively, that I knew how to tell Ghidra to override these incorrectly decompiled statements).

Multi-field assignments

Simple example:

struct
{
    int16_t x;
    int16_t y;
} foo;
*(undefined4*)&foo.x = 0xffffffff; // one 4-byte store that really means foo.x = -1; foo.y = -1;

More extreme example:

char x[25];
*(undefined8*)&x[0] = 0x20656c706d617865;  // little-endian bytes of "example "
*(undefined8*)&x[8] = 0x6f20676e69727473;  // "string o"
*(undefined8*)&x[16] = 0x747320656874206e; // "n the st"
x[24] = '\x00';                            // i.e. strcpy(x, "example string on the st") built on the stack

Pointer subtraction

Seen commonly in vectors:

vector<some_type *> foo;
// Byte difference between the two pointers, then >> 3 divides by sizeof(some_type *) == 8;
// this is just foo.size().
size = (int)(long)((long)foo._M_finish - (long)foo._M_start) >> 3;
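When reading this kind of decompiler output by hand, the two things an analyst keeps redoing are reassembling the widened stores into the string they build and turning the pointer difference back into an element count. The following is an added example, not code from the gist or from Ghidra: it parses constructed decompiler-style lines (the `undefinedN` store syntax shown above) and recovers the buffer contents, and it converts the `_M_finish - _M_start` shift back into a length.

```python
import re

# Constructed sample in the shape Ghidra emits for a string assembled on the
# stack; the immediates are the little-endian 8-byte pieces of the text.
SAMPLE = """
char x[25];
*(undefined8*)&x[0] = 0x20656c706d617865;
*(undefined8*)&x[8] = 0x6f20676e69727473;
*(undefined8*)&x[16] = 0x747320656874206e;
x[24] = '\\x00';
"""

_DECL = re.compile(r"char\s+(\w+)\[(\d+)\];")
_WIDE = re.compile(r"\*\(undefined(\d)\*\)&(\w+)\[(\d+)\]\s*=\s*(0x[0-9a-fA-F]+);")
_BYTE = re.compile(r"(\w+)\[(\d+)\]\s*=\s*'\\x([0-9a-fA-F]{2})';")


def recover_stack_strings(text):
    """Return {buffer_name: bytes} for each char array that the decompiler
    output fills with widened (undefined2/4/8) and single-byte stores."""
    bufs = {name: bytearray(int(size)) for name, size in _DECL.findall(text)}
    for width, name, off, val in _WIDE.findall(text):
        width, off, val = int(width), int(off), int(val, 16)
        if off + width > len(bufs[name]):
            raise ValueError(f"store at {name}[{off}] runs past the declared buffer")
        # x86 is little-endian: the low byte of the immediate lands at x[off].
        # to_bytes() raises OverflowError if the constant is wider than its
        # declared store, which catches mistyped immediates.
        bufs[name][off:off + width] = val.to_bytes(width, "little")
    for name, off, val in _BYTE.findall(text):
        bufs[name][int(off)] = int(val, 16)
    # Stop at the first NUL, as the C code that built the string would.
    return {name: bytes(b).split(b"\0", 1)[0] for name, b in bufs.items()}


def vector_len(m_start, m_finish, shift):
    """Ghidra renders vector::size() as (finish - start) >> log2(sizeof(T));
    given the two pointer values and that shift, return the element count."""
    elem_size = 1 << shift
    byte_len = m_finish - m_start
    if byte_len < 0 or byte_len % elem_size:
        raise ValueError("pointer range is not a whole number of elements")
    return byte_len // elem_size


if __name__ == "__main__":
    print(recover_stack_strings(SAMPLE))
    print(vector_len(0x7ffc1000, 0x7ffc1040, 3))  # constructed pointer values
```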

Bool return values end up as undefined8 for no reason

This one is easy to override, but still very annoying.

return in_RAX & 0xffffffffffffff00 | (some_condition); // only the low byte (AL) is meaningful: this is just "return some_condition;"