... | ... | @@ -57,7 +57,69 @@ Below the Symbol Tree is the Data Type Manager Window, which is useful for ident |
|
|
|
|
|
In the center, the Listing window shows the disassembled binary.
|
|
|
For interpretability, Ghidra adds a great deal of color coding and annotative comments to the assembly display.
|
|
|
To the right of the Listing window is the Decompile window which shows Ghidra's best guess of the source code used to produce the corresponding assembly.
|
|
|
Clicking on a function in the Symbol Tree window or within a function in the Listing window will load the relevant decompiled source code in the Decompile window.
|
|
|
To the right of the Listing window is the Decompiler window which shows Ghidra's best guess of the source code used to produce the corresponding assembly.
|
|
|
Clicking on a function in the Symbol Tree window or within a function in the Listing window will load the relevant decompiled source code in the Decompiler window.
|
|
|
Clicking on code in the Decompiler window will highlight the associated assembly instructions; this can be used to inspect how well the decompiler translated the assembly to source code.
|
|
|
|
|
|
We can use the functions list in the Symbol Tree window to locate the main function of the executable.
|
|
|
Clicking on the name of the function brings us to the relevant portion of the assembly and loads the decompiled C code.
|
|
|
|
|
|

|
|
|
|
|
|
We can see that the decompiler has some mistakes that we can work to correct to improve readability.
|
|
|
Right-clicking in the Decompiler window gives the option `Edit Function Signature` which presents the following dialogue:
|
|
|
|
|
|

|
|
|
|
|
|
We can provide the correct function signature for main, then click `OK`:
|
|
|
|
|
|

|
|
|
|
|
|
The code in the Decompiler window is updated and references to `argc` and `argv` are corrected throughout.
|
|
|
We can also rename variables and fix their type to make the code more understandable.
|
|
|
Middle-clicking with the mouse on a variable highlights its use throughout the code:
|
|
|
|
|
|

|
|
|
|
|
|
Pressing `l` allows us to change the variable name, and pressing `Ctrl+l` lets us change the variable type.
|
|
|
We can see that `iVar1` is used as a return value, so let's rename it `retvar`.
|
|
|
This actually splits the uses of `iVar1` into two variables, one of which is used as the return value of a `strcmp` call.
|
|
|
We'll rename that to `cmpvar`.
|
|
|
We'll also change the type and name of `size_t __n` to `int password_length` to match its use.
|
|
|
|
|
|

|
|
|
|
|
|
Once we've identified the intended behavior of a section of code, we can make a comment to save ourselves from repeated work.
|
|
|
Right-click and select `Comments > Set ...` to open the comment dialogue.
|
|
|
Types of comments possible include end-of-line, pre, post, plate, and repeatable.
|
|
|
|
|
|

|
|
|
|
|
|
Depending on the type, an entered comment will show up in the assembly listing, decompiled source, or both.
|
|
|
|
|
|

|
|
|
|
|
|
Double-clicking the name of any function will show the code of the selected function.
|
|
|
Here we'll double-click `strlen` to show the placeholder assembly code used for the external function.
|
|
|
|
|
|

|
|
|
|
|
|
There are numerous views that can be used to further analyze a binary.
|
|
|
`Window > Function Call Graph` shows the calling relationship between functions as a graph.
|
|
|
|
|
|

|
|
|
|
|
|
`Window > Function Graph` shows how execution can be traced through the assembly by function calls or jump instructions.
|
|
|
|
|
|

|
|
|
|
|
|
`Window > Defined Strings` shows a list of extracted strings and clicking on a string takes you to the relevant portion of the assembly code.
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Under construction |
|
|
\ No newline at end of file |
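Review bot: the hunk adds the same two paragraphs twice with only the window name changed, so one pair should be dropped: "To the right of the Listing window is the Decompile window which shows Ghidra's best guess ..." and "Clicking on a function in the Symbol Tree window ... in the Decompile window." reappear a few lines later as "To the right of the Listing window is the Decompiler window which shows ..." and "... in the Decompiler window." Keep the "Decompiler" versions, since that matches the window title Ghidra uses and the name the rest of the section ("Right-clicking in the Decompiler window", "The code in the Decompiler window is updated") relies on, and delete the first pair so readers are not told the same thing twice under two names. Two smaller points in the same hunk: the closing "### Under construction" heading has no body beneath it, so either add a sentence saying what is planned there or leave the heading out until the content exists, and the file is committed without a trailing newline ("\ No newline at end of file"), which will show up as a spurious change in the next edit to this file.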